A discrepancy of 300 million is huge, and the hacker's sample data has not checked out so far. Yahoo later came out and said the two events are not related.
Thanks to the marketing of the hack though, millions of Yahoo account holders are now having to reset passwords, and the internet portal company's being sued ahead of its pending sale to US telco Verizon.
A single hacker, a singular impact, but why? Because they could?
A second case illustrating the asymmetry of power that the internet offers involved journalist Brian Krebs, who covers hacking, cybercrime and fraud: his site was taken offline with a denial of service attack.
Distributed denial of service (DDoS) attacks are common, and involve swamping websites and other internet services with large amounts of requests, constantly, and for longish periods of time. Servers try to process the data they receive, use up system memory, processor resources and storage, and when it becomes just too much to handle, they fall over and give up.
Result: the site targeted is no longer reachable. It's a bit like getting the population of Shanghai to go to a gig in a small club, and totally overwhelm the place.
Krebs' site was protected by Akamai's Prolexic anti-DDoS service. This was a very large attack however, reaching 620 gigabits per second, and battling it would've cost Akamai millions of dollars. As they hosted Krebs' site on a pro-bono basis, that was not viable, so a business decision was made to kick KrebsOnSecurity off Akamai.
How was Krebs silenced then?
Simple: by activating a "botnet" of routers, internet-connected cameras and digital video recorders, and commanding it to connect and send traffic to Krebs' site.
Akamai estimated over a hundred thousand devices were involved in the attack, which is something of a record. It used to be that DDoS attacks over 100 Gbps were difficult to orchestrate - not so anymore. One or just a few people can pull them off.
If you're wondering whether or not such denial of service attacks could threaten New Zealand's internet connectivity, wonder no more: they can.
Around the same time Krebs' website was hit, someone took aim at French hosting service provider OVH and dumped 1.5 terabits per second of traffic on their network.
In comparison, the Southern Cross Cable has lit, or used, capacity of 5.8 Tbps in total. It didn't take that many hijacked devices either to create such a massive traffic flood, just over 145,000 networked cameras and digital video recorders sending between one and 30 megabits per second.
Krebs is back online now, via Google's Project Shield programme, which was set up to protect independent news sites against attacks.
Even so, we really need to stop handing criminals and spies easy access to digital weapons of mass destruction like we do now. If not, sometime soon, someone, maybe just the one person, will figure out how to take down the internet.