12/8/2016 10:30 AM

From Carna To Mirai: Recovering From A Lost Opportunity

We had four years to prepare for recent DDoS attacks and failed. How can we learn from our mistakes?

Those not immersed in security and technology are mostly oblivious to one fact: the Internet is a fragile ecosystem. There are many parallels between the Internet and the ecosystems that span our globe. Each has vital resources that need to be protected and utilized for the greater good. When there is an imbalance in an ecosystem, bad things happen.

We saw this twice recently with the Mirai botnet, which co-opted a cadre of devices in the Internet of Things and forced them to issue denial-of-service (DoS) attacks that crippled many sites and services. But we knew this was coming and did virtually nothing to stop it, just like many real-world ecosystem disasters.

Let's look at where we were four years ago, how far we've progressed, and what we could do to stave off an Internet ecosystem disaster.

Back to the Future: The Carna Botnet
The Internet and media were abuzz four years ago when individuals claiming to be researchers — they remain anonymous to this day — released reports from what was described as the most comprehensive scan of the Internet to date. This became known as the 2012 Internet Census, and it provided insight into what was running on the Internet back then. These anonymous researchers hijacked home routers using weak, default credentials and installed software on those devices that let them control the execution of Internet service scans. While they claim to have done this solely to study the Internet, it is not known whether they performed only harmless actions or also used the devices in more malicious ways.

Reliving the Past until We Get It Right
Let the previous section sink in for a minute: we knew this was possible four years ago, and as each year passed we knew there would be more "things" connected to the Internet, and yet we did nothing to prevent these "things" from being deployed insecurely.

We're now at a point in time when it's easy to quickly scan the entire Internet and — if you're performing scans from hacked machines — at virtually no expense or risk.

When these devices are taken over and used maliciously because of vulnerabilities or weak default configurations, there are no consequences for the manufacturers of IoT devices, the owners of IoT devices, or the network providers from which these IoT devices originate their traffic.

Again, we're reliving the pain of decades of PC bots and viruses, now in the era of IoT, with some key differences in vulnerabilities, rampant adoption, usability, and exposure. There is another problem that comes with millions of IoT bots joining together in massive attacks: we're virtually defenseless, primarily because of how the Internet has been architected.

The distributed denial-of-service (DDoS) mitigation company protecting Brian Krebs had to abandon him as a customer because it couldn't absorb the attack on his site in September. Even if there were a handful of providers that could absorb such attacks, most people and organizations couldn't afford to use them, leaving everyone else at the mercy of the attackers. This is what's at risk if we retain the status quo.

A Secure Path Forward
If we do nothing, the attacks we saw this fall will not only be repeated, they will grow larger, have longer impact, and potentially have more sinister outcomes. What can be done?

For starters, more IoT vendors should follow Hangzhou Xiongmai's lead and recall products that have unfixable or easily exploitable default configurations. Although this step would be the responsible thing to do, it might not have the impact you'd expect. There's no surefire way to notify all individuals with problem equipment, and it only takes a scarily small number of vulnerable systems to cause widespread damage.

Another option is for each of us, in every country, to work with lawmaking bodies and get sane standards and regulations put forth for IoT devices. This won't affect the vast number of devices that are already out there, but most of us will throw these things away as we upgrade devices to take advantage of new features (or, they'll just break down, as many aren't made to last). This approach can be time-consuming, and it may take five years to have strong, enforceable standards in place.

A third option is for Apple, Amazon, and Google to co-develop requirements for when manufacturers want to integrate their IoT devices with the ecosystems of those three companies. These three are fast becoming the gatekeepers of IoT, and if they set the bar high enough it would have an immediate downstream effect. My guess is that we'd see more secure versions of products within one product release cycle and discounts for upgrade/trade-in offers.

A fourth option: a "cash for clunkers"-like program. Given the potential impact of these insecure "things," governments around the world — in partnership with nonprofit foundations — could band together and offer cash incentives for bringing in derelict devices. Coordination at this scale would be difficult, but it would be a boost to security and the global economy.

The Internet of Things has the potential to dramatically change our lives for the better and for the worse. We must all work to understand the current, tenuous state our fragile Internet ecosystem is in, then work together to ensure it will be there when we expect it to be.

Bob Rudis, Chief Data Scientist, Rapid7. Bob Rudis has over 20 years of experience using data to help defend global Fortune 100 companies and is a chief security data scientist at Rapid7. Bob is a serial tweeter (@hrbrmstr), avid blogger (rud.is), author (Data-Driven Security), ...
Comments

Christian Bryant, User Rank: Ninja, 12/8/2016 | 12:42:00 PM
Certainly Not Our Only Options?
Living in the open world, the free and open source software world, I am loath to consider some of the other options that have been thrown out there of late, including introduction of highly proprietary protocols for the Internet and network firmware that would replace current ones. However, I can't believe that these are our only options. A recent article I read on the GCHQ and their push to get Internet providers to change protocols to help fight spoofing and its use in DDoS attacks raised the excellent point that in order for this to work, you'd need a global effort that would pull in both hardware and software consortiums across the planet to make changes that would theoretically help make the Internet more secure. Wow. I can see the trillions of dollars that go into that project evaporate in a heartbeat when the first exploit gets published on that new infrastructure.

Not to discount my statement that there must be more options, which I'm starting to talk myself out of, but how about from another angle in which (at least in the US) we provide more protection to White/Grey Hat (ethical) hackers who can actually help through offensive cybersecurity tactics? Get funds into tactical cybersecurity teams who not only can help, but are willing to put their best efforts forward in analyzing, profiling and attacking hackers and their teams in such a way that they are either quickly found by on-the-ground law enforcement teams, or can't get the resources they need online to perform their hacks. Not to make a standard Hollywood image of the offensive hacker team seem realistic and easy to put together, but come on, there is a level of reality to this option that is hampered in large part by fear of prison due to our nation's archaic and frankly ill-informed computer-related laws.

I just feel there needs to be a big leap, a massive impact, in order to get ahead of cybercrime; the must-dos and process changes noted here obviously are going to happen, but we need a wall to get raised somehow to help that work not go to waste.