Monthly Archives: May 2017

Lawmakers seek answers on alleged FCC DDoS attack

Five Democratic senators are seeking an FBI investigation into possible cyberattacks on the Federal Communication Commission’s online comment system. The FCC’s Electronic Comment Filing System crashed in the early hours of May 8 in what the agency called “deliberate attempts by external actors to bombard” the commission and render its systems unusable by legitimate commenters. Sens. Brian Schatz (D-Hawaii), Al Franken (D-Minn.), Patrick Leahy (D-Vt.), Ed Markey (D-Mass.) and Ron Wyden (D-Ore.) want acting FBI director Andrew McCabe to make an investigation of that May disruption a priority, and also called for an investigation into the source of the attack. The senators’ letter emphasized that they were especially troubled by the disruption of the process of public commentary given that public participation is crucial to the integrity of the FCC’s regulatory process. The request comes as FCC Chairman Ajit Pai is moving to roll back Obama-era net neutrality regulations over the objections of Democrats in Congress and internet freedom activists. “Any cyberattack on a federal network is very serious,” the senators wrote. “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC’s rulemaking proceedings.” The senators seek a reply by June 23. It’s possible, however, that what the FCC is reporting as a DDoS attack was in fact a traffic spike spurred by TV comedian John Oliver, who urged viewers to register their opposition to the net neutrality rollback in an May 7 broadcast. The partisan fight over FCC actions on net neutrality has cast a political shadow over the attack, the follow-up and any future investigation. Three of the letter’s five signatories (Schatz, Markey, Franken) also signed a May 17  open letter  lambasting the FCC’s possible net neutrality rollback. Wyden and Schatz also sought clarification from Pai about the ability of the agency to protect against DDoS attacks in a separate May 9 letter. The two sought details on the user capacity of the FCC’s website and requested a reply by June 8. Meanwhile, the FCC is accepting comments on its net neutrality proceeding through Aug. 16. Source: https://fcw.com/articles/2017/05/31/fcc-ddos-senators-berliner.aspx

