In this newsletter, my objective is to focus on security of AV devices. However, I’m going to use an indirect approach to this topic. First, I’ll discuss an internet protocol and service that is absolutely critical to the proper function of nearly all IP networks. It is especially critical to the use and function of the Internet. Then, we’ll turn our attention to the attack that denied the use of that resource for a period of time. Lastly, I’ll explain how AV devices played a critical part in the attack.
Domain Name Services (DNS) is vital to the operation of almost all IP networks. The only exception would be small, isolated networks with a few devices and no connection to other company networks or to the Internet. DNS capability depends on systems and devices across the globe: it is a stored, distributed database that maps names to specific IP addresses. For example, I understand that the address 220.127.116.11 is related to Google because DNS has the network address for that server in its database.

Now, how is this distributed database critical to each of us? When I go onto the web and click on an icon or type a name such as matrox.com into a browser address field, I have asked for a resource from a server. However, I don't need the address of that server, because DNS tells my browser it is at 18.104.22.168, and that is where my request packets are sent. Most people are surprised to learn that when you visit a typical home page of a company or college, your browser sends 12-18 DNS queries to obtain all of the resource files necessary to build that page for you. In other words, take away the DNS capability and you can't browse or get resources from the Internet. Think about the impact of this function on customers who are looking at your company's web site for products or services.
Now, let's turn our attention to an attack on DNS that was very disruptive. On October 16, 2016, a denial of service attack was launched on Dyn, a major DNS service provider. This disruption made many web sites nearly inaccessible for over two hours. Some of the companies affected included Fox News, Amazon, and PayPal. After a few hours, the attack was blocked, but it repeated two more times during the day.

I have spent most of my career as a college professor, so I like multiple choice questions. Here's one for you: The attack was primarily launched by
- a. a clandestine, nation sponsored group from the Pacific rim, probably North Korea.
- b. disgruntled computer science students.
- c. compromising a large number of cameras and other embedded system devices.
- d. a former employee of PayPal.
- e. compromising a major retailer’s payment server.
The answer is C. Some reports indicate that the botnet of cameras and devices may have exceeded 100,000. That is, the attack was launched because someone had control of this vast number of devices and could issue the attack command.

Here's the really scary part. The attack, named Mirai, compromised those devices using a list of 60 common username/password combinations set as factory defaults. The passwords were never changed by the users, and this left the devices open to the Mirai control server. The AV industry must stop shipping devices with default authentication combinations like admin/blank. A major step was taken by at least one manufacturer of cameras: they make the initial use of the camera dependent on changing the password. I believe that is a major step in the right direction. However, as users, we must be informed enough to change the default to something that is not simple to guess. It certainly doesn't reflect good business operations to have it made public that our cameras were part of an attack that interrupted service to tens of millions of Internet users.
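The change-on-first-use policy the paragraph credits to one camera manufacturer, written out as an added Python example; this is not code from the newsletter or from any vendor, and the default-credential list, the `DeviceAccount` class and the length threshold are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of factory-default pairs, in the spirit of the
# 60-pair list the text describes; it is not the real Mirai list.
DEFAULT_CREDENTIALS = {
    ("admin", ""), ("admin", "admin"), ("root", "root"),
    ("root", "12345"), ("admin", "1234"), ("user", "user"),
}
DEFAULT_PASSWORDS = {pw for _, pw in DEFAULT_CREDENTIALS}
MIN_LENGTH = 12  # assumed policy value, not from the page

def validate_new_password(username: str, candidate: str) -> None:
    """Raise ValueError if the candidate is a known default or trivially weak."""
    if candidate in DEFAULT_PASSWORDS or (username, candidate) in DEFAULT_CREDENTIALS:
        raise ValueError("password is a known factory default")
    if candidate.lower() == username.lower():
        raise ValueError("password must differ from the username")
    if len(candidate) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")

class DeviceAccount:
    """Hypothetical firmware account: network-facing services stay
    disabled until the factory default password has been replaced."""
    def __init__(self, username: str, factory_default: str):
        self.username = username
        self.default_replaced = False
        self._salt = os.urandom(16)
        self._hash = self._derive(factory_default)

    def _derive(self, password: str) -> bytes:
        # Salted PBKDF2 so the stored value is not the plaintext default
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash, self._derive(password))

    def services_allowed(self) -> bool:
        # The gate the text describes: no normal operation on a default
        return self.default_replaced

    def change_password(self, current: str, new: str) -> None:
        if not self.check_password(current):
            raise ValueError("current password incorrect")
        validate_new_password(self.username, new)
        self._salt = os.urandom(16)  # fresh salt for the new secret
        self._hash = self._derive(new)
        self.default_replaced = True
```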