In-security by default

Professionals and representatives from government authorities and public organizations came together in the ninth Integral Security Encounter (Encuentro de la Seguridad Integral: SEG2), organized by the trade reviews 'Red Seguridad' and 'Seguritecnia'. GMV’s Javier Zubieta, Cybersecurity Business Development Manager of GMV Secure e-Solutions, presented a paper called “The Mirai case, a story of zombies”.

During his speech Javier Zubieta talked about the cyberattack of October 2016 targeting systems run by one of the world’s main Domain Name System (DNS) providers, Dyn. The attack was based on multiple denial-of-service (DoS) attacks driven by the malware Mirai, producing a 10-hour outage of 60 Internet platforms and services around the world, especially in the USA. This attack highlighted the current vulnerability of IoT (Internet of Things).

On this occasion the zombies were not PCs. We know that the Dyn attack came by way of routers, televisions sets, webcams and, above all, surveillance cameras, among other IoT items. Mirai is a botnet accessible to one and all (the botnet’s source code was leaked on the net), targeting IoT devices and carrying out DDoS type attacks.

Tens of millions of users were cut from their apps and services. The services targeted by this attack included several of the most used and most critical for online shopping and other SaaSs of huge importance. This DDoS attack has been reckoned to be one of the biggest cyberattacks of recent years, but it is only the start of a long list that looks set to continue into the future. Cybersecurity experts like Javier Zubieta urge IoT device manufacturers to harden the security of their equipment to the utmost degree. “Manufacturers,” he says, “have to incorporate security from the factory, especially in their default configurations. This Dyn attack levered user names and passwords configured from the very manufacture of IoT devices. This constitutes a basic, inbuilt vulnerability that anyone can plug into”.

This case presented by Javier Zubieta also shows the importance of raising the cybersecurity level throughout the whole supply chain. An attack on any intermediary, after all, could have an adverse knock-on effect on any link in the chain and the chain as a whole. The cybersecurity expert wound up by arguing that, “it is necessary to solve the auditing problem and set up the necessary worldwide mechanisms”.