View article:
Lawmakers seek answers on alleged FCC DDoS attack

7 nightmare cyber security threats to SMEs and how to secure against them

Small businesses face a range of cyber threats daily and are often more vulnerable than the larger organisations. Small businesses that see themselves as too small to be targeted by cyber criminals are putting themselves at direct risk. In fact, small businesses are at an equal, if not greater risk of being victims of cyber crime – two thirds of small UK firms were attacked by hackers between 2014-2016, according to a report from the Federation of Small Businesses. Cyber crime can cause massive damage to a young business’s reputation, result in loss of assets and incur expenses to fix the damage caused. These attacks could mean the difference between cutting a profit or going bust. Legal action could also be taken if businesses are found to have failed to put proper safeguards in place. When new data protection laws are introduced in 2018 under GDPR, complacent businesses risk fines of up to £17 million or 4% of annual turnover (whichever is higher) if they suffer a data breach. So what can small businesses do to protect themselves and the sensitive data of their customers? These are 7 nightmare cyber security threats and how to secure against them. Threat 1: internal attacks This shouldn’t come as a surprise to readers, but internal attacks are one of the largest cyber security threats facing small businesses today. Rogue employees, especially those with access to networks, sensitive data or admin accounts, are capable of causing real damage. Some theories even suggest that the notorious 2014’s Sony Pictures hack – typically linked to North Korea – was actually an insider attack. To reduce the risk of insider threats, businesses must identify privileged accounts – accounts with the ability to significantly affect or access internal systems. Next, terminate those that are no longer in use or are connected with employees no longer working in the business. Businesses can also implement tools to track the activity of privileged accounts. This allows for a swift response if malicious activity from an account is detected before the damage can be dealt. Threat 2: phishing and spear phishing Despite constant warnings from the cyber security industry, people still fall victim to phishing every day. As cyber crime has become well-funded and increasingly sophisticated, phishing remains one of the most effective methods used by criminals to introduce malware into businesses. Spear phishing is a targeted form of phishing in which phishing emails are designed to appear to originate from someone the recipient knows and trusts – like senior management or a valued client. To target victims deemed ‘high value’ — i.e. those with access to privileged accounts — cyber criminals may even study their social media to gain valuable insights which can then be used to make their phishing emails appear highly authentic. If an employee is tricked by a malicious link in a phishing email, they might unleash a ransomware attack on their small business. Once access is gained, ransomware quickly locks down business computers as it spreads across a network. Until a ransom is paid, businesses will be unable to access critical files and services. To mitigate the risk posed by phishing – and ransomware – organisations must ensure staff are aware of the dangers and know how to spot a phishing email. Businesses must also ensure they have secure backups of their critical data. Because ransomware locks down files permanently (unless businesses want to cough up the ransom) backups are a crucial safeguard to recover from the hack. But as ransomware attacks are on the rise, prevention remains better than treatment. Education is the best way of ensuring protection for small businesses. Threat 3: a dangerous lack of cyber security knowledge Entire cyber security strategies, policies and technologies are worthless if employees lack cyber security awareness. Without any kind of drive to ensure employees possess a basic level of cyber security knowledge, any measure or policy implemented will be undermined. A well-targeted spear phishing email could convince an employee to yield their password and user information. An IT team can’t be looking over everyone’s shoulders at once. Because of this, education and training are essential to reduce the risk of cyber crime. Some employees may not know (or care enough) to protect themselves online, and this can put businesses at risk. Hold training sessions to help employees manage passwords (hint: two-factor authentication for business accounts) and identify phishing attempts. Then provide support to ensure employees have the resources they need to be secure. Some small businesses will also consider up-skilling members of their IT teams in incident handling, often through popular GCIH training from security vendor GIAC. Incident handling professionals are able to manage security incidents as they happen, and speed the process of recovery if hacks do occur. Ultimately, even a basic level of knowledge and awareness could mean the difference between being hacked or avoiding the risk altogether. Threat 4: DDoS attacks Distributed Denial of Service (DDoS) attacks have overwhelmed some of the largest websites in the world, including Reddit, Twitter, and Netflix. DDoS attacks, which ambush businesses with massive amounts of web traffic, slow websites to a crawl and, more often than not, force crucial services offline. If a small businesses relies on a website or other online service to function, the outages caused by DDoS attacks will be catastrophic. Most DDoS attacks last between 6-24 hours and cause an estimated £30,000 per hour, according to data from Incapsula, a DDoS prevention firm. Whilst businesses can’t stop a website or service being targeted in a DDoS attack, they can work to absorb some of the increased traffic, giving them more time to form a response or filter out the spam data. Ensuring there is extra bandwidth available, creating a DDoS response plan in the event of an attack or using a DDoS mitigation service are all great steps towards reducing the impact of an attack. But that’s just scratching the surface of DDoS mitigation – here are more ways to prevent a DDoS attack. Threat 5: malware Malware is a blanket term that encompasses any software that gets installed on a machine to perform unwanted tasks for the benefit of a third party. Ransomware is a type of malware, but others exist, including spyware, adware, bots and Trojans. To prevent malware from taking hold, businesses should invest in solid anti-virus technology. Plus, operating systems, firewalls and firmware, and previously mentioned anti-virus software must be kept up-to-date. If services are outdated or not updated regularly, businesses are at a serious risk. Just look at the damage caused when malware infected the UK’s National Health Service through an exploit within an outdated version of Windows XP. And that was just one of the high profile targets affected by the global WannaCry ransomware attack. Threat 6: SQL Injection Almost every business relies on websites to operate and many depend entirely on the service they provide online. However, poorly secured websites could be wide open to data theft by cyber criminals. Of the many attacks that can be staged against a website, SQL injection is amongst the most dangerous and even the largest companies fall victim to it. SQL injection refers to vulnerabilities that allow hackers to steal or tamper with the database sitting behind a web application. This is achieved by sending malicious SQL commands to the database server, typically by inputting code into forms – like login or registration pages. It takes a few well-calculated steps to protect against SQL injection. As a precaution, businesses should assume all user-submitted data is malicious, get rid of database functionality that isn’t needed and consider using a web application firewall. For a closer look at SQL injection, take a look at this documentation from Cisco. Properly preventing SQL injection is primarily a responsibility for a web development or security team, but the change has to be driven from the top. Still not convinced? Take a look at this video from Computerphile to see how effective and dangerous SQL injection can be. Threat 7: BYOD Businesses are vulnerable to data theft, especially if employees are using unsecure mobile devices to share or access company data. As more small businesses make use of bring your own device (BYOD) technology, corporate networks could be at risk from unsecured devices carrying malicious applications which could bypass security and access the network from within the company. The solution is nailing down a defined BYOD policy. A comprehensive BYOD policy educates employees on device expectations and allow companies to better monitor email and documents that are being downloaded to company-owned devices. Ensure employee-owned devices can access the business network through a VPN which connects remote BYOD users with the organisation via an encrypted channel. A VPN is crucial if employees are using public WiFi networks to access business data. Public Wi-Fi is notoriously unsecure and provides little protection against criminals that might be watching the transfer of sensitive data. If an attacker does capture encrypted VPN traffic they will only see incomprehensible characters going from you to a VPN server – meaning no sensitive data is leaked. Source: http://www.information-age.com/7-nightmare-cyber-security-threats-smes-secure-123466495/

See more here:
7 nightmare cyber security threats to SMEs and how to secure against them

8 RCE, DoS holes in Microsoft Malware Protection Engine plugged

After the discovery and the fixing of a “crazy bad” remote code execution flaw in the Microsoft Malware Protection Engine earlier this month, now comes another MMPE security update that plugs eight flaws that could lead to either remote code execution or to denial of service. Given that the Microsoft Malware Protection Engine powers a number of Microsoft antimalware software, DoS vulnerabilities should be considered serious, since a successfully exploited vulnerability could prevent the MMPE … More ?

Continue Reading:
8 RCE, DoS holes in Microsoft Malware Protection Engine plugged

What’s business continuity management and why does your business need it?

