I always start my day by reading The New York Times over coffee. On the morning of Oct. 21, however, The Times homepage wouldn’t load. I tried Twitter and Amazon only to find the same issue. I reboot my computer and then reset my router. That didn’t work. I even took my phone off Wi-Fi and used my cell provider’s network to try to access the sites. Nothing. All I got was “page not found.”
I then realized something was seriously wrong.
We now know that one of the largest distributed denial-of-service (DDoS) attacks ever had taken down much of the Internet across the Eastern Seaboard that Friday morning. This was significant. This was serious. I needed to know what was going on. So I turned to my network of cybersecurity gurus, and Bryce Austin, CEO of TCE Strategy, was at the top of the list. Here’s a segment of a call in which Bryce explained — in terms I could understand — what happened and how it happened, and offered some suggestions that could have prevented such an attack.
Phil Weinzimer: Bryce, What happened?
Bryce Austin: From the reports we have so far, a carefully orchestrated DDoS attack against Dyn, one of the primary companies that translates website addresses into the computer IP addresses that run the Internet, was underway. It prevented computers like yours from being able to see Internet sites by their name. For example, www.bryceaustin.com translates to 107.180.27.156, but you need a server to translate one to the other. That’s what the bad guys went after.
Which bad guys?
We don’t know yet. A group called New World Hackers has claimed responsibility, but I’m unaware of any evidence to substantiate that claim. Interestingly, the group known as Anonymous petitioned President Obama in 2013 to make DDoS attacks a legal form of protest. Friday’s attack took DDoS attacks to a whole new level.
What does it take to pull off an attack such as this?
The firepower comes from Internet-connected devices, many of which you and I own. Thousands and thousands and thousands of them. A bad guy has taken them over and we, as their owners, don’t know it. These Internet-connected devices flooded Dyn’s servers with so many requests that they couldn’t keep up with the demand and were essentially taken offline as a result. This would be the equivalent of having every automobile owner in New York get in their car at the exact same moment and go for a drive. There would be gridlock. No one could get anywhere. That is what happened. It appears to be the most significant, sophisticated attack using the Internet of Things (IoT) yet.
How would you explain IoT to a CEO who is unfamiliar with the term?
The IoT is made up of all those things that you can access over the Internet but don’t think of as a traditional computer. Security cameras. Internet-connected thermostats. Coffee pots and garage door openers that you can control with your smartphone. All of these things are little computers, and when used in concert, they can make quite a racket on the Internet. That’s what happened last Friday morning.
What does this say about IoT?
It says that we have left ourselves vulnerable. The way that these IoT devices were compromised was very simple: Many IoT devices have default administrator passwords or run on OSes that have known vulnerabilities that are easy to exploit. Hackers have been scanning the Internet for devices like these, and when they find them, they take control of them. Sometimes they use the control they have to hack further into a given network, but you have to be a high-value target for that to be worthwhile for the bad guys. Normally, they use this army of IoT devices to do their bidding when the time is right. A few weeks ago, it was an attack on the well-known cybersecurity journalist Brian Krebs’s website. Now it’s an attack on one of the underpinnings of the internet itself.
What can we do to prevent this in the future?
There are many steps we can take to help.
Short term:
- We can ask our technology teams to find the IoT devices on our networks. Have them look up the model numbers of those devices on the internet and see if there are known vulnerabilities or default passwords associated with them. They can either patch them (if a patch is available) or update the password to a complex one that is difficult to guess.
- If no solutions from option one are available, we can disconnect these devices from the internet and accept any loss of functionality that occurs as a result. We need to ensure that all IoT devices we use are providing a genuine business value. Do we really need to be able to change the temperature of a thermostat from our smartphone? Is that a competitive advantage for a company?
- Those that handle procurement of electronic devices can call the manufacturers of these devices and request that they release a firmware update to patch any known vulnerabilities with their devices. We can write contract language that requires vendors to stop shipping devices with universal default passwords.
Long term:
- We need to demand from manufacturers that they take cybersecurity seriously. IoT cybersecurity goals need to be stated as policies that companies take very seriously when evaluating who to do business with.
- As business owners, technology leaders, or procurement or purchasing leaders, we can demand that contracts signed going forward with vendors contain language stating that their devices are able to accept remote firmware updates, and that they will make changes to the firmware of their devices to keep them protected against current and future cybersecurity threats.
- We can increase the awareness of the need for periodic scanning and patching of IoT devices on all networks, so that we do not leave so many devices open and exposed to those that would do us harm.
Lessons learned
I found my interview with Austin very enlightening. When the Internet was developed, companies quickly figured out how to leverage this new technology into revenue. Now, those that would do us harm are quickly figuring out how to use this technology against us, and the very nature of the internet breaks down all geographic and political borders. We are concerned about security and how it can not only damage our company, but our national security as well. Last Friday’s DDoS attack was not a devastating event, but it should be taken as a warning that more serious events are likely to come unless we act.
Companies are taking this very seriously. An example of this is a recent PCWorld.com article about a Chinese firm that is recalling “4.3 million IoT camera devices due to a security vulnerability that can make them easy to hack.” That is real progress.
As an analogy, changes in fire code came swiftly after Mrs. O’Leary’s cow knocked over a lantern in Chicago in 1871. Changes in earthquake resistance in buildings tend to come soon after major earthquakes. Hopefully the October 21st DDoS attack will serve as a warning that we can work together to prevent larger attacks from ever occurring as security is becoming a central focus for every company.
I always look forward to any insights and comments, and Bryce Austin can be contacted bryce@bryceaustin.com.
This article was originally published at CIO magazine.
