Cybersecurity Review 2016: Elections, Ransom, Botnets & Lessons Learned
January 11, 2017
As computers become more pervasive in our government, our businesses, and our homes, cybersecurity crises seem to arise with alarming regularity and often in unexpected places. In particular, networking among computers and electronics is sharply on the rise, giving hackers extraordinary power to attack, compromise and control systems from afar without ever leaving their desks.
This year alone we have seen hackers wreak havoc on a national party, a presidential election, public institutions and services, consumer electronics and even basic web pages on the internet.
The events seem to blur together into a confusing haze of perpetual cybersecurity meltdown. But if we analyze exactly what makes these hacks possible — why one system gets hacked and not another — we can keep recent events in perspective and glean lessons from them that can be applied to security in our own lives.
Beginning in the summer of 2015, the Democratic National Committee’s computers were successfully penetrated by hackers, whose intrusion went unnoticed for nearly a year. The following summer, in the heat of the presidential race, a trove of emails captured from the hacked computers was published by WikiLeaks.
The emails served to undermine the DNC’s stated neutrality in the party’s nomination process, suggesting that executives may have actively undermined the campaign of Senator Bernie Sanders. The leaks led the committee chair, Debbie Wasserman Schultz, to resign just before the Democratic National Convention in July. After the convention, the committee’s CEO, CFO, and communications director also resigned.
True to its principles, WikiLeaks would not name its source. Immediately following the emails’ publication, a lone hacker calling himself Guccifer 2.0 claimed responsibility. American security experts, both public and private, agreed that the Russian government was responsible for the hack. Furthermore, they believed Guccifer 2.0 to be a disinformation campaign on Russia’s part.
In a separate hack also leaked to WikiLeaks, Clinton campaign chairman John Podesta’s personal Gmail account was compromised in March, 2016. Hackers used a phishing email made to look like a security alert that directed Podesta to their Google spoof site, where he unwittingly entered his credentials. Not only was Podesta’s entire email history immediately available to the hackers, but he would not become aware that he had been hacked for at least several weeks. While not as revealing as the DNC emails, these leaks nevertheless proved embarrassing just the same. Again, evidence and expert opinion tended to pin the blame on Russia.
The aggregate effect of the hacks was to put Clinton’s campaign on the defensive repeatedly and arguably contribute to her defeat. The most remarkable thing about the events is not the hacks themselves, which politicians concede to be all but routine, but the leak and publication of the emails. A political data breach of such scope and consequence has arguably never before been made public.
In the weeks since the election, evidence of Russia’s interference has only grown. The FBI, CIA and Director of National Intelligence James R. Clapper Jr. all agree that Russia’s efforts aimed, at least in part, to help Donald Trump win the White House.
It is important to note that although these events could be described as Russian interference in the election, there is no evidence that any actual votes were hacked. In fact, the prospects for anyone who might wish to do so are quite limited. This is because voting machines with unique security features are in various locations and would need to be hacked simultaneously — an operation that would likely take years, increasing the chances it would be discovered before damage was done.
Data Held Hostage
On Friday, November 25, 2016, the start of the busiest shopping weekend of the year, the ticketing system for San Francisco’s light rail transit network was taken offline by ransomware. Ticketing kiosks began displaying the message, “You Hacked, ALL Data Encrypted,” along with an email address to contact for the key to unlock the system. The ransom was reportedly 100 Bitcoin, worth roughly $70,000.
The trains and their safe operation were not affected. In fact, the outage proved a boon to transit riders, as the agency’s response was to allow riders aboard for free until systems were restored the following Sunday. The agency has reportedly not paid any ransom, but it has not disclosed whether it was able to completely remove the ransomware from its computers.
This is only the most recent ransomware attack on a public institution. A string of them happened in rapid succession in February, 2016. The police department in Melrose, Massachusetts fell victim to an attack after an unsuspecting user within the department opened a seemingly innocuous email that contained a virus. They quickly paid their Bitcoin ransom and suffered no permanent data loss. A hospital in Hollywood, California, and a school district in North Carolina were similarly compromised and eventually paid up.
As the hackers were never identified, the question of whether these three attacks on American public institutions were related remains unanswered. Moreover, a great many more ransoms are likely paid quickly and quietly by private firms and institutions such as law firms. We only hear about the attacks on public organizations because of their public accountability. But we know that such attacks on private entities are not uncommon.
However, some ransom demands go unpaid because the targets have comprehensive data backups and plans in place to quickly restore the hacked information. Most people are unlikely to ever hear of these attacks because they cause so little harm. No individual or business can completely eliminate the possibility that they will be exposed to malware. Nonetheless, they can ensure that their losses in such an event will be minimized.
On October 21, 2016, hackers disrupted access to dozens of popular websites by activating a virus resident on a large number of internet-connected consumer devices. You may have noticed an interruption in your ability to access Amazon.com, Netflix, CNN, The New York Times or other sites. What you probably do not realize is that you may have inadvertently taken part in the attack that caused the disruption.
The hack was a Distributed Denial of Service, or DDoS, attack. A denial of service attack involves flooding a server with requests so as to make it unable to respond in a timely fashion to its true users. A distributed denial of service attack enlists multiple internet-connected devices at disparate locations, making it very difficult to stop the attack by blocking all requests from a single computer.
A very crude version of a DDoS attack might involve coordinating hundreds of individuals to simultaneously load and reload a website that ordinarily sees little traffic at any one time. Likewise, a sudden spike in a website’s popularity can inadvertently cause it to shut down. This happens often when an obscure site is the subject of a popular post on a message board such as Reddit, as when the Canadian immigration website became unavailable on the night of the US presidential election.
The October attack, however, was neither crude nor inadvertent. The target was no ordinary website, but rather a major Domain Name System (DNS) provider called Dyn. As a DNS provider, Dyn takes a user-friendly name like “www.amazon.com” that you enter into your browser and translates it to an IP address, the numeric address that identifies a particular server on the internet. If a DNS provider cannot respond to users’ requests in a timely fashion, those users will be unable to reach the websites that depend on it, which is exactly what happened.
The agents of the attack were internet-connected consumer devices such as Wi-Fi routers, printers, security cameras, and baby monitors that had been infected with a virus known as Mirai. The infected devices, recruited in the October attack, composed a “botnet” — a group of devices subject to the control of a third-party hacker — that may have numbered in the tens of millions.
It is not unlikely, therefore, that any household full of online gadgets took part in the attack. The hijacking would in most cases go completely unnoticed by the user, because no one device has to devote itself entirely to the DDoS attack for the aggregate effect to be crippling to its target. The user might go on using their infected Wi-Fi router, blissfully unaware that the device is sending a DNS request to Dyn once per second or so.
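The per-device behaviour described above (a steady trickle of DNS queries that no user would notice) is exactly what a home or small-office network log can reveal. The following is an added example, not code from the original article or from any vendor: it parses a constructed DNS query log, counts queries per source per minute, and flags any device whose peak rate is far above what a person browsing would generate. The log format, the addresses and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format (constructed for this example): one query per line,
#   <ISO timestamp> src=<device IP> qname=<name looked up>
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+)$")


def parse_line(line):
    """Return (timestamp, source IP, queried name) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["qname"]


def per_minute_counts(lines):
    """Map each source IP to a Counter of queries per one-minute bucket."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected format
        ts, src, _ = parsed
        counts[src][ts.replace(second=0, microsecond=0)] += 1
    return counts


def peak_rate(lines):
    """Busiest minute (queries per minute) seen for each source IP."""
    return {src: max(buckets.values()) for src, buckets in per_minute_counts(lines).items()}


def flag_noisy_sources(lines, threshold=30):
    """Source IPs whose peak rate reaches the threshold (default: 30 queries/minute).

    A bot issuing one query per second reaches 60/minute; a laptop loading a few
    pages stays in the single digits. The threshold is an assumption and should be
    tuned against a baseline of the network being monitored.
    """
    return sorted(src for src, peak in peak_rate(lines).items() if peak >= threshold)


def build_sample_log():
    """Constructed sample log: two benign devices and one that queries once per second."""
    lines = []
    # Laptop at .10: a handful of lookups while reading the news.
    for sec, name in [(3, "www.nytimes.com"), (17, "static.nytimes.com"), (41, "www.cnn.com")]:
        lines.append(f"2016-10-21T11:10:{sec:02d} src=192.168.1.10 qname={name}")
    # Phone at .11: a single lookup.
    lines.append("2016-10-21T11:10:25 src=192.168.1.11 qname=api.twitter.com")
    # Camera at .20: the steady once-per-second pattern the article describes.
    for sec in range(60):
        lines.append(f"2016-10-21T11:10:{sec:02d} src=192.168.1.20 qname=www.amazon.com")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for src, peak in sorted(peak_rate(log).items()):
        print(f"{src}: peak {peak} queries/minute")
    print("flagged:", flag_noisy_sources(log))
```

A rate threshold alone can misfire on a genuinely busy machine, so in practice this check is paired with a second signal such as the ratio of queries to distinct names (a bot repeating the same lookup scores very differently from a browser loading a page full of third-party resources). The point the example makes is the one the article makes: a device contributing one query per second is invisible to its owner but is plainly visible in the router's own logs.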
The Mirai botnet attack was the largest DDoS ever. The load of malicious data directed at Dyn’s servers is estimated to be as high as 1.2 terabits per second — some 50,000 times the total bandwidth of a typical home’s internet connection. Dyn said that the attack was very complex and unlike typical DDoS events.
Hacker groups Anonymous and New World Hackers quickly claimed joint responsibility for the attack, saying it was retaliation for Ecuador’s cutting off internet access at their embassy in London, where Julian Assange has taken asylum since 2012. Assange is the founder of WikiLeaks, a darling of so-called “hacktivist” groups of politically-minded hackers. This also served to implicate Russia, accused of colluding with WikiLeaks to disrupt the US presidential election.
However, Flashpoint, a business risk intelligence firm, believes the attack was the work of amateur hackers with no political or financial motivation, but simply a desire to cause chaos for sport. The firm cites similar characteristics with past attacks known to have been perpetrated by amateurs, as well as the lack of a clear political or financial objective.
The fact that anyone from any nation-state to hacker group to loosely connected amateurs can be implicated in the largest DDoS attack in history is troubling. If such a sophisticated and disruptive attack could in fact have been achieved by amateurs, the thought of an attack by a powerful national government is truly frightening. And if it turns out that only government agents could pull off such a feat, their willingness to do so and the mystery of their motivation should cause no less concern.
These days, those who would wreak havoc with computer viruses need not even have the ability to write code. Even if a hacker has no motivation at all to cause disruption, they should have no difficulty finding someone willing to pay for the ability to do so. In fact, about a month after the Dyn attacks, two hackers advertised a Mirai botnet of their own which they made available for rent by anyone with a target in mind and cash (that is, bitcoin) in hand.
The hackers appear to be the same ones behind past successful hacks of large US companies, and they claim to have a botnet numbering at least 400,000 Mirai-infected devices at their disposal. They also claim to have made significant improvements to the original Mirai code, making it more difficult to detect. Clients can rent 50,000 of the bots for two weeks for a cost around three to four thousand dollars — likely too pricey for an individual who simply wants to cause destruction, but affordable for motivated organizations with an ulterior motive.
If you notice a common thread in all these hacks, it might be “low-hanging fruit.” Given the scale and consequence of these hacks, it is easy to forget that in most cases they do not start with a supercomputer or a super-genius overcoming some seemingly impenetrable wall of security. Instead, they tend to rely on that weakest of links: humans. Podesta’s lack of skepticism about an email that seemed to come from Google let his email get hacked. Employees at private and public organizations consistently fall prey to similar scams. And consumers’ unwillingness to change their new gadgets’ passwords (or their unawareness of the importance of doing so) lets hackers control millions of devices at will.
Don't be an easy target
For all the sophistication of various methods of hacking, the ordinary password remains the cornerstone of cybersecurity. A bad password is the weakest link in most security chains, and a strong password is enough for practical defense for the layman. The Mirai malware, though a marvel of ingenious coding, nevertheless depends entirely on factory-default or otherwise easily guessable passwords.
So what can you do to protect yourself? Make your passwords longer, do not use the same password twice and do not use dictionary words. Use a password manager like LastPass, Keeper or 1Password. Enable two-factor authentication for sensitive logins. When you buy a new internet-connected device, immediately change the default password. Implement and stick closely to a comprehensive data backup plan so that if you fall victim to ransomware, you have a real choice whether to pay up.
Watch out for phishing emails. They look like emails from entities you trust, but they contain links to malicious sites. If an email looks suspicious, do not click on anything in it. Only log into a sensitive website after typing in the URL yourself or clicking on a bookmark you created. Look for security icons next to URLs in your address bar. Finally, talk about cybersecurity and share these tips with employees and colleagues.
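The phishing pattern above, an email styled as a security alert whose link leads somewhere other than the site it appears to name, can be checked mechanically before anyone clicks. This is an added example, not code from the original article: it extracts the links from an HTML email body, compares the host each link visibly shows with the host it actually points to, checks that the real host belongs to the sender's known domains, and notes links that are not HTTPS. The sample message, the trusted-domain list and the lookalike host under example.net are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches visible text that looks like a URL or bare domain; plain words do not match.
URLISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


def host_of(text):
    """Hostname shown in link text, lowercased, or None if the text is not URL-like."""
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else None


def is_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_links(html, trusted_domains):
    """Return [(href, [reasons])] for every link that fails a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        parsed = urlparse(href)
        href_host = parsed.hostname.lower() if parsed.hostname else None
        if href_host is None:
            reasons.append("link has no recognisable host")
        else:
            if not any(is_under(href_host, d) for d in trusted_domains):
                reasons.append(f"link host {href_host} is outside the sender's domains")
            text_host = host_of(text)
            if text_host and text_host != href_host:
                reasons.append(f"visible text shows {text_host} but link goes to {href_host}")
            if parsed.scheme != "https":
                reasons.append("link is not https")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a fake "security alert" whose first link shows one address
# and leads to another; the second link is a genuine one for comparison.
SAMPLE_EMAIL = """\
<p>Someone has your password. Review your account now:</p>
<a href="http://accounts-google.example.net/reset">https://accounts.google.com/signin</a>
<p>Or visit <a href="https://myaccount.google.com/security">Google Account security</a>.</p>
"""
TRUSTED = ["google.com"]  # assumed domains for a message claiming to come from Google


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL, TRUSTED):
        print(href)
        for r in reasons:
            print("  -", r)
```

The text-versus-target comparison is the one that catches the message described in the article, since a user reads the visible address and never sees the real one; the domain check matters because a lookalike name can be made to appear in both places. Neither replaces the advice to type the address yourself or use your own bookmark, but either is enough to stop a message for a second look.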
Do not be the low-hanging fruit. A determined hacker will always be able to find an attractive and penetrable target. But it does not have to be you or your firm.