Reality check: Modern businesses rely on their digital capabilities now more than ever. Downtime has become a terrifying thing to even utter, let alone consider. This is why an effective business continuity plan has become a cornerstone in every business, with IT-centric businesses being no exception. Business Continuity is all about identifying what your key products are and what you can do to ensure that business continues as usual even in the case of disruptions or catastrophes, no matter the size or cause. In truth, business continuity planning is not such an alien concept even to regular consumers. Ever planned a holiday? Whenever planning a holiday, we think of the worst case scenarios and how we can come out of them unscathed, without ruining our well-earned trip. We set up plans in case something goes wrong with our ‘core services’ and we’re prepared for it. We search for additional taxi services in the area despite having booked a cab already, or we check for alternate routes should we rent a car. It’s never a good idea to go on a vacation unprepared for something to go wrong, and a business should be no different. Being the largest multi-site data centre provider in Malta, we are experienced in the business of keeping our customers’ systems online at all costs. The ideal IT services provider should strive to deliver a redundant solution in every component within their setup. At BMIT, we take great care in adopting this approach, from upgrading our core infrastructure services all the way to training our technical team to adopt best-practice methods for optimal business continuity management. Improving redundancy should always be the utmost priority when it comes to introducing new products within an IT Services provider’s portfolio. Business continuity planning is not such an alien concept even to regular consumers Studies show that the average total cost of unplanned application downtime per year is €1 billion to €2.5 billion for the Fortune 1000 companies. An hour of infrastructure failure costs an average of €100,000 with the number jumping fivefold to €500,000 to €1m in the case of a critical application failure; certainly not numbers to scoff at. The digital world undergoes changes every day and it is imperative to constantly keep working to ensure that the systems are up-to-date and relevant to the present realities. The introduction of new ranges of systems and services that protect customers against common business continuity pitfalls always helps to cement the provider’s commitment to ensure the clients’ uptime. With the world fast approaching an almost completely digitally-dependent era, the dangers of the dark side of the internet become an ever-present reality for the modern digital business. In recent years Distributed Denial of Service attacks, otherwise known as DDoS attacks, have emerged as one of the most disruptive ways in which a business can be brought down to its knees. DDoS attacks are weapons of mass disruption aimed at paralysing internet systems including networks, websites and servers, resulting in lost revenues, compromised site performance and tarnished reputations. BMIT has had to take these dangers into consideration, especially since even ISPs can be targeted, which would put us at a risk of not being able to provide a connection for our customers. In recent years, we’ve launched a multi-tiered DDoS protection and mitigation system to protect our customers from even the most vicious of DDoS attacks. From our experience in the industry, we learnt that best-practice is for our private network’s bandwidth needs to be sourced from multiple providers and delivered across multiple redundant links in order to eliminate the risks of our customers going offline through an outage. This setup ensures that our clients are hosted on a reliable and certified ISO27001 network which does not rely on a singular connection. At BMIT we offer clients various features which help ensure continuity for their business. We now have a multi-tiered DDoS protection and mitigation system protecting our redundant 40gbps private international network. This network consists of multiple geographically-separated links, each of which can take over traffic load should there be any faults in the other links. Moreover, we have multiple data centres and international points of presence which form a key part of business continuity plans for our customers. Geo-redundancy is a critical aspect of business continuity for international customers, and our presence across countries addresses this. For example, some clients mirror their servers from one data centre to another. In addition, we also offer several backup options as well as managed services options to help our clients achieve a robust business continuity plan. As part of our portfolio, our customers can also tap into several tools to manage their systems, including advanced firewall solutions as well as virtual load-balancing services. Ultimately, each of our redundant service offerings is a step forward in our customers’ pursuit to ensuring their business stays up. Customers’ feedback is vital and should always be taken into consideration. Good business continuity practices are a top priority for clients and usually the main reason why providers with great core infrastructures for business continuity retain customers. Sources: https://www.timesofmalta.com/articles/view/20170528/business-news/What-s-business-continuity-management-and-why-does-your-business-need.649236

See more here:
What’s business continuity management and why does your business need it?

The dark, dangerous, and insanely profitable world of DDoS attacks

Imagine a business model with a 95 percent profit margin. As wonderful as this sound, this business is certainly not something that most would want to get into. We’re talking, of course, about the criminal enterprise of Distributed Denial of Service (DDoS) attacks. This form of cyber-crime has grown exponentially over the past few years, giving CIOs and digital business leaders sleepless nights about whether they’ll be the next victim. Powerful DDoS attacks have a devastating effect: flooding web servers and hauling companies offline, causing untold financial and reputational damage. “The popularity of DDoS has spawned a criminal underworld, with thousands of service providers hiding out on the so-called ‘Dark Web’,” explains Arbor Network’s territory manager for Sub-Sahara, Bryan Hamman. These nefarious organisations offer to execute DDoS attacks for as little as just a few dollars. One simply chooses the type of attack (do you want to use web servers or connected botnets?), the magnitude, the duration, and indicates the victim that they’re targeting. “These Dark Web services have made it very simple to enlist the resources needed for a DDoS attack. Self-service portals and bitcoin payment systems guarantee one’s anonymity and eliminate the need for direct contact with the service provider,” says Hamman. He adds that reports and status updates are all published via these portals, allowing customers to track the impact of their attacks. In some cases, there are even bonuses for each attack that’s commissioned – so DDoS providers even have a form of loyalty programme. Soft targets Cyber-security company Kaspersky Lab recently found that the most basic attack (sold at about USD25 per hour) resulted in a profit to the service provider of about USD18 per hour. But the second revenue stream emerges with those DDoS attacks that demand a ransom from companies in return for restoring services and bringing the victim back online. In these cases, profit shares from the ransoms can push the overall profit margins to over 95 percent. The intended victims themselves are priced differently – with the likes of government websites, and organisations known to have some form of defence in place, commanding a much higher premium, notes Hamman. “It’s interesting to note the level of awareness and information held by the DDoS service providers, as they distinguish between the soft targets and the more difficult quests. Those organisations with the most advanced DDoS defences are far less likely to be targeted,” he explains. The answer “With such rich pickings available for cyber-criminals, it shows that the scourge of DDoS isn’t likely to slow down anytime soon,” highlights Hamman. Almost all types of organisations today are totally dependent on connectivity to sustain their business. As we rapidly adopt Cloud architectures and new mobility or virtual office solutions, all of our data, applications and services are only available when we’re connected. So it stands to reason that organisations should ensure they have professional and dedicated DDoS prevention solutions in place. “Companies need to have what we term ‘layered protection’ – incorporating broad DDoS attack detection and mitigation, alongside network visibility and actionable security intelligence.” “By remaining on the cusp of the latest DDoS protection tools, it becomes possible to thwart any attacks from the growing legion of DDoS attackers out there,” he adds. And, when these criminal services are so immediately available for hire, with just a few clicks of the mouse, the threat of DDoS is ever-present for all businesses and industries. By Bryan Hamman, Arbor Network’s territory manager for Sub-Sahara Source: http://www.itnewsafrica.com/2017/05/the-dark-dangerous-and-insanely-profitable-world-of-ddos-attacks/

