Despite ignoring claims from Wikileaks and New World Hackers, attempts to attribute blame for the DDoS attack last Friday against the Dyn DNS service seem to agree that it was "non-state actors":
> Asked if the internet attack was done by a non-state actor, [US DNI James] Clapper said: "Yes, but I wouldn't want to be conclusively definitive about that yet," adding, "That's an early call."

AKA "amateur hackers":
> Business risk intelligence firm FlashPoint has put out a preliminary analysis of last week’s massive denial of service attack against Dyn DNS, and its conclusion is it was likely the work of amateur hackers — rather than, as some had posited, state-sponsored actors perhaps funded by the Russian government.

Which is, of course, only reassuring if you don't think about it. Even less reassuring is Dyn's new estimate of how many IoT devices were involved in the attack:
> With more time to analyse its logs, DNS provider Dyn reckons about 100,000 Mirai-infected home web-connected gadgets knocked it out last Friday.
>
> In its latest analysis, product executive veep Scott Hilton writes: “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

That's less than 10% of the devices estimated to be already infected with Mirai. And new devices are compromised quickly:
> The bad news is that the Mirai spreads so fast that a rebooted, clean, device gets re-infected in five minutes, according to the estimates of researchers who’ve been tracking the botnets.

The potential is much larger:
> Security firm BullGuard, which this summer acquired IoT security startup Dojo-Labs, offers a free IoT scanner tool for consumers to check whether any of the devices connected to their home network have been indexed by the Shodan search engine, which lists publicly accessible IoT devices that may be vulnerable to hackers.
>
> The company says consumers have scanned more than 100,000 unique IPs via this tool so far — with 4.6 per cent of these scans revealing vulnerabilities. Extrapolating that sample to the circa four billion connected devices that exist globally, BullGuard claims this could equate to around 185 million vulnerable IoT devices.

So a potential attack that used 10% of the resource would be 100 times larger than the Dyn DDoS. And copy-cat attacks are already happening; one hit Singapore-based network StarHub yesterday.
Desperate suggestions for mitigating the problem range from white-hats taking over the Things (a suggestion that's already been acted upon for other botnets):
> Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the “bad guys” Mirai can do it, a “good guys” Mirai—perhaps even controlled by the FBI—could do the same.

This isn't really an option:
> given that the Mirai botnets are comprised of several disparate devices, made by several different companies, it’d be extremely hard to push an update that works for all of them, according to security researchers.
>
> “I suspect a perfect white-hat fixer-upper virus is unfeasible,” Emin Gun Sirer, a professor at Cornell University, told me.
>
> The real challenge of this whole scenario, however, is that despite being for good, this is still illegal.

Intel's proposal is equally impractical:
> As for coping with the threat we face now, courtesy of millions of pathetically insecure consumer IoT devices, Schrecker’s proposed solution sounds elegantly simple, in theory at least: “Distribute, for example, gateways. Edge gateways that can contain a DDoS and are smart enough to talk to each other and help contain them that way.”

ISPs haven't deployed even the basic BCP38 filtering, so they're going to buy and deploy a whole lot of new hardware? But Intel's Schrecker is right about the threat:
> If the operators behind these IoT-enabled botnets were to “point them at industry” instead of smaller targets such as individual journalists’ websites, as happened with infosec researcher Brian Krebs, the impact on the world economy could be “devastating”, he added.

In other news of the Things, flaws in the protocol used to control most drones allow attackers to seize control from their owners, opening up lots of exciting new possibilities:
> The widespread availability of hijacking devices comes with a tremendous number of consequences, some of them unsettling. One of the more frightening scenarios is someone using a device to hijack one or more devices that are in close proximity to a large number of people. Drones are capable of carrying large amounts of fuel that can burst into flames upon impact, as evidenced in this video.

Although most drones have yet to be connected to the Internet, many industrial control systems are. And of course they have vulnerabilities:
> A vulnerability in Schneider Electric’s industrial controller management software created a possible mechanism for hackers to plant malicious code on industrial networks.
>
> Industrial cybersecurity firm Indegy discovered the recently resolved flaw in Schneider Electric’s flagship industrial controller management software, Unity Pro. “The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges,” Indegy warned in an advisory.
>
> Mike Ahmadi, global director of critical systems security at Synopsys, added: “Security issues in control systems are widespread and continue to grow in numbers as researchers focus on uncovering them.”

Nice Internet you've got there. Shame if anything happened to it.