
12/8/2016
10:30 AM

From Carna To Mirai: Recovering From A Lost Opportunity

We had four years to prepare for recent DDoS attacks and failed. How can we learn from our mistakes?

Those not immersed in security and technology are mostly oblivious to one fact: the Internet is a fragile ecosystem. There are many parallels between the Internet and the ecosystems that span our globe. Each has vital resources that need to be protected and utilized for the greater good. When there is an imbalance in an ecosystem, bad things happen.

We saw this twice recently with the Mirai botnet, which co-opted a cadre of devices in the Internet of Things and forced them to issue denial-of-service (DoS) attacks that crippled many sites and services. But we knew this was coming and did virtually nothing to stop it, just like many real-world ecosystem disasters.

Let's look at where we were four years ago, how far we've progressed, and what we could do to stave off an Internet ecosystem disaster.

Back to the Future: The Carna Botnet
The Internet and media were abuzz four years ago when individuals claiming to be researchers — they remain anonymous to this day — released reports from what was described as the most comprehensive scan of the Internet to date. This became known as the 2012 Internet Census, and it provided insight into what was running on the Internet back then. These anonymous researchers hijacked home routers using weak, default credentials and installed software on those devices that let them control the execution of Internet service scans. While they claim to have done this solely to study the Internet, it is not known if they only performed harmless actions or used the devices in more malicious ways.

Reliving the Past until We Get It Right
Let the previous section sink in for a minute: we knew this was possible four years ago, and as each year passed we knew there would be more "things" connected to the Internet, and yet we did nothing to prevent these "things" from being deployed insecurely.

We're now at a point in time when it's easy to quickly scan the entire Internet and — if you're performing scans from hacked machines — at virtually no expense or risk.

When these devices are taken over and used maliciously because of vulnerabilities or weak default configurations, there are no consequences for manufacturers of IoT devices, owners of IoT devices, or network providers where these IoT devices originate communications.

Again, we're reliving the pain of decades of PC bots and viruses in the era of IoT with some key differences when it comes to things such as vulnerabilities, rampant adoption, usability, and exposure. There is another problem that comes with millions of IoT bots joining together in massive attacks: we're virtually defenseless, primarily because of how the Internet has been architected.

The distributed DoS mitigation company protecting Brian Krebs had to abandon him as a customer because it couldn't absorb the attack on his site in September. Even if there were a handful of providers that could absorb such attacks, most people and organizations couldn't afford to use them, leaving everyone else at the mercy of the attackers. This is what's at risk if we retain the status quo.

A Secure Path Forward
If we do nothing, the attacks we saw this fall will not only be repeated, they will grow larger, have longer impact, and potentially have more sinister outcomes. What can be done?

For starters, more IoT vendors should follow Hangzhou Xiongmai's lead and recall products that have unfixable or easily exploitable default configurations. Although this step would be the responsible thing to do, it might not have the impact you'd expect. There's no surefire way to notify all individuals with problem equipment, and it only takes a scarily small number of vulnerable systems to cause widespread damage.

Another option is for each of us, in every country, to work with lawmaking bodies and get sane standards and regulations put forth for IoT devices. This won't affect the vast number of devices that are already out there, but most of us will throw these things away as we upgrade devices to take advantage of new features (or they'll just break down, as many aren't made to last). This approach can be time-consuming, and it may take five years to have strong, enforceable standards in place.

A third option is for Apple, Amazon, and Google to co-develop requirements for when manufacturers want to integrate their IoT devices with the ecosystems of those three companies. These three are fast becoming the gatekeepers of IoT, and if they set the bar high enough it would have an immediate downstream effect. My guess is that we'd see more secure versions of products within one product release cycle and discounts for upgrade/trade-in offers.

A fourth option: a "cash for clunkers"-like program. Given the potential impact of these insecure "things," governments around the world — in partnership with nonprofit foundations — could band together and offer cash incentives for bringing in derelict devices. Coordination at this scale would be difficult, but it would be a boost to security and the global economy.

The Internet of Things has the potential to dramatically change our lives for the better and for the worse. We must all work to understand the current, tenuous state our fragile Internet ecosystem is in, then work together to ensure it will be there when we expect it to be.

Bob Rudis, Chief Data Scientist, Rapid7. Bob Rudis has over 20 years of experience using data to help defend global Fortune 100 companies and is a chief security data scientist at Rapid7. Bob is a serial tweeter (@hrbrmstr), avid blogger (rud.is), author (Data-Driven Security), ...
Comments
RetiredUser, User Rank: Ninja
12/8/2016 | 12:42:00 PM
Certainly Not Our Only Options?
Living in the open world, the free and open source software world, I am loathe to consider some of the other options that have been thrown out there of late, including introduction of highly proprietary protocols for the Internet and network firmware that would replace current ones. However, I can't believe that these are our only options. A recent article I read on the GCHQ and their push to get Internet providers to change protocols to help fight spoofing and its use in DDoS attacks raised the excellent point that in order for this to work, you'd need a global effort that would pull in both hardware and software consortiums across the planet to make changes that would theoretically help make the Internet more secure. Wow. I can see the trillions of dollars that go into that project evaporate in a heartbeat when the first exploit gets published on that new infrastructure.

Not to discount my statement that there must be more options, which I'm starting to talk myself out of, but how about from another angle in which (at least in the US) we provide more protection to White/Grey Hat (ethical) hackers who can actually help through offensive cybersecurity tactics? Get funds into tactical cybersecurity teams who not only can help, but are willing to put their best efforts forward in analyzing, profiling and attacking hackers and their teams in such a way that they are either quickly found by on-the-ground law enforcement teams, or can't get the resources they need online to perform their hacks. Not to make a standard Hollywood image of the offensive hacker team seem realistic and easy to put together, but come on, there is a level of reality to this option that is hampered in large part by fear of prison due to our nation's archaic and frankly ill-informed computer-related laws.

I just feel there needs to be a big leap, a massive impact, in order to get ahead of cybercrime; the must-dos and process changes noted here obviously are going to happen, but we need a wall to get raised somehow to help that work not go to waste.