More here:
The dark, dangerous, and insanely profitable world of DDoS attacks

Report: DDoS attacks are less common, but they’re bigger

Information security company Verisign just published its Distributed Denial of Trends Report for Q1 2017. This report talks about changes in the frequency, size, and type of DDoS attack that the company has observed over the first few months of this year. The main takeaway is this: The number of DDoS attacks has plunged by 23 percent compared to the previous quarter. That’s good! However, the average peak attack size has increased by almost 26 percent, making them vastly more potent at taking down websites and critical online infrastructure. That’s bad. The report also notes that attacks are sophisticated in nature, and use several different attack types to take down a website. While 43 percent use just one attack vector, 25 percent use two, and six percent use five. This, obviously, makes it much more difficult to mitigate against. Verisign’s report also talks about the largest DDoS attack observed by the company in Q1. This was a multi-vector attack that peaked at 120 Gbps, and with a throughput of 90 Mpps. Per the report: This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours. The attackers were very persistent in their attempts to disrupt the victim’s network by sending attack traffic on a daily basis for over two weeks. The attack consisted primarily of TCP SYN and TCP RST floods of varying packet sizes and employed one of the signatures associated with the Mirai IoT botnet. The event also included UDP floods and IP fragments which increased the volume of the attack. So, in short. The attackers were using several different attack types, and they were able to sustain the attack over a long period of time. This shows the attacker has resources, either to create or rent a botnet of that size, and to sustain an attack over two weeks. The fact that DDoS attacks have increased in potency is hardly a surprise. They’ve been getting bigger and bigger, as bad actors figure out they can easily rope insecure Internet of Things (IoT) devices into their botnets. The Mirai botnet, for example, which took down Dyn last year, and with it much of the Internet, consisted of hundreds of thousands of insecure IoT products. The main thing you can gleam from the Verisign report is that DDoS attacks are increasingly professional, for lack of a better word. It’s not 2005 anymore. We’ve moved past the halcyon days of teenagers taking down sites with copies of LOIC they’d downloaded off Rapidshare. Now, it’s more potent. More commoditized. And the people operating them aren’t doing it for shits and giggles. Source: https://thenextweb.com/insider/2017/05/24/report-ddos-attacks-are-less-common-but-theyre-bigger/#.tnw_RJHfi1AZ

