Accessing the internet became a trial today for some university students. The culprit? Seafood and weak passwords.
Verizon’s 2017 Data Breach Digest tells the story in a sneak peek released today. It sounds both too weird to be real and too bizarre to be fake.
A member of the IT Security Team at an unnamed university noticed a number of previously dismissed complaints about slow or nonexistent internet connectivity. Looking more closely, they found the name servers were accessing thousands of seafood-related sub-domains.
This fishy activity was so burdensome it blocked legitimate queries from actual students. Correctly assessing that nobody likes seafood that much, the Security Team contacted the Verizon RISK Team.
RISK found over 5000 systems were making the seafood-related DNS lookups every 15 minutes. Most of the systems were on the university’s Internet of Things (IoT) infrastructure. In the school’s case, that was “everything from lightbulbs to vending machines.”
Apparently, the university’s mistake was connecting its administrative network with its IoT device network. An attacking botnet accessed the admin network and used brute force against weak passwords to gain control, then changed all of the device passwords. This botnet attack almost necessitated replacing every IoT device on the campus.
Luckily for the hapless security team, they were able to access unencrypted commands via a packet sniffer, which allowed them to write a script that regained control of the devices.
NetworkWorld called it “a cautionary tale” about what can go wrong with an IoT solution.
We would be grateful that the only major DNS lookups were for seafood-related websites.