By Gerard Best
PHILIPSBURG, St Maarten—Keep it secret. And make sure it’s safe.
Don’t use your real name, your birth date, or any single word. Instead, try a short phrase that includes some numerals and even some punctuation.
Devising secure passwords for your online accounts and your family’s Internet-connected devices is simple enough, if you follow a few easy guidelines like these. But most people just don’t.
And a major attack on a little-known company underscores how much of the security of the global Internet now depends on that unwitting majority of ordinary Internet users. On October 21, a distributed denial-of-service, or DDoS, attack brought down a relatively obscure US-based firm called Dyn. Such attacks are fairly common, and they use huge networks of malware-infected devices, called botnets, to bring down a specific service.
What made the DDoS attack on Dyn more troubling was that it set a dangerous precedent. Dyn provides domain name system, or DNS, services, which support part of the critical infrastructure underlying the global Internet. By targeting companies that make up the backbone of the Internet, hackers can bring down all kinds of other services.
Also disturbing is the fact that the hackers used networks of common smart devices, like watches, TVs and refrigerators, to cause the major disruption. Analysts have linked the attack to the Mirai malware, which turns Internet of Things, or IoT, devices into botnets. The Mirai source code was released on hacking websites in October.
Analysts are also linking the Dyn attack to others that took place within a five-week span, each larger than the previous, and all using Mirai. On September 20, a 660 Gbps attack was launched on the KrebsOnSecurity blog. A 1 Tbps attack was also launched on French hosting provider OVH on the same day.
“In the last two years, we’ve had multiple attacks, and the most recent attacks are using IoT devices,” said Mark Kosters, Chief Technology Officer of the American Registry of Internet Numbers, the organisation that provides number resource allocation and registration services for North America and parts of the Caribbean.
He explained that smart devices present an easy target for hackers to turn into botnets because users typically fail to secure them properly.
“A lot of the devices are vulnerable. It means that more and more homes are very quietly becoming potential sites of DDoS attacks,” he said.
“Now, we all have to make sure that all of those devices that we have around the house are secure.”
As smart devices proliferate, it will become easier for hackers to launch significant cyber attacks using unsecured IoT devices, unless ordinary end-users become more security-conscious. When it comes to cyber security, it turns out personal choices can have global consequences. And for the foreseeable future, it is the network of human beings who will have to keep the Internet of Things safe.
The ARIN CTO was speaking on the second day of a technology conference jointly held by the Caribbean Network Operators Group and the Internet Corporation for Assigned Names and Numbers (ICANN) in Philipsburg, Sint Maarten from October 24 to 26.
He co-presented with Carlos Martinez, Chief Technology Officer of the Latin America and Caribbean Internet Addresses Registry (LACNIC), ARIN’s counterpart in the Caribbean, Central and South America.
Also presenting on the technical, social and policy aspects of cyber security issues facing the Caribbean region were CaribNOG co-founder Bevil Wooding, an Internet Strategist with Packet Clearing House; Albert Daniels, ICANN Senior Manager for Stakeholder Engagement in the Caribbean; and Shernon Osepa, Regional Affairs Manager for Latin America and the Caribbean at the Internet Society (ISOC).
Supported by the Caribbean Telecommunications Union, Packet Clearing House and ArkiTechs, the event was part of Internet Week Sint Maarten, a five-day conference coordinated by the St Maarten telecommunications regulator, BTP, and focused on developing the Caribbean Internet. The week ended with Sint Maarten on the Move, a two-day event jointly hosted by LACNIC and ISOC.