Originally posted here:
Report: DDoS attacks are less common, but they’re bigger

Examining the FCC claim that DDoS attacks hit net neutrality comment system

Attacks came from either an unusual type of DDoS or poorly written spam bots. On May 8, when the Federal Communications Commission website failed and many people were prevented from submitting comments about net neutrality, the cause seemed obvious. Comedian John Oliver had just aired a segment blasting FCC Chairman Ajit Pai’s plan to gut net neutrality rules, and it appeared that the site just couldn’t handle the sudden influx of comments. But when the FCC released a statement explaining the website’s downtime, the commission didn’t mention the Oliver show or people submitting comments opposing Pai’s plan. Instead, the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks (DDoS).” These were “deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host,” performed by “actors” who “were not attempting to file comments themselves; rather, they made it difficult for legitimate commenters to access and file with the FCC.” The FCC has faced skepticism from net neutrality activists who doubt the website was hit with multiple DDoS attacks at the same time that many new commenters were trying to protest the plan to eliminate the current net neutrality rules. Besides the large influx of legitimate comments, what appeared to be spam bots flooded the FCC with identical comments attributed to people whose names were drawn from data breaches, which is another possible cause of downtime. There are now more than 2.5 million comments on Pai’s plan. The FCC is taking comments until August 16 and will make a final decision some time after that. The FCC initially declined to provide more detail on the DDoS attacks to Ars and other news organizations, but it is finally offering some more information. A spokesperson from the commission’s public relations department told Ars that the FCC stands by its earlier statement that there were multiple DDoS attacks. An FCC official who is familiar with the attacks suggested they might have come either from a DDoS or spam bots but has reason to doubt that they were just spam bots. In either case, the FCC says the attacks worked differently from traditional DDoSes launched from armies of infected computers. A petition by activist group Fight for the Future suggests that the FCC “invent[ed] a fake DDoS attack to cover up the fact that they lost comments from net neutrality supporters.” But while FCC commissioners are partisan creatures who are appointed and confirmed by politicians, the commission’s IT team is nonpartisan, with leadership that has served under both Presidents Obama and Trump. There’s no consensus among security experts on whether May 8 was or wasn’t the result of a DDoS attack against the FCC comments site. One security expert we spoke to said it sounds like the FCC was hit by an unusual type of DDoS attack, while another expert suggested that it might have been something that looked like a DDoS attack but actually wasn’t. Breaking the silence FCC CIO David Bray offered more details on how the attack worked in an interview with ZDNet published Friday. Here’s what the article said: According to Bray, FCC staff noticed high comment volumes around 3:00 AM the morning of Monday, May 8. As the FCC analyzed the log files, it became clear that non-human bots created these comments automatically by making calls to the FCC’s API. Interestingly, the attack did not come from a botnet of infected computers but was fully cloud-based. By using commercial cloud services to make massive API requests, the bots consumed available machine resources, which crowded out human commenters. In effect, the bot swarm created a distributed denial-of-service attack on FCC systems using the public API as a vehicle. It’s similar to the distributed denial of service attack on Pokemon Go in July 2016. This description “sounds like a ‘Layer 7’ or Application Layer attack,” Cloudflare Information Security Chief Marc Rogers told Ars. This is a type of DDoS, although it’s different from the ones websites are normally hit with. “In this type of [DDoS] attack, instead of trying to saturate the site’s network by flooding it with junk traffic, the attacker instead tries to bring a site down by attacking an application running on it,” Rogers said. “I am a little surprised that people are challenging the FCC’s decision to call this a DDoS,” Rogers also said. Cloudflare operates a global network that improves performance of websites and protects them from DDoS attacks and other security threats. When asked if the FCC still believes it was hit with DDoS attacks, an FCC spokesperson told Ars that “there have been DDoS attacks during this process,” including the morning of May 8. But the FCC official we talked to offered a bit less certainty on that point. “The challenge is someone trying to deny service would do the same thing as someone who just doesn’t know how to write a bot well,” the FCC official said. FCC officials said they spoke with law enforcement about the incident. Spam bots and DDoS could have same effect DDoS attacks, according to CDN provider Akamai, “are malicious attempts to render a website or Web application unavailable to users by overwhelming the site with an enormous amount of traffic, causing the site to crash or operate very slowly.” DDoS attacks are “distributed” because the attacks generally “use large armies of automated ‘bots’—computers that have been infected with malware and can be remotely controlled by hackers.” (Akamai declined to comment on the FCC downtime when contacted by Ars.) In this case, the FCC’s media spokesperson told Ars the traffic did not come from infected computers. Instead, the traffic came from “cloud-based bots which made it harder to implement usual DDoS defenses.” The FCC official involved in the DDoS response told us that the comment system “experienced a large number of non-human digital queries,” but that “the number of automated comments being submitted was much less than other API calls, raising questions as to their purpose.” If these were simply spammers who wanted to flood the FCC with as many comments as possible, like those who try to artificially inflate the number of either pro- or anti-net neutrality comments, they could have used the system’s bulk filing mechanism instead of the API. But the suspicious traffic came through the API, and the API queries were “malformed.” This means that “they aren’t formatted well—they either don’t fit the normal API spec or they are designed in such a way that they excessively tax the system when a simpler call could be done,” the FCC official said. Whether May 8 was the work of spam bots or DDoS attackers, “the effect would have been the same—denial of service to human users” who were trying to submit comments, the FCC official said. But these bots were submitting many fewer comments than other entities making API calls, suggesting that, if they were spam bots, they were “very poorly written.” The official said a similar event happened in 2014 during the previous debate over net neutrality rules, when bots tied up the system by filing comments and then immediately searching for them. “One has to ask why a bot would file, search, file, search, over and over,” the official said. If it was just a spam bot, “one has to wonder why, if the outside entity really wanted to upload lots of comments in bulk, they didn’t use the alternative bulk file upload mechanism” and “why the bots were submitting a much lower number of comments relative to other API calls,” the official said. The FCC says it stopped the attacks by 8:45am ET on May 8, but the days that followed were still plagued by intermittent