The digital dust has settled, for now at least, on last week’s Distributed Denial of Service (DDoS) attack against DNS service provider Dyn.
There have been numerous rumours of what the attack was for, and why the attackers pounded Dyn with redundant traffic designed to harm the company’s ability to serve legitimate customers.
If you’re in a takeaway trying to order a nice, quick burger, but there are 100 people in front of you in the queue who ask politely all about today’s specials before calmly walking out without buying anything, both you and the burger vendor are going to take strain. Worse still, the time-wasters don’t have to spend any money buying up products to stop you getting served, so there’s not much to limit the scale of the disruption.
However, given that we’re in the last week of Cybersecurity Awareness Month, we thought we’d leave the rumours for later and start right at the top with our tips for how to fight back against the cybercrooks in our midst.
So here are some simple and general security tasks you can carry out at home (or at work!) to make life harder for the crooks:
- Patch early, patch often. If your router has a firmware update available, install it now. If you have fallen behind on operating system updates, consider activating fully automatic updates so you won’t forget again. A hole that could be patched is a whole that should be patched.
- Turn off remote access to your Internet of Things (IoT) devices like cameras and printers if you can. Some connected devices let outsiders login by default, which is handy for troubleshooting but even handier for crooks. If the device lets you restrict access to your local network only, make sure that option is turned on.
- Change all device passwords so you don’t have any defaults. Many devices come preconfigured with usernames and passwords such as
root/rootoradmin/adminthat can be found with a search engine. A default password is as bad as no password. - When you acquire a new device, research it online before you make it live. If there are security patches available, apply them first. If there are risky settings you can turn off, do that up front. Even if it’s a gift, don’t feel pressurised into connecting it up right away.
- Learn how to scan your own network for security holes. Tools such as Nmap can help you find holes before the crooks do. It’s legal to probe your own network, so you may as well find out if there are any obvious problems first. (If you already know how to do this, why not help your friends as your contribution to #NCSAM?)
- Consider trying an industrial-strength home firewall. For example, Sophos Firewall Home Edition is 100% free. You’ll need a spare computer and some technical savvy (or a friend with the savvy) to set it up, but you’ll end up with all the features of our commercial product, and it will keep itself up-to-date with protection against the latest hacking threats.
What about the Dyn attack?
Some of the rumours we’ve heard about the attack on Dyn include:
- The DDoS was an experiment to see how big an attack could be if the crooks really wanted.
- The DDoS was a practice session for an attack on the forthcoming US election.
- The DDoS was a show of strength, in case Julian Assange of Wikileaks turned out to be dead.
So far, however, the most likely explanation we’re aware of is that Dyn recently published a article about the risk of DDoS to service providers.
Dyn dealt with the extent to which an open-source DDoS attack tool called Mirai was involved, and how to work against this sort of attack in the future.
If the name Mirai rings a bell, we wrote about it just two weeks ago after a similarly-huge DDoS attack on well-known cybercrime journalist Brian Krebs.
Krebs, in turn, seems to have been attacked because he was involved in an exposé that led to the arrest of two young DDoS-for-hire hackers from Israel.
In short, this may very well boil down to a series of “tit-for-tat” salvos launched by the DDoS crooks.
Why is this a job for us all?
For all the deeply sinister explanations you can come up with for the attacks on Dyn, there’s an underlying and prosaic reason why cybercrooks carry out DDoSes of this scale:
Q. Why do cybercrooks carry out DDoSes of this scale?
A. Because they can.
Unfortunately, one of the main reasons why the crooks are able to carry out such ambitious attacks is equally simply expressed:
Q. How is it that crooks are able to carry out such ambitious attacks?
A. Because we let them.
In the case of the Mirai attack tool mentioned above, the DDoS malware runs on unsecured IoT devices, from cameras and printers to routers and modems – devices that many people don’t even realise can contribute to cybercrime.
Worse still, while the Mirai malware is busy with attack X, it’s also automatically scanning the internet looking for the next wave of insecure devices that can be used for attack X+1.
Unlike old-school viruses and network worms, which looked for potential new victims and infected them automatically, Mirai plays a more secretive hand. It quietly reports its new list of potential victims back to the crooks, leaving infection until later. It therefore keeps a lower online profile than if it spread as far as possible and as quickly as it could.
It’s not just DDoS attacks from IoT devices that we have to worry about, by the way.
A significant proportion of the many websites that act as malware distribution servers used to attack Windows computers are otherwise-legitimate websites that have been hacked because they were unpatched or otherwise ill-secured.
LEARN MORE: How innocent servers serve cybercrime
(Audio player not working? Download MP3, listen on Soundcloud, or read the transcript.)
And a significant proportion of the spam that we see comes from regular computers that are infected with zombie malware that allows crooks to spew out spam at will.
These three sorts of cyberattack share several worrying characteristics:
- They give the crooks free bandwidth for their cybercrimes.
- They divert the blame onto the wrong people.
- They are hard to disrupt because they come from so many sources at the same time.
- They seem innocent because they come from devices with no obvious criminal connection.
- They can often be run again and again because just removing the malware is not enough.
Finding the Mirai malware on your home router, for example, soothes but does not sort out the problem: if you simply delete the malware and do nothing more, the crooks will soon find you again and co-opt you back into their arsenal.
You need to close the door on the crooks on a more permanent basis whenever you can.
So, why not start with the #CyberAware tips we set out at the top of this article?
After all, when it comes to DDoS bots, spam zombies, unpatched servers and even to shabby passwords…
…if you aren’t part of the solution, you’re part of the problem.
