Killer apps
Until recently, it made sense to talk about the offline world and the online world as separate things. In the mid 1990s, online pioneers often talked about the way life on the screen had given them a much greater appreciation of the physical world.
As I've written before, that made more sense when there was little or no overlap between the people in your offline and online lives, and when you had to dial up and wait to get to the latter. For some time, it's been clear that cyberspace was beginning to colonize the physical world, and a couple of weeks ago we saw the consequences that security experts have been predicting: the first distributed denial-of-service attack on the internet to be mounted by devices we haven't normally thought of as computers: digital video recorders, cameras, and baby monitors.
This was actually the second such attack. In late September, the site of security journalist Brian Krebs was knocked offline with such an enormous flood that even the content delivery network company Akamai struggled to contain it. Krebs had to temporarily shut down, and then move, his site.
Krebs reported, shortly afterwards, that the source code of the Mirai botnet malware used to attack his site had been posted to Github. Within weeks, Level 3 Threat Research was finding an uptick in enslaved devices. Flashpoint, which tracks the progress of such things, suggests that the Dyn attack, which hobbled connections to sites like Amazon, Twitter, and Netflix, was the work of script kiddies - copycats, basically. Script kiddies are why we still need to run anti-virus software to trap very old malware even though it can't detect the most recent, sophisticated attacks. The sole bit of sophistication in the Dyn attack may have been in picking on Dyn, a key intermediary that most people had never heard of and whose function even fewer understood.
Krebs' series of reports on the attacks - the attack itself, details on the devices used, and the news that the manufacturer he named is recalling products and threatening a libel suit.
BBC News this week asked me two questions: what can users do to protect themselves? Is your data at home at risk?
In these particular cases, users had few options. The devices in question had a web interface that was protected by a user name and password. The answer there is easy: change the default user name and password. But underneath the devices, which run a trimmed-down version of Linux, also have a text-based access interface using the standard protocols Telnet and SSH. That feature was not documented, and the default passwords were hard-coded, so users had no ability to change them. According to Krebs, this was the vector by which the Mirai malware infected the devices. A technically capable home user could and should configure their home router to block incoming traffic on all but the ports they need to use - in this case, ports 23 (Telnet) and 48101.
Beyond that, says Graham Cluley, turn off UPnP, which can help attackers take control. Always change default user names and passwords for all devices; this is especially important for home routers, since someone who seizes control of your router has control of your entire network and can mount spoofing attacks on all your internet activities. Fortunately, router manufacturers recognized this issue some time ago, and most home routers now provide better security by default, shipping with individual, randomly generated user names and passwords rather than a single universal pair that users must know to change.
Cluley also recommends checking regularly for vendor firmware updates and patching devices. This is where the whole Internet of Things enterprise is going to founder. Anyone who's ever bricked a device through a failed firmware update is simply not going to risk it when the device to be updated is a car, refrigerator, or other expensive appliance. For vendors, patching software is a fairly expensive effort. It makes sense when your products produce a steady stream of revenue, but none at all for inexpensive items like light bulbs or temperature sensors that may remain in place for years at no benefit to you. Protecting these will have to depend on a secure router or gateway.
But even if you had followed Cluley's recommendations, it wouldn't have helped prevent the Dyn attack. There, the only solution was not to buy the devices in the first place or yank their internet connections. In the interests of being an intelligent customer, for any potential purchase insert the manufacturer, model number, and the word "security" into a search engine to see if any known flaws pop up. Similarly, read the product manual before buying, both to see what it says about security and to find any other annoying habits the product might have. Don't buy anything with standardized, hard-coded login credentials you can't change. Look for unexpected hidden channels (like Telnet and SSH) and make sure you can change those credentials, too. Finally, ask yourself: do you really need this device to be connected to the internet (YouTube)? If not, either buy something else or disable the connection. Think of it as social responsibility: it's not just your own security at risk. Today, these devices are being corralled to attack internet intermediaries; tomorrow, critical infrastructure.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.