downtime. “There were other waves after 8:45am that slowed the system for some and, as noted, there were ‘bots’ plural, not just one,” the FCC official said. On May 10, “we saw other attempts where massive malformed search queries also have hit the system, though it is unclear if the requestors meant for them to be poorly formed or not. The IT team has implemented solutions to handle them even if the API requests were malformed.” Was it a DDoS, or did it just look like one? There is some history of attackers launching DDoS attacks from public cloud services like Amazon’s. But the kind of traffic coming into the FCC after the John Oliver show might have looked like DDoS traffic even if it wasn’t, security company Arbor Networks says. Arbor Networks, which sells DDoS protection products, offered some analysis for its customers and shared the analysis with Ars yesterday. Arbor says: When a client has an active connection to a website which is under heavy load, there is a risk that the server will be unable to respond in a timely fashion. The client will then start to automatically resend its data, causing increased load. After a while, the user will also get impatient and will start to refresh the screen and repeatedly press the “Submit” button, increasing the load even further. Finally, the user will, in most cases, close the browser session and will attempt to reconnect to the website. This will then generate TCP SYN packets which, if processed correctly, will move to the establishment of the SSL session which involves key generation, key exchange, and other compute intensive processes. This will most likely also timeout, leaving sessions hanging and resulting in resource starvation on the server. A spam bot would behave in the same manner, “attempting to re-establish its sessions, increasing the load even further,” Arbor says. “Also, if the bot author wasn’t careful with his error handling code, the bot might also have become very aggressive and start to flood the server with additional requests.” What the FCC saw in this type of situation might have looked like a DDoS attack regardless of whether it was one, Arbor said: When viewed from the network level, there will be a flood of TCP SYN packets from legitimate clients attempting to connect; there will be a number of half-open SSL session which are attempting to finalize the setup phase and a large flood of application packets from clients attempting to send data to the Web server. Taken together, this will, in many ways, look similar to a multi-faceted DDoS attack using a mix of TCP-SYN flooding, SSL key exchange starvation, and HTTP/S payload attacks. This traffic can easily be mistaken for a DDoS attack when, in fact, it is the result of a flash crowd and spam bot all attempting to post responses to a website in the same time period. DDoS attacks generally try to “saturate all of the bandwidth that the target has available,” Fastly CTO Tyler McMullen told Ars. (Fastly provides cloud security and other Web performance tools.) In the FCC’s case, the attack sounds like it came from a small number of machines on a public cloud, he said. “Another form of denial-of-service attack is to make requests of a service that are computationally expensive,” he said. “By doing this, you don’t need a ton of infected devices to bring down a site—if the service is not protected against this kind of attack, it often doesn’t take much to take it offline. The amount of traffic referenced here does not make it obvious that it was a DDoS [against the FCC].” Server logs remain secret The FCC declined to publicly release server logs because they might contain private information such as IP addresses, according to ZDNet. The logs reportedly contain about 1GB of data per hour from the time period in question, which lasted nearly eight hours. The privacy concerns are legitimate, security experts told Ars. “Releasing the raw logs from their platform would almost certainly harm user privacy,” Rogers of Cloudflare told Ars. “Finally, redacting the logs would not be a simple task. The very nature of application layer attacks is to look exactly like legitimate user traffic.” McMullen agreed. “Releasing the logs publicly would definitely allow [the details of the attack] to be confirmed, but the risk of revealing personal information here is real,” he said. “IP addresses can sometimes be tied to an individual user. Worse, an IP address combined with the time at which the request occurred can make the individual user’s identity even more obvious.” But there are ways to partially redact IP addresses so that they cannot be tied to an individual, he said. “One could translate the IP addresses into their AS numbers, which is roughly the equivalent of replacing a specific street address with the name of the state the address is in,” he said. “That said, this would still make it clear whether the traffic was coming from a network used by humans (e.g. Comcast, Verizon, AT&T, etc) or one that primarily hosts servers.” Open by design The FCC’s public comments system is supposed to allow anyone to submit a comment, which raises some challenges in trying to prevent large swarms of traffic that can take down the site. The FCC has substantially upgraded its website and the back-end systems that support it since the 2014 net neutrality debate. Instead of ancient in-house servers, the comment system is now hosted on the Amazon cloud, which IT departments can use to scale computing resources up and down as needed. But this month’s events show that more work needs to be done. The FCC had already implemented a rate limit on its API, but the limit “is tied to a key, and, if bots requested multiple keys, they could bypass the limit,” the FCC official told us. The FCC has avoided using CAPTCHA systems to distinguish bots from humans because of “challenges to individuals who have different visual or other needs,” the official said. Even “NoCAPTCHA” systems that only require users to click a box instead of entering a hard-to-read string of characters can be problematic. “Some stakeholders who are both visually impaired and hearing impaired have reported browser issues with NoCAPTCHA,” the FCC official said. “Also a NoCAPTCHA would mean you would have to turn off the API,” but there are groups who want to use the API to submit comments on behalf of others in an automated fashion. Comments are often submitted in bulk both by pro- and anti-net neutrality groups. The FCC said it worked with its cloud partners to stop the most recent attacks, but it declined to share more details on what changes were made. “If folks knew everything we did, they could possibly work around what we did,” the FCC official said. Senate Democrats asked the FCC to provide details on how it will prevent future attacks. While the net neutrality record now contains many comments of questionable origin and quality, the FCC apparently won’t be throwing any of them out. But that doesn’t mean they’ll hold any weight on the decision-making process. “What matters most are the quality of the comments, not the quantity,” Pai said at a press conference this month. “Obviously, fake comments such as the ones submitted last week by the Flash, Batman, Wonder Woman, Aquaman, and Superman are not going to dramatically impact our deliberations on this issue.” There is “a tension between having open process where it’s easy to comment and preventing questionable comments from being filed,” Pai said. “Generally speaking, this agency has erred on the side of openness. We want to encourage people to participate in as easy and accessible a way as possible.” Source: https://arstechnica.com/information-technology/2017/05/examining-the-fcc-claim-that-ddos-attacks-hit-net-neutrality-comment-system/

