The Spanish-born American philosopher George Santayana wrote in his 1905 book “The Life of Reason” that those who cannot remember the past are condemned to repeat it. Time and time again we have seen this school of thought proven true. Look at it from a social perspective and take fashion, for example: how many times have we ‘brought back’ a style that was the ‘in thing’ back in the day? Plenty of times, I would say. While this is not necessarily a bad thing, it shows that humans are somehow wired to repeat things. Apply this human nature to computing and information security and we see the same types of threats being resurrected from the ‘dark web cemetery’ and, lo and behold, we always get a ‘gotcha’ moment.
Last year, right about this time, I wrote a blog post about botnets and the Internet of Things. The post talked about Conficker and how its logic had a mechanism for seeking out new domains on a daily basis; by mid-2009, Conficker had spread to over 10 million computers (Singer, 2011). Fast forward to October 2016: a DDoS attack began creating problems for Internet users trying to reach an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. Researchers pegged the blame on hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders (Krebs, 2016). This massive DDoS attack was attributed to malware dubbed ‘Mirai’ (Japanese for ‘the future’), a name that seems to suit the MO of the malware: locate and compromise IoT devices to further grow the botnet and launch DDoS attacks. Mirai scanned the Internet for devices that were not secured, meaning those that still used default usernames and passwords. By employing a dictionary attack against those devices with a pre-configured list of default username/password combinations, it was able to compromise and take over those devices (Herzberg, Bekerman, & Zeifman, 2016).
Image courtesy of ReadWrite.com
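As an added example (not part of the original post), the default-credential guessing described above can be spotted from the defender's side in a device's login log: one source failing against several account names in quick succession, sometimes followed by a success. The log format, field names and thresholds here are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed format; IPs are documentation ranges.
SAMPLE_LOG = """\
2016-10-21T11:10:01 telnetd src=203.0.113.7 user=root result=fail
2016-10-21T11:10:02 telnetd src=203.0.113.7 user=admin result=fail
2016-10-21T11:10:03 telnetd src=203.0.113.7 user=support result=fail
2016-10-21T11:10:04 telnetd src=203.0.113.7 user=guest result=fail
2016-10-21T11:10:05 telnetd src=203.0.113.7 user=admin result=ok
2016-10-21T11:12:00 telnetd src=198.51.100.20 user=alice result=fail
2016-10-21T11:12:30 telnetd src=198.51.100.20 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) \S+ src=(\S+) user=(\S+) result=(fail|ok)$")


def detect_dictionary_logins(log_text, min_failures=4, min_users=3,
                             window=timedelta(seconds=60)):
    """Map each suspicious source IP to 'guessing' or 'compromised'."""
    recent = defaultdict(deque)  # src -> (timestamp, user) of recent failures
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts, src, user, result = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        fails = recent[src]
        while fails and ts - fails[0][0] > window:
            fails.popleft()  # failures older than the window no longer count
        if result == "fail":
            fails.append((ts, user))
        # A burst is many failures spread over several account names, which
        # separates list-driven guessing from one user mistyping a password.
        burst = (len(fails) >= min_failures
                 and len({u for _, u in fails}) >= min_users)
        if burst and result == "ok":
            verdicts[src] = "compromised"  # a guess from the list worked
        elif burst:
            verdicts.setdefault(src, "guessing")
    return verdicts


if __name__ == "__main__":
    print(detect_dictionary_logins(SAMPLE_LOG))
```

A source flagged as 'compromised' is the case that matters most for the devices discussed here: the login that succeeded right after the burst used a credential that should have been changed from its factory value.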
We can now see the trend and why George Santayana’s statement is true even for computing and information security. We’ve all seen those pesky reminders set up by IT to change our passwords every so often. Do we receive those messages with joy or view them as just another nuisance from those IT fellas? I bet most of us hope they would stop reminding us about those damn passwords. Most issues we observe in today’s cyber world are simply reincarnations of old threats, and the mistakes or vulnerabilities that propagated those threats are the same ones, slightly modified, plaguing us again. An attack may differ in that it is a new variant, but the core of the attack, or what makes it possible, remains the same most of the time. Case in point: the use of default passwords in devices makes it easy for malware to perform a successful brute-force attack against the device.
The question, therefore, is: why would IoT manufacturers not step up their game and secure their appliances?
The answer, of course, is the good ol’ connectivity vs. security battle. IoT manufacturers are focused on getting products to market as fast as possible, with their priority being connectivity and not security. Market demand and the profits associated with it are driving decisions, and the manufacturers are okay with dealing with security implications down the line rather than incorporating the measures at project kick-off. The IoT realm being relatively new also means the decision falls on the manufacturers, as there are no set standards for what the security landscape should look like for those devices. We have a situation where the product manufacturers determine the appropriate trade-offs for themselves without any best-practice references.
My take on this lack of, or poor, IoT security configuration is that eventually the market and possibly regulators will arm-twist the manufacturers into incorporating more solid plans that ensure their products are somewhat secure and the public is not victimized due to negligence on their end, as observed in the case of the Mirai-related DDoS attacks. We all love our smart products and the luxury they afford us, but if it means compromising our privacy and security, some consumers may opt to roll back to the stone-age days where we wrote down our grocery lists on paper instead of the refrigerator sending us a text. I guess the devices aren't as smart as they purport to be after all :)
References
Denning, T., Tadayoshi, K., & Levy, H. M. (2013). Computer Security and the Modern Home. Communications of the ACM, 56(1), 94-103. doi:10.1145/2398356.2398377
Herzberg, B., Bekerman, D., & Zeifman, I. (2016, October 26). Breaking Down Mirai: An IoT DDoS Botnet Analysis [Blog post]. Retrieved from Imperva Incapsula website: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
Krebs, B. (2016, October 21). Hacked Cameras, DVRs Powered Today’s Massive Internet Outage [Blog post]. Retrieved from KrebsonSecurity website: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
Singer, P. W. (2011, October 21). Mark Bowden’s “Worm: The First Digital World War”. Retrieved February 7, 2016, from https://www.washingtonpost.com/entertainment/books/mark-bowdens-worm-the-first-digital-world-war/2011/08/30/gIQAwcKO4L_story.html