Cyber Week in Review: Dyn, St. Jude & OPM

Media Division | November 4, 2016

It’s the week of stopping in the cyberverse—from virtually the entire internet screeching to a halt, to hearts threatening to stop and Chinese hackers putting a stop on government workers.  So press “pause” for a moment and read about three major stops this week, before you go.

A Dyn Disaster

Dyn is huge: it is the Domain Name System (DNS) host for sites such as Twitter, Spotify, Netflix, PayPal and more.  DNS turns the domain names in URLs into their underlying IP addresses, but on October 21st all those URLs were going nowhere: a massive DDoS (Distributed Denial of Service) attack slowed these sites down for hours, primarily across the eastern United States.

DDoS attackers turn your Tivo into a weapon of terror.  They turn the Internet of Things (IoT), everything from ATM cameras and baby monitors to your digital recording device and Blu-ray player, into a robot army (botnet) of attackers.  Malware on these devices hijacks them and directs them to tie up traffic on a site (in this case the support system for multiple sites), thereby slowing or stopping service to legitimate customers.  This time the virus was the Mirai malware, which is known to have infected some half a million devices.

Another form of DDoS attack relies on paying for a booter or stresser service, a server-for-hire DDoS attack method.  But go ahead and virus scan that Tivo, just in case its IP address was part of this botnet disaster.

Hacking a Heart

We have reported on troll hack attacks and remote-access automotive attacks; the St. Jude heart device hack could be where these two things come together.  St. Jude Medical, which manufactures heart devices that thousands of Americans have installed, may have what experts are calling “serious vulnerabilities” in its device communication systems.  That means that, in the event of an attack, a pacemaker could become a weapon: either disabling its care or even delivering a shock to a patient on the orders of a hacker.

St. Jude’s chief technology officer, Phil Ebeling, stated, “The allegations are untrue. There are several layers of security measures in place.”  The FDA is also encouraging people to not panic, saying the lifesaving capabilities of the devices outweigh the risks.  There’s currently a series of lawsuits going on in St. Jude’s home state of Minnesota.

In the meantime, if you have such a device, maybe just don’t stand within 10 feet of anyone with malicious intentions toward you.

OPM Update: a Massive Government Hack

By now you have likely heard of the 2015 hack on the US Office of Personnel Management (OPM), the human resources department of the U.S. government, which compromised the records of millions of current and former federal employees.  The hack made headlines, if for no other reason than because it was quite possibly the largest government hack ever.  A long article was just released by Wired magazine, with interesting details about how such an attack is carried out.  Here are some of the more interesting unanswered questions:

• Were the Chinese really behind the attack?  And while we are discussing Chinese attacks, what about the idea of a large military branch of the Red Army devoting efforts to cyber attack?

• What was the purpose of the attack?  OPM manages employee health benefits and background checks, but the kind of information stolen is usually what would sell on the cyber black market.  A state-sponsored attack, however, would more likely be part of a larger agenda and merely a means to an end.

• What about the millions of fingerprints stolen in the attack?  A reported 5.6 million fingerprints were filched.  When your social security number gets compromised, you can call the office of the Social Security Administration and put a freeze on the use of your number, but there’s no “freezing” a fingerprint; it’s yours for life.

• The OPM was a sitting duck, according to reports.  What other massive stores of personnel or government information are being hacked, or are hacked already, seeing as it takes an average of 200 days to discover a major attack?

One takeaway from the hack: a reminder that personal information these days is far from protected.  From job applications to credit cards and websites, everywhere you divulge personal information you potentially put that data at risk, so choose wisely.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.