As I write this on 9/24/16 the preceding link doesn't work, although the Wayback Machine has copies. To find out why the link isn't working and what it has to do with the IoT, follow me below the fold.
The insecurity of the IoT has been a theme of many of my blog posts since 2014, pointing out that it was handing the bad guys, even relatively unskilled bad guys, a weapon that could render the Internet unusable. But nothing has been done to fix the problems and defuse the weapon. Dan Goodin's Why the silencing of KrebsOnSecurity opens a troubling chapter for the ‘Net tells us that we are running out of time:
KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposés reporter Brian Krebs wrote. ... On Thursday morning, ... he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. ... At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. ... In 2013, attacks against anti-spam organization Spamhaus generated headlines because the 300Gb torrents were coming uncomfortably close to Internet-threatening size. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size. Second and more significant, ... the attacks against KrebsOnSecurity harness so-called Internet-of-things devices—think home routers, webcams, digital video recorders, and other everyday appliances that have Internet capabilities built into them.
Go read the whole article.
This is asymmetric warfare. It doesn't take much skill or many resources to build a DDOS weapon of this kind. But defending against it is beyond the reach of most websites:
Krebs said he has explored the possibility of retaining a DDoS mitigation service, but he found that the cost—somewhere between $100,000 and $200,000 per year for the type of always-on protection he needs against high-bandwidth attacks—is more than he can afford.
So, unless you're seriously wealthy, any time you publish something on the net the bad guys don't like, they can blow your web presence away. Krebs' conclusion is sad:
"Free speech in the age of the Internet is not really free," he said. "We're long overdue to treat this threat with a lot more urgency. Unfortunately, I just don't see that happening right now."
And don't think that knocking out important individual Web sites like KrebsOnSecurity is the limit of the bad guys' capabilities. Everyone seems to believe that the current probing of the root servers' defenses is the work of China but, as the Moon Worm showed, careful preparation isn't necessarily a sign of a state actor. There are many bad guys out there who could take the Internet down; the only reason they don't is not to kill the goose that lays the golden eggs.
Pastor Martin Niemöller had it right:
First they came for the security gurus, and I did not speak out -
Because I was not a security guru.
This is probably yet another reason why we need to evolve to a Decentralized Internet (not just a Decentralized Web), perhaps Named Data Networking (NDN). Although, as I wrote, I'm not aware of a major "black hat" analysis of these decentralized proposals, the argument is very plausible.
Why can a large number of small, compromised devices with limited bandwidth upstream bring down a large, powerful Web site, even one defended by an expensive DDOS mitigation service? Two reasons:
- In today's centralized Internet, the target Web site will be at one, or a small number of, IP addresses. The network focuses the traffic from all the compromised devices onto those addresses, consuming massive resources at the target.
- In today's centralized Web, the target Web site will be one tenant sharing the resources of a data center, so the focused traffic inflicts collateral damage on the other tenants. It was the cost in resources and the risk to other customers that caused Akamai to kick out KrebsOnSecurity.
Denial-of-service attacks are possible in NDN. They take the form of flooding requests for resources that are known not to exist; flooding requests for resources that do exist, such as posts that you don't like, won't work. But both local and cooperative detection and mitigation techniques seem likely to be effective, see for example:
- Poseidon: Mitigating Interest Flooding DDoS Attacks in Named Data Networking, A. Compagno et al.
- Interest flooding attack and countermeasures in Named Data Networking, Afanasyev, A. et al.
- Identifying Interest Flooding in Named Data Networking, J. Tang et al.
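To make the detection idea behind those papers concrete, here is an added toy example (my own illustration, not code from any of the papers above, and a simplification of the Poseidon approach rather than its actual algorithm). It models one NDN forwarder's Pending Interest Table (PIT) and, per incoming face, tracks how many Interests expire unsatisfied versus how many bring back Data, and what share of the PIT the face holds. A face that scores badly on both measures is rate-limited, which caps the damage a flood of Interests for nonexistent names can do to the other faces. The face names, thresholds and the traffic mix in the simulation are all constructed for the example.

```python
"""Toy per-face interest-flooding detector for an NDN forwarder.

Constructed illustration (not Poseidon's exact algorithm): a face whose
Interests rarely bring back Data AND which holds a large share of the PIT
is flagged and rate-limited.  Thresholds below are assumptions.
"""
from dataclasses import dataclass


@dataclass
class FaceStats:
    interests_in: int = 0   # Interests received on this face
    satisfied: int = 0      # Interests answered by a Data packet
    expired: int = 0        # Interests that timed out in the PIT
    pending: int = 0        # PIT entries currently owned by this face


class InterestFloodDetector:
    def __init__(self, pit_capacity, unsat_ratio=2.0, pit_share=0.4, min_samples=20):
        self.pit_capacity = pit_capacity
        self.unsat_ratio = unsat_ratio    # expired / (satisfied + 1) above this is suspicious
        self.pit_share = pit_share        # fraction of the PIT held by one face above this is suspicious
        self.min_samples = min_samples    # do not judge a face before it has sent this many Interests
        self.faces = {}                   # face name -> FaceStats
        self.limited = set()              # faces currently rate-limited (no release logic here)

    def _stats(self, face):
        return self.faces.setdefault(face, FaceStats())

    def on_interest(self, face):
        """Incoming Interest on `face`; returns True if it was admitted to the PIT."""
        s = self._stats(face)
        s.interests_in += 1
        # A limited face may only hold half the normal PIT share (assumed policy).
        if face in self.limited and s.pending >= self.pit_capacity * self.pit_share / 2:
            return False
        if sum(f.pending for f in self.faces.values()) >= self.pit_capacity:
            return False  # PIT exhausted: exactly the state a flood tries to cause
        s.pending += 1
        return True

    def on_data(self, face):
        """Data came back for an Interest from `face`: the PIT entry is satisfied."""
        s = self._stats(face)
        s.pending -= 1
        s.satisfied += 1
        self._evaluate(face)

    def on_expire(self, face):
        """An Interest from `face` timed out without Data."""
        s = self._stats(face)
        s.pending -= 1
        s.expired += 1
        self._evaluate(face)

    def is_suspicious(self, face):
        s = self._stats(face)
        if s.interests_in < self.min_samples:
            return False
        ratio = s.expired / (s.satisfied + 1)
        share = s.pending / self.pit_capacity
        return ratio > self.unsat_ratio and share > self.pit_share

    def _evaluate(self, face):
        if self.is_suspicious(face):
            self.limited.add(face)


def simulate(rounds=200, pit_capacity=100):
    """Constructed traffic: 'user' asks for names that exist (Data two rounds
    later); 'bot' sends 8 Interests per round for names that never exist
    (each expires ten rounds later).  Returns the detector and per-face counts."""
    det = InterestFloodDetector(pit_capacity)
    events = []                       # (due_round, face, kind)
    forwarded = {"user": 0, "bot": 0}
    dropped = {"user": 0, "bot": 0}
    for r in range(rounds):
        for _, face, kind in [e for e in events if e[0] == r]:
            (det.on_data if kind == "data" else det.on_expire)(face)
        events = [e for e in events if e[0] != r]
        if det.on_interest("user"):
            forwarded["user"] += 1
            events.append((r + 2, "user", "data"))
        else:
            dropped["user"] += 1
        for _ in range(8):
            if det.on_interest("bot"):
                forwarded["bot"] += 1
                events.append((r + 10, "bot", "expire"))
            else:
                dropped["bot"] += 1
    return det, forwarded, dropped


if __name__ == "__main__":
    det, fwd, drp = simulate()
    print("rate-limited faces:", sorted(det.limited))
    print("forwarded:", fwd, "dropped:", drp)
```

In the simulation the legitimate face keeps every one of its Interests flowing because it never holds more than a couple of PIT entries and all of them are satisfied, while the flooding face is limited as soon as its expiries start arriving and thereafter gets only a fixed slice of the table. A real deployment would also need to release a face once it behaves again, and the cooperative variant in the Poseidon paper shares these per-face verdicts with neighbouring routers.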
A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought – typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision.
Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues.
Of course, if because of the insecurity of IoT devices the Internet becomes unusable, or even merely uninteresting once the bad guys have driven anything interesting away, everyone, from the ISPs to the DDOS mitigation services to the IoT device vendors, will be out of business. But right now the money is rolling in and it doesn't cost anything to just kick off the targets of the bad guys' wrath. Actually fixing things is someone else's problem.
Update 9/25/16: Cory Doctorow writes:
Meanwhile, Krebs was eventually bailed out by Google's Project Shield, one of Jigsaw's anti-"surveillance, extremist indoctrination, and censorship" tools. That right there is another sign of the times: the attacks launched by state-level actors and those who can muster comparable firepower are no match for Google -- so far.
He quotes a post by Krebs called The Democratization of Censorship:
But what we’re allowing by our inaction is for individual actors to build the instrumentality of tyranny. And to be clear, these weapons can be wielded by anyone — with any motivation — who’s willing to expend a modicum of time and effort to learn the most basic principles of its operation.
Krebs' post is long but important - go read it now, before it goes away again. If it does, the Wayback Machine has it.