Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/10/2017
10:30 AM
Bogdan Botezatu
Bogdan Botezatu
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Taking Down the Internet Has Never Been Easier

Is there a reason why the Internet is so vulnerable? Actually, there are many, and taking steps to remain protected is crucial.

On October 29, 1969, two computers linked via telephone exchanged a couple of letters, then crashed. While the experiment did not achieve its goal, it was the first time computers at a significant distance from one another exchanged information via a data link.

Fast-forward 48 years, where everything — including the kitchen sink, in the case of smart kitchens — is hardwired to a massive network of networks (and things), transporting the entirety of human knowledge one bit at a time. The Internet has come a long way from the two machines attempting to digitally shake hands over a phone line. In 2016 alone, more than 1 zettabyte of data was sent and received over networks. Today, the Internet hosts billions of devices. From a network of computers fully trusting one another, the Internet has morphed into a place where the notion of trust is not part of the equation.

There is no single reason for this current state of vulnerability. Instead, there's a confluence of contributing factors.

The Internet's Architecture Hasn't Caught Up with the Times
In October 2016, a massive botnet of Internet of Things (IoT) devices was used in a highly effective distributed denial-of-service (DDoS) attack against the Internet's core infrastructure: DNS services operated by Dyn. The attack blacked out significant portions of the US Internet for almost a day, halting business for dozens of Fortune 500 companies and causing untold millions, if not billions, of dollars in damage.

Devastating DDoS attacks aren't new — we've had them for years, but until this point they were hard to leverage into a problem that affected more than one organization at a time. Either large botnets or complex amplification techniques were required to knock a host offline.

More modern attacks, however, rely on large botnets of misconfigured IoT devices to pack a serious punch. Today, gathering a significant number of IoT devices to participate in such an effort is a simple script away, readily available to wannabe cybercriminals with no hacking experience.

The DNS system is one of the most heavily targeted subcomponents of the Internet, and it is easy to understand why it remains in the attackers' crosshairs. Overloading the DNS infrastructure with queries will render it inaccessible to other users who need to interrogate what IP a domain name points to.

What Else Is Broken on the Web?
Routing is another hot issue related to the welfare and neutrality of the Internet. Routing is the path that data travels from a machine to the destination server, as it traverses a number of networks operated by distinct companies. In passing, it goes through multiple service providers that use the Border Gateway Protocol (BGP) to determine the path our information should take to its destination. By manipulating the BGP, hostile parties can force data onto a different route, which allows them to intercept and modify traffic.

There have been numerous incidents of BGP manipulation such as China's "18-minute mystery," where the country hijacked 15% of the world’s traffic with very few people noticing. Such attacks can be used to snoop on or manipulate unencrypted traffic before it is relayed to the original recipient. False routing info propagation can also be used to deny access to services at a global level (see the YouTube-vs.-Pakistan incident of February 2008).

Digital Trust and PKI Are Flawed
Digital trust plays a key role in keeping things normal. The public key infrastructure — on which the security of the Web itself stands — is another issue that could dramatically affect the proper functioning of the Internet.

Certificate authority abuse is one example. Several certificate authorities have wrongfully issued digital certificates to fraudulent parties. Turktrust and WoSign are two of the many CAs that have been "tricked" into giving away the keys to websites of high-profile companies such as Microsoft, Google, and Github, allowing third parties to impersonate these companies online.

Even when PKI works well, it is still approaching its expiration date. Cryptography works because of the mathematical complexity behind it. As the industry moves toward quantum computing, PKI and current crypto-algorithms will stop working.

Endpoint Security Is a Serious Cause for Concern
Any discussion of security and the Internet should include individual security itself. Just like herd immunity is achieved through mass vaccination that helps people stay free from infectious diseases, endpoint security plays a key role in keeping others safe on the Internet. The same effect happens with unprotected devices. They can end up herded into botnets operated by cybercrime gangs. Botnet traffic puts serious strain on the infrastructure while raising operational costs for Internet service providers. By sending junk traffic, these hosts "clog" the Internet and cause massive delays in the delivery of legitimate information.

As of the writing of this piece, bad bots are responsible for almost 30% of the Web traffic, carrying out DDoS attacks and spreading spam (which, according to Statista, accounts for 61% of all e-mails sent globally).

But the Internet Endures … for Now
Despite these challanges, the Internet has survived all these incidents, and gracefully waltzed through the IPv4 address pool depletion issue. Still, the security of the Internet is serious cause for concern. For a society so completely reliant on the positive benefits and outcomes of connectivity, taking steps to protect us from its dangers has never been more crucial.

Related Content:

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27348
PUBLISHED: 2020-12-04
In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43...
CVE-2020-16123
PUBLISHED: 2020-12-04
An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by...
CVE-2018-21270
PUBLISHED: 2020-12-03
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
CVE-2020-26248
PUBLISHED: 2020-12-03
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
CVE-2020-29529
PUBLISHED: 2020-12-03
HashiCorp go-slug before 0.5.0 does not address attempts at directory traversal involving ../ and symlinks.