Attacking the Internet is Now Child’s Play
Brian Krebs has made a lot of enemies by publicizing and thwarting many hacker organizations. So it’s not surprising that his website is constantly under attack. A recent attack on Krebs' website effectively silenced him for a week. Another recent attack took many popular sites offline for hours. Read on to see what's happening, and what you can do about it... |
Could Poorly-Secured Gadgets Bring Down the Internet?
For years, Krebs has been shielded on a pro bono basis by Akamai Technologies, a content delivery and cloud services company. But even Akamai was overwhelemed by the distributed denial-of-service (DDoS) that hit KrebsOnSecurity.com on the evening of September 20. That deluge of junk traffic was twice the size of any DDoS attack that Akamai had ever seen before, and arguably the largest that had ever been seen. Krebs measured 660 gigabits per second of malicious traffic at his site’s ports.
Deflecting this tsunami of bad bits would have cost Akamai hundreds of thousands of dollars and degraded service to its paying customers. So Akamai had to cut Krebs loose from its DDoS shield. KrebsOnSecurity.com went offline for nearly a week.
Krebs shopped around to see what comparable protection might cost him. The best estimate he got was $150,000 to $200,000 per year, far more than any independent journalist can afford. Fortunately, Google stepped up to cover Krebs with its Project Shield, a protective service it offers to news sites that are targeted by would-be censors.
There were some other unique and disturbing characteristics about the DDoS assault that silenced Krebs besides its unprecedented enormity. First, the two botnets identified as the source of the attack consist of compromised “Internet of Things” (IoT) devices, not personal computers. Second, it turns out that IoT devices are so insecure that any low-skilled “script kiddie” can build an equally potent weapon and wield it against anyone his doesn’t like.
Level 3 Communications, a backbone network provider, has been tracking the botnets that attacked Krebs. One of them includes about 980,000 hacked devices, while the other has about 500,000 devices. That’s nearly 1.5 million sources of attack data, all aimed at one website.
What is a Botnet?
You might be wondering what exactly is an "IoT device" and why they are so easily hacked and enslaved in botnets. Most soldiers in this army of hacked devices are unsecured webcams, along with other internet-connected gadgets you may own. That does not come as a surprise. Security experts have been sounding alarms about the danger of flimsy or non-existent security in cameras, DVRs, home-automation systems, even “smart” refrigerators and coffee makers, for several years. Now, it seems, that chicken has come home to roost with a vengeance.
How bad is the security of surveillance cameras? A site called Insecam.com aggregates over 73,000 Internet-connected cameras whose default userid/password has never been changed from “admin/admin.” Anyone online can access the feed from such a defenseless camera, or even turn it to point wherever he wishes. If that’s possible, imagine how easily a hacker can make it part of his botnet.
Generally, we’re not talking about the webcam in your laptop or smartphone. Millions of closed-circuit TV surveillance cameras have been installed worldwide, ostensibly to provide greater security to citizens - actually, to make it easier to identify and prosecute the perpetrators of crimes that have already happened and been “caught on camera.” Ironically, these crime-fighting tools are being usurped by criminals and used to commit crimes.
But Insecam has also included baby monitors among its collection of totally unsecured cameras. That should give parents pause. “We’re starting to see the first consequences of these poorly secured devices and the damage they can do when they are compromised,” said Matthew Prince, the founder of Cloudflare, a company that offers DDoS protection.
Chaos For Sale
Indeed, the process of penetrating the flimsy security of IoT devices from many manufacturers has been automated in software, which is available for sale on the “dark web” where drugs, guns, and other dangerous items are traded in secret. Other software for assembling and controlling compromised devices in a botnet of Biblical proportions has long been available. You don’t need much skill, just a bit of money.
