For the past several days, security researcher Brian Krebs has been battling a cyber-attack on a scale unlike any ever previously observed on the internet.
Krebs, who writes the security blog Krebs on Security, was on the receiving end of a distributed denial-of-service (DDoS) attack that delivered connection requests at the rate of nearly 700 gigabits per second.
Equally alarming, the attack was generated by well over a million video cameras as well as other internet-connected devices ranging from set-top boxes to video recorders.
Although this is not the first time video cameras have been used as part of a DDoS attack, it is the first time they have been marshaled for an attack on this scale.
Krebs has said that he was attacked in retaliation for a story he reported about an Israeli attack-for-hire service called “vDOS” that was earning its operators hundreds of thousands of dollars per year.
After the story appeared on Krebs’ blog, the principals of the company were arrested, fined and placed under house arrest. Apparently the internet of things (IoT) attack on Krebs was done to prove that vDOS still had teeth.
Since then, Krebs has moved his website to the protection of Google’s Project Shield, which was created to protect human rights advocates and journalists from censorship by DDoS. Previously Krebs was protected by the Akamai content delivery service, but that company dropped him because handling the attacks was costing Akamai millions of dollars and Krebs was getting the service for free.
The security cameras that were used in the attack on Krebs were mostly made by Dahua Technology, which produces a wide variety of cameras used both in businesses and by consumers. These cameras are typically delivered with a default user name and password, and relatively few customers change the passwords before installation. Even fewer of these devices are ever updated once they’re installed.
While Dahua products were used in this attack, the company is not unique in how it delivers its products. Very few connected devices have any security beyond a simple name and password, and quite a few don’t even have that. If you want a picture of how bad this problem is, just turn on a WiFi device in a crowded area and look at the list of SSIDs. Note how many are simply the name of the company that made the product.
There are several things your organization can do to reduce the chance of your assets being used in a DDoS attack, which in turn will help you avoid any liability and any expense for the traffic your network devices may generate. Here’s a list to get you started: