At least one Canadian whose company specializes in launching cyber attacks to test the security of organizations believes the distributed denial of service attack that knocked out Web sites such as Amazon, Twitter, Spotify, Netflix, Tumblr, Reddit, and PayPal across much of the United States and the Canadian east coast could be a dry run for something bigger.
“This thing is not just about a few thousand people not being able to converse on Reddit or watch movies on Netflix for a few hours,” said Claudiu Popa, principal of Toronto-based security and privacy risk assessment firm Informatica Corp. “I believe whoever launched these attacks was just trying to prove their capability and check the authorities’ response times and procedures.”
Early Friday morning, domain registration and Internet performance management company Dyn reported that its network was experiencing some service interruptions. The New Hampshire company’s managed DNS infrastructure is responsible for directing Internet users to the Web sites they want to access. Apart from numerous corporate firms, its customers include social media companies such as Twitter.
Popa warns that security administrators should not let the all-clear message lull them into complacency.
While Dyn announced that the latest attack on its system has been resolved, the assaults have revealed weak spots in the cloud networks that link many of the online services that people use.
The new face of DDoS
The most basic form of denial of service attack relies on flooding a target Web site with massive amounts of online traffic to the point where it is no longer able to respond to online queries and simply grinds to a halt.
The traditional way of accomplishing this has been for attackers to gain control of thousands of computers and create a botnet that would carry out the incapacitating online bombardment.
The growth of the Internet of Things has changed everything, according to Popa.
“Now that we have millions upon millions of devices connected to the Internet, attackers suddenly have a broader range of arsenal at their disposal,” he said. “Think about it, every sensor, surveillance camera, connected thermostat, or toaster connected to the Internet can be turned into a botnet node.”
Too far-fetched? Not really. Such an IoT-based attack was used on the Web site of U.S. journalist Brian Krebs, according to ITiC columnist Eric Jacksch.
“Many of the devices used to attack Krebs were reportedly IoT devices, including cheap IP surveillance cameras sold to consumers,” said Jacksch. “The devices were compromised en masse due to flawed designs and the widespread use of default passwords.”
Flawed IoT devices and the rush to market
Therein lies the root of the problem, said Popa.
In their rush to churn out IoT devices to cash in on the IoT trend, manufacturers are neglecting to install adequate protection on their products, he said.
“The focus, it seems, is to get to market as quickly as possible,” Popa lamented. “In the rush to meet market demand, many of these devices are probably not being tested properly.”
He said engineers and manufacturers need to ensure that security features to prevent the devices from being hacked are “baked into the products” at the design and manufacturing stage.
Complacency has also led many users, both corporate and consumer, to neglect basic security practices. One of these, he said, is changing the default passwords that come with devices. Default passwords are very low-hanging fruit for attackers: once they have their hands on the default password for one device model, it is very easy for them to gain control of other units of the same model.
Larger threat looming
The threat is not over. It is just beginning.
Last week’s DDoS attackers could have been showcasing a new DDoS tool to potential clients.
We will likely see an increase in the use of IoT devices in DDoS attacks in the very near future. InfoWorld warns that while last week’s victims were social media users, next time the biggest victims could be enterprises that rely on software-as-a-service for critical business operations.