Tom
Devices with default login credentials are a bigger problem than most people including techs are aware of. I was told to work on an enterprise class printer/copier/fax that sends faxes to the network server. When I asked for the admin password, I was told that it is 123456 (cringe). This printer is from a very large multinational electronics manufacturer. I wonder if all their devices use that password?
Paul Ducklin
Six characters is a bit short…maybe it’s “12345678” now :-)
Odd Samvik
Certainly good advice, but the ones reading this article aren’t the ones we need to be worried about. The vast majority of users don’t read this, nor would they understand a word of it. That’s just the way it is, and I don’t blame them. It’s on professionals to fix the problem. Laying the burden on to consumers is wrong, and won’t work. It’s an industry problem.
Paul Ducklin
We’re not “laying the burden on consumers,” we’re offering some advice to people who’d like to do a bit more in order to encourage them to do so.
Anyway, stating that “the vast majority of users […] wouldn’t understand a word of it” is a bit presumptuous, wouldn’t you say? I think the average user can understand “patch early, patch often,” that most users are capable of changing password via a web GUI, and that the majority of Naked Security readers are here because they’re keen to learn, and perfectly capable of doing so.
Odd Samvik
Presumptuous? Not at all. The ones needing to be reminded to patch and change passwords aren’t here, Paul. They are on Facebook. They don’t know what IoT, DDoS, DNS or NMAP is. Nor do they care. it’s a mystery to me why you’d think they are here. I think you may underestimate your actual audience, while overestimating average users.
Paul Ducklin
People who are “on Facebook” are perfectly welcome here, as I am sure you know.
Indeed, many of our readers are the very Facebook users you don’t seem to think very highly of, and they seem to have no trouble understanding the very stuff you seem to think they’re not interested in. Maybe it’s because we make an effort not to talk down to people, and we try to avoid acting like some sort of technological high priesthood with a low opinion of what you refer to as “average” people?
If your job was giving advice, but you only ever gave advice to the very people who already knew it and genuinely didn’t need it, life would be kind of dull, don’t you think?
mrrocket2u
I think that you both have good points! Odd Samvik is correct, we are fooling ourselves to believe that non-technical people will understand any of this. When they buy a device and get it out of the box, they want to just plug it in and it work. Manufacturers are playing to this and cutting security corners to keep costs down and customers happy. You, Paul, are correct, we in the industry need to tell people what they should be doing. If we don’t, then nothing will change! I believe that manufacturers should pay penalties for producing insecure products.
Paul Ducklin
[This comment thread is now closed.]
mr x
the issue is most people this relates to would not, i can relate to this where people don’t really understand the implication of having there nanny cam online or CCTV online and the risks of doing it (until told about it)
also can you please make sure you put a large point about making sure CCTV systems should not be allowed online at all unless behind a VPN or remote access via other means, as video on youtube does not point out a lot of these CCTV and IoT devices have hardcoded username and password or no auth required at all (most of the time changing password is pointless)
Deborah A. Viele
I am one of the Facebook people you speak of and I am here. Simultaneously I am sharing the information on Facebook. There’s more than one way to accomplish something and those of us who take our responsibility seriously in this issue are also tasked to pass the information on to consumers at large. I’m am a researcher at heart and ascribe there are many, many others who share that sentiment lest we all fall into a place of ignorance.
Nick
Sadly, because of Windows 10 and Microsoft’s sneaky ways of trying to “upgrade” Windows 7, myself and several people I know will never trust automatic updates ever again. I have to check OS updates manually and wait to see if anything untoward has been added. And Microsoft’s latest way of delivering updates – the roll-up, is not going to help matters either.
Paul Ducklin
How will you know if “anything untoward” has been added? And why is the roll-up going to make things worse?
Nick
Before, when you had several updates, and one either broke your system or an application you could miss it out until or if a fix was introduced. Now you have to miss all the updates in the roll up to avoid the one update that is the problem.
One of the ways to know if anything untoward has been added is wait (maybe a week) and see if there are any complaints before installing. Definitely read all the KB’s on the updates.
Paul Ducklin
Maybe I’ve been lucky, or spoiled…for several years now I have just grabbed Apple and Microsoft updates and never had anything untoward happen.
Occasionally, a major macOS update has revealed how woefully out of date some piece of third-party software is, and a little bit of digging has quickly revealed that the vendor hasn’t updated it for years, and never will. A little bit more digging usually reveals an alternative app that is newer, still being actively developed, getting security updates – and typically both better and cheaper (or free). Software has come along a lot in recent times.
Sometimes, the past can really weigh you down, especially when computer security is concerned. For examnple, if ever my 10-year-old $50 scanner stops working after an OS update because the vendor hasn’t invested in a driver update for 10 years, I’m not going to rant at Apple or Microsoft for that. I’ll save up $50 and buy a newer, smaller, faster, better one…
…or just do without it. (To be honest, I haven’t even taken the scanner out of its box since I got a recent iPhone, because the phone’s camera gives better results in a fraction of the time for the sort of documents I want to scan.)
Dustin
I tried asking my ISP about how to change the default password on my cable modem. They simply replied that our modems aren’t vulnerable to viruses. I’ve had my router locked down from the start, but the modem provides not UI to change the password. I don’t think it can be logged into from the internet though. So atleast there is that. So at this point, since most modems would probably be similar in setup. I would say it’s on the ISPs to prevent this avenue from being an issue. I did my due diligence here and came up empty.
[Modem in question is from UBEE]