The Candid Voice in Retail Technology: Objective Insights, Pragmatic Advice

The Day The Cameras Took Over: The Dyn Denial Of Service Attacks


RSR partner Nikki Baird has long said that one of the risks associated with “smart devices” that are part of the Internet of Things (IoT) is malware or ransomware. Bad guys could infiltrate your refrigerator and demand $50 before they’ll let it open for you. Sounds funny, but it’s true.

I don’t think she envisioned the opposite situation: where devices that are part of the IoT would become the primary source of an attack on the internet itself. But that’s what happened on Friday.

Friday morning, I logged into Facebook, and the first post I saw, with a timestamp of 8:34 am EDT, had the headline “Twitter is totally down and unavailable now.” (Thank you, Michael Krigsman!)

By the time I’d read through the thread, I knew that the outage was limited to the east coast of the US, and that it was a Distributed Denial of Service (DDoS) attack on Dyn, a very large Domain Name Service (DNS) provider. It came and went on the East Coast, at least through 12:25 PM EDT. Later that day, the attack moved to Dyn’s West Coast server.

Not a great day to be Dyn. Not a great day to be a whole lot of companies, really…including, but not limited to, PayPal, people.com, Spotify, CNN, Business Insider, Etsy, Netflix, HBO Now and many, many more (a more complete list can be found here).

For the sake of the non-geeks among our readers, a couple of definitions are in order:

DNS: This is the abbreviation for Domain Name Server. Think of a Domain Name Server as a massive address directory. Every web site has an address. The address is four sets of numbers between 1 and 256 (called octets, if you’re keeping score) that are unique to it. So an internet address might look like 192.168.1.150, for example.

The chances of anyone keeping track of these numbers for all the web sites we access are somewhere between slim and none. So every web site also has an easier-to-remember name. When you go to a browser and type in www.rsrresearch.com, your domain name server (DNS) goes out and finds the appropriate address for the web site, and routes you to it. If you move your website, you must update the DNS entry for it.

DDoS: This is the abbreviation for Distributed Denial of Service attack. I found a good definition for it on digitalattackmap.com: “A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.”

The words “multiple sources” are pretty important here… the requests to the server come from sources that are (likely) geographically dispersed.

In days gone by, individual computers could and would be infected by malware and become like little zombies. While you might be at work or asleep, your computer could be busily hammering on a web site, helping others like it bring the web site to its knees.
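What “multiple sources” looks like from the defender’s side of the DNS server is the thing the definition above leaves implicit, so here is an added example (my code, not RSR’s or the article’s) that buckets query-log lines into ten-second windows and tells a flood from one machine apart from a flood spread across hundreds of machines. The log format is BIND-style, the traffic is constructed from RFC 5737 documentation addresses, and the thresholds are assumptions to tune against your own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One BIND-style query-log line per request. Pattern and sample data are
# constructed for this example; they are not Dyn's logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def parse_line(line):
    """Return (timestamp, source address, query name) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["src"], m["qname"]


def analyze(lines, window_s=10, flood_threshold=100, single_source_share=0.5):
    """Bucket queries into fixed windows and classify each window.

    A window is flagged when it carries more than `flood_threshold` queries.
    If one source accounts for at least `single_source_share` of them it is a
    single-source flood; otherwise the load is distributed across many sources,
    the DDoS shape the article describes. Both thresholds are assumptions.
    """
    per_window = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _ = parsed
        bucket = ts.replace(second=(ts.second // window_s) * window_s, microsecond=0)
        per_window[bucket][src] += 1

    report = []
    for bucket in sorted(per_window):
        sources = per_window[bucket]
        total = sum(sources.values())
        top_share = sources.most_common(1)[0][1] / total
        if total <= flood_threshold:
            verdict = "normal"
        elif top_share >= single_source_share:
            verdict = "single-source flood"
        else:
            verdict = "distributed flood"
        report.append({
            "window": bucket.strftime("%H:%M:%S"),
            "queries": total,
            "sources": len(sources),
            "top_source_share": round(top_share, 3),
            "verdict": verdict,
        })
    return report


def build_sample():
    """Constructed traffic: a quiet window, a window hit from 300 addresses,
    and a window hammered by a single address."""
    lines = []
    # 12:20:00-09: five ordinary resolvers, three queries each
    for i in range(1, 6):
        for k in range(3):
            lines.append(f"21-Oct-2016 12:20:0{k}.000 client 203.0.113.{i}#5353: "
                         f"query: www.retailer.test IN A")
    # 12:20:10-19: 300 distinct sources, two queries each (distributed)
    sources = [f"198.51.100.{h}" for h in range(1, 255)] + [f"192.0.2.{h}" for h in range(1, 47)]
    for n, src in enumerate(sources):
        for k in range(2):
            lines.append(f"21-Oct-2016 12:20:1{(n + k) % 10}.{(n % 100) * 10:03d} "
                         f"client {src}#{1024 + n}: query: www.retailer.test IN A")
    # 12:20:20-29: one source, 150 queries (classic single-source DoS)
    for k in range(150):
        lines.append(f"21-Oct-2016 12:20:{20 + k // 15}.{(k % 15) * 10:03d} "
                     f"client 203.0.113.99#40000: query: www.retailer.test IN A")
    return lines


if __name__ == "__main__":
    for row in analyze(build_sample()):
        print(row)
```

The distinction matters operationally: a single-source flood can be dropped with one firewall rule, while the distributed window above has no single address worth blocking, which is why the only real answers are capacity and redundancy rather than filtering.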

But two things were different about this attack, and retailers need to understand both of them.

First, the attack wasn’t targeting one specific web site. Instead it was targeting the “address book” associated with many, many web sites. According to security analyst Bruce Schneier, “someone,” likely a nation state, has been probing the defenses of companies that run “critical pieces of the internet.” They probe, poke, and run small attacks to get a sense of responsiveness and the ability to ward off threats. Somewhere along the way, they realized they could get serious bang for their malicious buck by targeting Dyn. Truth be told, I was shocked to read the list of companies affected, but I’ll get back to that in a minute.

Second, the source of the attack was not computers. It appears as though most of the offending devices were actually smart cameras.

Internet-enabled cameras are everywhere. Law enforcement officials have used them to great benefit in catching terrorists after an attack. The Boston Marathon bombers, for example, were first identified by a camera operated by the Lord and Taylor store on Boylston Street in Boston.

So how did these cameras get infected? According to security specialist Brian Krebs, himself a source of a massive DDoS attack just days earlier, the culprit is some malware called “Mirai.”

“Mirai scours the Web for so-called IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”

This time it was cameras. Next time it could be your thermostat, refrigeration unit or doorbell.

That’s what happened. But there are a lot of watch-outs embedded in this story.

The easy one is “don’t use default passwords.” But you knew that already.
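“Don’t use default passwords” is easy to say and hard to verify across a fleet of cameras, thermostats and DVRs, so here is an added example (my code, not RSR’s or the article’s) of the two checks that stop a Mirai-style recruit: a gate at provisioning time that refuses factory-default or username-equals-password credentials, and an audit over a device inventory that also flags the plaintext telnet ports (23 and 2323) such scanners look for. The deny-list, the minimum length, the device records and the idea that a provisioning export carries the credential are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed deny-list of vendor-default pairs. A real audit loads the
# defaults documented for the models you actually own.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}
TELNET_PORTS = {23, 2323}   # plaintext management ports Mirai-style scanners probe
MIN_PASSWORD_LEN = 12       # assumed local policy, not a vendor value


@dataclass
class Device:
    device_id: str
    model: str
    username: str
    password: str          # assumed present in a provisioning export (constructed)
    open_ports: set = field(default_factory=set)
    internet_exposed: bool = False


@dataclass
class Finding:
    device_id: str
    severity: str
    message: str


def password_problem(username, password):
    """Return a description of why the credential pair is weak, or None."""
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        return "factory-default credentials"
    if password.lower() == username.lower():
        return "password equals username"
    if len(password) < MIN_PASSWORD_LEN:
        return f"password shorter than {MIN_PASSWORD_LEN} characters"
    return None


def validate_provisioning(username, password):
    """Gate for onboarding: refuse to enrol a device with a weak credential pair."""
    problem = password_problem(username, password)
    if problem:
        raise ValueError(f"rejected credential for {username!r}: {problem}")
    return True


def audit(inventory):
    """Return findings for every device; credential findings precede port findings."""
    findings = []
    for dev in inventory:
        problem = password_problem(dev.username, dev.password)
        telnet = dev.open_ports & TELNET_PORTS
        if problem:
            # Weak credentials on an internet-facing device is exactly what Mirai enlists.
            severity = "critical" if dev.internet_exposed else "high"
            findings.append(Finding(dev.device_id, severity, problem))
        if telnet:
            severity = "high" if dev.internet_exposed else "medium"
            findings.append(Finding(dev.device_id, severity,
                                    f"telnet open on port(s) {sorted(telnet)}"))
    return findings


def build_inventory():
    """Constructed inventory of four devices."""
    return [
        Device("cam-01", "IPCam-X", "admin", "admin", {23, 80}, internet_exposed=True),
        Device("cam-02", "IPCam-X", "admin", "Gx7!pqR2vL9m#Qs", {443}),
        Device("dvr-03", "DVR-8", "service", "Service", {2323}),
        Device("therm-04", "Thermo-1", "admin", "Zk4-long-passphrase-here", {23},
               internet_exposed=True),
    ]


if __name__ == "__main__":
    for f in audit(build_inventory()):
        print(f.device_id, f.severity, f.message)
```

Note that the inventory audit only catches what the inventory knows about; the provisioning gate is the control that keeps a default credential from ever reaching the network in the first place.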

The bigger one is this: We have to ask ourselves, “When is a Managed Services company simply too big for its own good, and yours?” The original intent of the internet, when it was designed by the Defense Department, was to ensure that there was no single point of failure. You could not “take the internet down” because there were too many independent servers.

And (also if you’re keeping score), there are thirteen “root DNS servers” around the world. As long as at least one is up and running, we’re okay. They are managed by various entities. Partner Brian Kilcourse sent me this list of root DNS servers.

Dyn is NOT a root DNS server. It is a very large company, and it provides DNS services to some real giants, retail and otherwise. Is it too big NOT to fail? Would you be better off having an alternate DNS belonging to a second company? Or having a smaller company manage the service for you?
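The “alternate DNS belonging to a second company” question can be answered for your own zone in a few lines, so here is an added example (my code, not RSR’s or the article’s) that groups a zone’s nameservers by operator to flag a single-provider delegation, then simulates what one provider’s outage does to resolution under a one-provider and a two-provider delegation, and how a still-valid cached answer rides through it. The zone, the nameserver names (none of them Dyn’s) and the outage are constructed; the provider grouping assumes a two-label registrable domain, which a real tool would replace with a Public Suffix List lookup.

```python
from collections import defaultdict

# Constructed zone data and nameserver names; none of these are Dyn's.
ZONE_ANSWERS = {"www.retailer.test": "192.0.2.10"}


def provider_of(ns_host):
    """Registrable domain of a nameserver name, e.g. ns1.bigdns.test -> bigdns.test.
    Assumes a two-label registrable domain; a production check would consult the
    Public Suffix List so that names like ns1.example.co.uk group correctly."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def providers(ns_records):
    """Group NS hostnames by the organisation that operates them."""
    groups = defaultdict(list)
    for ns in ns_records:
        groups[provider_of(ns)].append(ns)
    return dict(groups)


def assess_delegation(ns_records):
    """Report whether the zone's delegation rests on a single provider."""
    groups = providers(ns_records)
    return {
        "providers": sorted(groups),
        "single_point_of_failure": len(groups) == 1,
    }


def resolve(qname, ns_records, down_providers=(), cache=None):
    """Simulate a resolver: serve from cache while the TTL lasts, otherwise ask
    the delegated nameservers in turn; a server whose provider is down never answers.

    `cache` maps qname -> (address, seconds of TTL left). Returns the address,
    or None when no server can answer (the symptom users saw during the outage:
    the web servers were fine, but nobody could look up their addresses)."""
    if cache and qname in cache and cache[qname][1] > 0:
        return cache[qname][0]
    for ns in ns_records:
        if provider_of(ns) in down_providers:
            continue                       # swamped by the flood, query times out
        return ZONE_ANSWERS.get(qname)     # first reachable server answers
    return None


# Two delegations for the same zone: all eggs in one basket vs. two providers.
ONE_PROVIDER = ["ns1.bigdns.test", "ns2.bigdns.test", "ns3.bigdns.test"]
TWO_PROVIDERS = ONE_PROVIDER + ["ns1.otherdns.test", "ns2.otherdns.test"]


def outage_demo(down="bigdns.test"):
    """Resolve the same name under both delegations while one provider is down."""
    return {
        "one_provider": resolve("www.retailer.test", ONE_PROVIDER, {down}),
        "two_providers": resolve("www.retailer.test", TWO_PROVIDERS, {down}),
        "one_provider_cached": resolve("www.retailer.test", ONE_PROVIDER, {down},
                                       cache={"www.retailer.test": ("192.0.2.10", 300)}),
    }


if __name__ == "__main__":
    print(assess_delegation(ONE_PROVIDER))
    print(assess_delegation(TWO_PROVIDERS))
    print(outage_demo())
```

In practice you feed `assess_delegation` the output of `dig NS yourzone +short`. Three nameservers at one company is still one basket; a second provider only helps if its servers actually carry a synchronised copy of the zone, and longer TTLs on the records that matter buy caches more time to coast through an outage.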

I was honestly shocked to read the list of names that entrust their DNS to Dyn. This is not a knock on Dyn at all. Obviously, the company has capacity and has demonstrated generally good responsiveness to its clients. But it just surprised me that some of these companies weren’t running their own DNS servers. They are big enough, and truth be told, they’re already buried in technology. Why outsource this?

The last thing I want to think about is DDoS attacks on DNS servers. Sorting through this event has made my brain hurt. But we need enough of an understanding to make smart business decisions.

You don’t want your DNS server to be part of a mom-and-pop operation, nor do you want it to be part of something that is wearing a “kick-me” sign on its back. Cyber-terrorism is a growing threat.

IoT is a good thing. We have an extant report on the topic now. The goal of this report was to get beyond the hype to the reality. Sadly, one of the realities is that these devices add vulnerability to your enterprise.

Business executives have to get a bit down into the weeds, to ensure that their web sites are safely secured. We may have slowed the barrage of data breaches, but we haven’t stanched the flow of nastiness coming over the web. This nastiness comes more from nation states than it does from “400 pound guys sitting on a bed.” Our vigilance must remain constant. The internet must remain fluid.

And change the password on your refrigerator!


Newsletter Articles October 25, 2016