Attacking the Internet is Now Child’s Play
Brian Krebs has made a lot of enemies by publicizing and thwarting many hacker organizations. So it’s not surprising that his website is constantly under attack. A recent attack on Krebs' website effectively silenced him for a week. Another recent attack took many popular sites offline for hours. Read on to see what's happening, and what you can do about it...
Could Poorly-Secured Gadgets Bring Down the Internet?
For years, Krebs has been shielded on a pro bono basis by Akamai Technologies, a content delivery and cloud services company. But even Akamai was overwhelmed by the distributed denial-of-service (DDoS) attack that hit KrebsOnSecurity.com on the evening of September 20. That deluge of junk traffic was twice the size of any DDoS attack that Akamai had ever seen before, and arguably the largest that had ever been seen. Krebs measured 660 gigabits per second of malicious traffic at his site’s ports.
Deflecting this tsunami of bad bits would have cost Akamai hundreds of thousands of dollars and degraded service to its paying customers. So Akamai had to cut Krebs loose from its DDoS shield. KrebsOnSecurity.com went offline for nearly a week.
Krebs shopped around to see what comparable protection might cost him. The best estimate he got was $150,000 to $200,000 per year, far more than any independent journalist can afford. Fortunately, Google stepped up to cover Krebs with its Project Shield, a protective service it offers to news sites that are targeted by would-be censors.
There were some other unique and disturbing characteristics about the DDoS assault that silenced Krebs besides its unprecedented enormity. First, the two botnets identified as the source of the attack consist of compromised “Internet of Things” (IoT) devices, not personal computers. Second, it turns out that IoT devices are so insecure that any low-skilled “script kiddie” can build an equally potent weapon and wield it against anyone he doesn’t like.
Level 3 Communications, a backbone network provider, has been tracking the botnets that attacked Krebs. One of them includes about 980,000 hacked devices, while the other has about 500,000 devices. That’s nearly 1.5 million sources of attack data, all aimed at one website.
What is a Botnet?
You might be wondering what exactly an "IoT device" is, and why such devices are so easily hacked and enslaved in botnets. Most soldiers in this army of hacked devices are unsecured webcams, along with other internet-connected gadgets you may own. That does not come as a surprise. Security experts have been sounding alarms about the danger of flimsy or non-existent security in cameras, DVRs, home-automation systems, even “smart” refrigerators and coffee makers, for several years. Now, it seems, that chicken has come home to roost with a vengeance.
How bad is the security of surveillance cameras? A site called Insecam.com aggregates over 73,000 Internet-connected cameras whose default userid/password has never been changed from “admin/admin.” Anyone online can access the feed from such a defenseless camera, or even turn it to point wherever he wishes. If that’s possible, imagine how easily a hacker can make it part of his botnet.
Generally, we’re not talking about the webcam in your laptop or smartphone. Millions of closed-circuit TV surveillance cameras have been installed worldwide, ostensibly to provide greater security to citizens - actually, to make it easier to identify and prosecute the perpetrators of crimes that have already happened and been “caught on camera.” Ironically, these crime-fighting tools are being usurped by criminals and used to commit crimes.
But Insecam has also included baby monitors among its collection of totally unsecured cameras. That should give parents pause. “We’re starting to see the first consequences of these poorly secured devices and the damage they can do when they are compromised,” said Matthew Prince, the founder of Cloudflare, a company that offers DDoS protection.
Chaos For Sale
Indeed, the process of penetrating the flimsy security of IoT devices from many manufacturers has been automated in software, which is available for sale on the “dark web” where drugs, guns, and other dangerous items are traded in secret. Other software for assembling and controlling compromised devices in a botnet of Biblical proportions has long been available. You don’t need much skill, just a bit of money.
Krebs is not the first, last, or largest victim of this new generation of mega-botnets powered by legions of poorly secured IoT devices. In fact, the same technique was used to trigger a massive Internet outage just over a week ago. For reasons unknown, hackers targeted Dyn, a company that provides Internet connectivity services to many popular websites. As a result, Amazon, Netflix, Twitter, Spotify and other sites were unreachable for several hours.
This phenomenon is relatively new, but it promises to mushroom into a global crisis very quickly. As fast as one botnet is identified and neutralized, another million or so devices can be compromised to take its place. Some security experts fear that the Dyn attack was just a "proof of concept" and that a similar attack, perpetrated by hackers or a foreign government, could do much more damage.
What Can Be Done?
Neutralizing this IoT threat isn’t easy. Few of the older generations of devices have firmware that can be upgraded remotely, or upgraded at all without pulling and reprogramming a flash ROM chip. Even after a security hole is identified, plugging it isn’t cost-effective so, in most cases, it won’t get done.
Internet service providers (ISPs) also need to step up and implement security standards and practices that can mitigate these attacks. There are ways to detect and block botnet activity, and it's also possible for ISPs to notify a customer if a device is spewing malicious traffic. But according to a WIRED article, most ISPs are reluctant to do either, because of the cost involved.
So what can YOU do? As I advised in my article IoT Security News Just Gets Worse, the most important thing you can do is to change the factory-supplied password of every internet-connected device you own, to something strong and unique. Going forward, consumers need to demand strong data security in any IoT products, and refuse to buy those that don’t provide it. That goes for light bulbs and refrigerators as well as surveillance cameras. No matter what its function, every “smart” device is an Internet-connected computer, and every Internet-connected computer can be hacked and used as a weapon.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 27 Oct 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Attacking the Internet is Now Child’s Play (Posted: 27 Oct 2016)