The Internet nearly breaks .. and it will only get worse



24 October 2016 (Frankfurt, Germany) – Last week’s DDoS attacks against Dyn (which provides DNS services for websites large and small) have been reported everywhere. And oh, the irony. Dyn provides managed DNS services to a huge array of companies. Ironically, that means that it promises to protect companies from the very DDoS attack that it suffered. By paying for a company to manage your own organization’s DNS, the theory is that you can save yourself a lot of time and money by not having to hire IT staff or purchase hardware to handle internet infrastructure issues like DNSSEC, IPv6, and a range of logging and reporting systems.


Side note: Dyn is one of roughly 10 large companies that offer this service for anything ranging from $10 a month for a single domain to thousands of dollars a month for large internet companies. What is most remarkable about this attack however is that it was specifically targeted at the provider of those services, rather than any particular company.

Our worst hacking fears came true. Criminals deployed millions of everyday objects – internet-connected cameras, printers, and so on – to launch an attack on a critical part of the Internet. Dyn itself identified “10s of millions” of unique IP addresses involved in the massive botnet DDoS attack. They used publicly available source code to assemble a bot-net army of internet-enabled devices, and then directed those devices to send massive waves of junk requests to a major DNS provider.

And most of these compromised devices, which make up the bot-net army, are still out there and unpatched, which means other attacks are likely on the way.

Lovely.  A chunk of the internet went down, effectively, because someone did a massive distributed denial-of-service attack using a botnet of millions of hacked IoT devices – mostly, it seems, IP webcams from one Chinese company that don’t have decent security. This is an interesting structural problem – the devices once sold are either impossible to patch or unlikely to be patched, the users probably don’t even know that their device is hacked, and the manufacturer has no motivation and probably few of the necessary skills to do anything about it.

A network designed to withstand nuclear attack, brought down by toasters? Jesus wept.

More interesting/worrying – who is doing this, why, and what will they do next? Bruce Schneier was traveling in Australia and Asia and had a few brief comments on his blog (a more detailed analysis to come this week) and opined it’s likely related to the DDoS attacks against Brian Krebs but also queried (as did many) whether it was a probing attack against the Internet infrastructure. Schneier did not think China .. “I don’t think China is going to launch a preemptive attack on the Internet” … while most cried “RUSSIA!!”

The DDoS attack against Dyn affected numerous websites, but the biggest victims are the enterprises that rely on SaaS for critical business operations.

I have been in Frankfurt, Germany over the weekend at the Frankfurt Book Fair which ended yesterday and funnily enough ran into a chap I know from the information security firm Flashpoint. He walked me through the process of how publicly available source code is used to assemble a bot-net army of internet-enabled devices, and then directs those devices to send massive waves of junk requests to a major DNS provider. It was an education.

But in a “briefing sheet” to provide his clients a quick summary he noted a few things:

  • A lot of this traffic – but not all – is coming from Internet-of-Things devices compromised by the Mirai botnet malware.
  • This software nasty was used to blast the website of cyber-crime blogger Brian Krebs offline last month, and its source code and blueprints have leaked online.
  • That means anyone can set up their own Mirai botnet and pummel systems with an army of hijacked boxes that flood networks with junk packets, drowning out legit traffic.
  • One online tracker of Mirai suggests there are at least 1.2m Mirai-infected devices on the internet, with at least 173,000 active in the past 24-48 hours.
  • Mirai spreads across the web, growing its ranks of obeying zombies, by logging into devices using their default, factory-set passwords via Telnet and SSH.
  • Because no one changes their passwords on their gizmos, Mirai can waltz in and take over routers, CCTV cameras, digital video recorders, and so on.
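
An added example, not part of the original post or of the Flashpoint briefing: a defender-side check for the spreading pattern in the list above. It flags sources that try Telnet/SSH logins against several hosts in a short burst, and devices that accepted a login and then began such a burst themselves. The log format, thresholds, function names and addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not a real product's.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z src=203.0.113.7 dst=10.0.0.21 port=23 result=fail
2016-10-21T11:10:02Z src=203.0.113.7 dst=10.0.0.22 port=23 result=fail
2016-10-21T11:10:03Z src=203.0.113.7 dst=10.0.0.23 port=23 result=success
2016-10-21T11:12:40Z src=10.0.0.23 dst=198.51.100.4 port=23 result=fail
2016-10-21T11:12:41Z src=10.0.0.23 dst=198.51.100.5 port=22 result=fail
2016-10-21T11:12:42Z src=10.0.0.23 dst=198.51.100.6 port=23 result=fail
2016-10-21T11:30:00Z src=10.0.0.9 dst=10.0.0.21 port=22 result=success
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) port=(\d+) result=(success|fail)$")
LOGIN_PORTS = {22, 23}  # SSH and Telnet, the two services named above


def parse(log):
    """Return (time, src, dst, ok) tuples for Telnet/SSH logins, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(4)) in LOGIN_PORTS:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(5) == "success"))
    return sorted(events)


def sweep_start(events, min_targets=3, window=timedelta(minutes=5)):
    """Map sources that tried >= min_targets hosts within `window` to burst start."""
    by_src, found = defaultdict(list), {}
    for ts, src, dst, _ in events:
        by_src[src].append((ts, dst))
    for src, tries in by_src.items():
        for i, (start, _) in enumerate(tries):
            burst = {d for t, d in tries[i:] if t - start <= window}
            if len(burst) >= min_targets:
                found[src] = start
                break
    return found


def recruited(events, sweeps):
    """Sweeping sources that accepted a login themselves before they started."""
    return {dst for ts, _, dst, ok in events
            if ok and dst in sweeps and ts < sweeps[dst]}
```

A device returned by `recruited` is a candidate for isolation and a credential reset; a single administrative login such as the one from 10.0.0.9 in the sample is not flagged.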

As I have noted in previous posts, there has been no centralized attempt to address the threat from the mass-proliferation of hardware devices such as Internet routers, DVRs and IP cameras that ship with default-insecure settings, despite a chorus of experts screaming “we must have an industry security association publish standards!!” Well, that and assure all members will adhere to the standards which are audited against periodically. Tough request. The wholesalers and retailers of these devices have their focus on a brutally competitive market and so their eye is on buying and promoting those connected devices, not securing them. So until there is a real shift in focus these insecure IoT devices are going to stick around like a bad rash – unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet.

Onwards, downwards the slippery slope

Yet once again the much-hyped illusion of a “solid whole” is ripped asunder. Ummm …. does anybody remember that striking demonstration of what a “solid whole” does not look like? You know … that composite of assembled pieces that came with the 2008 financial crash? What mainstream economists and governments alike had asserted to be the “perfectly calculated”, global financial market collapsed without warning. It turned out that the system was so finely leveraged that a relatively small number of people, who were unable to keep up with their mortgages, set in motion a rolling catastrophe. The very connectedness of the global financial market made it impossible to contain what would once have been a local misfortune. The crisis shows that it is one world now … badly … like it or not.

And that “connectedness” in the information age … yikes! If you get a chance, read Manuel Castells, a Spanish sociologist well-associated with research on the information society, communication and globalization. Back in the early 1990s he wrote about “electronic information networks” and what he called “a networked life” and “a network society”. He was speaking more about social relationships but noted we were moving toward a “frenzy of everything” and being “connected to everything”.

We have screwed ourselves. And we keep thinking there are levels, degrees of separation.

Wrong, oh mighty ones. The Internet is not just another form of a medium. It is THE universal medium for EVERYTHING. Just like media. There is no specific “social media”. ALL media is social media. It is what we use to depict ourselves to others, and to ourselves.

We humans have linked our destinies with our machines. Our technology has gotten so complex that we no longer can understand it or fully control it. As Neri Oxman (an American-Israeli architect, designer, and professor at the MIT Media Lab) has so eloquently written, we have entered the “Age of Entanglement”. She writes that when humans lived in the jungle, they thought that nature’s displays arose from mystical qualities. In the Dark Ages humans blamed the gods for causing unforeseen events that altered people’s lives. But the Enlightenment brought reason to bear; scientific analysis made sense of more and more of the world. We began to feel in control, and our understanding gave us the power to construct our own complex environment of technology.

To understand how the Internet encourages this interweaving of complex systems, you need to appreciate how it has changed the nature of computer programming. Back in the twentieth century, a programmer had the opportunity to exercise absolute control within a bounded world with precisely defined rules. They were able to tell their computers exactly what to do. Today, programming usually involves linking together complex systems developed by others, without understanding exactly how they work, or what other systems they might relate to. In fact, depending upon the methods of other systems is considered poor programming practice, because it is expected that they will change.

In one of her essays Neri Oxman uses truck shipments:

A program that, say, directs trucks to restock stores needs to find the locations of the trucks and warehouses, maps of the streets and the inventories of stores. And sensors at the loading docks. The program follows this information by connecting to other programs via the Internet. It might also support systems that track packages, pay drivers and track truck maintenance. All using similar public source code, which is used for many devices in the “Internet of Things”.

Expand this picture to include factories and power plants, as well as salespeople, advertisers, insurers, regulators and stock traders, and you begin to see the entangled system behind so many daily decisions. Although we created it, we did not exactly design it. It evolved. We are dependent and not entirely in command. Each expert knows a piece of the puzzle, but the big picture is too big to comprehend. Or where it all goes, connects to.

I cannot see a countertrend developing, which Neri espouses, that we should begin to build simple backup systems that one person can truly understand, to protect ourselves when critical systems fail. Well, yeah. In decades gone by, ham radio operators could keep the world connected if commercial communications crumbled. So are we going to develop a simple communications system independent of the Internet, so that civilization can continue to operate after a cyberattack, computer virus or unforeseen emergent behavior jams cyberspace? Ummm … no.

So there we are, back in the jungle – a digital jungle of our own creation. Most people will just accept the complexity and learn how to cope with it. Others will try to live “off the grid,” although few of them will give up Web access or cell phones or electric lights or penicillin. I am somewhat amused by the surge reported of Millennials dropping their smartphones for flip phones, candybar phones and other 2000s throwbacks.

Like it or not, the dependencies are too strong to allow us to disconnect. Our destinies are entangled with one another’s and with our technologies.

As Bill Turton, Brian Krebs, and other cyber mavens noted over the weekend we’ve entered into a new DDoS paradigm. The newfound ability to hijack insecure internet of things devices and turn them into a massive DDoS army has contributed to an uptick in the size and scale of recent DDoS attacks. We are nevertheless getting a taste of what the new era of DDoS attacks looks like, however. As Bruce Schneier explained in a brief blog post:

“Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state.”

And as Bill Turton ominously noted:

“these attacks can easily extend to other major pieces of internet infrastructure, causing even more widespread outages. This could be the beginning of a very bleak future. If hackers are able to take down the internet at will, what happens next?”
