How to break the internet

What is the internet? This might sound like a stupid question, but perhaps the best way of describing it isn’t – as one US congressman once put it – as a series of tubes – but rather as a tool of liberation. As internet connectivity has grown it has empowered billions of people. We can now carry around the collective brain of humanity in our palms, and this is completely normal. And this is also why it’s absolutely infuriating when the lights on your BT Home Hub turn from a reassuring blue to an angry orange. The vast majority of the time, of course, they’ll switch back a few moments later, so you only have to spend a few brief moments disconnected from the rest of the world. But what if your connection goes down for longer? And what if it wasn’t just your connection but those of thousands, millions or even billions of people? Could this even happen? It’s almost too scary to contemplate but... is it possible to break the internet? TechRadar spoke to leading online security experts to learn more about some of the internet’s biggest vulnerabilities.

The Dyn attack

The internet, of course, has no single ‘off’ switch; it’s a patchwork of networks, servers and nodes, all of which can operate independently of each other – but that doesn’t mean our internet infrastructure is indestructible. And – leaving aside some catastrophic solar flare that wipes out all global electronics – terrestrial cyber threats have the potential to break the internet for millions of people. In October of this year, the hacking groups Anonymous and New World Hackers took responsibility for taking down DNS (domain name system) provider Dyn, which in turn knocked out dozens of the largest web services for millions of users in North America and Europe. Amazon, the BBC, Netflix, Twitter, Spotify, Playstation Network and Xbox Live were among the highest-profile casualties. Even the British government’s website, GOV.UK, was briefly made unavailable by the attack.
Amazon, the BBC, Netflix, Twitter, Spotify, Playstation and Xbox have all been subject to DNS issues
  DNS servers are today’s biggest targets and vectors for hackers,” explains Hervé Dhélin from EfficientIP, a leading provider of support services to internet service providers. “This is because when the DNS server is unavailable nothing can work – without the DNS there is no connection, therefore no business – so hackers achieve their ultimate goal of causing downtime for a company.“
“DNS servers are today’s biggest targets and vectors for hackers.”
Hervé Dhélin, EfficientIP
Attacking DNS servers then, appears to be the most efficient way of doing damage. Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender, described how Dyn’s DNS servers provided this single point of weakness for many users – and how the attack was carried out.
The idea of a genuinely 'broken' internet is to scary to contemplate.
“Since it is responsible for the name to IP resolution of all domain names, overloading the DNS infrastructure with queries will render it inaccessible to other users who need to interrogate what IP a domain name points to,” he said. Essentially, the pipes to the DNS servers were so blocked up, normal requests couldn’t get through. So how was the attack carried out? If hackers want to bombard DNS servers with requests, they need to come from somewhere. The Dyn attack was a distributed denial of service attack, meaning the requests originated from hundreds of thousands of computers, controlled using the Mirai botnet malware – essentially a virus that enables hackers to take control of your computer and direct it to do stuff. In this case, they were directed to attack Dyn.
“There are millions of IoT devices that are not being monitored.”
Matt Little, PKWARE
  Perhaps the most surprising thing about the Dyn attack, though, is the nature of the computers that the hackers managed to load the malware on to: the overwhelming majority of affected devices were not laptop or desktop computers, but internet of things (IoT) devices, such as connected security cameras and thermostats. And it appears that the Dyn attack may have been a mere foretaste of what is likely to become a big security headache as IoT devices become more ubiquitous. “IoT devices have been built with very little security – and even worse, very poor security in most cases”, warns Matt Little, from encryption firm PKWARE. “There are millions of IoT devices that are not being monitored.” Sean Ginevan, from enterprise security firm MobileIron, agrees that the way these devices have been manufactured is the problem. “Manufacturers took security shortcuts, and did not build in mechanisms to secure the devices and patch them in the field without doing a massive device recall,” he explains.
IOT devices need better security, notes PKWARE
And this is why IoT botnets could be a big problem in the future. The Dyn attack is estimated to have used anywhere between a relatively modest 100,000 and two million devices (depending on who you believe), and yet they were able to gunk up the internet’s tubes with 1.2 terabits per second of data – and that number will become a drop in the ocean as more devices come online. It’s conceivable that, right now, there are millions of unsecure connected devices just waiting to be used – and with the manufacturers who created them unable to remotely patch or recall them. “There exists the potential for far bigger botnets, if you look at the poor security track record these devices have had in the past,” a spokesperson for Malwarebytes Labs told us. He added that a larger attack could combine multiple vector techniques to maximise the damage.
“There exists the potential for far bigger botnets."
Malwarebytes Labs
  For example, a ‘SYN Flood’ could tie up server resources by sending malformed connection requests. A very simple way of explaining this might be to imagine someone holding out their hand for you to shake, only for you to leave them hanging, and then that person putting out the other hand and you doing the same thing – meaning they have no hands left to shake anyone else’s hands. There are numerous other types of attack, all of which variously mess with the protocols computers use to connect to each other, such as UDP fragmentation, or DNS Reflection. Crucially, though, Malwarebytes reckons the most damage could be done if multiple DNS services were attacked simultaneously – if a large enough botnet were set against not just Dyn but other providers too, like Akamai, Rackspace, ClouDNS, Namecheap and CloudFlare. This is when we’d all definitely start to notice something was going wrong. Main image: CC image courtesy Sarah Baker

