In a previous post, I discussed the possibility that, even though there are some seemingly insurmountable problems with computer security in contemporary systems, perhaps the overall state of computer security could be vastly improved by fixing certain simple problems. Maybe there’s no way to efficiently create software that has no vulnerabilities, but perhaps we could make a big dent in our breaches and hacks by solving the problem with poor passwords.

With the oncoming tide of an Internet-of-Things (IoT) world, perhaps this is an even more critical “first step” in not being swept away by the digital security tides.

Apparently, the security blog “Krebs on Security” (krebsonsecurity.com) was attacked last month by a historically large DDoS attack. DDoS stands for “Distributed Denial of Service” and typically involves having thousands, tens of thousands, or even hundreds of thousands of devices connect to a website or service at the same time in an attempt to overwhelm it. The attacker takes control of these devices, collectively called a “botnet,” by distributing malware or viruses. Each infected computer phones home to the attacker, reporting that a new system has just been taken over. Once the bad guy has enough of these “bots,” she launches the attack by signalling them to simultaneously begin their connections to the specified target.

But the September 2016 attack on Krebs was larger than any seen before.

... according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.

To give you an idea of how big, the attack was producing approximately 620 gigabits per second of traffic. For comparison, the standard size of a feature-length film is approximately 50 gigabytes (400 gigabits), so this is equivalent to downloading one and a half full-length HD movies every second! Most websites hit by this much traffic are simply knocked offline.

How did the attackers generate this much bandwidth? How did they get more devices?

Krebs on Security, being a security site, investigated the incident with interest and discovered that the DDoS attack against it used IoT devices. The list of devices includes “…dozens of products, including routers, security cameras, printers and digital video recorder (DVRs).” How many of these types of Internet-connected devices do you have in your house? I have at least five. How many does my neighbor have? How many does the average consumer have?

Well, it turns out that many of these devices are designed to “work out of the box.” You just unpack them and turn them on. But, universally, these devices can also be accessed and controlled over the Internet so that users can configure them and technicians can diagnose their misbehavior. Unfortunately, “working out of the box” generally means that they have default usernames and passwords that users don’t have to change.

Accordingly, bad guys can scan the Internet looking for devices that have common default username/password combinations. Any such device encountered is immediately absorbed into the botnet.

As I stressed previously, this is a completely solvable problem. And it is easily solvable. As Ross Anderson points out in his excellent book Security Engineering:

...many people just [accept] the standard configuration of a system, as they assume it will be good enough. This is one reason why secure defaults matter... (p. 26)

For example, one top-selling dial access system in the 1980’s had a default software support user name of 999999 and a password of 9999. It also had a default supervisor name of 777777 with a password of 7777. Most sites didn’t change these passwords, and many of them were hacked once the practice became widely known. Failure to change default passwords as supplied by the equipment vendor has affected a wide range of systems. To this day there are web applications running on databases that use well-known default master passwords — and websites listing the defaults for everything in sight. (p. 39)

[Accordingly,] Software should... be designed so that the default configuration, and in general, the easiest way of doing something, should be safe. Sound architecture is critical in achieving safe defaults and using least privilege. (p. 124)

In other words, general consumer-oriented devices should ship non-operational until the user configures them with a username and password. As much as everyone loves the ease of “out-of-the-box” solutions, the bad guys, unfortunately, like them even more. And the last thing we want to do is gift-wrap a system for their use.
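To make the “ship non-operational” idea concrete, here is an added illustration (not code from the original post or from any real device vendor) of how a device’s remote-management login could be gated: the hypothetical `DeviceAuth` class boots in a SETUP state in which every remote login is refused, and the only way out is to set credentials that are not on a constructed list of well-known factory defaults.

```python
"""Secure-by-default credential gate for a hypothetical IoT management service.

Added illustration, not from the original post. The device boots in SETUP:
remote logins are refused until the owner sets non-default credentials,
after which the service becomes ACTIVE.
"""
import hashlib
import hmac
import os

# Constructed list of well-known factory defaults of the kind botnets try;
# the last two are the dial-up examples quoted from Anderson above.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"),
                  ("999999", "9999"), ("777777", "7777")}
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 100_000


class DeviceAuth:
    def __init__(self):
        self.state = "SETUP"      # device ships non-operational
        self._user = None
        self._salt = None
        self._digest = None

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_credentials(self, user: str, password: str) -> None:
        """Only exit from SETUP; rejects factory defaults and weak passwords."""
        if (user.lower(), password.lower()) in KNOWN_DEFAULTS:
            raise ValueError("factory-default credentials are not allowed")
        if len(password) < MIN_PASSWORD_LEN or user.lower() == password.lower():
            raise ValueError("password too short or equal to username")
        self._salt = os.urandom(16)
        self._digest = self._hash(password, self._salt)
        self._user = user
        self.state = "ACTIVE"

    def login(self, user: str, password: str) -> bool:
        """Remote login: always False while the device is unconfigured."""
        if self.state != "ACTIVE":
            return False      # nothing for a default-credential scan to find
        if user != self._user:
            return False
        return hmac.compare_digest(self._hash(password, self._salt), self._digest)
```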