On the evening of September 20, the website of computer security researcher and journalist Brian Krebs suffered a massive Distributed Denial of Service (DDoS) attack that ultimately took his site offline. While DDoS attacks are common enough, experts at Akamai, the Web-caching company also relied on by major news organizations, acknowledged this one was different.
Yes, the attack was almost twice as large as the largest Akamai had on record. But more notable were the machines used to execute it: Instead of relying on virus-infected computers, it was carried out by an extremely large collection of everyday devices, such as routers connected to the internet, often described as the “Internet of Things.” In a post about the attack several days later, Krebs noted that, while his case was a first, “it seems likely that we can expect such monster attacks to soon become the new norm.”
For anyone who tried to access sites such as Twitter, Amazon, The New York Times, The Verge, and Github this past Friday, Krebs’s observation was prescient, to say the least. This time, however, the DDoS attack—which paralyzes Web resources by demanding information faster than targeted computers can respond—was directed not at an individual website, but towards Dyn, a Domain Name Service (DNS) company. DNS functions something like the phone book of the internet, connecting users to the correct location when they type in a URL. So while an attack against a DNS provider doesn’t actually compromise the websites affected, as far as users are concerned, those sites are effectively offline.
This should matter to journalists, beyond the need to report the story, for two reasons. First, while the use of common household devices to execute the attacks against Krebs and Dyn was novel, the hackers got control of those devices using one of the oldest and easiest methods out there: bad passwords, a vulnerability most journalists share.
The companies that make internet-connected devices—everything from routers to refrigerators—often reuse the same username and password on every item they ship, and most consumers never change the defaults because doing so is rarely required to make the device function. The result is that millions of internet-connected machines can be commandeered and directed to do the hackers’ bidding, simply by going through a short list of common username and password combinations.
But it’s not only manufacturers that reuse passwords; plenty of humans do it, too. Earlier this month, for example, BuzzFeed’s site was briefly defaced in alleged retaliation for a story about hacking group OurMine. Though BuzzFeed hasn’t commented publicly on how the attack was carried out, Wired‘s Lily Hay Newman notes the group that targeted them has been known to focus on reused passwords. As a leak of nearly 200,000 decrypted passwords stolen from Gawker Media illustrated several years ago, journalists are often guilty of using—and reusing—poor quality passwords (a tally by The Wall Street Journal found over 3,000 passwords that were “123456”; nearly 2,000 were “password”). Since many of those passwords are the only thing standing between a hacker and a CMS, it’s clear how quickly a reused password can compromise a news organization’s website, social media accounts, and credibility.
The second reason journalists should attend to these attacks is that strategic use of both DDoS attacks (for example, recent attacks on Newsweek and the BBC) and DNS manipulation are common tools for censorship. This is in part because they are cheap, easy (the software credited with Friday’s attack was posted openly just a few weeks ago), and highly effective in preventing some or all internet users from accessing the content they target.
Among the challenges for news organizations is how to continue to deliver news under such an attack. For example, while Akamai defended Krebs’s site (which it protects pro-bono) by absorbing and filtering out bad traffic requests for two days, doing so eventually became too expensive, and the site went offline. “When you have the best-resourced companies being challenged,” says Citizen Lab research associate Christopher Parsons, “we’re at a point now where there isn’t an effective defense.”
For new organizations, self hosting is becoming more and more challenging, Parsons points out. Companies like Google offer some protection through efforts like Project Shield, which helps filter out malicious traffic and keep websites active during DDoS attacks. But “if you’re moving your online operations behind some of these companies,” Parsons pointed out, “they may be blocked” in China or elsewhere.
Ultimately, news organizations will have to explore alternate ways to deliver their content—such as standalone distributions points or even physical delivery via USB or SD card—and get serious about security to maintain independence in the digital age.