Trust issues

While DDOS attacks understandably get the most attention – they’re the cyber-attack version of a bomb – there are other, more subtle ways of undermining internet infrastructure. And these happen because of a commodity the internet depends on, but does not necessarily enjoy in abundance: trust. The proper functioning of the internet relies on trust – and that trust is unfortunately easily abused,” says Sean Sullivan of cyber security company F-Secure. Sullivan points to the Border Gateway Protocol (BGP) as an example of where trust is vital, and where problems can occur. Bogdan Botezatu of Bitdefender told us why BGP is important. “Routing takes place when our information is leaving our home network and heads to its destination,” he explains. “In passing, it goes through multiple service providers that use the Border Gateway Protocol to determine what path our information should take, until it reaches the destination. “By manipulating the BGP, hostile parties (governments and large cybercrime groups) can actually force your data on a different route, which allows them to intercept and modify traffic.” And this has happened before: in 2008, when when Pakistan accidentally took down YouTube for the whole world, when it was simply trying to ban the site in its own territory. This happened because the BGP routing system uses a ‘transitive trust’ model, which (to cut a long story short) enables changes to cascade around the world, meaning that when Pakistan Telecom changed its settings for YouTube, the rest of the world briefly followed suit. A number of more secure alternatives to the current BGP system have been proposed – and with increased urgency following the Pakistan incident – but none of these seem to have taken off as yet. Another big risk that relates to trust is cryptography – the practice of writing and testing computer code – and how the internet spots and handles vulnerabilities. For example, in 2014 the software OpenSSL – a key component of the security of countless pieces of software – was found to have a major vulnerability. Nicknamed ‘Heartbleed’, the bug was found to have been introduced into the open-source software on New Year’s Eve 2011, meaning that for three years every website, app and service that relied on OpenSSL was vulnerable.
CC image courtesy Sarah Baker
“Cryptography is a mission-critical component to communication, integrity and authentication, and yet the bulk of internet users are taking it for granted,” Botezatu explains. “Cryptographic algorithms are transposed into code by a handful of programmers doing pro-bono work. When their efforts can’t meet the complexity of implementing, testing and auditing code, the whole world learns about it.” In essence, the argument is that relying on the goodwill of a handful of coders to maintain the software that’s a major part of the internet’s backbone is probably a bad idea. And if that doesn’t have you worried, consider this. Internet security is predicated on complex cryptographic algorithms that, in theory, keep us secure because doing the maths to crack the encryption keys would take far too long. But, Bogdan warns, if the quantum computing breakthrough is ever made, current crypto-algorithms will be rendered useless.

The legal threats

So we know the internet is perhaps more fragile than we had assumed. But could the internet – in its role as a tool of liberation – also be broken not with DDOS attacks or hacks, but by laws? It’s a philosophical question: but what is it that makes the internet the internet? Perhaps it’s the fact that it’s an expression of freedom – we can communicate relatively freely, without restriction, and in that sense it has liberated us. However, right now there are trends in both technology and politics that threaten to undermine this core. For example, some ISPs are lobbying hard for the right to charge companies for bandwidth – the implication being that, for example, an established video streaming service could fork over cash to enable HD streaming, while newer players wouldn’t have access to the bandwidth to compete. This has given rise to the net neutrality debate, which has yet to be resolved. There are also increasing moves to legitimise bulk surveillance of the kind that Edward Snowden and others have exposed. In Britain, MPs recently voted to explicitly legalise this sort of data collection, meaning your every action online can now, legally, be logged and looked at by the government. In countries less fortunate than our own, internet censorship is commonplace – and even in the UK there have been calls for the government to have powers to, for example, block messaging services during riots. Given that such moves would fundamentally change what we can do with the internet, and what it can do for us, would this count as breaking the internet? If so, then regardless of whether or not the internet could ever be broken in one massive, catastrophic attack, we could be already breaking it ourselves in less dramatic but more insidious ways. Source: TechRadar.com