On Christmas Day, a group of anonymous mischief-makers who call themselves Lizard Squad crippled Microsoft’s and Sony’s online gaming networks with simple, but effective, “denial of service” attacks. The attacks stopped gamers from connecting their consoles to the Internet for days, at least on Sony’s side, and followed on a string of similar attacks on gaming targets earlier in the year, also attributed to Lizard Squad.
But why? And how? And what can be done to prevent future attacks?
Ask Brian Krebs, a former Washington Post reporter and longtime security blogger, who last week dug into just what it would take to bring two tech giants to their knees. The answer: Not much. The keys to Lizard Squad’s success were apparently thousands of hacked home and commercial routers — the run-of-the-mill kind that likely delivered this article to you.
Krebs spoke with Re/code this morning about what we now know about the Christmas attacks, and what all that means going forward.
This interview has been edited for brevity and clarity.
Re/code: What’s your read on who Lizard Squad is, and why they would attack places like Xbox Live and the PlayStation Network?
Brian Krebs: Well, because they can, for starters. The attacks they’re launching are not technically sophisticated at all. They’re about the equivalent of a bunch of kids standing in front of a business to keep people from getting in or out of the store. The reason they do it, I think is pretty obvious: They’re extremely attention-starved, and it’s some kind of validation for what they’re doing. This is a way for them to get at least Internet-famous for a short period of time. It’s going to take a while for the Feds to catch up to them, and meanwhile they’re just going to have fun messing things up. And unfortunately, the way the Internet is today, it’s really easy to mess things up.
What can Sony, Microsoft and other companies do in response to attacks like these?
The timing is never on your side when the attacks happen on the same day that you get millions of new customers. You’d already be stressed, and they hit them on probably the busiest day of the year, because every kid wants to play with his new Xbox or PlayStation. It’s kind of the same thing as Target having its cash registers all compromised on Black Friday. Tactically, there are things businesses should be doing to prepare for when — not if — these attacks happen, but I don’t care how sophisticated or how big an organization’s pipe or network is: They get hit with a big enough attack, they and their customers are going to feel it. The problem is that right now, there are way too many ill-protected or ill-configured systems that can be conscripted at a moment’s notice to launch pretty big attacks. There’s just too much firepower out there.
So you have all these consumer-owned Internet routers that have been compromised and don’t immediately seem to be sending an onslaught of suspicious requests — is that right?
Well, the routers can be used for brute force or just direct attacks. And yes, how is Microsoft or Sony supposed to know that that’s not just some consumer trying to connect to their system? It looks like a home router. Each of the thousands of systems that they’ve compromised is made to make a request to, say, a misconfigured modem that responds with a response. The compromised system will go, “Okay, router, tell me how to find example.com and send that request back to me at this IP address.” If it’s misconfigured or really old, it can be made to respond regardless of whether that request is legitimate, and whether that IP address it’s responding to is the one that made the request. You have a “reflected” attack. And the response can be made to be much larger than the request.
What should the average, non-technical person do? Is there a way to know if one’s router has been compromised and is part of an attack?
If you’re not sure, you can just reset the firmware of the router. It’s just a little button on the back that you hold down for 30 seconds and it resets the thing to the factory-default settings. At that point, you can change those settings, including the password, hopefully to something that isn’t super-easy to guess.
What else should we know about or learn from these attacks?
We need to be doing something as a nation, or as a group of nations — developed countries have the most to lose from these sorts of attacks. The urgency, or lack of urgency, to address this problem is shocking, given how much we depend on the availability of these systems and the integrity of them, and how easy it is for kids just goofing off in high school to cause serious problems for companies [that] end up costing tens of millions of dollars. This is a big deal. I don’t see any concerted effort to go after the low-hanging fruit here. Yeah, something like that would be expensive and resource-intensive, but it’s worth doing. The more we ignore this problem, the worse it’s going to get. The threat that’s coming down the road is a more sophisticated actor than Lizard Squad. It behooves us to use this as a learning period. We all come to rely on connectivity more and more each day, and these attacks are not getting easier.
So that might be the longer-term solution? Even though the average consumer can reset the firmware and change the password, does there need to be something bigger happening?
Yeah, and frankly, everyone talks about the Internet of Things and all this crap. From my perspective, the Internet of Things is a whole bunch of stuff that’s really hard to update, or isn’t as easy to update as it should be. I would like to see more discussion and leadership on how to address the Internet of things-that-we-already-have and get some of those things locked down and cleaned up rather than worrying about a pie-in-the-sky threat of our refrigerators attacking us. We have to think about the things that are already out there like, oh, I don’t know, routers. It’s a huge problem, and not many people are doing anything about it.
This article originally appeared on Recode.net.