Letter from America: What the DDoS Hack Means to You

31.10.16

As my boss for many years used to say when I requested project approval for something a bit outside the norm: Be careful what you ask for; it may just come true. Last week, the custom integration industry did get the news coverage we’ve always been asking for, but it wasn’t quite for what we would have liked.

I’m referring to the Distributed Denial of Service (DDoS) attack that took down quite a few US-based streaming entertainment, web commerce and news sites, including Netflix, Twitter, SoundCloud, Hulu, HBO, and PayPal. Where this impacts us is that one of the probable sources used to launch the attack was web-connected devices. Most notably, they were said to be “white label” cameras from a single Chinese OEM manufacturer, sold under a variety of brands, but other connected home products may well have contributed to this.

The event, itself, is bad enough. However, what is worse was the extensive worldwide news coverage that prominently featured shots of the devices we sell, install and maintain. Indeed, I used a connected Roku to view some of the international coverage on SkyNews and the BBC. Cameras, thermostats, DVRs, streaming music players were all, by inference, implicated.

Yes, IoT/Connected products were used, but let’s turn this to our collective advantage. First, it’s clear that you need to know the facts and then communicate them to your clients:

  • The IoT devices were not “taken over” in a way that a renegade could control someone’s house.
  • Rather, a defect in the affected products was used to swamp a DNS service. That is a “Domain Name Server” company which many websites use to translate the web site name (e.g., Hiddenwires.co.uk) typed into a browser into the actual IP address of the site (e.g., 81.21.76.62), which is where the browser is pointed to access the site.
  • The huge amount of incoming traffic swamped the servers at the DNS company, DYN, crashed them, and thus made it impossible to reach the address (URL) that was typed into a browser.
  • So, as an expert on these matters offered during a panel on OTT content distribution at last month’s SMPTE Conference, it was “…more of a clog than a hack…”. In other words, if you put too much pressure through a pipe, it will burst; if you draw too much current through a wire it will overload, pop a breaker, and then the lights will go out.
  • The message to your clients: “Yes, there are potential security issues with any device or computer connected to the internet, but this was NOT a situation where emails could be stolen or security compromised.”
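The “clog” described above shows up on the home side as a device sending far more lookups than it should. The script below is an added example, not from the original article or from any vendor: it reads a constructed, assumed flow-log format (timestamp, source IP, destination IP, destination port, bytes), counts per-device DNS traffic in fixed windows, and flags devices whose query volume is out of line with a normal thermostat or camera.

```python
from collections import defaultdict

def parse_flow(line):
    """Split one flow-log line (assumed format, not a real vendor's) into fields."""
    ts, src, dst, port, nbytes = line.split()
    return int(ts), src, dst, int(port), int(nbytes)

def dns_query_rates(log_text, window_seconds=60):
    """Return {src_ip: highest number of port-53 flows seen in any window}."""
    buckets = defaultdict(lambda: defaultdict(int))  # src -> window index -> count
    for line in log_text.strip().splitlines():
        ts, src, _dst, port, _nbytes = parse_flow(line)
        if port == 53:
            buckets[src][ts // window_seconds] += 1
    return {src: max(windows.values()) for src, windows in buckets.items()}

def flag_suspect_devices(log_text, threshold=100, window_seconds=60):
    """Source IPs that exceed `threshold` DNS flows in a single window."""
    rates = dns_query_rates(log_text, window_seconds)
    return sorted(src for src, n in rates.items() if n > threshold)

def _constructed_log():
    """Build a constructed sample: one quiet thermostat, one device flooding resolvers."""
    base = 1477000020  # arbitrary epoch, aligned to a minute boundary
    lines = []
    # Thermostat (.20): a few lookups plus ordinary HTTPS traffic over a minute.
    for i in range(5):
        lines.append(f"{base + i * 10} 192.168.1.20 8.8.8.8 53 78")
        lines.append(f"{base + i * 10 + 1} 192.168.1.20 203.0.113.10 443 1420")
    # Camera (.31): 300 DNS flows in the same minute, split across two resolvers.
    for i in range(300):
        resolver = "8.8.8.8" if i % 2 else "1.1.1.1"
        lines.append(f"{base + i // 5} 192.168.1.31 {resolver} 53 64")
    return "\n".join(lines)

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, n in sorted(dns_query_rates(SAMPLE_LOG).items()):
        print(f"{src}: peak {n} DNS flows/minute")
    print("suspect devices:", flag_suspect_devices(SAMPLE_LOG))
```

Real router or firewall exports will need their own parser in place of `parse_flow`, and the threshold should be set from a baseline of the installation’s normal traffic.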

That messaging may help assuage fears, but the explanation, alone, is not enough. The reason? Even if you do a credible job in explaining what just happened, you have a much more important task. Given the concern that the news coverage has likely generated, you need to tell your customer base what they can do to maintain security for their own systems and devices. A week out from the DDoS attack the consensus is not that it was the work of a foreign state, but rather the work of “amateur hackers” who simply wanted to prove they could do this or get revenge against sites they did not like. They can strike where and when they wish.

No one can totally prevent this sort of thing from happening again, and make no mistake about it, it will almost certainly happen again. However, there are things that can be done to prevent or minimise future damage and the task is to be prepared to do them, and get across the message that your firm is the group to do it.

What to do? What to suggest? Some of this is easy and to a certain extent, obvious. Not just for defense against hacks and the infiltrations that can cause a DDoS attack or worse, but for the day-in, day-out security every device and every system should have. The most obvious is that whenever there is a default password for any device, CHANGE IT, and make it something the client can remember but which is not obvious to outsiders. Where there is an SSID beacon, turn it off.

Hey, “I can do that myself”, they might say. Perhaps they can, but do they really want to? Convey the message that there is much more than that to create secure, hardened systems. That’s where you come in. Explain that you can do more than the obvious and create value for your services. Show what you can do that the client may not know about, or have the time, energy or skill to do.

For example, make certain that, whenever possible, any connected device is upgradeable, and that the manufacturer does, indeed, issue updates. Work with brand-name and, when possible, “enterprise-grade” products in every category. Test them in the shop before you recommend them so that your clients and prospects have confidence in what you provision.

Next, create a guest network for each installation. Just as virtually all business and public places do, use the settings in your access point for a separate Wi-Fi path. That way you don’t have to give out the credentials that let friends, relatives or visitors use the home’s secure network and gain access to personal files.

Along with that, a bit of education is in order. Not only should the password for broadband access be unique and secure (no more “ABCD” or the address, etc.), the same should hold true for ANY connected device in the home. Similarly, remind clients to periodically change the passwords for any on-line accounts, particularly those for sensitive financial and medical-related sites. Some sites do that automatically. If not, why not send an email blast to your customer base every 90 days with a reminder to do so?

Part of your client outreach should be to teach them the value of two-factor authentication. While not directly a part of the DDoS attack, the ills that two-factor immunises an account against are something you should explain, and help establish where applicable.

Demonstrate what you can do that they might not even know about, or have the knowledge and skill to do. For example, explain that forwarding from open ports is another suspect in the DDoS debacle. In your “security sweep” make certain that there are no open ports on routers or switches. Even that is not foolproof. Create a plan to either use a VPN for tunnelling of outside device communication, or use the similar built-in features vendors such as Control4 provide. The value there is clear and provable. I’ll bet many of your clients are familiar with VPN for their corporate email and file access systems. That should make it easy to explain and sell it.

That takes us back to the central point. Your clients are familiar with the VPN and other security systems at work or in their professional life. They are used to remote access for IP issues when they call the corporate help desk. That is a natural rationale to pitch what you do. If you don’t already offer managed IP services you are missing the boat. If you don’t offer periodic “security checkups” you are also leaving business on the table.

More importantly, establish that IoT and connected devices are valuable but come with some risks. You can minimise the possibility of them compromising an installation with upfront, “before the fact” services and advice, while at the same time acting quickly to fix any holes and repair any damage when there is a problem.

Yes, the news coverage of the recent DDoS attack may not have been the type of thing you would have wished for, but unfortunately, we all got it. While the damage is certainly not what anyone would have wished for, let’s turn the incident around. Consider it a message to help make the individual systems you are responsible for more secure. By extension, that makes everyone’s network and internet use safer and more secure.

Along with that, communicate the value of the professionally installed, managed devices, networks and systems you provide. That makes this a win for your business in a way that makes things a bit better for all.

Michael Heiss is a technology consultant and journalist, CEDIA Fellow, CEDIA ESC 2 Certified, and US correspondent for HiddenWires magazine. You can contact Michael via the HiddenWires LinkedIn Group. Follow him on Twitter: @captnvid.