From Downdetector, areas experiencing major interruptions in major online services as of 10:20 Saturday:
The attack is exploiting employing all those much-hyped devices like thermostats, refrigerators, baby monitors, security cameras, and other appliances devices connected to the so-called ‘Internet of Things” [IoT].
From the Guardian:
Among the sites targeted on Friday were Twitter, Paypal and Spotify. All were customers of Dyn, an infrastructure company in New Hampshire in the US that acts as a switchboard for internet traffic.
Outages were intermittent and varied by geography, but reportedly began in the eastern US before spreading to other parts of the country and Europe.
Users complained they could not reach dozens of internet destinations, including Mashable, CNN, the New York Times, the Wall Street Journal, Yelp and some businesses hosted by Amazon.
Hackers used hundreds of thousands of internet-connected devices that had previously been infected with a malicious code – known as a “botnet” or, jokingly, a “zombie army” – to force an especially potent distributed denial of service (DDoS) attack.
More from BBC News:
Security firm Flashpoint said it had confirmed that the attack used “botnets” infected with the “Mirai” malware.
Many of the devices involved come from Chinese manufacturers, with easy-to-guess usernames and passwords that cannot be changed by the user – a vulnerability which the malware exploits.
“Mirai scours the Web for IoT (Internet of Things) devices protected by little more than factory-default usernames and passwords,” explained cybersecurity expert Brian Krebs, “and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”
The owner of the device would generally have no way of knowing that it had been compromised to use in an attack, he wrote.
Defense against I0T attacks? Think again. . .
There are few avenues open for owners of I0T-connected devices to protect them from similar intrusions in the future, as Michael DeCesare reports for TechCrunch:
Early government and commercial efforts have focused on how manufacturers can build better security into devices. But this is problematic for a couple reasons, not the least of which is that IoT devices cannot run traditional
But this is problematic for a couple reasons, not the least of which is that IoT devices cannot run traditional cyber security software.
As a result, there are fewer “tools in the shed” to protect the IoT than there are for computers that run traditional operating systems. Some IoT devices can be patched, others can’t. For the device that can be patched, this is a very manual process and not something that is routinely done.
What’s the answer here? As with everything with cybersecurity, there is no silver bullet. Even when it comes to IoT, we have to remember one of the fundamental tenets of this field: defense in depth. Moving beyond the acknowledged need to be better at patching devices, we must then ask if devices are protected by a robust perimeter security solution and are continuously monitored for suspicious behavior.
Welcome to the future, folks.