The Internet of Things attacks. If we don’t do better, we will get hurt.

Summary: While America chattered about the soundbites and lies, one of the largest cyberattacks in history took place. Cybersecurity expert Emilio Iasiello discusses what happened and what it means. As so often happens, the big stories often get lost amidst the flotsam and jetsam of the news.

Watch the evolution of a historic attack on the United States…

DDOS attack - By Andrew Liszewski
DDOS attack – From iO9, by Andrew Liszewski.

The Internet of Things attacks. When Will We Learn?

By Emilio Iasiello.
Posted at Cyber DB, the Cyber Research Databank.
7 November 2016. Posted with his gracious permission.

In late September and late October 2016 two massive distributed denial-of-service (DDoS) attacks successfully targeted and impacted the operations of their targets. In the October DDoS against Dyn, a cloud-based Internet Performance Management company, several high profile organizational websites (Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, to name a few ) for a substantial part of the day {details here}. While Dyn was ultimately able to mitigate the three-wave attack, it did impact users’ abilities to access these sites.

In both instances, attackers took advantage of generally insecure Internet of Things (IoT) devices and harnessed the volume to create large botnets able to launch substantial DDoS attacks. These are not the only two instances in which enterprising criminals sought to leverage IoT in fulfillment of their activities. Both in September and June 2016, IoT devices such as home routers and closed circuit television cameras were used to proliferate the attacks. This is very disconcerting given the fact that IoT as an industry is becoming a foregone conclusion and that more and more of these devices are being produced, marketed, and injected into our daily existences. Unsurprisingly, this is a market expected to continue to grow and is frequently cited as a top trend according to some sources.

CyberCrime

On one hand, the IoT is an escapable foregone conclusion: the more products and devices are upgraded with technologies, the more IoT makes its presence known in our lives. Indeed during 2015, the IoT gained significant traction and momentum across a range of industries, a trend that is expected to continue for the foreseeable future. According to one source, the manufacturing ($165 billion) and transportation ($78 billion) sectors led the word in IoT spending in 2015 with insurance, healthcare, and consumer verticals estimated to quickly catch up.

With more devices coming online in the era of the Internet of Things, what’s disconcerting is the fact that any device can be leveraged to conduct such attacks. Moreover, there is currently not a way to monitor the various IoT items that are Internet accessible, thereby making any seemingly benign device a potential collaborative aide for hostile actors. What the Dyn attack and the Mirai before that has demonstrated is that even the most seemingly benign devices can be harnessed to inflict a specific effect.

What’s more, the Dyn incident shows that it is not necessary for hostile actors to go after high profile organizations’ websites, but applying a “works smarter not harder” ethic, try and determine if a third party company is in charge of managing several websites and going after it.

However, the problem in trying to address security in IoT may be easier said than done. Industries within that space need to collectively come up with standards and regulations and compliance measures. This is no easy hurdle to be sure. But despite the seemingly daunting challenges these few initiatives face, to do nothing is nothing short of negligent in this day and age where breaches are getting larger with more and more data being compromised and put at risk. As we move to the end of 2016, what has been evident is that trying to address security after the fact has proven a largely ineffective endeavor. With an approximate number of IoT devices in all industries estimated at 6.4 billion by the end of this year, by the time any progress is made in “catching up” will likely be wasted with newer technologies being produced, and older legacy ones no longer being supported.

As the adage implies, “if you don’t learn from history you are destined to repeat it,” so our high information technology existences eagerly seek to provide the latest devices to be incorporated into our lives without giving a thought to have to secure it; or as consumers, how the public writ large can ensure the security of the devices in their homes. Regardless of the amount of cyber breaches resulting in the loss of millions of sensitive financial or personal records that have garnered significant global attention, convenience and ease of use still appears to champion the fundamental aspects of information security – maintaining confidentiality, integrity, and availability of the information systems and the information resident on them. IoT should be more than just the next evolution in better streamlining our experiences and workflows; it needs to provide better protection to instill confidence in the very technology that is trying so desperately to improve our lives.

————————————————–

Editor’s note

There is another dimension to this, one ignored by most cybersecurity experts: the motivation of these DDOS attacks. If vandals, they are a crime and a problem. If these attacks are profitable — perhaps very profitable — because they will be imitated, making them a much larger problem. The tool has been built. Now people will find ways to use it.

Emilio Iasiello

About the Author

Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as a private sector companies. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals.

See his other articles on the Dark Matters website. He now posts at Dead Drop of the LookingGlass Cyber Threat Intelligence Group.

For More Information

For more about this attack see “It’s the Beginning of a Dark Era for Cyber Security” by Techno and “Hackers Used New Weapons to Disrupt Major Websites Across U.S.” by Nicole Perlroth at the NYT.

If you liked this post, like us on Facebook and follow us on Twitter. See all posts about cybersecurity, especially these…

To learn more about this vital subject, here are some useful sources:  Kevin Mitnick’s Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker and Brian Krebs’ Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door.

Ghost in the Wires
Available at Amazon.
Spam Nation
Available at Amazon.
Advertisements

3 thoughts on “The Internet of Things attacks. If we don’t do better, we will get hurt.

Leave a comment & share your thoughts...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s