The Internet of Things will give superpowers to a new class of entrepreneurs able to forge the future of connected communications. Unfortunately, some of them will be criminals.
Recently website KrebsOnSecurity.com was the target of an unprecedented cyberattack. In the parlance of hackers, it was a Distributed Denial of Service, or DDOS: Throw so much junk data at compromised sites they cannot perform their intended role.
The Krebs attack is game-changing because it probably wasn’t the work of a nefarious nation-state. It was very likely ragtag hackers using an arsenal of Internet of Things appliances. Like TV’s McGyver, they banded together scads of routers, IP security cameras and digital video recorders, used software to make them compliant, then pointed every last one of them at Krebs.
Internet of Things security has been a pressure point among researchers for a while. In an effort to keep costs low and the learning curve lower for neophyte consumers, manufacturers have rushed connected things to the market. Many have generic firmware and, worse, default passwords. Creepy hackers have easily commandeered everything from home security cameras to baby monitors. The jump to using connected devices as weaponry was just a matter of time.
Brian Krebs, an investigative journalist, is no stranger to attacks. He made it his business to ferret out malware and expose cyber criminals. His work is so well regarded that Akamai provided DDoS protection to his own site pro bono before the attacks last week made that too costly. The site has since been embraced by Project Shield, an Alphabet service that protects journalists worldwide and their right to free speech.
Two weeks ago he published a long blog post exposing the inner workings of a hacked, online service called vDOS. It brazenly sold DDoS exploits to would be cyber extortionists on a subscription basis. For as little as $30 per month customers got computing resources capable of taking most sites down. Krebs alleges the hacker-for-hire operation helped coordinate 150,000 exploits, yielded $600,000 in Bitcoin for site administrators over a two-year period and was responsibility for the majority of DDoS shutdowns worldwide during that time. Further investigation led him to thousands of paying clients, their targets and the alleged masterminds, two Israeli teens, Itay Huri and Yarden Bidani. The pair were later arrested by the FBI.
Taking down KrebsOnSecurity was just payback from miffed cyber criminals. More worrisome is the scale of attacks now possible using security-challenged Internet of Things devices. More than 620 gigabits per second was blasted at KrebsOnSecurity last week. For the sake of comparison, in 2013 a DDoS exploit shot 300 gigabits per second at Spamhaus and some said it threatened the very Internet itself. In a recent post Krebs said, “The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie."
In the Bond films, despite villain superpowers, the forces of good always win. Then again, there is usually just one villain and they can’t rent superpowers for just $30 a month. Cyber security trouble is not going away. My favorite names in the space are still Palo Alto Networks (PANW) and Qualys (QLYS), though Cisco Systems is cheap and plays a key role as well.
