The DDoS That Came Through IoT: A New Era For Cyber Crime

A New Era for Cyber Crime

Last September, the website of a well-known security journalist was hit by a massive DDoS attack. The site’s host stated it was the largest attack of that type they had ever seen. Rather than originating at an identifiable location, the attack seemed to come from everywhere, and it seemed to have been driven through a botnet that included IoT-connected devices like digital cameras. This was something special and unusual, and a stark warning about the future of cyber warfare.

The attack was so large and relentless that the journalist’s site had to be taken down temporarily. The exercise of fending off the attack and then repairing and rebuilding was extremely expensive. Given that the target was a writer and expert on online security and cybercrime, the attack was not only highly destructive but also symbolic: a warning to security specialists everywhere that the war has changed.

Chris Sellards, a Texas-based Certified Cloud Security Professional (CCSP) agrees. He points to the sheer volume of IoT connected devices – a number that is growing exponentially, with Gartner forecasting 6.4 billion devices to be connected this year.

PC users have become a little more sophisticated with regard to security in recent years,” Sellards says. “They used to be the prime target when creating a botnet and launching DDoS attacks because they rarely patched their systems and browser configuration settings were lax by default. However, with automatic upgrades and an increased use of personal firewalls and security apps, PCs have become a little more of a challenge to penetrate. Attackers almost always take the path of least resistance.”

Consequently, IoT devices have become the new playground. They are the new generation of connected machines that use default passwords, hard coded passwords, and inadequate patching. The rush to make everything IoT compatible and affordable leaves little time or incentive for manufacturers to build in sophisticated security layers. In addition, there is an innocence factor at play. Who would ever suspect their digital camera, fitness tracker or smart thermostat of being an accomplice to cybercrime?

future-iot

Sellards points out that one of the most interesting aspects of the attack was that GRE (Generic Routing Encapsulation protocol) was used instead of the normal amplification techniques used in most DDoS attacks. This represents a change in tactic specifically designed to take advantage of the high bandwidth internet connections that IP based video cameras use.

These developments have experts like Sellards worried, given the huge – and growing – number of IoT devices that form part of the nation’s critical infrastructure. “”If default and hardcoded passwords can be compromised to install Malware that launches DDoS attacks, they can also be compromised to launch more nefarious attacks with significantly higher consequences,” he says. It shows IoT installs are insecure and not hardened. They are exposed to the Internet without firewall filtering. “All best business practices we’ve spent decades developing have gone right out the window.” 

IoT in general represents a fascinating new chapter in convenience and communication for businesses and consumers alike. But as all security experts already know, the bad guys never rest. The way in which they discovered and exploited both the weaknesses and the built-in features of IoT shows a creativity and dedication that must never be ignored. Thus the value of a CCSP having a seat at the Executive table has just increased exponentially.

For more on the CCSP certification from (ISC)2, please visit their website. Sponsored by (ISC)2.

By Steve Prentice

Notable Stock Screeners for 2021

Stock Screeners By this point, you probably already heard about everything that happened with GameStop (GME) stocks. GameStop is the largest video game retailer with 5,000 stores around the U.S. Due to the pandemic, the ...

Ransomware – Cybercriminal Groups Know The Weak Points

Cybercriminal Groups Grow Data breaches and leaks represent a quickly growing security problem these days. When plenty of people work from home, the risk of data leaks is much higher. Cybercriminal groups know the weak ...

Telemedicine to medical smartphone applications

Telemedicine to medical smartphone applications With the current and growing worldwide concerns regarding the Coronavirus (COVID 19). Telemedicine is more important now than ever. What are some of the key areas in the coming years ...

A Winning Data Strategy Series Part 3: From Data-driven To An Insight-driven Organization

Insight-driven Organization This is the third piece of a 5-part series on plugging the obvious but overlooked gaps in achieving digital success through a refined data strategy. Data is essential, yes. But the whole idea ...

Episode 3: The Bottomless Cloud – An Interview with David Friend of Wasabi

Why data is not “the new oil” and why “cloud” means more than we think. In his new book, author David Friend refers to the cloud as "bottomless," and disputes peoples' assessment that data is ...

What’s the cloud forecast for 2020?

Tech Agnosticism In 2019, we saw how cloud computing transformed the way data is managed, the way applications are developed and deployed, and also the way IT teams operate. Organizations are starting to experience the ...