With help from Eric Geller, Martin Matishak, Darren Samuelsohn and Li Zhou
DNS UNDER DURESS — Friday’s massive, multi-part attack on the domain name system provider Dyn brought into stark relief the importance and fragility of the internet’s directory system, heightening fears that highly disruptive DDoS attacks will become more common. The digital assault — which relied on armies of secretly infected devices flooding Dyn’s servers with gibberish requests to look up non-existent URLs — disrupted access to Twitter, Spotify, The New York Times and other major websites before Dyn resolved its routing issues around 6 p.m. EST. Cloud-hosting titan Amazon Web Services, which partly relied on Dyn’s DNS, also experienced outages. “This shows how interconnected all of the different parts of the internet are,” Matthew Prince, the CEO of major DNS provider Cloudflare, told MC as the attack continued. “When you have something that is as critical a piece of infrastructure as one of the largest DNS providers, and they get impacted by an attack, it has spillover consequences even sometimes to people who might not be direct customers of that provider.”
It’s still unclear who orchestrated the DDoS attack, though U.S. officials apparently believe it was vandalism rather than a state-sponsored operation. WikiLeaks supporters have claimed credit for the digital siege, vowing it was retaliation for the Ecuadorian government’s decision to cut off WikiLeaks founder Julian Assange’s internet, but numerous security firms have cast doubt on these boasts. The central lesson of the incident — aside from the inherent fragility of the internet — seems to be that the toasters, DVRs and webcams that make up the Internet of Things are dangerously insecure. The flood of malicious traffic aimed at Dyn came from Internet of Things devices that had been secretly infected with malware, turned into so-called “botnets” and programmed to respond to remote commands. Some percentage of the famous Mirai botnet — best known for record-breaking DDoS attacks on journalist Brian Krebs and cloud hosting company OVH — participated in the attack on Dyn. “This attack wasn’t notable for the volume of traffic so much as it was for the distributed nature of the attack vector,” Dyn’s general counsel, Dave Allen, told reporters.
There is speculation that Dyn’s attackers were testing the waters for something more destructive. Last month, security researcher Bruce Schneier revealed that unknown parties were “probing the defenses of the companies that run critical pieces of the Internet.” Experts are hoping that the headline-grabbing nature of Friday’s DDoS attack prompts a serious discussion of how to better secure the Internet of Things. House Energy and Commerce Committee Chairman Fred Upton, who would play a key role in any legislative effort, said in a statement, “We’re closely monitoring the situation and will continue exploring strategies and developing protections to mitigate the impact these types of attacks have on our networks.” Rep. Jerry McNerney, a member of the committee’s technology subcommittee, added that it was “urgent for Congress to examine this issue.” While things seem to have quieted down for Dyn, there’s no reason why another major attack on it or one of its few competitors couldn’t start tomorrow. “After what had actually been a pretty quiet last year in terms of the scale of attacks, it does seem like these very large-scale attacks are starting to happen again,” said Cloudflare’s Prince. “And unfortunately, it doesn’t take a lot of sophistication to launch one of these attacks.”
HAPPY MONDAY and welcome to Morning Cybersecurity! The new “Black Mirror” episodes haven’t disappointed, in the opinion of your MC host. Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.
SOPA VERSUS DDOS — Rep. Marsha Blackburn suggested over the weekend that the Stop Online Piracy Act might have helped prevent Friday’s DDoS attack, an idea immediately greeted with skepticism. “A few years ago, we tried to do a bill called SOPA in the House which required the [internet service providers] to [do] some governance on these networks and to block some of the bad actors,” she said on CNN. More obviously related was her suggestion about the inability to pass a data security standards and notification bill (she sponsors one version of the legislation) and her advice about cyber hygiene.
TO PRIVATE SERVER, OR NOT TO PRIVATE SERVER — One of Donald Trump’s earliest supporters in Congress made a strange claim late last week as he discussed the hacking of Hillary Clinton campaign chairman John Podesta’s personal email account. Raising the possibility that the breach occurred because someone “hacked into a server,” Yoho told CNN’s Wolf Blitzer, “I can’t think of a more vulnerable server than the one Mrs. Clinton had in an unsecured location, that had top-secret information on it.” When Blitzer pointed out that Podesta had used Gmail, Yoho replied, “Yeah, I know that. But you don’t know what the legs are, the web that’s created, from one server to the next. I don’t think the computer scientists know all that. There’s interlocking mechanisms and routing numbers and all that.” In reality, security experts said, Podesta accidentally gave the hackers his login information by typing it into a fake Google login page.
