Internet of Things devices are starting to pose a real threat to security for the sensible part of the web, Akamai's chief security officer Andy Ellis has told The Register.

Speaking in the aftermath of the large DDoS against security journalist Brian Krebs, Ellis elaborated a little on the makeup of the botnet which took down Krebs' website, saying it was mostly made up of hacked Internet of Things devices.

“We've noticed a strong overlap between the attack … and one of the botnets that we have been working at in modelling,” Ellis told El Reg, as he named the Kaiten malware as one of the vectors involved in the Krebs attack.

Kaiten has long been known as a source of IRC-controlled DDoS attacks. While the original chiefly targeted routers, this latest version also “targets DVRs and some cameras” according to Ellis.

During the attack against Krebs, Akamai jettisoned him from its DDoS mitigation service with two hours' notice. Krebs was a pro bono customer and the sheer volume of traffic – 620Gbps – threatened to affect services for Akamai's paying clients. Krebs later said he didn't blame Akamai for taking the action it did, and Google subsequently stepped in with its Project Shield service.

“This is a very concerning thing, looking at the prevalence of IoT and the ability for [the Krebs attackers] to throw around this volume of traffic,” Ellis said. “More research is being done on the adversary side to find out how to better take control of IoT devices, whether by means of a brute force attack using a known and common credential such as the [default] admin password, which gets them into a handful of routers out there, and then [the attackers start] leveraging the bandwidth of these end users.”

The chief problem for DDoS mitigation outfits trying to defend against IoT botnets is that with so many devices potentially falling under the control of miscreants, it is straightforward for the attacker's traffic to masquerade as legitimate web traffic.

“Compromised IoT devices … have the ability to source traffic from the same IP address as a legitimate user,” said Ellis, “which obviously gives the advantage that it stops [attackers] from being trivially filtered. I don't think I'm giving anything away when I say that when you're protecting a web server, any traffic coming in that's not related to web traffic is very deep and easy for you to drop. And the more that an adversary can look like a legitimate user, the more difficult it becomes, the more resources you have to expend to identify that that's an attacker and mitigating it.”

Culture change needed in IoT architecture

Part of the problem is the sheer difficulty of patching and updating IoT devices to take advantage of the latest vuln plugs.

Ellis said: “If you have an iPhone it auto updates in the background and you press OK and it takes care of it for you. We've become so used to that on the internet of general purpose computing devices that when we look at the Internet of Things – or as one of my colleagues likes to call it, Things on the Internet – there aren't devices built into that same robust infrastructure.”

Then he spelled out the painful upgrade process for most current IoT devices:

If I want to patch them, I need to go to the vendor website, hunt for my model of device, download an executable to my desktop and run it, when the executable will open a network hole and patch, upgrade the firmware on my device. You walk through that and to you and I that probably seems like, 'that's painful but at least I understood what it was I was doing'.

For most users that's a really challenging thing. They're not professional systems administrators. Why do we expect them to treat these devices the same way that a systems administrator treats enterprise-class routers?

He also said that IoT devices ought to be “deployed in a fashion that makes them automatically update and keep themselves secure all the time.”

As for the Krebs hack, does the widespread use of an IoT botnet mean that the whole concept of IoT security is fatally flawed? Do we need to trash it all and start over?

“We don't know for certain that every machine involved in this was IoT; it's quite possible that the attacker spliced together a botnet including traditionally compromised servers as well as these IoT devices,” Ellis concluded. “Hopefully we'll learn more as we dig through the data.”


The Register - Security

At the G20 summit on Tuesday, President Obama said he had been talking to other heads of state about cybersecurity and avoiding a potential cyber arms race, but experts say it may be too late.

President Obama said nations should focus more on the dangers of non-state actors rather than repeating the mistakes of the Cold War in cyberspace. However, President Obama also began his comments by claiming the U.S. has more cyber "capacity than any other country, both offensively and defensively."

Experts said comments like this and the constant attribution of cyberattacks to countries like Russia and China are proof that the cyber arms race has already begun.

Michael Patterson, CEO of Plixer, said the cyber arms race is close to 10 years old at this point.

"The cyber arms race is on and has probably been accelerating since before the 2008 explosion on the Baku-Tbilisi-Ceyhan oil pipeline in Turkey that is thought to have been perpetrated by the Russians," Patterson told SearchSecurity, although the attribution of that attack to Russia has since come under question. "It was the United States and Israel that launched the Stuxnet attack in 2010 against Iran. Everyone better believe that the race is on and has been for a while."

Dwayne Melancon, vice president of products for Tripwire, said it is unlikely that a cyber arms race would develop into a cyber-Cold War simply because nations won't hesitate to use their cyberweapons.

"If this truly becomes a cyber arms race akin to the nuclear arms race that would mean nations would develop weapons, use them to threaten other nations, and almost never use them to attack. However, I don't think that is what will happen with cyber arms -- I think they'll be used anyway," Melancon told SearchSecurity. "After all, the perceived consequence and damage seems much less outrageous when you think of cyber arms, at least at face value. Of course, cyber security researchers know that cyber weapons could cause death, destruction and chaos if deployed against critical infrastructure, systems affecting public safety, and so forth."

From cyber arms race to cyber-Cold War

John Dickson, former U.S. Air Force CERT and principal of Denim Group Ltd., based in San Antonio, said he thinks we're already in a cyber-Cold War -- though he would like a better term for it -- and to the point where a cyberattack could prompt a physical response, which pushes the need for more accurate cyber attribution.

