We take everything we do on the internet for granted now. We are as dependent on the internet as we are on the electricity grid. But just how vulnerable is the internet?
Simon Clayton-Mitchell explains why the internet is now part of our Critical National Infrastructure, and he shares several scenarios on why we should be focused on our cyber security.
Imagine waking up one morning to find the electricity is out. No lights, no heating; the alarm clock dead. Beyond the initial inconvenience of not being able to make a cup of tea – which in itself would almost constitute a national crisis in the UK – you would start to wonder where else the power was out. Your neighbours? Are the street lights on?
The TV and Internet are down, which makes finding out what is going on harder. Do you wish you still had a battery powered radio? When you realise the power appears to be out across the whole neighbourhood, you immediately think about your fridge and freezer contents and that you will need a re-supply of fresh food soon – especially if the outage has occurred during a hot summer.
Realising the supermarkets' power must be out too, you jump in your car and drive around to find a rapidly diminishing supply of fresh produce such as milk, eggs, and bread.
To add to the growing pandemonium, traffic lights are out and are causing congestion and gridlock in many areas. As accidents inevitably occur there will be a rapidly decreasing number of ways to contact emergency services as the mobile telecom network shuts down.
If the power outage is nationwide, things start to get serious fast. Once you’ve used up all the petrol in your car looking for supplies, you are out of luck as the petrol pumps won’t work – after all there is no electricity to pump the fuel into your vehicle.
Some critical services will have backup power provided by diesel generators – hospitals, key government facilities, as well as data centres. But without electricity to refuel the trucks used to refuel the generators, they will run dry within 24 to 48 hours.
Realistically, Government has about 72 hours to restore the power. Beyond that, social order starts to strain and will eventually break. Life in the cities and towns starts to resemble an episode from a Netflix series that until now you had been delighted to watch as fiction – bar the Zombies.
Scenarios such as this do keep Government planners awake at night, and until about 15 years ago it was the electricity grid that was the focus of their worry.
Indeed, Italy had to undertake a “black start” in 2003, the term given to recovering the electricity grid from a nation-wide blackout. To the credit of the country’s engineers, and those in neighbouring countries, the power was restored in around 12 hours with no serious injuries reported.
However, the growth of the Internet has now added a new, and less secure, vulnerability to the list of Critical National Infrastructure. And as the Internet extends into so many areas as a critical communication system, it has extended its vulnerabilities into these areas, including the electricity grid. It is stating the blindingly obvious to point out that the Internet is important to us.
Over 50% of Europeans do their banking online, and in the US, the Commerce Department estimates that 12% of all retail sales were conducted online last year. We took it for granted that this array of digital services worked, and the pandemic only highlighted who was vulnerable without remote access.
The UK coffee shop, Pret, has just started a subscription service for its coffee: sign-up and download the QR code – that little square of black and white boxes – onto your smart phone’s wallet and scan that each time you get your coffee. These services are convenient but each one relies on the Internet to function. Even the homeless who sell the magazine, The Big Issue, take payments online. As more services move online our options to do things without the Internet diminish.
Obviously one serious risk to the Internet is the electricity grid; however, I want to approach this from the other side and look at the security of the Internet. There have already been a number of ‘incidents’ involving failures within the Internet. Some were mistakes, others were deliberate and malicious attacks – a hint of what might yet happen.
BGP routing error (the mistake)
One of the most commonly cited Internet disruptions occurred in 2008 when Pakistan Telecom (PT), following instructions from the Pakistan government, attempted to block a specific YouTube video because it was deemed inappropriate.
In order to block access to it, PT ‘advertised’ their own network as the shortest internet route to a specific IP-address range belonging to YouTube. This is done using an Internet routing protocol called Border Gateway Protocol, or BGP for short.
Under normal circumstances each network on the Internet provides a list of all the IP addresses along with instructions on how to get there using BGP. It’s the Internet equivalent of a set of directions. These BGP routing tables have been described as the glue that holds the Internet together.
If you want to access YouTube, I’ll pass you on to network 2, who will then take you to network 3, who will pass you to network 4, and that’s where YouTube’s video can be found.
In this case PT basically said “you can find YouTube here on my network”. This ensured that any Internet Service Provider downstream from PT, trying to access this specific YouTube address would instead be routed to a destination set by PT. It was probably a server in a basement that said, “you’ve tried to access prohibited content”.
Upstream in error
However, this false internet route was also inadvertently advertised and accepted by PT’s upstream network provider, Pacific Century Cyber Works (PCCW). PCCW was not filtering route changes that originated from PT for invalid IP address advertisements. Why would it? PT was a trusted network customer and there was no need to check every change in Internet routing that PT made. If a check had been made, it would have been recognised that the YouTube IP address range that PT was announcing did not belong to PT.
Instead, PCCW propagated PT’s false route to get to YouTube to the rest of the world, resulting in most requests for YouTube made globally being routed to PT’s server sitting in that basement! Despite YouTube’s best efforts to get the valid route re-established, the problem was not resolved until PCCW finally (temporarily) disconnected PT from the rest of the Internet.
“A large part of the problem is that BGP was not designed with security in mind”. Simon Clayton-Mitchell
The honour system
In truth, routing between networks relies to a large degree on the honour system: each network trusts what the other networks tell it. This works well when it is in everyone’s interest to tell the truth; however, should a major network from a foreign power decide to create mischief, it is easy to start advertising false routes to key Internet services such as Government web-sites, Amazon, banks – even Pret!
If the bad routes are continually announced by a bad actor, it becomes increasingly difficult to determine which route is the valid one to the proper destination, and the Internet starts to fragment.
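The two checks the PCCW story and the honour-system passage point at are a per-customer prefix-list (does this neighbour have any business announcing this range to me?) and origin validation (is the AS claiming to originate the prefix actually its registered owner, the job that ROAs and IRR route objects do today?). The following is an added illustration, not code from the article or from any vendor: a toy route filter in Python over constructed announcements. All prefixes are documentation ranges and all AS numbers are private, so AS64500 stands in for the video service, AS64501 for the customer that announces a bad route and the filter runs at the upstream.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    prefix: str          # announced IP range, e.g. "203.0.113.0/24"
    origin_asn: int      # AS that claims to originate (own) the prefix
    neighbour_asn: int   # customer that sent us the announcement


# Constructed authorisation data (documentation prefixes, private ASNs; not real networks).
# Who may originate which prefix, and up to what prefix length: the role of a ROA.
AUTHORISED_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, 24),   # "video service" range
    ipaddress.ip_network("198.51.100.0/24"): (64501, 24),  # the customer's own range
}

# What each customer is contractually allowed to announce to us: a per-customer prefix-list.
CUSTOMER_PREFIX_LIST = {
    64501: [ipaddress.ip_network("198.51.100.0/24")],
}


def origin_state(prefix, origin_asn):
    """RPKI-style origin check: 'valid', 'invalid' (covered but wrong origin or
    too specific) or 'not-found' (no authorisation record covers the prefix)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, (asn, max_len) in AUTHORISED_ORIGIN.items():
        if net.subnet_of(roa_net):
            covered = True
            if asn == origin_asn and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


def decide(update):
    """Return ('accept' | 'reject', [reasons]). Every failing check is reported,
    so an operator can see why a route was dropped."""
    net = ipaddress.ip_network(update.prefix)
    reasons = []
    allowed = CUSTOMER_PREFIX_LIST.get(update.neighbour_asn, [])
    if not any(net.subnet_of(p) for p in allowed):
        reasons.append("not in customer prefix-list")
    if origin_state(update.prefix, update.origin_asn) == "invalid":
        reasons.append(f"origin {update.origin_asn} not authorised for {update.prefix}")
    return ("reject" if reasons else "accept", reasons)


def filter_updates(updates):
    """Apply decide() to each announcement, preserving order."""
    return [(u.prefix, *decide(u)) for u in updates]


# Constructed announcements from customer AS64501, in the order an upstream might see them.
SAMPLE_UPDATES = [
    Update("198.51.100.0/24", 64501, 64501),   # its own range: fine
    Update("203.0.113.0/25", 64501, 64501),    # a more-specific slice of someone else's range
    Update("192.0.2.0/24", 64501, 64501),      # a range nobody has authorised to anyone
]

if __name__ == "__main__":
    for prefix, verdict, reasons in filter_updates(SAMPLE_UPDATES):
        print(prefix, verdict, "; ".join(reasons))
```

The second announcement is the shape of the YouTube incident: a more-specific prefix, which routers prefer over the legitimate covering route, originated by an AS that does not own it. Either check alone would have stopped it at the upstream; a filter that reports both makes the failure obvious in the log.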
The default password
Another critical vulnerability arises from the myriad of devices that we now connect to the Internet – part of what has become known as the Internet of Things (IoT).
These include industrial sensors and CCTV cameras, as well as devices in our homes such as monitors that we put in our children’s bedroom, utility smart meters, Amazon’s Alexa speaker in our living rooms, smart locks on our doors.
The problem is that many of these devices ship to the end user with a default password set up: e.g. “Password”. The expectation being that whoever installs the IoT device will change the password to a secure one…
In 2016, kids (well, students actually) released a botnet into the Internet that took advantage of this weakness and directed a Distributed Denial of Service attack (DDoS – pronounced Dee Dos) at a critical piece of Internet infrastructure.
A DDoS attack utilises a special form of malicious software (malware) called a botnet (a roBOTic NETwork). A botnet is an army of computers that are unwittingly (and unknown to their operators) press-ganged into becoming part of an arsenal of Internet weapons, having been ‘infected’ in some way.
The user clicking on a spam email facilitates malware being installed. The malware then sits silently on the computer waiting for the time when an instruction from the botnet’s command-and-control server calls it into action. The malware will then hijack its host computer and start carrying out whatever it has been designed to do.
The students’ botnet
In this student-led assault the botnet flooded a Domain Name System (DNS) server operated by a company called Dyn.
DNS servers resolve web addresses that we type into our Internet Browser (e.g. www.amazon.com) to an Internet Protocol (IP) numerical address (e.g. 188.8.131.52), that can be read by the various routers that are part of the Internet’s physical infrastructure.
In this case, the botnet flooded Dyn’s server with connection requests until it could no longer handle them and dropped out of service (hence the term Denial of Service), taking large swathes of the Internet with it, ranging from Microsoft, Sony, and Amazon, to Starbucks, Walgreens, and the BBC, amongst others.
The FBI put the total cost of the attack at over $100M.
What made the attack almost comical was that the students had only intended to disrupt competing Minecraft game-players. Fans of this popular game rent servers to play on and by trying to shut their competitors down they could then drive more traffic onto their Minecraft server and hence increase their revenues.
Instead they inadvertently launched what was at the time the largest attack on the Internet ever recorded. All this mayhem, achieved with a dictionary of 62 default passwords taken from IoT device manufacturers’ websites. It’s estimated 600,000+ IoT devices were infected with the botnet.
As IoT devices proliferate, and especially industrial ones, they present an ever-growing set of vulnerabilities that could be utilised by any number of bad actors.
To add to this, as IoT devices become commonplace, older ones may be forgotten. End-of-life planning needs to be considered for such obsolete devices. They cannot be left out in the wild, potentially a forgotten back-door into a company’s network.
Minimum Viable Proposition
These vulnerabilities are very much part of the fabric of the Internet. While various organisations and governments endeavour to mitigate them, the reality is that our interconnected society is more vulnerable than we care to admit.
At a business level it makes sense to prepare for a minimum viable proposition. How do you conduct your business if the Internet is down? For example, could you still ship products using shipping data held on an Excel spreadsheet? For invoices, could you run them on Excel, and print out the documents on a local printer? This kind of disaster recovery planning is done for some organisations; but it behoves us all to think about what we might do if we couldn’t get online for a few weeks.
Dependence without security
In E.M. Forster’s story, “The Machine Stops”, a future is imagined where mankind is completely reliant on a single, all-powerful machine for all their needs: shelter, warmth, food, communication, entertainment – everything.
Living in self-contained rooms with minimal social contact or travel, people are happy and secure, safe in the knowledge that the machine will always provide for them. However, the machine has been designed and built layer upon layer over countless generations. As a consequence the skills and knowledge as to how it actually works have been lost. When the machine starts to malfunction – and eventually stops – so does society.
What makes this dystopian view of the world so fascinating is that it was envisioned by E.M. Forster, in 1909. Wired magazine said of the story:
“A chilling tale of a futuristic information-oriented society that grinds to a bloody halt, literally. Some aspects of the story no longer seem so distant in the future.”
In a very short period of time we have sleepwalked into a situation whereby the Internet has become critical to the functioning of society. Yet we are lacking the security we would want from such an important piece of infrastructure. It is incumbent on us all to learn how to work in the face of major disruption.
If you need help with Cyber Security, reach out to me for a friendly chat.
Taken from an article published by Simon Clayton-Mitchell on LinkedIn.