From Carna To Mirai: Recovering From A Lost Opportunity

We had four years to prepare for recent DDoS attacks and failed. How can we learn from our mistakes?

Those not immersed in security and technology are mostly oblivious to one fact: the Internet is a fragile ecosystem. There are many parallels between the Internet and the ecosystems that span our globe. Each has vital resources that need to be protected and utilized for the greater good. When there is an imbalance in an ecosystem, bad things happen.

We saw this twice recently with the Mirai botnet, which co-opted a cadre of devices in the Internet of Things and forced them to issue denial-of-service (DoS) attacks that crippled many sites and services. But we knew this was coming and did virtually nothing to stop it, just like many real-world ecosystem disasters.

Let's look at where we were four years ago, how far we've progressed, and what we could do to stave off an Internet ecosystem disaster.

Back to the Future: The Carna Botnet
The Internet and media were abuzz four years ago when individuals claiming to be researchers — they remain anonymous to this day — released reports from what was described as the most comprehensive scan of the Internet to date. This became known as the 2012 Internet Census, and it provided insight into what was running on the Internet back then. These anonymous researchers hijacked home routers using weak, default credentials and installed software on those devices that let them control the execution of Internet service scans. While they claim to have done this solely to study the Internet, it is not known if they only performed harmless actions or used the devices in more malicious ways.

Reliving the Past until We Get It Right
Let the previous section sink in for a minute: we knew this was possible four years ago and as each year passed we knew there would be more "things" connected to the Internet, and yet we did nothing to prevent these "things" from being deployed insecurely.

We're now at a point in time when it's easy to quickly scan the entire Internet and — if you're performing scans from hacked machines — at virtually no expense or risk.

When these devices are taken over and used maliciously because of vulnerabilities or weak default configurations, there are no consequences for manufacturers of IoT devices, owners of IoT devices, or network providers where these IoT devices originate communications.

Again, we're reliving the pain of decades of PC bots and viruses in the era of IoT with some key differences when it comes to things such as vulnerabilities, rampant adoption, usability, and exposure. There is another problem that comes with millions of IoT bots joining together in massive attacks: we're virtually defenseless, primarily because of how the Internet has been architected.

The distributed denial-of-service (DDoS) mitigation company protecting Brian Krebs had to drop him as a customer because it couldn't absorb the attack on his site in September. Even if there were a handful of providers that could absorb such attacks, most people and organizations couldn't afford to use them, leaving everyone else at the mercy of the attackers. This is what's at risk if we retain the status quo.

A Secure Path Forward
If we do nothing, the attacks we saw this fall will not only be repeated, they will grow larger, have longer impact, and potentially have more sinister outcomes. What can be done?

For starters, more IoT vendors should follow Hangzhou Xiongmai's lead and recall products that have unfixable or easily exploitable default configurations. Although this step would be the responsible thing to do, it might not have the impact you'd expect. There's no surefire way to notify all individuals with problem equipment, and it only takes a scarily small number of vulnerable systems to cause widespread damage.

Another option is for each of us, in every country, to work with lawmaking bodies and get sane standards and regulations put forth for IoT devices. This won't affect the vast number of devices that are already out there, but most of us will throw these things away as we upgrade devices to take advantage of new features (or, they'll just break down, as many aren't made to last). This approach can be time-consuming, and it may take five years to have strong, enforceable standards in place.

A third option is for Apple, Amazon, and Google to co-develop requirements for when manufacturers want to integrate their IoT devices with the ecosystems of those three companies. These three are fast becoming the gatekeepers of IoT, and if they set the bar high enough it would have an immediate downstream effect. My guess is that we'd see more secure versions of products within one product release cycle and discounts for upgrade/trade-in offers.

A fourth option: a "cash for clunkers"-like program. Given the potential impact of these insecure "things," governments around the world — in partnership with nonprofit foundations — could band together and offer cash incentives for bringing in derelict devices. Coordination at this scale would be difficult, but it would be a boost to security and the global economy.

The Internet of Things has the potential to dramatically change our lives for the better and for the worse. We must all work to understand the current, tenuous state our fragile Internet ecosystem is in, then work together to ensure it will be there when we expect it to be.

Bob Rudis, Chief Data Scientist, Rapid7. Bob Rudis has over 20 years of experience using data to help defend global Fortune 100 companies and is a chief security data scientist at Rapid7. Bob is a serial tweeter (@hrbrmstr), avid blogger (rud.is), author (Data-Driven Security), ...

12/8/2016 | 12:42:00 PM
Certainly Not Our Only Options?
Living in the open world, the free and open source software world, I am loathe to consider some of the other options that have been thrown out there of late, including introduction of highly proprietary protocols for the Internet and network firmware that would replace current ones. However, I can't believe that these are our only options. A recent article I read on the GCHQ and their push to get Internet providers to change protocols to help fight spoofing and its use in DDoS attacks raised the excellent point that in order for this to work, you'd need a global effort that would pull in both hardware and software consortiums across the planet to make changes that would theoretically help make the Internet more secure. Wow. I can see the trillions of dollars that go into that project evaporate in a heartbeat when the first exploit gets published on that new infrastructure.

Not to discount my statement that there must be more options, which I'm starting to talk myself out of, but how about from another angle in which (at least in the US) we provide more protection to White/Grey Hat (ethical) hackers who can actually help through offensive cybersecurity tactics? Get funds into tactical cybersecurity teams who not only can help, but are willing to put their best efforts forward in analyzing, profiling and attacking hackers and their teams in such a way that they are either quickly found by on-the-ground law enforcement teams, or can't get the resources they need online to perform their hacks. Not to make a standard Hollywood image of the offensive hacker team seem realistic and easy to put together, but come on, there is a level of reality to this option that is hampered in large part by fear of prison due to our nation's archaic and frankly ill-informed computer-related laws.

I just feel there needs to be a big leap, a massive impact, in order to get ahead of cybercrime; the must-dos and process changes noted here obviously are going to happen, but we need a wall to get raised somehow to help that work not go to waste.