Experts: Everyday internet-ready devices susceptible to cyberattacks

Experts: Everyday internet-ready devices susceptible to cyberattacks

Updated 55 minutes ago

A recent massive computer hacking incident that blocked traffic to many popular online sites offered just a taste of how bad future attacks could be, a top national cybersecurity expert said Wednesday in Pittsburgh.

Computer criminals turned ordinary Internet-connected devices into a weapon, called a denial of service attack, that prevented users from reaching popular sites such as Twitter, CNN and Spotify, among many others.

With the so-called “Internet of things,” in which basic items such as lightbulbs, refrigerators and coffeemakers are online, hackers have so many more opportunities for attacking victims, said Matt LaVigna, interim president and CEO of the National Cyber-Forensics & Training Alliance. The Second Avenue nonprofit brings together government and corporate computer security experts to track online threats.

“Nobody’s thinking about security, and this is a big wake-up call,” LaVigna said. “Even the actors that claimed to have perpetrated it have said that this is just a taste of what’s possible, which is true. It’s absolutely just a taste. There are so many things connected to the Internet now that, one, don’t need to be, and that, two, are manufactured and nobody is speaking up to say there should be security in this.”

LaVigna joined two federal cybersecurity officials from Pittsburgh for a panel discussion hosted by the World Affairs Council of Pittsburgh at The Rivers Club, Downtown. Moderated by Andrew Conte, the panelists addressed a wide variety of computer security topics but spent several minutes talking about the most-recent high-profile incident.

Unidentified computer hackers Friday targeted Dyn, a New Hampshire company that manages a key piece of internet infrastructure known as a DNS server. The server takes words users submit to access the internet, such as www.triblive.com , and connects them to the website’s real, numeric address.

A Chinese maker of surveillance cameras has since acknowledged that its devices and technology had been corrupted to launch the attack. The problem with having so many ordinary devices online is that few people will take the time to update software against vulnerabilities as they are discovered, said Keith Mularski, supervisory special agent in charge of the cyber squad at the FBI’s Pittsburgh field office.

A similar problem exists with computers still using out-of-date Microsoft operating systems, but it could become exasperated with household items as they begin to age.

“With your (Internet-ready) refrigerator, who’s taking the time right now to update something that’s 20 years old?” he said. “So that’s going to make it vulnerable, and that’s going to make it an issue as we’re going forward that absolutely is going to need to be addressed.”

If even a refrigerator gets hacked, that’s a federal crime, said James Kitchen, a national security cyber specialist in the office of the U.S. attorney for Western Pennsylvania. That idea once seemed absurd, but federal prosecutors have a broad definition of what constitutes a computer, and it includes many everyday gadgets, he said.

“What this case illustrates is that just because it doesn’t have a screen and a keyboard, that doesn’t mean it’s not a computer,” Kitchen said. “As far as whether it’s your (fitness tracker) or whether it’s your refrigerator, those are all computers, and they all connect back to the Internet, and because they do that, they function in many of the same ways.”

From a security perspective, the growing volume of machines creates a challenge, Kitchen said.

But from an investigative standpoint, they all link back to some central controlling system and could leave important clues.

Ultimately, the federal government might need to regulate computer safety requirements for devices sold in the United States, LaVigna said. No one is calling for that kind of intervention yet because the pain hasn’t gotten bad enough, he added.

“Nobody is standing up and saying, ‘Enough is enough. We’ve lost enough money or companies have lost enough money. All of our information has been hacked. Stop,’ ” LaVigna said. “Nobody’s saying that yet because it hasn’t gotten bad enough. That means the train wreck is still out there yet to come to make us say that.”

Andrew Conte is a Tribune-Review contributing writer and the director of the Center for Media Innovation at Point Park University.

TribLive commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments — either by the same reader or different readers.

We follow the same standards for taste as the daily newspaper. A few things we won’t tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don’t include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don’t want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won’t publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.