"I'm not sure we've seen a case to date where physical destruction caused by a cyberattack was serious enough where a nation state would seriously consider striking back with what the military calls a 'kinetic' attack, or via conventional warfare," Dickson told SearchSecurity. "I suspect that will likely happen at some point, which is when incorrect attribution will really be substantially more critical. If terrorists or nation states brought down an airliner or opened up a dam causing downstream death and destruction, there would likely be pressure to retaliate in the physical realm with military force. If we, or another nation state, misread attribution, the results could be potentially devastating and could escalate to a much larger military conflict."

Brian NeSmith, the CEO of Arctic Wolf Networks, Inc., said there is no such thing as a cyber-Cold War.

"In preparation for a cyberwar, nations would be penetrating an adversarial nation's critical infrastructure and planting cyber-nuclear bombs," NeSmith said. "In a cyberwar, the 'invasion' would occur way in advance of the actual attack, and there would likely be no time to mount a defense before critical infrastructure is destroyed and real lives lost."

Jonathan Sander, vice president of product strategy for Lieberman Software, said the steps toward a cyber-Cold War may have already begun.

"One could say that the separation likely to result from a cyber-Cold war has already begun in the form of the 'Great Firewall of China,'" Sander told SearchSecurity. "The Chinese attempt to sever its cyber ties has many analogs to the USSR's iron curtain -- complete with resistance fighters, defections (both information and people), and espionage bringing things through the wall now and then."

Sander added that it may be impossible to imagine the political aspects of a cyber-Cold War, but the social impacts are easier to imagine.

"During the first Cold War, we saw some of the greatest physicists in the world stuck on [the] opposing side of an iron curtain. Science thrives on collaboration, and separation can be devastating to overall progress," Sander said. "With some of the greatest minds in computer science spread throughout all of the major players, and bitter rivals, that would be on sides of this cyber-Cold War, the chilling effects on overall progress may be a predictable outcome."

John Bambenek, manager of threat systems at Fidelis Cybersecurity, said a cyber-Cold War could be advantageous because it would force people to prepare for cyberattacks.

"In a cyber-Cold War scenario we would be spending real time and effort in securing our systems and educating the public in the very simple things they can do to protect themselves -- patching systems, avoiding phishing," Bambenek told SearchSecurity. "The hacking of the Illinois State Board of Elections, for instance, could have been prevented by the most basic SQL injection prevention techniques. What we have now is open conflict and the time for preparation is over."

The risks of faulty cyber attribution

Cyber attribution methods recently came under fire after confusion as to who was responsible for the DNC hack, with some experts saying cyber attribution was an impossible task, while others said the key was human intelligence gathering rather than focusing too much on technical evidence, which can be spoofed.

Melancon said the cyber arms race "is a perilous path for nations to walk -- and the error-prone nature of attribution makes it even more perilous" because cyber attribution is "extremely hit or miss."

"It is unlikely you'll know exactly who the perpetrators are unless they are: careless; not very good; or really want you to know they did it," Melancon said. "Often, security investigators arrive at conclusions like, 'I really think so-and-so did it,' but most of the time the evidence is insufficient to know for sure."

Patterson said being accurate with cyber attribution is currently difficult and may even be an "impossible task."

"Attackers often bounce from one country to the next before launching an attack. Hackers purposely put comments in their code to imply a different language other than their native tongue," Patterson said. "No one wants to get caught and cybercrime makes it relatively easy to cover your tracks."

Dickson said the only way to truly confirm cyber attribution as accurate would be to reveal "certain intelligence collection sources and methods to do so."

"Recall that during the Cuban Missile Crisis -- the U.S., at the United Nations Security Council, revealed compelling photo reconnaissance evidence that the Soviet Union had deployed certain ballistic missiles in Cuba. The downside of providing this evidence was that it provided certain adversaries insight into our national photographic intelligence collection capabilities," Dickson said. "If the United States were really interested in blaming the Russians or Chinese on a particular intrusion, they would risk revealing certain intelligence sharing relationships, national capabilities, and overall context that would provide more insight for subsequent attackers."

Sander said the Cold War shows a "perfect example of what the cyber-Cold War could bring if there was an incorrect attribution.

"In 1979, NORAD nearly reacted with deadly force to a software glitch that, a bit too much like the movie War Games, mistook a simulation for a real attack," Sander said. "If an attribution makes the powers-that-be think it's an enemy attack and not some bad guys doing cybercrime, then they may go a step further than they did in 1979 and hit the big red button. One hopes that in a cyberwar the red button means letting loose cyber weapons and not nuclear devastation. But it's also good to remember that cyber systems control all our power, water, heating, and even nuclear facilities today."

Sander said even if cyber attribution could accurately identify who performed the attack, that doesn't necessarily translate to knowing if the attacker was hired by someone else.

"Pinning down the attribution of cyberattacks so you know exactly who is behind them is much more art than science right now. And often it's the art of politics," Sander said. "The trouble is that even if you get the technology parts of attribution perfectly, which is a massive challenge, you may still not know who was behind the attack. The bad guys often call in cyber contractors. If you can somehow manage to get past all the evasion and misdirection of professional cyber criminals, then you have only found the fingers on the keyboard not the mastermind."

NeSmith said, "Incorrect attribution is like pronouncing someone guilty when in fact they are innocent. It can only lead to ill will and get in the way of what's really needed, which is a productive dialogue, collaboration and a common set of rules everybody will follow."


SearchSecurity: Security Wire Daily News