If you have followed security related happenings in 2016, a few must have caught your attention. You've probably heard about the biggest disruption of the internet services across the globe caused by the DDoS attack on Dyn.
While it is easy to analyze the aftermath of such a situation, it can only serve as a good reminder of how truly vulnerable we are, and how we must invest more into security all around. On the other hand, targeted security breaches happened in healthcare as well as government departments, meaning that not only private property is affected. We will examine most of those security breaches in detail later, but for now, let's start with why breaches happen.
An interesting question?
What do you think, what is the most affected type of data? Judging by the movies and James Bond installments, the most typical guess is financial data. Wrong. The answer is identity theft, meaning that the most commonly targets for hacking are mailing services or social networks, where large amounts of personal info can be scrapped and replicated in order to steal your identity, and later on, your money.
The usual targets are big companies, that aggregate large amounts of information about their users (like Yahoo), and while the percentage of targeted individual security breaches is low, it can happen, so smaller businesses should take care of their personal info by implementing business dashboards and other security alerting features. Taking safety precautions is not only necessary, but presents a moral priority, especially if your online bases have personal info about you and your employees.
Why is DDoS on Dyn important?
The reason is twofold and both sides must be examined in great detail before we can draw good conclusions.
1. The DDoS on Dyn showed the lack of security in IoT (internet of things) devices that are becoming more and more popular and in use every day. The connection to the internet is now a much wider privilege for household appliances than it was only a few years ago, when the only things that had access were phones and tablets with Wi-Fi modules, and laptops and desktop PCs.
Nowadays, a connection to the internet can be established even with an ordinary light bulb, not to mention your TV, fridge, or coffee maker. While all of this proves to be quite convenient for users, especially as IoT promises an integrated experience both at home and at work, the security of those devices (mostly produced in China) is, in lack of a better term, poor or completely non-existent.
While the DDoS attack on Dyn was indeed done by botnets (computers infected by malware), the interesting fact here is that those computers were all actually IoT devices, ranging from digital cameras to DVR players and even internet routers themselves – which is a shift from the previous standard of infecting personal PCs on a global scale, so that they can execute their attract strategy at a precisely defined moment.
This asks an important questions: How safe are the cheap, unnoticeable IoT devices around us?
2. While the DDoS attack is a simple brute force attack, it still is quite difficult of fend off, especially if you do not want to endanger an innocent passerby, i.e. an internet user. In this case, what is interesting is that the target wasn't a particular website, or a database, but an internet service DNS (domain name service).
Let's explain it like this; when you want to call your friend John, you need to open a telephone book and find his number – the chances of you remembering his phone number are quite small, especially now that numbers are much longer, and you have much more friends. Now, imagine that your telephone book was suddenly hidden behind a long queue of people trying to do the same thing. Most of those people are bots that we mentioned, but still, you cannot get your turn because of them. Because of this, you cannot call John, and a connection cannot be established. (in our case: your browser converts from the address you type in via the dedicated DNS to the actual IP address of the physical server where that website is located). This attack caused you do lose access to popular (and giant) websites like Twitter, Paypal and Netflix, and it showed a simple, yet genius flaw – you do not need to destroy a house, you can simply destroy the roads leading to it.
Because of this, we have another question: How vulnerable is the backbone of the Internet itself?
The Lessons of Yahoo!
The latest theft that that Yahoo disclosed on December 15, 2016 states that an unauthorized third party stole personal user data from more than 1 billion accounts. They say that not all the information was properly encrypted and that they had access to names, birthdays, emails, passwords and security questions, but not to financial data. The aftermath included the company sending emails notifying users to change passwords, while experts suggested that people who think they might have used the same password on some other service should change them immediately.
This is viewed as one of the biggest online security breaches in the history of the Internet, and many suggest that this is due Yahoo's lack of attention to security. While we can say that this breach is done and gone, it leaves potential of something more sinister.
The Threat of Social Engineering Hacking
Now that someone has your name, birthday, security questions and answers such as your first pet and your favorite teacher (questions that are very similar across different websites), in addition to your phone number and image, someone can easily steal your identity. From now on, someone using that data can present themselves to your friends, and ask for additional info, or even, well, ask your friends for money. Or, they could simply use the same password on another website, and trying to gain access (the chances of an average user having a different, strong password on each website are quite slim).
How to Secure Yourself
Trying to stay secure should be everyone's priority online, and using different, strong passwords is offered as the best kind of protection. If you are a business owner, and you are scared about your company's security, either hire an expert that can evaluate the risk, or invest into some security solutions or a website business dashboard that will give you all the information you might need. Just keep a clear head, use safe practices, and your online data will be secure.