Excerpt from:
Examining the FCC claim that DDoS attacks hit net neutrality comment system

DDoS attacks shorter and more frequent: 80% now take less than an hour

During Q1 2017, a reduction in average DDoS attack duration was witnessed, thanks to the prevalence of botnet-for-hire services that commonly used short, low-volume bursts. Imperva Incapsula’s latest Global DDoS Threat Landscape Reportanalysed more than 17,000 network and application layer DDoS attacks that were mitigated during Q1 2017. Igal Zeifman, Incapsula security evangelist at Imperva told SC Media UK: “These attacks are a sign of the times; launching a DDoS assault has become as simple as downloading an attack script or paying a few dollars for a DDoS-for-hire service. Using these, non-professionals can take a website offline over a personal grievance or just as an act of cyber-vandalism in what is essentially a form of internet trolling.” The research found that more and more assaults occurred in bursts, as 80 percent of attacks lasted less than an hour. Three-quarters of targets suffered repeat assaults, in which 19 percent were attacked 10 times or more. For the first time, 90 percent of all network layer attacks lasted less than 30 minutes, while only 0.1 percent of attacks continued for more than 24 hours. The longest attack of the quarter continued for less than nine days. Researchers observed a higher level of sophistication on the part of DDoS offenders, reflected by the steep rise in multi-vector attacks. These accounted for more than 40 percent of all network layer assaults in Q1 2017. In terms of worldwide botnet activity, 68.8 percent of all DDoS attack requests originated in just three countries; China (50.8 percent), South Korea (10.8 percent) and the US (7.2 percent). Others on the attacking country list included Egypt (3.2 percent), Hong Kong (3.2 percent), Vietnam (2.6 percent), Taiwan (2.4 percent), Thailand (1.6 percent), UK (1.5 percent) and Turkey (1.4 percent). The US, UK and Japan continued to top the list of most targeted countries. Over the past year Singapore and Israel joined that list for the first time. Source: https://www.scmagazineuk.com/ddos-attacks-shorter-and-more-frequent-80-now-take-less-than-an-hour/article/663591/

Link:
DDoS attacks shorter and more frequent: 80% now take less than an hour

There’s now a WannaCry decryptor tool for most Windows versions

As the criminals behind the WannaCry ransomware are trying to make it work again, security researchers have created tools for decrypting files encrypted by it. DDoS attacks against the killswitch domains Since researcher Marcus Hutchins (aka MalwareTech) registered a (previously non-existent) killswitch domain for the malware and stopped its onslaught, the domain has been under attack by Mirai-powered botnets. Today’s Sinkhole DDoS Attack pic.twitter.com/wxT2YUrdOF — MalwareTech (@MalwareTechBlog) May 18, 2017 That particular domain has been … More ?

See more here:
There’s now a WannaCry decryptor tool for most Windows versions

‘Cyberattacks could contribute to a dramatic shift in world power’

