Hacking The IOT

This is a post series on cyber crime. For more posts click here or the cybercrime tag below.

It turns out that yesterday’s DDoS attack on Dyn, a major DNS provider, was carried out primarily using Internet-connected devices that are not typically thought of as computers (webcams and the like).

http://www.usatoday.com/story/tech/2016/10/21/cyber-attack-takes-down-east-coast-netflix-spotify-twitter/92507806/

The following is from Market Ticker.

DNS, the turning of names such as “market-ticker.org” into IP numbers, is an essential part of any online presence on the Internet.  Being without it in most cases doesn’t reduce you to using IP numbers, it means what you’re trying to do doesn’t work at all, especially in any sort of shared hosting environment on the web.

The good news is that it’s not all that hard to do DNS on your own but it does take some attention to do well, particularly if you care about security of your domain responses (and online transaction sites most-certainly do!)

The “save a nickel” crowd got rat****ed today, as there appears to be yet another instance of mass-stupidity which has infested the Internet and now it has blown up in those people’s faces who relied on it.

This morning a ton of websites and services, including Spotify and Twitter, were unreachable because of a distributed denial of service (DDoS) attack on Dyn, a major DNS provider. Details of how the attack happened remain vague, but one thing seems certain. Our internet is frightfully fragile in the face of increasingly sophisticated hacks.

Meh.

Why is Dyn at the center of all of this?  Is it impossible for Twitter, Amazon, CNN, Reddit, the NY Times, PayPal, Spotify, Soundcloud, AirBnB, HBO, Netflix, Etsy, Github, Vox and others to run their own damn DNS servers?

No.  They’re just cheap, ignorant fools.

And, like the “cloud” guys (some of them are the “cloud guys”) they bought into the same bull**** they peddle to the masses.

Oh, and it probably didn’t help that a bunch of other cheap bastards sold a lot of crap into the consumer market (like webcams, etc) that are grossly insecure, trivially hacked and taken over either.

What appears to have wound up happening is that these firms’ DNS services got concentrated at one company instead of being spread out as the Internet was originally designed to work, and some malefactors discovered this and hammered the concentration point using said insecure devices as their “relays”, trashing all of them at once.

Oops.

It’s not supposed to work like that, or have an impact like that.  But it did, and it does, and on we go.

You know, I’m just a little blog publisher.  But I run my own DNS.  I even secure it with DNSSEC so attempts to poison my zone won’t work.

Gee, how come?

Because it’s not really very hard, it’s a small part of what running the rest of the site consists of in terms of effort and expense, and without DNS nothing works at all.

That last part is sort of important, you know…..

But heh, it’s kinda like sticking your so-called “encrypted” data on a cloud machine, then putting the key there so you can use said data and believing that all of this is secure even though anyone who has administrative access at said cloud provider can almost-certainly read the memory image of your virtual machine, steal the key and once they’ve done so they have it forever.

Yes, I know, all these nice big cloud companies have great security policies, some might even fingerprint people and do background checks (is it really hard to pull a background check on a high-level sysadmin?).  It’s not like taking the three or five guys and gals who might need “God” keys to the infrastructure at your company and multiplying the risk of compromise from five people to 500, including some who aren’t even in the US and thus aren’t reachable by US law through playing “cloud” is a bad idea, right?

Never mind that if some big company did screw the pooch they’d be held accountable both civilly and criminally, yes, just like the thousands of criminal charges brought against officers, directors and executives of various firms that have done all sorts of nasty things over the years, including the fraud-laced Internet bubble, the fraud-laced housing bubble and the pie-in-the-sky market bubble now, right? You could look at Yahoo, which was so forthcoming about being massively hacked with 500 million accounts stolen; they got indicted, right? Or you could look at all those indictments out at Wells Fargo offices for identity theft against 2 million consumers who had accounts set up under false pretense complete with claimed signatures that never were given (that’s forgery, by the way, and bank fraud, by the way, and last time I checked both are crimes.)  Oh wait, you mean there hasn’t been even one arrest made in either case and in the latter the abuse has been going on for nearly 10 years?  And how many similar screw jobs have there been in other big businesses and how many busts?  Uhhhhh….. yeah.

And as for the producers of all those nice “Internet of things” devices they have all been held accountable too, just like you would be for putting up a pool with no fence since they’ve been selling knowingly insecure devices that are trivially hackable and able to be abused to screw others, right?  I mean, we can find thousands of indictments against the officers, directors and owners of those companies, and a bunch of them are in jail right now, yes?  Oh wait…..

Finally, and for context in the present situation, none of these firms would ever screw up due to just pure stupidity, incompetence, lack of knowledge or laziness, none of the people they hired would ever be careless, crooked, bribed or blackmailed and the firms would never take a shortcut like…….. putting their DNS in the same, concentrated, non-dispersed and thus easily-attacked place?

https://market-ticker.org/akcs-www?post=231579

He points out, correctly, the issue of all the companies putting all their DNS eggs in one basket.  That’s a HUGE vulnerability and I hope that the affected companies deal with the issue really fast, preferably by setting up their own DNS servers.
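The “eggs in one basket” problem is something you can check for yourself. Below is an added example, not code from the original post or from Market Ticker: it takes the NS answer for a zone (the kind of output `dig NS` gives you) plus the A records of each nameserver, and reports whether every authoritative server belongs to one provider or sits in one /24. The zone names, nameserver hostnames and addresses are constructed for the example so that it runs offline, and the “provider = last two labels of the NS hostname” rule is a simplifying assumption, not a general public-suffix algorithm.

```python
"""Check whether a domain's authoritative DNS is concentrated at one provider.

Added illustration for this post, not code from the original post or from
Market Ticker. Input is the kind of NS answer you get from `dig NS zone`
plus the A records of each nameserver. The records below are constructed
(hostnames and addresses are made up) so the script runs offline.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed NS answer in dig's presentation format: owner TTL class type rdata.
# All four servers live under one provider's domain: the Dyn-style situation.
SAMPLE_NS_ANSWER = """\
shop.example.    3600  IN  NS  ns1.dnshost.example.
shop.example.    3600  IN  NS  ns2.dnshost.example.
shop.example.    3600  IN  NS  ns3.dnshost.example.
shop.example.    3600  IN  NS  ns4.dnshost.example.
"""

# Constructed answer for a zone that mixes a provider, a second provider and
# a self-hosted server (ns0.news.example is in the zone itself).
SAMPLE_NS_ANSWER_DIVERSE = """\
news.example.    3600  IN  NS  ns1.dnshost.example.
news.example.    3600  IN  NS  ns2.dnshost.example.
news.example.    3600  IN  NS  a.otherdns.example.
news.example.    3600  IN  NS  ns0.news.example.
"""

# Constructed A records for every nameserver named above.
SAMPLE_A_RECORDS = """\
ns1.dnshost.example.  300  IN  A  203.0.113.10
ns2.dnshost.example.  300  IN  A  203.0.113.11
ns3.dnshost.example.  300  IN  A  203.0.113.12
ns4.dnshost.example.  300  IN  A  203.0.113.13
a.otherdns.example.   300  IN  A  198.51.100.7
ns0.news.example.     300  IN  A  192.0.2.53
"""

# owner TTL IN TYPE rdata (only NS and A are of interest here)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A)\s+(\S+)$")


def parse_rrs(text, rrtype):
    """Return {owner: [rdata, ...]} for records of one type in dig-style text."""
    out = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        m = RR_RE.match(line)
        if m and m.group(2) == rrtype:
            out[m.group(1).lower()].append(m.group(3).lower())
    return dict(out)


def provider_of(ns_host):
    """Assumption for this example: the provider is the last two labels of the
    nameserver hostname (ns1.dnshost.example. -> dnshost.example)."""
    labels = ns_host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_ns_diversity(zone, ns_text, a_text):
    """Summarise how spread out a zone's authoritative servers are.

    'concentrated' is True when all servers share one provider, or when all
    of their known addresses fall in a single /24: one outage or one DDoS
    target takes the whole zone offline."""
    ns_hosts = parse_rrs(ns_text, "NS").get(zone.lower().rstrip(".") + ".", [])
    a_recs = parse_rrs(a_text, "A")
    providers = {provider_of(h) for h in ns_hosts}
    nets = set()
    for h in ns_hosts:
        for ip in a_recs.get(h, []):
            nets.add(ipaddress.ip_network(ip + "/24", strict=False))
    concentrated = bool(ns_hosts) and (len(providers) == 1 or len(nets) == 1)
    return {
        "zone": zone,
        "nameservers": sorted(ns_hosts),
        "providers": sorted(providers),
        "subnets": sorted(str(n) for n in nets),
        "concentrated": concentrated,
    }


if __name__ == "__main__":
    for zone, text in (("shop.example", SAMPLE_NS_ANSWER),
                       ("news.example", SAMPLE_NS_ANSWER_DIVERSE)):
        r = assess_ns_diversity(zone, text, SAMPLE_A_RECORDS)
        verdict = "CONCENTRATED" if r["concentrated"] else "ok"
        print(f"{zone}: {len(r['nameservers'])} NS, providers={r['providers']}, "
              f"/24s={r['subnets']} -> {verdict}")
```

To run it against a real zone, feed it the answer sections of `dig NS yourzone` and `dig A` for each nameserver. Four nameservers that all resolve into one provider’s address space are one basket, not four; the fix the post argues for is at least one authoritative server under a different provider or on your own infrastructure, on a different network, which is also what RFC 2182 recommends for secondaries.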

That doesn’t change the fact that the Internet of Things is incredibly vulnerable and that changes are going to be needed. This time it was a DDoS attack. Next time it could be a mass shutdown of critical devices at selected times in security systems.  Or the kind of stuff in that cartoon I posted recently.  The time has come to take computer security to a new level or everybody is going to get burned.

The Week In Ransomware.

http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-21-2016-mbrfilter-click-me-games-and-more/
