11 January 2017

Could 2017 be the year of the super-hack?


For anyone worried that 2017 is going to be as volatile as the year before, there is a new concern to throw into the mix. According to this article on Business Insider, some of the tech world’s best minds believe this could be the year that hackers succeed in taking down the internet entirely.

“In 2017 we are going to see it hit big sometime, somewhere,” LogRhythm’s chief information security officer, James Carder, told the site. “If the internet goes down, financial markets will tank.”

The logic is that the hacks seen last year, from taking down websites used by millions like Twitter, to knocking out the heavily protected website of cybersecurity expert Brian Krebs, were just “testing missiles by shooting them into the ocean”.

Like Kim Jong-un finding his range before launching the big attack on Tokyo or San Francisco, the next stage could see hacking networks causing a complete internet meltdown. The willingness is there; and as hackers become more creative, their abilities to cause damage are also becoming much grander.

Looking at the anatomy of the hacks mentioned by Carder, what is particularly striking is their simplicity. In the case of the recent strike on Twitter and other sites, rather than target the heavily guarded websites themselves, hackers targeted the means by which the outside world communicates with them.

The attack, which also knocked out other major websites such as Spotify and Tumblr, succeeded by targeting the sites’ Domain Name System servers, commonly called DNS servers. These work like the internet’s telephone directories.

When you enter text such as twitter.com into your address bar, it is the DNS servers which match this text (easy for humans to remember) to the convoluted numbers (difficult for humans to remember) which make up that site’s actual IP address and establish a connection. It is the translation service which matches your words with your chosen website.

The hack which took out Twitter and Spotify last year was an attack on a mega DNS server called DynDNS. By using a distributed denial-of-service (DDoS) attack, which normally uses a network of hacked computers to overload a site with multiple requests at the same time, the hackers were able to temporarily knock out DynDNS and with it the internet’s method of communication.

Twitter was still available if you knew how to find the site via its IP address. Most people did not, so to all intents and purposes, the sites were out of action.

It is this attack which Carder believes was a test-run for something much more dramatic. Twitter and Spotify were only offline for a matter of hours. But a heavier DDoS attack on the same servers, or a successful assault on hitherto unscathed DNS servers such as Google Public DNS, could shut things down for much longer.

So is this scenario even possible?

One reassuring note comes from Simon Edwards, whose company SE Labs conducts mock attacks on internet software to test its vulnerabilities. He suggests that the diverse nature of the internet and the refusal to silo information may serve to protect it: “What I would say is that the internet was designed specifically to survive a nuclear attack. There are little boxes scattered around everywhere precisely so that if you drop a bomb on the US or UK the internet would work regardless.”

This means that were the internet to fail in one place it would still be accessible elsewhere. However, the biggest danger would still be attacks such as those on DynDNS which target the internet where it is most vulnerable. “By taking out means of useful communication and attacking routers you could potentially stop the internet from working. But can you take down the entire world? I don’t think so.”

What does not seem in doubt, though, is that the scale of cyberattacks is growing exponentially. As more and more of our devices, from fridges to lightbulbs, start to transmit to the internet, they lay themselves open to being hacked and potentially co-opted for nefarious ends.

“We came across a case in a prison in America where one PC was controlling access to all the prison doors,” Edwards tells CapX. “The guards were using the same PC to access their Facebook accounts. It does not take a complicated piece of malware to attack the computer from these accounts and take over control of the prison.”

The film Die Hard 4 shows hackers taking over everything from a city’s traffic lights to the stock market. Subsequent research revealed that every step the criminals took had already taken place in the real world.

Everyday examples could soon include new technologies such as smart lightbulbs, which their owners can operate remotely over the internet. “Imagine a hostile state taking over millions of lightbulbs and switching them all on at the same time to overload the power supply,” says Edwards.

Even more worryingly, he adds, attacks on such scales may not even require much sophistication: “We have seen examples where free hacking tools can bypass the best security of a nation state.”

With our critical national infrastructure, our bank accounts, and our toasters at the mercy of the internet, this is not particularly reassuring.

As the scale of the internet increases, along with its penetration of our everyday lives, so do the opportunities for hackers – whether state-sponsored, criminal networks, or bored malcontents – to harness this vast power for their own purposes. It’s easy to imagine right-on hacking organisations such as Anonymous looking to take out right-wing news websites – or alt-right activists taking on the mainstream media.

Given that every security system will have its holes, the best defence is a diversity of techniques and infrastructure rather than a Maginot Line of firewalls.

But the most alarming thing is that we only tend to find out about these attackers when they are caught – or when they strike. Which means that their best infiltration techniques may still be under wraps. As Edwards points out: “We only know about the cases when the bad guys are found.”

Henry Williams is a freelance journalist based in London