TRUMP ENVISIONS CYBER ACTION IN FIRST 100 DAYS — Donald Trump said over the weekend that, if he is elected president, he would work with lawmakers on a national security bill that would address cybersecurity during his first 100 days in office. The Republican nominee used a speech in Gettysburg, Pa., to announce a “Contract with the American Voter” outlining a “100-day action plan.” The so-called Restoring National Security Act would, among other things, overhaul the Veterans Affairs Department healthcare system, increase military spending and “[protect] our vital infrastructure from cyberattacks.” The promise aligns with Trump’s previous commitment to improve the security of critical infrastructure facilities like power plants and hospitals. In a Sept. 7 fact sheet, Trump’s campaign said that one of his “first commands” upon taking office would be to ask the Joint Chiefs of Staff and the Cabinet “to conduct a thorough review of United States cyber defenses and identify all vulnerabilities — in our power grid, our communications systems and all vital infrastructure.”
— AND HE DINGED CLINTON FOR CYBER HYPOCRISY: Trump on Friday also picked on Clinton over a news story about her time at the State Department. “VERY IRONIC: ‘In 2010 video, Clinton lectured underlings on cybersecurity and guarding ‘sensitive information,’” Trump tweeted. In the video, Clinton said: “I think this is a responsibility we all share as Americans, but as State Department employees, we have a special duty to guard ourselves and our sensitive information. Potential hackers use all kinds of strategies to exploit cyber vulnerabilities and to penetrate the department’s systems.”
HINDSIGHT IS 20/20 — Amid the thousands of John Podesta emails WikiLeaks has dumped online, one that caught our eye came from Teddy Goff. In March 2015, Goff, today the Clinton campaign’s top digital strategist, offered Podesta to handle cybersecurity meetings for the campaign with Israeli high-tech CEOs “that have developed some incredible technologies that can be of great help to an eventual campaign.” Podesta replied, “Happy to take these meetings if helpful. I trust they will be in the United States … ” Another exchange touched on the Sony hack.
** A message from RSA: As more attacks on government systems are revealed, concerns multiply that a storm of security incidents could rain down on Election Day. Find out how our democracy became vulnerable to cyberattacks and protect your organization with a free trial of RSA SecurID Access, the world’s leading multifactor authentication solution. **
CYBERSECURITY IN THE ZEITGEIST — In another sign that cybersecurity is on everyone’s mind these days, this weekend’s “Saturday Night Live” featured not one, but two, cyber-centric jokes. The first came during the cold open — which mocked the latest presidential debate — with a question about WikiLeaks. Kate McKinnon, who portrays Hillary Clinton, dodged the question. “So you’re just never going to answer questions about your emails?” asked Tom Hanks, playing a faux Chris Wallace. “No, but it was very cute to watch you try,” McKinnon responded.
Cast member Leslie Jones then sat behind the “Weekend Update” desk to talk about her hack over the summer, when digital trolls stole and publicly posted nude photos of her. “I don’t know if you all know this, but I ain’t shy,” she joked. “If you want to see Leslie Jones naked, just ask. Just ask!” Jones later added: “Real trolls aren’t tapping on keyboards, they’re swinging shovels.”
TWEET OF THE DAY — Nobody ever DDoSed the ancient Egyptians.
RECENTLY ON PRO CYBERSECURITY — “A federal grand jury has indicted a Russian man accused of hacking three American tech companies and stealing user data” … Two top lawmakers took the Federal Deposit Insurance Corporation to task for not informing Congress about a recent breach … House Judiciary Chairman Bob Goodlatte questioned the FBI over a top Clinton adviser who used a Chinese-made laptop to sort the former secretary of State’s private emails from her personal ones … Several European prosecutors joined forces to call for “specialized justice authorities” to force tech companies to break encryption … Estonia’s prime minister encouraged a Swedish telecom firm to develop 5G in Estonia rather than China out of hacking fears.
— Former NSA contractor Harold Martin III’s lawyers assert that he’s a collector, not a traitor. POLITICO.
— Russia’s foreign ministry said someone from the United States hacked one of its websites. AFP.
— Clinton’s vice presidential pick, Sen. Tim Kaine, says he isn’t worried about a WikiLeaks threat and that one released email that referred to him was “flat out incorrect.” RealClearPolitics.
— Tonya Ugoretz, director of the Cyber Threat Intelligence Integration Center, talks about the future of her agency. Federal News Radio.
— The 15 kids under the age of 15 who are all about cyber. Passcode.
— The U.K. is waging cyber war on the Islamic State. BBC.
— And the U.K.’s National Cyber Security Centre wants to stop being scary, and start being real. TechCrunch.
— Chinese hackers targeted a U.S. aircraft carrier, according to FireEye. Financial Times.
— Sen. Mark Kirk talks about foreign hackers’ threat to the United States in an op-ed in USA Today.
— “Congressman raises concern over potential use of Russian satellites for troops’ Internet service.” The Washington Post.
That’s all for today. What would Picasso say?
Stay in touch with the whole team: Cory Bennett (firstname.lastname@example.org, @Cory_Bennett); Bryan Bender (email@example.com, @BryanDBender); Eric Geller (firstname.lastname@example.org, @ericgeller); Martin Matishak (email@example.com, @martinmatishak) and Tim Starks (firstname.lastname@example.org, @timstarks).