News analysis

Why the latest Net attack should scare you

Taking down a large chunk of the Internet is well within the grasp of small criminal groups and other ordinary actors

PHOTO: BLOOMBERG

SAN FRANCISCO • Millions of Internet users lost access to some of the world's most popular websites last Friday, as hackers hammered servers along the United States East Coast with phony traffic until they crashed, then moved westward.

A global attack on one provider of domain name system (DNS) services, Dyn, took down sites, including Twitter, Spotify, Reddit, CNN, Etsy and The New York Times, for long stretches of time - from New York to Los Angeles.

NBC reported that a senior intelligence official told the network that the hack "does not appear at this point to be any kind of state-sponsored or directed attack".

It may be that new evidence emerges that leads the US intelligence community to change its opinion and identify a major state as a responsible party.

However, the scarier possibility is that it was not a state that did it, and here is why.


ATTACK TARGETED THE DNS

The Internet relies on a complicated mix of systems and protocols to work. Last Friday's attack targeted a key aspect of the Internet - the DNS.

Every time your desktop or phone browser asks to load a Web page, specialised servers need to turn the Web address into a series of numbers - the Internet Protocol (IP) address - to figure out where the request ought to be sent.

The company that was attacked last Friday runs part of the DNS. The hackers sent so many requests to its domain name servers that they were overwhelmed.

This kind of attack is called a distributed denial of service attack, or DDoS attack. It used to be thought of as a relatively unsophisticated instrument, and many forms of DDoS can be easily repelled once the target of the attack realises what is going on.

THESE KINDS OF ATTACKS HAVE ESCALATED

Unfortunately, such attacks have escalated dramatically over time. The problem started with unsecured computers.

Many people are bad at keeping their computer operating systems updated, with the result that their computers have been quietly subverted and made part of "botnets" made up of thousands of enslaved machines.

These computers can then be turned against a target system, repeatedly bombarding it with demands until it is effectively taken off the Internet.

Criminals have herded botnets to blackmail the owners of gambling websites by threatening to keep them offline with DDoS attacks until a ransom is paid.

Recently, however, the stakes have escalated.

What is called the "Internet of Things" - the many consumer products connected to the Internet - has created opportunities for botnet herders because these products tend to be badly secured and are usually never updated.

ANYONE COULD BE RESPONSIBLE

It used to be that only states had the firepower to mount really dramatic attacks like this.

Other kinds of cyber attacks - such as the attack the US and Israel reportedly mounted on the Iranian nuclear programme - require bespoke skills and customisation and are out of the reach of all but sophisticated nation-states.

But taking down a large chunk of the Internet, as last Friday's attack apparently did, is well within the grasp of small criminal groups and other ordinary actors.

Many of the techniques used to identify the perpetrators of cyber attacks rely on "fingerprints" in the computer code underlying the attack. Such identification techniques will be harder to use against DDoS attacks like this one, which deploy code that is widely available and hence impossible to attribute to any particular actor.

This might tempt states as well as non-state actors to use this system to mount DDoS attacks in the belief that others will likely be blamed.

UNDERLYING PROBLEM TOUGH TO SOLVE

These attacks are likely to continue - and get worse - as long as more devices are released that can be subverted and enslaved by botnets.

Unfortunately, as prominent security expert Bruce Schneier argues, that is going to keep on happening. The producers of buggy and insecure cameras and the like have no incentive to improve them, since no one can sue them for the side effects of their carelessness.

Product users have no reason to care either. Mr Schneier suggests we might at least begin to address the issue by regulating manufacturers or by making it possible for victims of attacks to sue them.

This is, as he certainly knows, unlikely under current political circumstances. The business community has resisted such mandates and rights for decades and almost certainly still has enough political clout to continue to resist.

BLOOMBERG, WASHINGTON POST


A version of this article appeared in the print edition of The Sunday Times on October 23, 2016, with the headline Why the latest Net attack should scare you.