App security is all about protecting your data and your infrastructure from someone doing something they shouldn’t. Of course, that “something they shouldn’t be doing” is kind of vague.
There are a few different kinds of exploits hackers are trying to execute:
- Ransom: All you gotta do is pay me some anonymous funds and nothing gets broken.
- Vandalism: I hate you. I’m going to burn it all down.
- Hijacking: Just need some compute and connectivity to do my thing
It’s that last one, hijacking, that I think we seriously underrate. Hijacking has nothing to do with you, it’s about what someone can do with your stuff for some completely different reason.
To do things on the internet you need a few things – compute power, connectivity, and probably some storage space. Surprisingly, there is a lot of that laying around, fairly unsecured. We think, “Oh this data isn’t really important… just stuff you could find in the phonebook, so we don’t really need to lock it down like customer sales histories…”
A few years ago a big chunk of the East Coast lost internet service for most of an entire day. This affected data centers like Amazon which, in turn, took down a LOT of Internet based companies. Shopping, entertainment, software as a service were all affected.
It turned out that some script-kiddies hacked into baby monitors because the master admin password on the baby monitors was the same on *all* of them. They turned the baby monitors into a bot network that performed a DDoS (Distributed Denial of Service) attack on the central DNS serves that other DNS servers relied on, so none of the services could look up domain names for things like BigBoxStore.com.
It's pretty clear that whoever wrote the bot that trolled for baby monitors and set up the DDoS attack didn't actually know what they were doing… they just set a script running that replicated itself all over the place and probably had no clue how big a deal it was. They didn’t care about listening in on the radios, they didn’t try to blackmail the baby monitor manufacturer, they probably didn’t even know what devices their code was running on. I always think they were just fooling around, and it really had nothing to do with anyone.
Usually my technical blogs are really focused on technical people, but the point is, everything is a target. If you have an account someplace and you’re using Passowrd123 as your password, you can unwittingly be helping hackers do something very, very bad. When we say security is everyone’s responsibility, it’s because any time we leave an opening to hackers, we make the Internet a little less secure and can create big problems for everyone, without even knowing it.
Listen to the podcast: