A man is sternly lifting his index finger next to a Scottie dog that is looking away.

Sit, Ubu, Sit…(ruff)…good dog.

NOTE: This is part 3 in a series about the recent DDoS attacks using Internet of Things enabled devices. We look at where manufacturers are culpable in this latest attack.

The Insecurity of Things:
Part 1Look into the MiraiAn overview of what happened
Part 2 – Wagging the Dog – What Mirai is really about – security and secure passwords
Part 3A Manufactured ProblemThe ‘root’ of this lies with the manufacturers – Here’s what they’re doing, and what they need to do

Yesterday, I wrote in part one about the DDoS attacks that we’ve experienced in the last month and what went down to make them happen. In part two, I want to expound on one of the ways we can work to mitigate and or prevent this from happening again: secure passwords and better security.

I subtitled this ‘wagging the dog’ because I feel that’s what’s been happening in the media. They are focused on the result and not the problem.  A lot of the titles included phrases like ‘IoT botnet’, ‘Mirai uses IoT to attack’, and the like, putting the focus on the types of devices used, rather than how Mirai gained access. This is about security and proper password and credential management. Period. In the third paragraph of a post on a site called Threat Post, they say how it happened (emphasis mine):

Mirai’s purpose is to continuously scan the public Internet for IoT devices and tries to access them using known default or weak credentials before exploiting and forcing devices to join botnets used in DDoS attacks.

‘Known default or weak credentials’. That was the big contributor to this attack. IoT is the tail. Credentials are the dog. Passwords and usernames were easily guessable. If you’re using one of these 25 common passwords or equivalents, this could have happened to you. Brian Krebs wrote an article after he was attacked about the devices that were identified in the source code of Mirai, the botnet. Here is an image from that article showing the 68 devices, and their credentials:

List of devices attacked in Mirai botnet attack with default usernames and passwords.

From Brian Krebs’ follow up piece on the Mirai DDoS attack.

Remember:
IoT is the tail.
Credentials are the dog.

It starts with a mind shift. We’ve been thinking about Internet of Things devices as devices that we can access from our phones and control and get data from. Maybe that mindset is the problem. Before, when using my coffee maker, I didn’t have to have a password. So, here’s how I would encourage you to think about Internet of Things and smart home devices: Think of them as physical applications, equivalent to your app for banking or your app for your email, that need the same level of security. Rather than these physical apps being on a computer or phone, they have a real world presence that needs security. This is the most prominent example of our physical and virtual worlds co-mingling. You lock your door with a unique key, why wouldn’t you lock each device with a unique password? In part three, I’ll address what vendors need to do about their default passwords, but today I’ll take a look at what we can do once we own these devices.

What can we do about this?

You’ll note from the list the onus is on the users and manufacturers of these devices. Simply put, when installing a new IoT device, NEVER use the default password and username for it. Using simple passwords like ‘password’ or ‘1234’ are bad ideas when you’re using them for your online accounts, but even worse when you use them for internet-enabled devices like cameras and DVRs. First and foremost for your devices, make strong passwords and change default usernames. Most consumer grade devices have graphical user interfaces for you to work with and change your credentials. In fact, should a REALTOR sell a home with smart devices in it, they should work with the new homeowner to reset ALL of those devices.  At CRT Labs, we worked with the Online Trust Alliance to produce a smart home checklist last year. Use this as a way to ensure you are securing these smart devices.

Stronger, better passwords

TLDR; Chris and I spoke about this in our office hours a couple of weeks back. You can take some time to watch that video here (go ahead, I’ll wait):

What is that? Your kid's birthday and pet's name for your bank password?? Why don't you just hand me your wallet and get out of my way!!!!

“What IS that?? Your kid’s birthday and pet’s name for your bank password?? Why don’t you just hand me your wallet and get out of my way!!!!” (Image found here.)

Okay, before we get started on this, I want you to think about me as a password personal trainer. The equivalent Jillian Michaels preferably. I will push hard on this. I’m going to ask things of you that you know you should be doing, but haven’t because ‘it’s not easy’ or ‘it’s hard to remember’. Listen, the Internet of Things is coming and you need to get in this habit because there will be BILLIONS of these devices in about 4 years time. Anytime you use an insecure password, you are not just exposing your information, but potentially, personal information about your clients. How many documents, contracts, or pieces of personal information of your clients do you have in your email? You need to think of your passwords as you do your keys or keys to a home you’re showing. You don’t just hand those out willy nilly or make them flat because ‘getting the notches cut means I have to go to the hardware shop and I only like the way that Eddie cuts the keys but Eddie only works on Thursdays’…do you? If you do hand them out, can I have a key? Sorry, got a bit side tracked. So, what do you do to protect yourself? Here is what you do.

Stronger passwords. Period.

Rather than using personally identifiable information, make your passwords tough. I mean really tough. So tough, you have to change how you think about passwords to remember them. Let me give you some easier to remember examples, followed by harder to remember examples.

So, here is how I like to think about my ‘easier’ passwords. I will take either a song, poem, book or other source material and I’ll look for a line or two that I can remember or memorize. Then what I’ll do is condense that to some letters, numbers and punctuation or symbols to make a password. Let me give you an example. Robert Frost is a poet we all know. The Road Not Taken seems like a good teaching poem for this. Here are the first couple of lines from that poem (please don’t use these two lines to make your password now):

Two roads diverged in a yellow wood,
And sorry I could not travel both

Okay, so, here is what I would do with this:

2rdiayelloww,AsIcntb*1920

So, to show you how I put this together, I’ve taken the line of poetry and added highlighting to show what my thoughts were:

Two 2 roads diverged in a yellow wood,
And sorry I could not travel both *1920

You’ll note that I changed the word ‘Two’ to ‘2’ and used the whole word of yellow. I did these to mix it up a bit. The *1920 is also there to add some complexity. The year 1920 was the year this poem was published. I added the asterisk to put another character in there. Please note, this is a minimum I would do for a password. I’m using it for demonstration. The next section will show you how to generate and store more complex passwords using a service.

Get a Password Manager

One of our big recommendations are password managers. Password managers are applications that you use to store your credentials for your different applications. You have 1 master password (and you don’t want to forget it because if you do, you essentially are locked out of your password manager and can’t get back in. You can use the technique above to generate that password.). That password is used to unlock your vault of passwords and other sensitive information. Many of these apps make it extremely easy for you to add passwords from all of your accounts.  I use one called 1Password. You can find many that were recommended and reviewed by PCMag this year at this link. And guess what, you may have to spend some money. 🙂

Many password managers offer a password generator as part of the software. Here is a password that 1Password generated for me (I’m not using it anywhere):
#YBx77MjtyowowJcUYHF>NBrZg

Here is an image of that password being generated:

screen-shot-2016-10-25-at-7-00-14-am

To the left, don’t use those. To the right, use that..

You’ll note from my password manager, I can change the number of characters, symbols and numbers and I can also see how strong the password is. My password manager has a browser plugin that makes it easier for me to use these devices on the web. Look at the list provided by PCMag and you can see if there’s one that meets your needs.

By the way, I want to be clear that the responsibility for password security isn’t JUST on you. If you have a bank or service provider that has limits on what you can enter as a password (example, no symbols, or all upper case or no upper case), don’t worry about changing your password. Worry about changing that bank or service provider.

Two-Factor Authentication

Finally, the next step in securing your devices is two-factor authentication. We will dive more into this in a later post, but this is a start. To see if your applications (banks, Dropbox, Google) support 2-factor authentication, you can use this link and search for a specific program. This is where you take something you know (a password) and something you have (a phone) to gain access to applications. In order to do this, you can download apps for your phone, like Google Authenticator. After you’ve set up 2-factor authentication, here’s how it works:

  1. You login to the site with your username and password (what you know in the 2-factor auth scenario).
  2. The site prompts you to enter a number (typically a 6 digit number) that you will receive either via email or sms or other means.
  3. Your device (what you have in the 2-factor auth scenario) receives the number from the company. (
  4. You enter said number and submit.
  5. You now have access to your account.

That extra step of having the device and a method for creating a ‘token’ as it were is important. It makes it harder for the baddies to get in. Definitely use it. We’ll need it when we get this Internet of Things thing figured out. Tune in tomorrow to see what we have to say about Internet of Things vendors and what they need to do to make their sites secure. Thanks for reading. Now drop and give me 20 burpees!!