On October 21st, millions of people on the East Coast were denied access to dozens of major websites such as Netflix, Twitter, Spotify, Reddit, Pinterest, and PayPal, as well as to news sites like CNN, Fox News, The New York Times and the Guardian. Later in the day, a wave of similar outages affected the Atlantic coasts of the United States and Europe.
The attack was focused on Dyn, one of the companies that run the internet’s Domain Name System (DNS). The first attack came around 7am EST, a second followed at noon, and a third came just after 4pm. The Department of Homeland Security began an investigation the same day.
The outages were the result of a cyber attack known as a DDoS, or Distributed Denial-of-Service, a threat that is becoming increasingly common, as Brian Krebs, an independent security researcher, noted earlier in October on his blog KrebsOnSecurity.com. Simply put, a DDoS attack is designed by hackers to flood a network with useless traffic until it crashes.
Amazon’s web services division, the world’s largest cloud computing company, was also affected, although Doug Madory, director of internet analysis at Dyn, could not confirm whether the outages at Dyn and Amazon were linked. Flashpoint, a cybersecurity firm, attributed the attack to malware based on the Mirai source code, which infects a network of devices with self-propagating code and uses that network to overload the target.
The Mirai source code powers a botnet built from “Internet of Things” (IoT) devices. The IoT allows objects to be sensed and/or controlled remotely across existing network infrastructure and thereby allows more direct integration of the physical world into computer-based systems. Ideally, the IoT improves efficiency and accuracy and brings economic benefits, but its scope, including smart devices, security systems and integrated networks, means that attacks can be devastating.
The IoT was born in 2008, when the world first had more smart devices than human beings, at which point cybersecurity experts warned that such devices were incredibly insecure. “Among the numerous vulnerabilities are that most of them have open and discoverable administrative controls, default passwords and no capability to be patched or updated,” writes Taylor Armerding of CSO Online.
Unfortunately, because there are now estimated to be roughly 16 billion smart devices in the world, securing all of them would be a Herculean feat. And what may be surprising is that the attack is not believed to have originated from a national enemy or cyber criminal mastermind, but rather from “script kiddies” who used the Mirai malware source code after finding it posted publicly on hacker websites.
Another major problem is that many users do not know how to secure their devices, or why it matters. However, the onus is not necessarily on the user, as Chester Wisniewski, principal research scientist at Sophos, explains: “Today almost all of the responsibility is on the consumer, who more often than not is not aware of the risks and doesn't know what to do to mitigate them… Consumers have some responsibility, but shouldn't have to become security specialists.” He maintains that “The burden should be almost entirely on the manufacturer to make it as simple as possible.”
Mike Lynch, chief strategy officer at inAuth, adds a second point: product designers and manufacturers are not necessarily security experts. “In the eyes of many organizations, building in security protocols is an unnecessary expense that eats into margins, both factors combine to create conditions where security is relegated to afterthought status,” he said.
This attack will almost certainly not be the last of its kind. But because it affected an entire DNS provider, as opposed to being confined to individual owners, we may begin to see better encryption and security protocols taken more seriously and on a wider scale.