In our five-minute CIO series, Lior Tabansky explains how cyberattacks could have a seismic effect on the world order. Lior Tabansky is a cyber power scholar at the Blavatnik Interdisciplinary Cyber Research Center (ICRC) and the director of strategy in Tel-Aviv-based cybersecurity consultancy firm CSG. Tabansky brings a refreshing interdisciplinary approach to cybersecurity to the table, facilitated by his political science and security studies, 15 years of hands-on IT professional practice, and high-level think tank, policy and corporate experience. His strategic cybersecurity expertise stems from a unique combination: service in the Israeli Air Force, subsequent career designing and managing business ICT infrastructure, postgraduate political science education and a proven commitment to interdisciplinary, academic policy-oriented research. Tabansky recently wrote an insightful and timely book – Cybersecurity in Israel – co-authored with Prof Isaac Ben-Israel and published by Springer. This comprehensive yet concise work offers an ‘insider’ strategic analysis of Israeli cyber power, with invaluable lessons to be learned by governments and corporations alike. How does one become a cyber scholar? I was always interested in politics and international relations because, since high school, I figured out this was important and I wanted to know how the world works. In parallel, around the mid-90s, the whole PC revolution happened and it fascinated me. And then you realise that things don’t work like they are supposed to, and I learned on my own to play with it and fix it and from there on, I pursued parallel academic tracks. One track was political science and security studies and, in parallel, I began working in IT as an admin because they paid more than other professions. Around 2003, I was doing a master’s on the role of IT in counter-terrorism and that’s how I became more established academically in this field. From there on, technology changed, and I was studying mostly the development of how it can challenge national security. Is most of your work academic? First of all, this subject is not very fashionable in academia because it is mostly current affairs; it relates to policy issues and is constantly moving, so it is on the fringes of the academic world. I had a lot of backlash for trying to pursue proper academic research with things that are constantly moving. It’s a conceptual issue. On top of that, the centre we established at Tel-Aviv University is more like a think tank in terms of influencing policy debates –it is mostly pure research. We also hold our Cyber Week conference in the summer, which attracts 5,000 people and delegations from 50 countries. With cyberattacks on the rise, every individual is threatened. How do you see the world we are in? This is not a purely defence issue, each one of us is affected. This is precisely why, as a civilisation, we build societies, states, cities and so on. The primary duty of the state is to provide security for society. Of course, you need to change a lot and adapt and this is where I think the west, and particularly the US, are doing a particularly bad job. They were the first to develop the whole field, to recognise and publish the deep implications of technology, and yet they are still all the time complaining about China, and now it has switched to Russia; but their governments fail to protect the companies, the citizens and civil society, and maybe they are not even trying. So, the failure is not even trying. This is a very typical problem. We are in the midst of a revolution similar to the industrial revolution and, unless society and states adapt, we will see dramatic shifts in world power. And, sitting where we are sitting, that is not a good thing. The shakes and tremors will come at everyone’s expense. Most of the rest of the world doesn’t like the western world’s dominance, and these are the ones who will continue to challenge the western way of life – it is a dangerous situation. Do you feel that the way the western world is going about cybersecurity – with an emphasis on surveillance rather than defence – is the wrong approach? Yes. It is not a resource issue. The US, for example, has by far the largest resources of all their competitors combined, definitely in defence and security. The NSA has been the largest employer of mathematicians for decades, so they are way ahead of all of us in that field. The problem is politics. How you work these things out and the balance between all sorts of values and security is very difficult, and, of course, no one knows how to get it right. It’s not a resource issue. The US has unlimited resources, manpower and technology, and they can get it right. If you try to focus too much on defence and security, you will harm civil liberties and so on, and no one wants that. The thing is, while we are figuring out how to solve it over the last few decades, your adversaries will try to act more and more in their interests. Has Israel gotten it right? There is much more to be done. We are relatively in a good situation compared to other western democracies. However, it is far away from the ideal situation that we have in security affairs. We pay taxes, we get security, and it works pretty well. Europe is in a great historic anomaly of having several decades of zero wars. This is only because societies got the defence issue right, which includes economics, diplomacy and other things. Unless we get it right in the cyber area, there will be changes. This is what history is about. And if we don’t get it right? Will some countries do better than others? There are a lot of instruments for cooperation between like-minded countries in terms of official bodies such as the EU and NATO and, more importantly, bilateral. This is where the strengths of the west lie, in the freedom to have people meet and develop new ideas. This is our best chance. It is a case of western civilisation versus the rest of the world that wants to compete with us. And yet, when it comes to security, organisations spend a fortune on cyber defence, only to have it unravel because one individual opens a phishing email … I’m happy to hear from you as a technology journalist acknowledge that technology can have human failure. From an information security perspective, we have a good empirical knowledge of how things happen. Most of the important breaches involve insiders; everything involves human behaviour. The top four strategies for cyber defence will mitigate 94pc of all breaches. There are already so many readily available, built-in technology solutions that we can use and yet we don’t, and the problem is with humans. This again brings me to society and politics, and policy and government issues, which are more complicated than a single solution or bunch of solutions. The other issue is, we do not know what the threats will look like. It is much worse when it is cyber because of the rate of change. Therefore, I don’t know if that is the official position of Israeli strategy but the underlying notion is, we don’t know what capability we will need in the future. It’s not like we can design a great aeroplane and it would take 20 years and we get there; we need to have an ecosystem in place that’s dynamic enough to identify changes and to adapt rapidly. It’s a dramatically different mindset from other defence issues. You can’t just plan ahead. It is much more complicated and you need to involve sectors of society, the private sector (whether they like it or not), the education system, academia. The main responsibility for national defence should be the defence organisations. In the last year, attacks such as WannaCry, and the various DDOS attacks on the internet of things and cloud organisations, suggest a worrying spike in attack capabilities. Do you agree? It is very predictable: if you take Moore’s Law and subsequent laws in networking and memory, and continue to extrapolate forward, yes, the internet of things is definitely going to happen. The complexity is growing, the number of potential threat vectors is growing, and it only means that you need to put in place better policies and prioritise where to put the limited funds we have. Unlike the Americans who have unlimited resources, in Israel, we don’t consider DDOS attacks a big problem, but of course we do things to prevent them. The Israeli government’s networks have been withstanding DDOS attacks, larger than the Estonians suffered in 2007, routinely. You need to assume things will go wrong and focus on the more narrow, more critical elements, because we cannot cover everything. Has the best attack not yet been invented? Since 2002, the government has legislated an arrangement for critical infrastructure protection. The concern was not information under threat, but the symbiosis between the operational technology and the information technology. I think this remains the major threat scenario: a disruptive or destructive attack on the systems that underpin our modern life. What would be the typical attack volume on Israel, what are you dealing with? State of the art! Whatever appears on the market, we usually get it first. Even 10 years ago, we had a lot of solutions readily available to deploy to mitigate massive DDOS attacks; even today, it is a matter of where you put your investment. If you spend enough money, you can mitigate any volume of DDOS attack, but is it worth the effort? Attackers are not interested in achieving the specific volume of attack, they are interested in achieving an effect. And the better your defences are, the more it helps you to incur higher costs on them. Source: https://www.siliconrepublic.com/enterprise/israel-cyber-defence

View article:
‘Cyberattacks could contribute to a dramatic shift in world power’