The only thing the homeowner may notice is a slight slowdown in their Internet connection. But meanwhile, their cable modem or webcam was out bringing down the Internet. This was just one of the scenarios described by David Hobbs at the MIT Enterprise Forum. It happened last fall when the Mirai botnet brought down a large corner of the Internet for days, by crippling the Dyn DNS service.
So what are you going to do? Rip out that handy doorbell cam and go back to analog?
A vigilante hacker calling himself The Janit0r took it upon himself to provide "a lesson" to telecom companies, by sending out a worm that infects a device, attempts to block future infections, but if it cannot do that, it "bricks" the device by overwriting its firmware and making it completely non-functional -- as useful as a brick. He named the work "BrickBot", and this style of attack has become a new acronym in the attack dictionary -- a PDoS attack, short for "Permanent Denial of Service".
Meanwhile, the multiple Equifax breaches make us all wonder why we have such a vulnerable personal identifier that can cause you permanent grief if somebody malicious gets ahold of it -- surely we can come up with something more secure than a 9-digit social security number? The Equifax hack is a problem of their own making, according to Frank Heidt, another speaker on the panel, in that the credit rating agencies are largely responsible for using federal social security numbers as the primary identifier for a person's credit, and not creating something else that could be more easily discarded/changed if it got stolen.
Failing to understand that physical security is now digital security has lead to many more break-ins, according to Mike Simon. Physical security professionals are used to installing door locks that they might not replace for 40 years. But if they are connected to the Internet, leaving them alone for 5 years might make it trivial for an attacker to break in -- before installing Internet-connected security devices, you need to make sure they are digitally secure, and updated as software comes out.
These are just a few of the highlights of Wednesday's MIT Enterprise Forum event, "e-Infrastructure: Using the 21st Century Data Network to Secure our Physical Infrastructure."
At Freelock we like to think of ourselves as security-minded. Compared to many of our peers, we are. We use one-time login links instead of passwords, require SSH keys for access to production systems, have multiple redundant backups across services and locations, and have built secure environments in response to site owners who have come to us with hacked sites looking for help. We don't pretend we can keep everything secure -- so our focus is on resilience -- making sure we can recover from an attack or disaster with minimal data loss, as well as recover from updates gone awry.
This panel made it clear how much deeper the security professionals go. Spending an hour teaching what exactly happens when you click a link on a webpage (just a single click takes an hour to trace through the various systems that might provide a place for an attacker to infiltrate). The attack vectors of a satellite with rocket fuel unprotected from a cyber attack (hint: attacking other satellites?). Cyber attacks that have killed people -- exacerbating power outages due to monitoring PCs that are not functional, SCADA attacks, 911 systems going offline.
And more scary stuff -- anyone can go on the dark web and rent a botnet to send 150 Gigabytes of traffic to knock out a website of their choosing for 15 minutes, for a measly $19. Revenue-sharing botnets who will help you target an organization for a Ransomware attack -- all you have to do is press the button, and you get half the proceeds. Credit card numbers with high limits for $6, full identities for $75.
So what can we all do about this?
These days applying updates as quickly as possible is a must. "If it ain't broke, don't fix it" is now officially a dangerous mindset, leaving you open to attack. "We can't risk updating our production site" is also not an option -- if it can't be updated, it shouldn't be online.
We already have an automated testing pipeline we run all updates through, giving us some level of confidence that things won't blow up when we deploy an update to a WordPress or Drupal site. It also backs up sites before each deployment, so we can recover if something goes really wrong. Next we're going to tackle automatic updates, having our bots apply updates to sites automatically, with testing, notifications, and backups. If we can help with keeping your site safe and up-to-date, give us a call!
Meanwhile, I'm not deploying any "Internet of Things" devices in my house unless it talks to a service I control...
We will update this post when video becomes available...