Cyberattacks are still here and so are your availability issues.
Just a few days ago ten of thousands of Internet of Things (IoT) devices brought down major websites in probably the largest Denial of Service (DoS) attack to date. It will take a long time until we learn how to protect our networks from those who want to prevent access to it. Here is the analysis of what happened, why the problem is not going to go away in the near future and what you can do to step up your security now.
Better safe than sorry.
Here is what we know.
Early morning on Friday October 21, over 100,000 IoT devices (e.g., printers, routers, video cameras, smart TVs) IP starting attacking Dyn – a Managed Domain Name System (DNS) infrastructure company operating in the US. According to Dyn there were three attack waves:
- Wave 1 From 11:10 UTC to 13:20 UTC that affected mainly customers in the East Coast. Internet users directed to Dyn servers on the East Coast of the US were unable to reach some sites, including Amazon, Reddit, Airbnb, Soundcloud etc.
- Wave 2 From 15:50 UTC until 17:00 UTC an attack that was more globally diverse and affected global customers of the company.
- Wave 3 that lasted until 20:30 UTC but didn’t affect any customers.
Who was affected?
Naturally, Dyn was the primary victim of the attack. But as a network infrastructure Dyn is well prepared for those kind of scenarios as they“practice and prepare for scenarios like this on a regular basis, and… constantly evolving playbooks and work with mitigation partners to address scenarios like these.”
Over 60 large well know online services providers were affected by the attack. Among them were: Amazon (AWS), PayPal, Twitter, Netflix, Soundcloud, Airbnb, Reddit etc.
On Oct 24 it was reported that Chinese electronics firm Hangzhou Xiongmai the manufacturer of the camera that participate in the attackannounced that they are recalling 10,000 devices. This is one of the first times and sets a precedent regarding manufacturer’s liability and responsibility to securing the IoT devices they manufacture.
How was it done?
The attack, characterized by the company as a “complex & sophisticated attack” was made using the “Mirai” botnet using vendor default passwords for Telnet access.
According to the US-CERT: “The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.”
After the devices is hacked, the operators are using maliciously targeted, masked TCP and UDP traffic over port 53 generating recursive DNS retry traffic. Dyn confirmed that Mirai botnet as primary source of malicious attack traffic. It is assumed that there are over 400,000 hacked IoT devices that are part of the Mirain botnet.
How can this happen?
Two trends made this possible: (1) The insecurity of critical internet infrastructure (DNS) and (2) the ‘explosion’ of unsecured IoT devices.
The DNS is a critical system that is responsible for two key roles:
- It resolves the web addresses, like www.financemagnates.com, into the IP addresses (18.104.22.168)
- Locating server that accepts mail for a given mailbox address.
Without DNS nothing on the internet can really work.
Let’s talk about IoT.
IoT is defined by the ITU as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.” In other words, devices such as smart cameras, energy meters, asset tracking, mobile payments, health monitoring, wearable sensors in watches, bracelets and so on that are connected to the internet and can communicate.
IoT is possible because of developments in GPS miniaturization, wireless and mobile connectivity, nanotechnology, radio-frequency identification (RFID) smart sensor technologies etc.
Despite all the exciting possibilities brought by the IoT, it can also jeopardize our privacy and security. According to recent estimates by Cisco there are already 15.7 billion devices connected to the internet. These devices include mobile phones, parking meters, thermostats, cameras, tires, roads, cars, supermarket shelves and many other types of objects. By 2020 it is estimated that there will be over 25 billion devices connected. That is more than 3 devices per person on earth. Securing those devices poses a challenge.
What can you do?
1. Check and see if there are any devices in your network that are infected to remove the Mirai malware from an infected IoT device follow these instructions. Even if there aren’t, it is highly recommended to take preventive measures such as: changing default passwords, updating old firmware, etc.
2. Understand your risks and single point of failures. Don’t assume it’s taken care of – because it’s not. Make sure you understand your potential losses and liabilities from incident response, business interruption, reputational damages, regulatory exposures and potential regulatory defense liabilities.
3. Analyze your risk from different aspects:
- As a direct victim – when the attack is against you.
- Your clients as third party victims (and their clients as well).
- As an owner of IoT or other devices that can be used by someone else. You can be held liable, especially if you haven’t done much and there were warnings (such as in our case).
4. Train and practice your incident response teams for relevant cyber attack scenarios for your organization on a regular basis.
5. Make sure your contracts with your clients and 3rd party supplies protect you from service failure liabilities and other exposures.
6. Buy from those you trust or from companies with a reputation for providing secure devices. It might cost more, but it will keep you less worried later.
7. Consider cyber insurance for your business.
The attack on the DNS infrastructure should serve as a reminder to us all that perfect internet security is still far away. We also need to start dealing with the ethics of the people behind the these attacks. As Dr. Mark Weiser “father of ubiquitous computing” once said: “The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it.” But the problem remains.
We now have to protect them to protect the fabric of our everyday life.