Krebs is not the first, last, or largest victim of this new generation of mega-botnets powered by legions of poorly secured IoT devices. In fact, the same technique was used to trigger a massive Internet outage just over a week ago. For reasons unknown, hackers targeted Dyn, a company that provides Internet connectivity services to many popular websites. As a result, Amazon, Netflix, Twitter, Spotify and other sites were unreachable for several hours.
This phenomenon is relatively new, but it promises to mushroom into a global crisis very quickly. As fast as one botnet is identified and neutralized, another milllion or so devices can be compromised to take its place. Some security experts fear that the Dyn attack was just a "proof of concept" and that a similar attack, perpetrated by hackers or a foreign government, could do much more damage.
What Can Be Done?
Neutralizing this IoT threat isn’t easy. Few of the older generations of devices have firmware that can be upgraded remotely, or upgraded at all without pulling and reprogramming a flash ROM chip. Even after a security hole is identified, plugging it isn’t cost-effective so, in most cases, it won’t get done.
Internet service providers (ISPs) also need to step up and implement security standards and practices that can mitigate these attacks. There are ways to detect and block botnet activity, and it's also possible for ISPs to notify a customer if a device is spewing malicious traffic. But according to a WIRED article most ISPs are reluctant to do either, because of the cost involved.
So what can YOU do? As I advised in my article IoT Security News Just Gets Worse, the most important thing you can do is to change the factory-supplied password of every internet-connected device you own, to something strong and unique. Going forward, consumers need to demand strong data security in any IoT products, and refuse to buy those that don’t provide it. That goes for light bulbs and refrigerators as well as surveillance cameras. No matter what its function, every “smart” device is an Internet-connected computer, and every Internet-connected computer can be hacked and used as a weapon.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 27 Oct 2016
For Fun: Buy Bob a Snickers. |
Prev Article: Geekly Update - 26 October 2016 |
The Top Twenty |
Next Article: Google Chrome, Ungoogled? |
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- Attacking the Internet is Now Child’s Play (Posted: 27 Oct 2016)
Source: https://askbobrankin.com/attacking_the_internet_is_now_childs_play.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Attacking the Internet is Now Child’s Play"
Posted by:
Bob k
27 Oct 2016
One problem I have is being able to identify what devices I can change security on before I buy them. I walk into Costco, Sams, HomeDepot, or some similar store, see something on sale, and I really don't think I can find an inkling of a clue as to what security that thing has. Even trying to find out on the web may be impossible.
As a customer of broadband services, I would like to have routers give some immediate attention when unusual amount of traffic start on my service. And, with people streaming more and more video, that may be well impossible.
Back in the old days, before routers were commonly used, I had a Linux box as a firewall. I ran a program (full time) that showed traffic conditions. With that I was able to detect when my system was involved in a DoS attack, and shut it down. But the average consumer isn't going to be bothered with that.
Posted by:
lath davis
27 Oct 2016
Bob I understand how smart devices can be used. My question is this. If my devices in my home must use the wifi that is provided by my router to access the internet would I not be able to just provide my router with a strong password and prevent this from happening? It seems that my devices must be gotten through my router to be able to be used. Thank you.
Posted by:
CtPaul
27 Oct 2016
Call me a philistine, or a luddite, but "The Internet of Things" always seemed absurd to me. From "smart" refrigerators, to "smart" light bulbs.... logically it follows that a "smart" condom that tightens it's grip if more pressure is needed is only a patent away!
Bob, remember- I said it here first... we can split the royalty checks!
Posted by:
erasmus
27 Oct 2016
Imagine the state of medicine, as a science and an institution, if tens or hundreds of thousands of the best, foremost, leading minds in the field had no connection with any schools, hospitals, or professional organizations, didn't have a practice, no office, no license, no oversight - nothing. But meanwhile, these people were determining the future of medicine and controlling much of its use along the way. That's digital tech and science. Remember that the next time anyone claims anything is safe.
Posted by:
Jon
27 Oct 2016
If herself reads this I'm going to have to change the 'hacker proofing' on her webcam....
