Last week, Dyn, an internet traffic manager, was hit with a massive DDoS attack that crippled their service and denied access to several major websites. For hours, the internet was down as Twitter, eBay, PayPal, Amazon, and Reddit, to name a few, were knocked offline.
Woah, what’s happening with the Internet today? Look at this map from Level3 pic.twitter.com/VC8n7iY73E
— Alex Fitzpatrick (@AlexJamesFitz) October 21, 2016
DDoS attacks, short for distributed denial of service, are carried out by using compromised IP addresses to flood a server with more traffic than it can handle, effectively causing it to crash. The attack on Dyn was so massive that it grabbed the attention of major news outlets globally and is under investigation by government authorities. It’s also quite similar to what happened to Krebs on Security a few weeks ago, which featured a malware strain known as Mirai.
Mirai targets the Internet of Things (IoT) and uses tens of thousands of compromised devices (known as a botnet) to launch attacks. Basically, your internet-connected things, such as surveillance cameras and DVRs—when infected—become zombies controlled remotely by the attacker, most often without you even knowing. These zombie devices, when called upon, are aimed at specific servers and flood them with more internet traffic than they can handle. Making matters worse, the author of Mirai publicized the source code, allowing other cybercriminals to carry out similar campaigns and likely leading to more in the near future.
The effects of these attacks cause inconveniences for consumers and monetary losses for websites. But the vulnerabilities of IoT are much more concerning than just websites being unavailable.
You may remember a report from last year when a team of hackers demonstrated how they were able to take complete control over a Jeep Cherokee. Even more concerning, cybercriminals used DoS to ground several flights in an attack against a Polish airline. Clearly, there’s a lot at stake here. And we’re just getting started.
The Internet of Things is growing. Our appliances, entertainment systems, thermostats, and motor vehicles—among others—are now connected and can be accessed remotely. Convenience and the “cool factor” sell. As a result, tech companies are quick to roll out new features for products that include IoT capabilities. Their urgency to penetrate the market, however, has led to a major security issue—that being the lack of security.
And it’s not just DDoS attacks we need to worry about; it’s also ransomware. White hat hackers presented evidence of how thermostats can be infected, leading to more concern that soon everything in our homes will be the target of cybercriminals (credit to Joy of Tech for this comic):
As we’ve learned from smartphones and nearly every form of new internet-connected technology, first generation releases are rarely tested for vulnerabilities. And even if they are tested, most of these devices are shipped with factory default log-ins and passwords—both of which are public knowledge. Users typically fail to change the credentials, leaving their devices wide open, which is how both the attacks on Krebs and Dyn were possible.
But as much as we’d like tech companies to ramp up their security efforts (perhaps require new passwords upon first boot), and for there to be more regulation within the tech industry (whether that be self-regulation or, heaven forbid, government mandated), the onus is on all of us to ensure that our devices are properly secured. This is not a technical problem. It’s a human problem. Specifically, it’s a behavioral problem.
Don’t become a zombie: follow these steps now:
Step 1: Usernames and passwords.
As mentioned, these attacks are so easy for cybercriminals to launch because users are not updating the log-ins and passwords on new devices. Nearly everything that connects to the internet has a username and password, the defaults of which are public knowledge and need to be changed ASAP. And as always, simply changing the log-in credentials isn’t enough. Strong, unique passwords are imperative. In short, make sure your passwords don’t suck.
Step 2: Make a list. Check it twice.
Another reason IoT is so vulnerable is that devices are always on. Go around your home and/or your office and make a list of every internet-connected device you own. This list will come in handy as you double-check that every device has a strong, unique password. Once the list is complete, determine which devices are not in use, or rarely used, and disconnect them. It’s easy for tech to be out of sight, out of mind and, as a result, out of security safeguards.
Step 3: Automatic updates everywhere.
Now that you have an updated list of all your devices, and you’ve created strong, unique passwords for those devices, it’s time to update them to the most recent software and firmware releases. Once that’s complete, set devices and apps to automatically update. When developers release updates, they do so not just for new features and bug fixes, but also for important security patches. Setting updates to auto ensures that your IoT will always be on the latest and greatest software. Also, keep in mind that as a device ages, the probability of support being discontinued increases. An out-of-date device soon becomes a security liability. Consider disconnecting anything that’s no longer supported by the manufacturer or developer (it’s not like technology becomes obsolete quickly these days, right?).
Step 4: Review privacy policies.
Since you’re already logged in to set up a strong, unique password and turn on automatic updates, you might as well review the security settings and make sure they’re adjusted to your liking. We understand no one has the time or desire to read an entire EULA (end user license agreement), but familiarizing yourself with application permissions is security 101. There’s no reason that your fancy coffee maker, for example, needs access to your Facebook page. (What’s it going to do, post pictures of your morning coffee for you?) It’s also a good idea to occasionally check these settings since they’re likely to change with software updates.
Step 5: Proper disposal.
Not long ago, a user on Reddit shared his story of how he bought a set of WiFi enabled security cameras, determined he had no use for them and returned them. A short time later he received an email that the cameras had detected motion. Confused, he logged into his account and lo and behold, he had full access to the cameras and could watch the new owner of said cameras in his home.
There’s a lot of blame to be spread around for how something like that could even be possible, but the moral of the story is proper disposal. If you return any device, be sure to completely wipe it by resetting it to factory defaults. If you decide to recycle a device or give it away, be sure to completely wipe all personal information and, again, restore to factory defaults. Even if you decide to throw a broken device in the trash, be sure to destroy it beyond repair. Dumpster diving is still a widely used technique by criminals seeking to steal personal information.
Step 6: Don’t click on sh*t.
How do you suppose malware like Mirai spreads? All it takes is one click. Be skeptical of strange emails that contain links or attachments. The same is true of social media. Be careful of which websites you visit. Install antivirus and anti-malware software on every device possible. Always think before you click.
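Steps 1 through 3 can be checked mechanically once the device list from Step 2 is written down. The following is an added example, not part of the original post: a short Python script that reads a constructed inventory and lists what still needs doing for each device. The column names and the 90-day idle threshold are assumptions made for this example.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (Step 2). Column names are assumptions for this
# example. Passwords are never stored here, only whether they were changed.
SAMPLE_INVENTORY = """\
device,default_password_changed,password_unique,auto_update,vendor_supported,last_used
Living room camera,no,no,no,yes,2016-10-20
DVR,yes,no,yes,yes,2016-10-22
Old baby monitor,yes,yes,no,no,2015-12-25
Thermostat,yes,yes,yes,yes,2016-10-23
"""

STALE_AFTER_DAYS = 90  # assumption: "rarely used" means idle for 90 days or more


def is_yes(row, column):
    """Treat anything other than an explicit 'yes' as a failed check."""
    return row[column].strip().lower() == "yes"


def audit(inventory_csv, today):
    """Return {device: [actions]} for every device that fails Steps 1 to 3."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        actions = []
        # Step 1: factory defaults first, then password reuse.
        if not is_yes(row, "default_password_changed"):
            actions.append("step 1: replace factory default login")
        elif not is_yes(row, "password_unique"):
            actions.append("step 1: password is reused, set a unique one")
        # Step 2: devices nobody uses should come off the network.
        idle = (today - date.fromisoformat(row["last_used"].strip())).days
        if idle >= STALE_AFTER_DAYS:
            actions.append(f"step 2: idle {idle} days, disconnect")
        # Step 3: unsupported devices cannot be patched at all.
        if not is_yes(row, "vendor_supported"):
            actions.append("step 3: no longer supported, disconnect")
        elif not is_yes(row, "auto_update"):
            actions.append("step 3: update firmware, enable auto-update")
        if actions:
            findings[row["device"]] = actions
    return findings


if __name__ == "__main__":
    for device, actions in audit(SAMPLE_INVENTORY, date(2016, 10, 24)).items():
        print(device)
        for action in actions:
            print("  -", action)
```

A blank or misspelled answer in any yes/no column counts as a failed check, so a half-filled list errs toward flagging the device.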
We’re getting close to Halloween which means we can expect to see a lot of zombies. But you certainly don’t want your devices or computers becoming zombies (forgive the analogy; it was too good to pass up). Be a Human Firewall. Don’t sit around and wait for security technology to catch up to criminal hackers. Follow the six steps above and do your part to prevent future attacks.