Showing posts with label internet.

Monday, October 24, 2016

Million Hacked IOT Devices broke the internet


A massive Distributed Denial of Service (DDoS) attack against Dyn, a major domain name system (DNS) provider, broke large portions of the Internet on Friday, causing a significant outage to a ton of websites and services, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify.

But how did the attack happen? What was the cause behind it?


Exact details of the attack remain vague, but Dyn reported a huge army of hijacked internet-connected devices could be responsible for the massive attack.

Yes, the same method recently employed by hackers to carry out a record-breaking DDoS attack of over 1 Tbps against France-based hosting provider OVH.


According to security intelligence firm Flashpoint, Mirai bots were detected driving much, but not necessarily all, of the traffic in the DDoS attacks against DynDNS.


Mirai is a piece of malware that targets Internet of Things (IoT) devices such as routers, security cameras, and DVRs, and enslaves vast numbers of these compromised devices into a botnet, which is then used to conduct DDoS attacks.


Since the source code of the Mirai botnet has already been made available to the public, anyone can use it to launch DDoS attacks against targets.


This time, the hackers did not target an individual site; instead they attacked Dyn, which many sites and services use as their upstream DNS provider for turning human-readable domain names into internet protocol (IP) addresses.

The result we all know: major sites and services including Twitter, GitHub, Reddit, PayPal, Amazon, Airbnb, Netflix, Pinterest, and so on, were among hundreds of services rendered inaccessible to millions of people worldwide for several hours on Friday.


"Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures associated with previous known Mirai botnet attacks," Flashpoint says in a blog post.

This type of attack is notable and concerning because it largely consists of unsecured IoT devices, which are growing exponentially with time. These devices are implemented in a way that they cannot easily be updated and thus are nearly impossible to secure.


Manufacturers focus mainly on the performance and usability of IoT devices but ignore security measures and encryption mechanisms, which is why the devices are routinely hacked and are widely becoming part of DDoS botnets used as weapons in cyber attacks.


An online tracker of the Mirai botnet suggests there are more than 1.2 Million Mirai-infected devices on the Internet, with over 166,000 devices active right now.


In short, IoT botnets like Mirai are growing rapidly, and there is no easy way to stop them.


According to officials speaking to Reuters, the US Department of Homeland Security (DHS) and the FBI are both investigating the massive DDoS attacks hitting DynDNS, but neither agency has yet speculated on who might be behind them.

Wednesday, October 5, 2016

The Internet Has a New Controlling Authority & It’s Not the U.S


The Government of the United States has handed over control of the Internet Assigned Numbers Authority (the internet’s address book) to ICANN, an independent international body made up of a number of governments, corporations and individual users.


What is Internet Assigned Numbers Authority (IANA)?

The IANA manages the allotment of IP addresses all over the globe. It also delegates five regional Internet registries (RIRs) to allocate IP address blocks to local Internet registries (Internet service providers) and other entities.
In simple terms, the IANA is a database that stores all the domain names on the internet. For example, if you type “propakistani.pk”, the IANA is responsible for directing you to our website.

Who owns the IANA now?

Initially, IANA was established by Jon Postel and Joyce K. Reynolds as an informal way to refer to various technical functions for the ARPANET. They alone were responsible for managing the IANA from 1988 to 1998.
In 1998, the Department of Commerce created ICANN, a nonprofit organization that is responsible for coordinating the maintenance and procedures of several databases. With participants from all over the globe, the organization’s purpose is to keep the Internet secure, stable and interoperable.
After Postel’s death in 1998, they granted ICANN a contract to manage the IANA. ICANN was to get the full ownership of IANA eventually, but the process was bogged down due to politics. Numerous political leaders from the Republican Party, including Ted Cruz, have opposed this move. However, ICANN finally approved a transition plan this year.
On the 1st of October, a judge ruled in favor of the plan, allowing it to move forward. As of this moment, the ICANN is now the official owner of the IANA.

Thursday, April 14, 2016

WebUSB API- Connect USB with Internet, SECURELY


Two Google engineers have developed a draft version of an API called WebUSB that would allow you to connect your USB devices to the Web safely and securely, bypassing the need for native drivers.

WebUSB – developed by Reilly Grant and Ken Rockot – has been introduced to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) and is built to offer a universal platform that could be adopted by browser makers in future versions of their software.

Connecting USB Devices to the Web


The WebUSB API allows USB-connected devices, from keyboards, mice, 3D printers and hard drives to complex Internet of Things (IoT) appliances, to be addressed by Web pages.

The aim is to help hardware manufacturers have their USB devices work on any platform, including Web, without having any need to write native drivers or SDKs for a dedicated platform.

Besides controlling the hardware, a Web page could also install firmware updates as well as perform other essential tasks.

However, the draft API (Application Program Interface) is not meant to be used for transferring files to or from flash drives.

"With this API hardware manufacturers will have the ability to build cross-platform JavaScript SDKs for their devices," Google engineers wrote in the draft project description.

"This will be good for the Web because, instead of waiting for a new kind of device to be popular enough for browsers to provide a specific API, new and innovative hardware can be built for the Web from day one."

Privacy and Security Concerns


The Google engineers also outlined security concerns.

  • WebUSB will include origin protections, similar to Cross-Origin Resource Sharing (CORS), to restrict Web pages from requesting data from domains other than the one from which they originate.

This means a Web page would not be able to exploit your USB device to access your PC, your important files, or any files that your computer or the USB device itself may hold.

  • To address the issue of USB devices leaking data, WebUSB will always prompt the user to authorize a website or web page before it can detect the presence of a device and connect to it.
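
The permission flow described in the two points above, as an added example that is not code from the original post or from the WebUSB project. It is written against `navigator.usb.getDevices()` and `navigator.usb.requestDevice()` from the WebUSB specification; the vendor ID, the `connect` and `findGrantedDevice` functions, and the stub helpers are constructed for illustration so the flow can be run offline.

```javascript
// Added example: WebUSB permission flow, with `usb` standing in for navigator.usb.
const FILTERS = [{ vendorId: 0x1234 }]; // constructed placeholder vendor ID

// Devices already granted to THIS origin; getDevices() never shows a prompt
// and never reveals devices the user has not approved for the page.
async function findGrantedDevice(usb, filters) {
  const granted = await usb.getDevices();
  return granted.find(d => filters.some(f => f.vendorId === d.vendorId)) || null;
}

// In a browser, call this from a click handler: requestDevice() needs a user gesture.
async function connect(usb, filters = FILTERS) {
  if (!usb) return { status: "unsupported" };
  let device = await findGrantedDevice(usb, filters);
  let prompted = false;
  if (!device) {
    try {
      device = await usb.requestDevice({ filters }); // browser shows its chooser
      prompted = true;
    } catch (err) {
      // Dismissing the chooser rejects with a NotFoundError DOMException.
      if (err.name === "NotFoundError") return { status: "denied", prompted: true };
      throw err;
    }
  }
  await device.open();
  return { status: "connected", prompted, device };
}

// Constructed stub of navigator.usb for offline runs (hypothetical helper).
// `userPicks` is the device the simulated user selects, or null to dismiss.
function makeStubUsb(userPicks, alreadyGranted = []) {
  const granted = [...alreadyGranted];
  return {
    getDevices: async () => [...granted],
    requestDevice: async () => {
      if (!userPicks) throw Object.assign(new Error("No device selected."), { name: "NotFoundError" });
      granted.push(userPicks);
      return userPicks;
    },
  };
}
const makeStubDevice = () => ({ vendorId: 0x1234, opened: false, async open() { this.opened = true; } });

// Demo with the stub: a simulated user approves the device in the chooser.
connect(makeStubUsb(makeStubDevice()))
  .then(r => console.log(r.status, "prompted:", r.prompted));
```

In a page, pass `navigator.usb` as the first argument; a second call from the same origin then finds the device through `getDevices()` and connects without a new prompt.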

For now, WebUSB is only a draft of a potential specification, which hasn't been officially adopted by the W3C. WebUSB remains a work in progress at present, though you can check out the full WebUSB codebase on GitHub.