It was only cheap and easy - duct tape.
Total security from people snooping.
There was a guy trying to save time getting his IOT kettle to work for literally hours a couple of weeks ago.
I am getting old and sounding more like my grandparents did, every day.
Jon
Posted by:
Robert A.
27 Oct 2016
Great! This means we'll have to learn another dozen or so passwords, and change them monthly for all of our devices connected to the IoT. It won't be long before hackers figure out a way into the computer of a Samsung "smart" refrigerator, and cause IT to burst into flames, or make it run 24/7, and reward us with a $1,000 electric bill. If the appliances and devices are "smart," we have to learn to become smarter.
Posted by:
John M
27 Oct 2016
Hi Bob, I have the same question as Lath Davis has above, regarding whether or not his/my router with good security wouldn't be enough to secure IoT devices as well.
I'm sure others share the same concerns. Thanks
Posted by:
Old Man
27 Oct 2016
You asked: So what can YOU do?
The answer is: Nothing significant.
Those of us us who subscribe to, and read & heed, e-newsletters (such as yours) are somewhere around 2% of those using technology. Just subscribing shows we are "smarter than the average bear".
The 98% who need this information the most - the average bear - either don't know about sites like yours (and there are several others), or they are just too lazy. All they want is to get the latest gadget or just plug-and-play (emphasis on play).
Posted by:
Paul
27 Oct 2016
The manufacturers of IoT devices like most for-profit corporations are interested in the bottom line which means making the things easy to use and to reduce the number of buyers placing support calls hence the default settings that are wide open.
Posted by:
P38arover
27 Oct 2016
I'll be honest, I don't understand how an IoT device can attack another website.
Posted by:
Leah
28 Oct 2016
How do "smart" meters fit into this?
Posted by:
kevin
28 Oct 2016
There are very very few home devices that truly benefit from being in the Internet of Things. Who actually NEEDS a refrigerator telling them, whether home or away, that they are low on milk? Just because something CAN be done a new way doesn't mean it SHOULD...and that applies even without the security risks discussed in Bob's article.
I would never remotely turn on an IoT Air Conditioner 30 minutes before arriving home just so I could avoid waiting the mere 2-3 minutes it takes to provide substantial relief if turned on when I walk in. That so-called convenience is simply a foolish waste of energy (and money), even more-so if you are delayed by traffic (or your plans change and you neglect to turn it off).
The world now seems headed to a ridiculous level of inter-connectedness. You don't have to be a Luddite to understand that we really truly have gotten along just fine with every appliance being connected to nothing except its power source. Fortunately, it's still possible right now to buy a regular version of most products. In cases where it's not, never mind repeatedly changing passwords for them; simply don't let them connect in the first place.
Manufacturer's will get the message if consumers start rejecting this trend rather than supporting it. The market will have spoken. Anyone lazy enough to continue embracing the IoT will have nobody to blame for the consequences but themselves. Let's hope these latest threats will begin to wake up enough of us to turn "things" around.
Posted by:
Kevin
28 Oct 2016
After posted my rant (above), I should say, on the other hand, that I would have no problem with an "Internet of Thongs."
Posted by:
SamG
28 Oct 2016
Well Bob, your article confirmed my suspicions. Streaming Netflix was unattainable a few days ago for a few hours 2 different nights. And Amazon was more quirky than usual. Wallyworld usually acts quirky so who knows in its case? But where was the notifications that an attack occurred? The first night I reset my router and that had no effect. Didn't see any news on the shutdowns either. Just yours.
Posted by:
Jay R
29 Oct 2016
Kevin- I see that you have a firm grasp on things....er, thongs. Thong Thung Blue.
BTW, good post!
Posted by:
kevin
29 Oct 2016
To Jay R: Thanks.
Actually I better not have a firm grasp at Thongs. Only the Donald can get away with that. (Sorry for that line. My toaster made me say it.)