By Jordan True
By now last week’s historic Internet outage that shut down access to some of the most popular consumer websites—PayPal, Pinterest, Reddit, Spotify, the New York Times, Twitter among an estimated 1192 others—is old news.
For anyone who isn’t up to date, it is believed that hackers leveraged tens of thousands of Internet of Things (IoT) connected devices (like security cameras) to bombard these sites, sending so many fake requests for access that they literally jammed them, preventing legitimate users from being able to connect. (Want to know more on how it works? See Distributed Denial of Service, here.)
If you are a casual internet user who doesn’t tweet, stream music, pay for things using PayPal and such, it may not seem like that big a deal. But if you’re a company that depends on services like enterprise file-sharing service Box for collaboration, Twitter for customer service, Shopify to power eCommerce, or Heroku for building apps, all of which were affected on Friday, being out of business for part or most of the day (as many as 11 hours) is not only inconvenient but also costly.
And while it may be tempting to blame the service provider’s Domain Name System (DNS) provider (in this case Dyn) for not protecting itself and its customers better, or not having the spare bandwidth needed to prevent its customers from suffering the consequences of such an attack, that’s not actually a solution at all. Consider that the problem was caused by hackers who leveraged a new, open-source IoT botnet named Mirai.
Mirai works by scanning the IoT looking for devices with vulnerable usernames and passwords, like the default admin/1111 combination that came with our early cell phones and GPS devices. When it finds them, it breaks in and reports them to a central control system, from which the attacks are launched.
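That scanning is visible from the defender's side: an infected device on your own network shows up as one source reaching many distinct addresses on Telnet ports in a short time. The Python below is an added example, not code from this article or from Mirai; the log format, addresses, thresholds and the Telnet ports (23 and 2323, taken from public analyses of Mirai rather than from this page) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the article names no ports. Public analyses of Mirai describe
# its scanner probing Telnet on TCP 23 and 2323.
TELNET_PORTS = {23, 2323}

def sample_log():
    """Constructed firewall lines: 'timestamp src dst dport action'."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = []
    for i in range(30):   # camera sweeping 30 addresses in 30 seconds
        port = 2323 if i % 10 == 0 else 23
        lines.append(f"{stamp(i)} 10.0.0.50 198.51.100.{i + 1} {port} ALLOW")
    for i in range(25):   # admin host: many sessions, but to one switch
        lines.append(f"{stamp(i * 2)} 10.0.0.9 10.0.0.1 23 ALLOW")
    for i in range(40):   # laptop: many destinations, but HTTPS only
        lines.append(f"{stamp(i)} 10.0.0.77 203.0.113.{i + 1} 443 ALLOW")
    return lines

def find_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Map each source to its peak count of distinct Telnet destinations
    inside any sliding window, keeping sources at or above min_targets."""
    events = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue      # skip blank or malformed lines
        ts, src, dst, port = fields[0], fields[1], fields[2], int(fields[3])
        if port in TELNET_PORTS:
            events[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = peak = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1    # drop events older than the window
            peak = max(peak, len({d for _, d in hits[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, count in find_scanners(sample_log()).items():
        print(f"{src}: {count} distinct Telnet targets within 60s")
```

Counting distinct destinations rather than raw connections keeps a busy admin host from being flagged. A short window misses slow sweeps, so run a second pass with a window of hours and a similar threshold.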
So where’s the vulnerability? In the security of the devices, right?
If that’s the case, then the solution, or at least part of the solution, seems simple: get everyone to set up unique usernames and passwords for their IoT-connected devices. How is that working among your family, friends, and neighbors?
Consider that according to a recent report from security firm ESET, 30 percent of respondents said that they aren’t sure if they have changed the login credentials for their home routers, 14 percent couldn’t tell you how many devices were connected to their routers, and 20 percent aren’t sure that they have taken any precautions at all. We’re in trouble. But there’s more…
Multiply that by Gartner’s estimate that 6.4 billion “things” will be in use by the end of this year (everything from baby monitors, dog activity monitors, home routers, refrigerators, security cameras, and garden sensors to, maybe, even your toothbrush), and warning signals should be set on high alert.
Worse yet, when you consider that, according to Krebs on Security, Mirai’s source code was made generally available earlier this month and the code for the Mirai scanner has already been downloaded from GitHub more than 1000 times (at least some of these had to be guys and gals wearing white hats), it’s unlikely that Friday’s event will be the last one we’ll see.
What’s the remedy? Securing passwords, protecting endpoints, and controlling access will go a long way. Educating and empowering those within your circle of influence is also a good start. Thycotic provides some educational literature and related products geared toward businesses in that regard. Industry-wide conversations need to be held as well; we are all in this together.
It’s also worth noting that the enemy isn’t a lone cowboy, but a cyber-criminal army whose members don’t necessarily even think of themselves as black-hatters, villains, and evil doers. As Wired reporter Kevin Poulsen wrote earlier this year, the (hacker) underground is “like any machine, tireless and indifferent and, for the most part, simply looking for work that pays”.