The massive distributed denial of service late last week used technology on the Internet of Things. The IoT or Internet of Everything includes all of those things we do not consider to be computers – house security, refrigerators, baby cams and monitors, &c. – that are network-enabled. They represent the balance between convenience and catastophe. In this case, one vendor’s CCTV cameras and DVRs had flaws that enabled the attack against Dyn. As the network hardware giant Cisco’s slogan says, “see how increased connectedness creates unprecedented opportunities.”
First, Check Shodan
Shodan.io is a database of vulnerable systems. The site scans thousands of network addresses and stores information when a system responds. Not surprisingly, some of those devices shouldn’t be available to the public internet. Some security vendors talk about Shodan as a security threat, but it’s just showing devices that haven’t been hardened. If you don’t want to be found, then fix your stuff. I don’t like when these sorts of services are dinged for shining a light on others; better than proactive hacking patches. For certain, your network and home internet connection are being scanned non-stop by plenty of others than Shodan.
You can either create an account on Shodan, like I have, to check periodically that you (or someone else) isn’t in the database, or you can use a scanner to see if you are in it. Security vendor Bullguard has an IoT scanner that you can use to see if your current IP address is in Shodan. Keep in mind, though, that if you’re on an ISP that changes your IP address, you might not get a match even if you are in Shodan.
Scan Your Ports
Bullguard also has what they call a deep scan which is just a port scanner that you can aim at your home or law office network. I like GRC’s port scanner as well, but you can use any port scanner. The trick is to know whether the port scanner is scanning all ports or just a selection. I’d be surprised if you’d have any reason to have ports open from home, but your firm may have some so don’t assume that just because the port scanner returns open ports, that there’s a problem.
If I were at a law firm that hosted any of those services – email servers have open ports, web sites have open ports – I’d also look at a service like Qualys that goes beyond just port scans. You can determine whether your web site’s secure layer (SSL) is exploitable, for example, or susceptible to any of threats OWASP tests for.
I often say to lawyers that they are unlikely to be the target of these sorts of attacks, although that’s no reason to slack off. The owners of these cameras and DVRs were selected because the product they owned was flawed and susceptible to this exploit. Make sure your home and law firm networks aren’t able to communicate in ways you don’t intend. If devices in your network can be joined to a botnet, that means they can also access your network. There are no good endings to that story when you’re protecting client confidential and private information.