Your number has been disconnected or is not in service

Last week, I got up and began my normal routine. Brushed my teeth, washed my face, and meandered over to the computer I use to review my blog posts one last time before I post them. Read a few blogs from others and help them garner some notoriety (via Twitter and Google Plus). Except…

I couldn’t reach my site. I couldn’t reach Twitter. I couldn’t even reach DownForEveryoneOrJustMe.com. I couldn’t reach my site provider (BlueHost), either. Hmm. And, then I got a call from a staffer who complained they couldn’t access our secure server. (Hint: We use Dyn DNS services for that.)

It seems that some nefarious entity (why is it that a Russian government hack pal comes to mind?) harnessed those ubiquitous baby monitors, surveillance cameras, and similar devices to effect a massive distributed denial of service (DDoS) attack. Massive because at least 1200 sites were affected.

IoT poses a security threat

Sure, we want our fridges to tell us when we are running out of that precious chocolate milk. Or, to be told before we get to the office that our printer is running out of ink (so we can pick up a cartridge or canister on the way). And, to see who’s that really knocking on our door- even if we are half a world away. And, let’s not forget about those driverless cars!

But, you see, those web-connected devices- all part of the Internet of Things (IoT) [I did promise that yesterday’s blog would link to today’s post!]- are easily hacked. Because they have equivalent security of a paper padlock. Looks good, but does nothing to keep things secure.

And, the most annoying thing about this attack? We’ve known FOREVER that these devices were easily exploited. (I’ve reported on such exploits over and over again for nearly five years now. That’s forever in technology time.) You know why? Because the factory-installed passwords for these devices are really sophisticated- ‘12345’, ‘admin’, ‘password’. So, it doesn’t take an idiot – let alone a computer savant- but a second to take over control of the devices.

These devices were then issued the command (using the malware bot, Mirai) to attack Dyn DNS [Dynamic Network Services, and see my note above] headquartered in Manchester (NH). But, that doesn’t tell the whole story- because DynDNS has 20 locations around the world. And, 17 of them were attacked; the only locations left alone were in Shanghai, Beijing, and Warsaw.

The bot that was used, Mirai, is an open-source ‘weapon’ (bit of code that is malevolent). This was derived from the code written by some ticked-off videogame players, which they used to attack Sony and Microsoft back on Christmas Day, 2014.

Millions of devices, from different sources, in multiple waves were used in this attack- so it was difficult to block. Level 3 Communications (Colorado) has estimated that 10 percent of the IoT Devices- which means IP-enabled cameras, DVRs, home networking gear and other connected devices- were involved in this attack. If they are right, it would mean that almost 150 million units were involved in this attack!

(However, it appears that this particular attack harnessed primarily internet-enabled cameras. These are typically the lowest power processors, so they can’t support sophisticated security. Oh- and here’s the real kicker. Many of these devices were manufactured by a firm that no longer exists, so its last software patch was light-years ago, in internet time. Another, uh-oh. This hack is similar to the process by which nefarious folks can also activate your webcam and spy on YOU.)

Mirai is actually ‘DDoS-for-rent malware’. Which means whoever launched this attack could have bought the assistance of other malware bots, about which we are not aware. And, most of the affected devices had the same passwords (not that guessing 12345 or admin takes that much time).

How easy is it to rent such software? Well, you could visit NetStress.org. There you will find a bot to attack sites with denial of service attacks for a 30-day period for the grand sum of $6.99.

Why did these criminals attack DynDNS? Let’s start with the fact that DynDNS issued a statement condemning Mirai and those that afford such ‘weapons’ network bandwidth. Couple that with the fact that DynDNS is a firm that controls the internet switchboard- the one that recognizes your request for “Microsoft.com” is really the network address of 11.22.14.18. (No, that’s not the real number. I don’t want to be responsible for another Microsoft hack.) So, by overloading the circuits at DynDNS, the internet began to slow- if not stop. (This is akin to the Great Blackout of the east coast- one power plant went down, and since many power plants were interlinked to provide backup, a slew of electric power plants were shut down at the same time, unable to handle the excess demand.)
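The switchboard dependency described above can be checked for zones you operate. The following is an added example, not part of the original post: it flags zones whose nameservers all belong to one DNS operator, so a single provider outage would take their name resolution with it. The zone names, nameserver hostnames and the two-label provider heuristic are assumptions made for illustration.

```python
# Constructed sample data: zone -> NS hostnames, as you would collect
# them with `dig NS <zone>` for zones you operate. All names are made up.
SAMPLE_NS = {
    "shop.example": ["ns1.provider-a.example", "ns2.provider-a.example",
                     "ns3.provider-a.example"],
    "blog.example": ["ns1.provider-a.example", "ns1.provider-b.example"],
    "mail.example": ["NS1.Provider-B.example.", "ns2.provider-b.example"],
    "old.example": [],
}


def provider_of(ns_host):
    """Approximate the operator of a nameserver by its last two labels.

    Assumption: a simplification for this example; production code should
    use the Public Suffix List to find the registrable domain.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit(ns_by_zone):
    """Return {zone: (status, providers)}; status is 'no-ns',
    'single-provider' or 'multi-provider'."""
    report = {}
    for zone, hosts in ns_by_zone.items():
        providers = sorted({provider_of(h) for h in hosts})
        if not providers:
            status = "no-ns"
        elif len(providers) == 1:
            status = "single-provider"
        else:
            status = "multi-provider"
        report[zone] = (status, providers)
    return report


def exposed_to(ns_by_zone, provider):
    """Zones left without authoritative DNS if `provider` alone goes down."""
    return sorted(zone for zone, (status, provs) in audit(ns_by_zone).items()
                  if status == "single-provider" and provs == [provider])


if __name__ == "__main__":
    for zone, (status, providers) in sorted(audit(SAMPLE_NS).items()):
        print(f"{zone:15} {status:16} {', '.join(providers) or '-'}")
    print("lost if provider-a fails:",
          exposed_to(SAMPLE_NS, "provider-a.example"))
```

Resolvers that already hold cached answers keep working until the records' TTL expires, so the flagged zones fail gradually rather than all at once.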

Now, that idea that IoT strategy needs to work on a secure cybersecurity system (as discussed yesterday) doesn’t seem to be an item for the future- but one that needs an answer NOW. After all, there are already 15 billion IoT ‘thingies’ in existence. These devices rely on cheap components (most from China, too). And, it’s only going to get worse. According to Intel, there will be 200 billion of them by 2020. That works out to 20 different devices for each human on earth.

Top that off with the fact that it is absolutely unclear who is responsible to develop the framework, to develop the standards- or to implement whatever we need to do to stay safe. Instead, everyone is doing what they want- which often means creating a password- even though a password that is “password” is NOT.

We shouldn’t be surprised. Banks don’t protect their depositors, leaving their social security numbers, phone numbers, and other personal data available to all takers. The US Civil Service system does no better. Yahoo- ok, let’s not get started on the really easy targets.

DHS (Department of Homeland Security) is theoretically charged with defending the internet. But, that would require funding, employing qualified people, and getting the authority to tell private industry and government agencies to change their ways. Which is why our power grid, transportation systems, and telecommunications networks are at risk from attacks that can be pulled off just as easily as this Mirai skirmish.

And, what about the FBI? Sure, they tell us what happened AFTER it happened. And, I doubt either the FBI or DHS have developed standards – or demanded the suppliers of voting machines- that would secure the votes of those folks who effect their choices over the internet. Oh- let’s not forget that the voting system that pertains in the US is NOT considered to be part of our “critical infrastructure”. (Who the heck makes these inane decisions?)

Here’s the real problem. Whether it’s the FBI or DHS, the government is worried about things, it’s worried about locations. Instead of protecting our data. Where it goes or where it doesn’t go. That’s the focus that will truly lead to protection.

Let’s hope someone does so before all the data is gone- to our enemies and to the criminal elements.


14 thoughts on “Your number has been disconnected or is not in service”

  1. This is quite scary indeed. I’ve always known that once something is on internet it never goes away and have always been wary about my use until I decided to start blogging. We don’t do any banking or anything else online, which in a way is silly because banks are online 🙂 I wish there was something that could be done about hackers and it’s frustrating to know that they don’t care how they hurt someone in the process. As for security, there must be a better way to protect our data. I can remember when Target was hacked and as a result my own bank shut down all our cards, conveniently right after I just filled my car with gas ;( Had to be rescued!

    1. That must have been scary to be stranded like that. I had a similar situation in Barbados, when I filled up my rental car with fuel at a Texaco station- only to be told they didn’t take Texaco credit cards. And, I no longer had any local currency!
      But, this IoT situation may portend lots of interruptions in our normal internet affairs- for business, for pleasure, and even for government interactions!
      Thanks for the visit- Tina/Jimmy!

  2. Now, that’s a scary post. Security threats are increasing by the day. I wonder when our information is safe and protected with us, anyway!

    1. I’m with you on that, Marcia. And, that is probably why your comments perpetually end up in my spam folder. (This last time there were some 2000 entries- it took a while to sift the riff-raff for your gem…)

      Thanks for the visit and the comment.
