Category Archives: DDoS Criminals

Over third of large Dutch firms hit by cyberattack in 2016 – CBS

Large companies are hit by cyberattacks at an above average rate, according to the Cybersecurity Monitor of Dutch statistics bureau CBS for 2018. Among companies of 250+ employees, 39 percent were hit at least once by a cyberattack in 2016, such as a hack or DDoS attack. By contrast, around 9 percent of small companies (2-10 employees) were confronted with such an ICT incident. Of the larger companies, 23 percent suffered from failure of business processes due to the outside cyberattacks. This compares to 6 percent for the smaller companies. Of all ICT incidents, failures were most common, for all sizes, though again, the larger companies were more affected (55%) than the smaller ones (21%). The incidents led to costs for both groups of companies.

Chance of incident bigger at large company

CBS noted that ICT incidents can arise both from an outside attack and from an internal cause, such as incorrectly installed software or hardware or from the unintentional disclosure of data by an employee. The fact that larger companies suffer more from ICT incidents can be related to the fact that more people work with computers; this increases the chance of incidents. In addition, larger companies often have a more complex ICT infrastructure, which can cause more problems. The number of ICT incidents also varies per industry. For example, small businesses in the ICT sector (12%) and industry (10%) often suffer from ICT incidents due to external attacks. Small companies in the hospitality sector (6%) and health and welfare care (5%) were less often confronted with cyberattacks.

Internal cause more common at smaller companies

Compared to larger companies, ICT incidents at small companies more often have an internal cause: 2 out of 3, compared to 2 out of 5 for larger companies. ICT incidents at small companies in health and welfare care most often had an internal cause (84%). In the ICT sector, this share was 60 percent.

About 7 percent of companies with an ICT incident report them to one or more authorities, including police, the Dutch Data Protection Authority AP, a security team or their bank. The largest companies report ICT incidents much more often (41%) than the smallest companies (6%). Large companies report these ICT incidents most frequently to the AP, complying with the law. After that, most reports are made to the police. The smallest companies report incidents most often to their bank.

Smaller: less safe

Small businesses are less often confronted with ICT incidents and, in comparison with large companies, take fewer security measures. Around 60 percent of small companies take three or more measures. This goes to 98 percent for larger companies. Source: https://www.telecompaper.com/news/over-third-39-of-large-dutch-firms-hit-by-cyberattack-in-2016-cbs–1265851

More here:
Over third of large Dutch firms hit by cyberattack in 2016 – CBS

Serverless botnets could soon become reality

We have been accustomed to think about botnets as a network of compromised machines – personal devices, IoT devices, servers – waiting for their masters’ orders to begin their attack, but Protego researchers say that many compromised machines are definitely not a requirement: botnets can quite as easily be comprised of serverless functions. They created one on the Google Cloud Functions platform as a proof of concept and have calculated that the losses experienced by … The post Serverless botnets could soon become reality appeared first on Help Net Security.

Read the original post:
Serverless botnets could soon become reality

The Haunting Horror Story Of Cybercrime

As the old saying goes, “darkness falls across the land, the midnight hour is close at hand.” Halloween is upon the scene and frightening things are unforeseen. Imagine watching a chilling movie depicting a zombie apocalypse or a deadly virus spreading fast across a metropolis, infecting everything in its wake. Sounds like a monstrous scenario? Sounds analogous to a cyber-attack? You could be onto something. Strap yourself in. It’s going to be a bumpy ride. According to recent F5 Labs threat analysis, the top application breaches haunting companies right now with rapidly mutating sophistication include payment card theft via web injection (70%), website hacking (26%), and app database hacking (4%). Frighteningly, further analysis shows that 13% of all web application breaches in 2017 and Q1 2018 were access related. This bloodcurdling discovery can be dissected as follows: credentials stolen via compromised email (34.29%), access control misconfiguration (22.86%), credential stuffing from stolen passwords (8.57%), brute force attacks to crack passwords (5.71%), and social engineering theft (2.76%). The eerie evidence also shows that applications and identities are the initial targets in 86% of breaches. Businesses worldwide now face a sense of creeping dread and imminent disruption. Nowadays, they are more prone than ever to terrors such as malware hijacking browsers to sniff or intercept application authentication credentials. Then there are the strains of malware that target financial logins to menace both browser and mobile clients. There’s no way around it. Getting your cybersecurity posture right is the only way to stay safe. Get it wrong, however, and you’ll get the fright of your life in the shape of the EU’s General Data Protection Regulation (GDPR) enforcement. There is definitively nowhere to hide this Halloween if you’re breached or fall short of tightening compliance expectations.
Yet, if scary movies have taught us anything about horror stories, it is never to scream and run away. As this ghoulish season can overshadow any organisation, it’s imperative that preventative measures are in place to protect vital assets. Yes, the findings from F5 Labs may paint a bleak picture, but there are plenty of preventative measures you can take to improve your security posture and safeguard your employees’ applications and sensitive data:

- Understand your threat environment and prioritise defences against grave risk concerns. Know which applications are important and minimise your attack surface. Remember, an app’s surface is broadening all the time, encompassing multiple tiers and the ever-increasing use of application programming interfaces (APIs) to share data with third parties.
- Use data to drive your risk strategy and identify what attackers would typically target. Beware that any part of an application service visible on the Internet will be probed by fiendish hackers for possible exploitation.
- Configure your network systems properly or suffer the consequences of applications leaking internal and infrastructure information, including server names, private network addresses, email addresses, and even usernames. This is all valuable ammunition for a horrible hacker to carry out an attack.
- Be aware of common threats including DDoS attacks, ransomware, malware, phishing, and botnets. Ensuring your IT response strategies are built to adapt and update in line with new vulnerabilities and threats will invariably improve survival rates.
- Implement a strong set of easily manageable and powerful security solutions such as an advanced web application firewall (AWAF). This type of technology is extremely scalable and can protect against the latest wave of attacks using behavioural analytics, proactive bot defence, and application-layer encryption of sensitive data like personal credentials.
- Ensure the company enforces a proactive culture of security and educates employees on policy, device management, as well as safe internet and cloud usage. When travelling on business, ensure staff never conduct financial transactions requiring a debit or credit card when using public or free Wi-Fi services. Never assume mobiles and laptop devices are safe, even at the local coffee bar.
- Change your passwords regularly (i.e. every month). This is especially important after travel. Devices may have been compromised during transit.
- Always perform regular data backups on approved devices and/or secure cloud platforms to ensure sensitive information is not lost or stolen and can be quickly recovered in the event of an attack. Remember, careless employees who feel they are unaccountable for the loss of work devices can damage business reputations.

The grim reality

Remember this is the time of year when “creatures crawl in search of blood to terrorize the neighbourhood”. Whether you’re expecting a trick or treat this Halloween, neglecting cybersecurity is certain to have ghastly consequences. The business world is littered with victims of cybercrime, so don’t get consigned to the grievous graveyard of cyber fraud. Know what makes your apps vulnerable and how they can be attacked. Make sure you put the right solutions in place to lower your risk. Now is the time to stop being haunted by cybercriminals draining the lifeblood out of your business. Source: https://www.informationsecuritybuzz.com/articles/the-haunting-horror-story-of-cybercrime/

Read More:
The Haunting Horror Story Of Cybercrime

Six Lessons From Boston Children’s ‘Hacktivist’ Attack

CIO Daniel Nigrin, M.D., says hospitals must prepare for DDoS and ransomware

Most health system CIOs have heard about the 2014 attack on Boston Children’s Hospital by a member or members of the activist hacker group Anonymous. The hospital was forced to deal with a distributed denial of service (DDoS) attack as well as a spear phishing campaign. Yesterday, as part of the Harvard Medical School Clinical Informatics Lecture Series, the hospital’s senior vice president and CIO Daniel Nigrin, M.D., discussed six lessons learned from the attack.

Although the cyber-attack took place four years ago, there have been some recent developments. The attack was undertaken to protest the treatment of a teenager, Justina Pelletier, in a dispute over her diagnosis and custody between her parents and the hospital. In August 2018 Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers. U.S. District Court Judge Nathaniel Gorton scheduled sentencing for Nov. 14, 2018. Gottesfeld was charged in February 2016. According to the U.S. Department of Justice, Gottesfeld launched a massive DDoS attack against the computer network of the Boston Children’s Hospital. He customized malicious software that he installed on 40,000 network routers that he was then able to control from his home computer. After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he temporarily knocked Boston Children’s Hospital off the Internet.

In his Oct. 17 talk, Nigrin said cyber criminals still see healthcare as a soft target compared to other industries. “The bottom line is that in healthcare, we have not paid attention to cybersecurity,” he said. “In the years since this attack, we have seen ransomware attacks that have brought hospital systems to their knees. We have to pay more attention and invest more in terms of dollars and technical people, but it really does extend to entire organizations — educating people about what a phishing attack is, what a social engineering attack is. These need to be made a priority.”

He offered six lessons learned from Boston Children’s experience:

1. DDoS countermeasures are critical. No longer can healthcare organizations assume that DDoS attacks are things that only occur against corporate entities, he said. “Prior to this event, I had never thought about the need to protect our organization against a DDoS attack,” he said. “I will submit that the vast majority of my CIO colleagues were in the same boat. And that was wrong. I think now we have gotten this understanding.”

2. Know what depends on the internet. Having a really detailed understanding of what systems and processes in your organization depend on internet access is critical, Nigrin stressed. You also must have good mitigation strategies in place to know what to do if you lose internet access — whether it is because you have a network outage due to a technical issue or a malicious issue. “As healthcare has become more automated and dependent on technology, these things are crippling events. You have got to know how you are going to deal with it ahead of time. Figuring it out on the fly is not going to work.”

3. Recognize the importance of email. Email may be seen as old-school, Nigrin noted, but it is still the primary method to communicate, so you have to think about how you can communicate and get the word out in scenarios where you don’t have email or lose voice communication. “In our case, we were super-lucky because we had just deployed a secure texting platform, so we could do HIPAA-compliant texting, and when our email was down, that was how we communicated, and it was very effective,” he explained.

4. Push through security initiatives – no excuses anymore. Because he is a doctor himself, Nigrin feels OK picking on doctors about security. Historically they have always pushed back on security measures such as dual-factor authentication. He paraphrases them saying “Come on, Dan, that is an extra 10 seconds; I have to carry a secure ID, or you have to send me a text message on my phone. It is a pain. I don’t want to do it. I am the highest-paid employee in your organization and that is time better spent on something else.” But Nigrin argues that we can’t afford to think like that anymore. He used the Anonymous attack as an opportunity to push through four or five security initiatives within the next two to three months when he had everyone’s attention. “The platform was burning, and the board of trustees was willing to expend the money to pay for it all. They all of a sudden recognized the risk.”

5. Securing audio- and teleconference meetings. Nigrin said this topic wouldn’t have occurred to Boston Children’s until they were warned by the FBI. “The FBI told us about an attack that affected them when they were dealing with Anonymous. When Anonymous was attacking the FBI, the FBI convened internal conference calls on how to deal with it. Anonymous had already breached their messaging platform and intercepted the calendar invites that invited everyone to dial in. Anonymous basically was called into the meeting. Within 30 minutes of one of those meetings, the entire audio transcript of the conference call was posted to YouTube.” “So we took heed of that and made sure that when we had conference calls, we sent out PINs over our secure texting platform,” he said.

6. Separating signal from noise. During the attack, Boston Children’s set up a command center and told employees: if you see something, say something. “We didn’t know what attack was coming next. We were flying blind,” Nigrin said. “We started to get lots of calls into our command center with reports of things that seemed somewhat suspicious,” he remembers. People got calls on their cell phone with a recorded message saying your bank account has been compromised. Press 1 to talk to someone to deal with it. “Today we would recognize this as some type of phishing scam and hang up,” he said, “but at the time it was sort of new. People started calling us and we didn’t know if this was Anonymous trying to get into the bank accounts of our senior clinicians. Was it part of the attack? It was tough for us to detect signal from noise.”

In the Q&A after his presentation, listeners were curious about how much the incident cost the hospital. Nigrin said there were two big costs incurred: One was the technology it had to deploy in an emergent way to do DDoS protection and penetration testing. The other was revenue lost from philanthropic donations. Together they were close to $1 million. Another person asked if the hospital had cyber insurance. Nigrin said they did, but when they read the fine print it said they were covered only if they were breached and technically they were never breached, so the insurance company was reluctant to pay. Although they eventually got compensated for a good share of it, the hospital also made sure to update its policy. Still another attendee asked Nigrin if ransomware attacks were still targeting hospitals. He said they definitely were. “Think about community hospitals just squeaking by on their budgets,” he said. “They don’t have millions to spend, yet their data is valuable on the black market. Attackers recognize we are dead in the water as entities if we don’t have these systems. We have important data and will do anything to get our systems back up and running.” Nigrin said even large health systems can be vulnerable because some technology they deploy is run by third-party vendors who haven’t upgraded their systems. An example, he said, might be technology to record videos in the operating room setting. Some vendors, he said, are not accustomed to thinking about security. They are unable to update their software so it works on more modern operating systems. That leaves CIOs with a tough choice. “We can shut off the functionality or take the risk of continuing to use outdated and unpatched operating systems. Those vendors now have woken up and realize they have to pay more attention.” Source: https://www.healthcare-informatics.com/article/cybersecurity/six-lessons-boston-children-s-hacktivist-attack

More here:
Six Lessons From Boston Children’s ‘Hacktivist’ Attack

A10 Networks provides cloud, Internet and gaming providers with 1 RU DDoS defense appliance

A10 Networks launched the A10 Thunder 7445 Threat Protection System (Thunder TPS), a 1 rack unit (RU) appliance built for performance and density of throughput per RU. Now cloud, Internet and gaming providers can protect their infrastructure with A10 DDoS defense while enjoying the cost benefits of 100 GbE networking in the smallest form factor. A10 Networks’ Thunder TPS is a DDoS protection solution that offers precision in detecting and mitigating against the full spectrum of DDoS … The post A10 Networks provides cloud, Internet and gaming providers with 1 RU DDoS defense appliance appeared first on Help Net Security.

Read More:
A10 Networks provides cloud, Internet and gaming providers with 1 RU DDoS defense appliance

Businesses are becoming main target for cybercriminals, report finds

Cybercrime activity continues to expand in scope and complexity, according to the latest report by cybersecurity firm Malwarebytes, as businesses became the preferred target for crooks throughout Q3. Malware detection on businesses shot up 55% between Q2 and Q3, with the biggest attack vector coming from information-stealing trojans such as the self-propagating Emotet and infamous LokiBot. Criminals have likely ramped up attacks on organizations in an attempt to maximize returns, while consumers have seen significantly less action in Q3, with a mere 5% detection increase over the period. This shift toward more streamlined campaigns, as opposed to the wide nets cast in previous quarters, is due to numerous reasons including businesses failing to patch vulnerabilities, weaponized exploits, and possibly even the implementation of privacy-protective legislation such as GDPR. “There was a very long period where ransomware was the dominant malware against everybody,” said Adam Kujawa, director of Malwarebytes Labs, speaking to The Daily Swig about the quarterly report, Cybercrime tactics and techniques: Q3 2018. “We’ve seen the complete evolution of ransomware to what is really just a few families, and whether we’ll see the same distribution and exposure [of ransomware] that we’ve seen in the past few years is unlikely in my opinion.” GandCrab ransomware, however, which first appeared at the beginning of this year, has matured. New versions were discovered during Q3, and the ransomware variant is expected to remain a viable threat to both consumers and to businesses, which are at higher risk due to GandCrab’s advanced ability to encrypt network drives. But despite a recent report by Europol that highlighted ransomware as the biggest threat in 2018, Kujawa isn’t convinced that these campaigns will stick around in the quarters to come.
“There are so many solutions out there that can protect users from ransomware, and there are more people that know what to do if you get hit with it,” he said. “When you compare that to is it a good return investment [for cybercriminals], we don’t think it is anymore. Most of what we’ve seen [in Q3] is information-stealers.” Kujawa points to the banking trojan Emotet, which can spread easily and whose primary intent is to steal financial data and carry out distributed denial of service (DDoS) attacks from infected machines. Businesses, particularly small and medium-sized enterprises with less money invested in cyber defenses, have become valuable targets due to the ease with which trojans like Emotet can spread throughout their networks. Changes in global information systems may also be a contributing factor in the revival of data-theft. “That may very well in part play to things like GDPR where you’ve got this data that is no longer legally allowed to be on a server somewhere protected in Europe,” said Kujawa. “Cybercriminals may be more interested in stealing data like they used to because this stuff is no longer as easy to obtain as it was.” While information-stealers hogged the spotlight, the threat landscape remains diverse – targets are predominately concentrated within Western countries, while the use of exploit kits was found mostly in Asian countries including South Korea. Kujawa also noted that social engineering, such as phishing attacks, remains a successful technique for malicious hackers. He said: “Almost all attacks are distributed through social engineering, that’s still the number one way to get past things like security software, firewalls, and things like that.” “The biggest problem in our industry right now is people not taking it [cybersecurity] seriously enough,” Kujawa added.
“At the end of the day we’re never going to win the war on cybercrime with just technology because that’s exactly what the bad guys are using against us.” Source: https://portswigger.net/daily-swig/businesses-are-becoming-main-target-for-cybercriminals-report-finds

Read the original:
Businesses are becoming main target for cybercriminals, report finds

Central planning bureau finds Dutch cybersecurity at high level

Dutch businesses and the public sector are well protected against cybersecurity threats compared to other countries, according to a report from the Central Planning Bureau (CPB) on the risks for cybersecurity. Dutch websites employ encryption techniques relatively often, and the ISPs take measures to limit the impact of DDoS attacks, the report said. Small and medium-sized businesses are less active than large companies in protecting their activities, employing techniques such as data encryption less often, the CPB found. This creates risks for small businesses and consumers that could be avoided. The report also found that the Dutch are more often victims of cybercrime than of other forms of crime. This implies a high cost for society to ensure cybersecurity. In 2016, already 11 percent of businesses incurred costs due to a hacking attempt. The threat of DDoS attacks will only increase in the coming years due to the growing number of IoT devices. This was already evident in the attacks against Dutch bank websites earlier this year. A further risk is that over half the most important banks in the world use the same DDoS protection service. According to the paper Financieele Dagblad, this supplier is Akamai. The company provides DDoS protection for 16 of the 30 largest banks worldwide. The Dutch banks ABN Amro, ING and Rabobank said they were not dependent on a single provider. The CPB report also found that the often reported shortage of qualified ICT staff is less of a threat than thought. The number of ICT students has risen 50 percent in four years and around 100,000 ICT jobs have been added in the country since 2008. Already 5 percent of all jobs are in ICT. This puts the Netherlands at the top of the pack in Europe, alongside the Nordic countries. Source: https://www.telecompaper.com/news/central-planning-bureau-finds-dutch-cybersecurity-at-high-level–1264818

Taken from:
Central planning bureau finds Dutch cybersecurity at high level

Security automation can help IT teams limit cyberattack risks

Attacks are becoming largely automated, forcing security solutions to provide multiple layers of defence. Basic forms of automation in IT management could already greatly help in keeping networks and infrastructure secure.

Cybersecurity threats have become a grim reality for businesses today. Due to wide-scale digitisation efforts, companies now store customers’ personal and financial information, making their systems prime targets for cybercriminals to breach. These kinds of data can easily be sold on the black market. Their rising prices make cyberattacks quite profitable. Companies are also subject to other types of attacks such as ransomware and extortion. Unlike ordinary users, they are the ones likely to spend and pay the ransom in order to avoid downtime or recover critical work products. The FBI estimates an average of 4,000 ransomware attacks daily since 2016. Many of these threats are automated. Malware like Mirai and Reaper has hijacked hundreds of thousands of devices to make them part of botnets capable of carrying out massive distributed denial-of-service (DDoS) attacks on other networks. This malware runs using pre-programmed rules that exploit the most common vulnerabilities of network devices. Companies are now under pressure to cope with these threats. Each stolen record costs companies $148 to deal with. A data breach, even to a company holding a few thousand records, can mean a total loss worth hundreds of thousands of dollars. Falling victim to a DDoS attack could also cost larger enterprises at least $2.5 million in damages or downtime. IT teams now have their work cut out for them. Most are already feeling the strain of having to implement further digitisation in the workplace, including the adoption of new technologies such as cloud computing, Internet-of-Things (IoT), and big data. Managing security is an added responsibility for them. Fortunately, there are also developments in cybersecurity and IT management automation that could help ease the pressure.

Automating security

Attacks are becoming largely automated, forcing security solutions to provide multiple layers of defence. Basic forms of automation in IT management could already greatly help in keeping networks and infrastructure secure. For example, automated payload deployment and software patching could help keep endpoint software and firmware up-to-date. Outdated software continues to be one of the leading causes of breaches as attackers exploit known vulnerabilities of older software. Patches and updates are designed to plug these holes. Services that provide basic layers of defence such as Cloud Management Suite (CMS) can be used to automate updates and patching. Automation tools can significantly boost IT teams’ efficiency and decrease risks, especially if enterprises have hundreds of devices connected to their networks. For instance, CMS automatically scans developer releases for software and firmware updates and deploys them to target machines. IT teams can also remotely administer devices over the cloud. They can even secure IoT devices, which have now become fashionable in a number of workplaces. The use of cloud-based security services can also automate certain security tasks. Security platforms like Akamai and Imperva, for instance, constantly update their rules and blacklists to mitigate emerging threats. Once these services are integrated with their respective networks, companies are immediately protected from both new and known sources of malicious traffic thanks to updated threat databases.

Benefits of automation

Here are some of the common benefits of automation.

Augments IT teams’ capacity. There is a shortage of capable IT talent in the job market right now, which forces companies to make do with limited IT team personnel. Automated solutions help IT teams operate more efficiently and effectively by taking over time-consuming tasks. Using cloud-based services also essentially allows companies to outsource their work and expertise requirement, filling the skills gap in case it exists.

Allows IT teams to focus on high-value activities. The time saved through these automation efforts could free up IT teams to allocate their energies to monitoring and other threat mitigation and response tasks. Threats could come from various sources including internal lapses, so IT teams even have to take on the task of educating fellow staff concerning best practices in security.

Minimises risk of human error. Automation can also help minimise the possibility of injecting human error into security tasks. Phishing emails, which try to trick recipients into clicking links to malware, are among the common ways office networks get compromised. Phishing emails are becoming more sophisticated, making manual reviews more challenging. Automated tools could easily weed out such emails from company servers.

Improvements needed

Unlike in other areas, security automation is only starting to gain traction, meaning there are still kinks that have to be ironed out. For instance, it is possible for automated solutions to be too stringent. Firewalls might block legitimate traffic and threat detection mechanisms might report back false positives. Such episodes could hamper user experience and productivity. Tasks such as endpoint management, monitoring, and response could also benefit from orchestration. Many of the available services are currently offered by different providers. Integrations across these services are limited. Having an orchestration layer that could merge these services into customisable workflows would be ideal, since companies and organisations typically have their own way of doing things.

Giving IT teams a fighting chance

IT teams must be able to hold their ground against the rampant threats they face. Most threats are now automated, so automating security would give IT teams a fighting chance to cope with these challenges. While no system is foolproof yet, automation frees IT teams from typical tedious tasks so they can then refocus their energies towards other high-value activities. Having more ways to mitigate risks empowers IT teams to be better guardians of companies’ IT data and resources. Source: https://www.itproportal.com/features/security-automation-can-help-it-teams-limit-cyberattack-risks/

Read More:
Security automation can help IT teams limit cyberattack risks

Naming & Shaming Web Polluters: Xiongmai

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras. In late 2016, the world witnessed the sheer disruptive power of Mirai, a powerful botnet strain fueled by Internet of Things (IoT) devices like DVRs and IP cameras that were put online with factory-default passwords and other poor security settings. Security experts soon discovered that a majority of Mirai-infected devices were chiefly composed of components made by Xiongmai (a.k.a. Hangzhou Xiongmai Technology Co., Ltd. ) and a handful of other Chinese tech firms that seemed to have a history of placing product market share and price above security. Since then, two of those firms — Huawei and Dahua — have taken steps to increase the security of their IoT products out-of-the-box. But Xiongmai — despite repeated warnings from researchers about deep-seated vulnerabilities in its hardware — has continued to ignore such warnings and to ship massively insecure hardware and software for use in products that are white-labeled and sold by more than 100 third-party vendors. On Tuesday, Austrian security firm SEC Consult released the results of extensive research into multiple, lingering and serious security holes in Xiongmai’s hardware. SEC Consult said it began the process of working with Xiongmai on these problems back in March 2018, but that it finally published its research after it became clear that Xiongmai wasn’t going to address any of the problems. “Although Xiongmai had seven months notice, they have not fixed any of the issues,” the researchers wrote in a blog post published today. 
“The conversation with them over the past months has shown that security is just not a priority to them at all.”

PROBLEM TO PROBLEM

A core part of the problem is the peer-to-peer (P2P) communications component called “XMEye” that ships with all Xiongmai devices and automatically connects them to a cloud network run by Xiongmai. The P2P feature is designed so that consumers can access their DVRs or security cameras remotely anywhere in the world and without having to configure anything.

The various business lines of Xiongmai. Source: xiongmaitech.com

To access a Xiongmai device via the P2P network, one must know the Unique ID (UID) assigned to each device. The UID is essentially derived in an easily reproducible way using the device’s built-in MAC address (a string of numbers and letters, such as 68ab8124db83c8db).

Electronics firms are assigned ranges of MAC addresses that they may use, but SEC Consult discovered that Xiongmai for some reason actually uses MAC address ranges assigned to a number of other companies, including tech giant Cisco Systems, German printing press maker Koenig & Bauer AG, and Swiss chemical analysis firm Metrohm AG.

SEC Consult learned that it was trivial to find Xiongmai devices simply by computing all possible ranges of UIDs for each range of MAC addresses, and then scanning Xiongmai’s public cloud for XMEye-enabled devices. Based on scanning just two percent of the available ranges, SEC Consult conservatively estimates there are around 9 million Xiongmai P2P devices online.

[For the record, KrebsOnSecurity has long advised buyers of IoT devices to avoid those that advertise P2P capabilities for just this reason. The Xiongmai debacle is yet another example of why this remains solid advice.]

BLANK TO BANK

While one still needs to provide a username and password to remotely access XMEye devices via this method, SEC Consult notes that the default password of the all-powerful administrative user (username “admin”) is blank (i.e., no password).
The admin account can be used to do anything to the device, such as changing its settings or uploading software — including malware like Mirai. And because users are not required to set a secure password in the initial setup phase, it is likely that a large number of devices are accessible via these default credentials.

The raw, unbranded electronic components of an IP camera produced by Xiongmai.

Even if a customer has changed the default admin password, SEC Consult discovered there is an undocumented user with the name “default,” whose password is “tluafed” (default in reverse). While this user account can’t change system settings, it is still able to view any video streams.

Normally, hardware devices are secured against unauthorized software updates by requiring that any new software pushed to the devices be digitally signed with a secret cryptographic key that is held only by the hardware or software maker. However, XMEye-enabled devices have no such protections. In fact, the researchers found it was trivial to set up a system that mimics the XMEye cloud and push malicious firmware updates to any device.

Worse still, unlike with the Mirai malware — which gets permanently wiped from memory when an infected device powers off or is rebooted — the update method devised by SEC Consult makes it so that any software uploaded survives a reboot.

CAN XIONGMAI REALLY BE THAT BAD?

In the wake of the Mirai botnet’s emergence in 2016 and the subsequent record denial-of-service attacks that brought down chunks of the Internet at a time (including this Web site and my DDoS protection provider at times), multiple security firms said Xiongmai’s insecure products were a huge contributor to the problem. Among the company’s strongest critics was New York City-based security firm Flashpoint, which pointed out that even basic security features built into Xiongmai’s hardware had completely failed at basic tasks.
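The protection the article says XMEye devices lack, shown as an added example (not Xiongmai's or SEC Consult's code): the vendor signs each image with a private key that never leaves its build system, and the device, holding only the public key, refuses anything that fails verification or tries to roll back to an older version. The image layout ("XMFW" magic, version, payload, signature) and the sample payload are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout: "XMFW" magic | uint32 version | payload | 64-byte signature.
// The signature covers magic, version and payload, so none of them can be swapped.
var magic = []byte("XMFW")

// BuildImage is the vendor-side signer; the private key stays with the vendor.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.BigEndian, version)
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device-side check run before anything is written to flash.
// It needs only the vendor's public key and also refuses downgrades, so a
// previously signed but vulnerable image cannot be pushed back onto the device.
func VerifyImage(pub ed25519.PublicKey, current uint32, img []byte) (uint32, []byte, error) {
	if len(img) < len(magic)+4+ed25519.SignatureSize {
		return 0, nil, errors.New("image too short")
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !bytes.HasPrefix(body, magic) {
		return 0, nil, errors.New("bad magic")
	}
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errors.New("signature invalid: image was not produced by the vendor key")
	}
	version := binary.BigEndian.Uint32(body[len(magic):])
	if version <= current {
		return 0, nil, fmt.Errorf("rollback refused: image version %d <= installed %d", version, current)
	}
	return version, body[len(magic)+4:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	if _, _, err := VerifyImage(pub, 1, img); err != nil {
		fmt.Println("unexpected:", err)
	}
	// Anyone who can impersonate the update cloud but lacks the key fails this check.
	tampered := append([]byte{}, img...)
	tampered[10] ^= 0xff
	_, _, err := VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image rejected:", err != nil)
}
```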
For example, Flashpoint’s analysts discovered that the login page for a camera or DVR running Xiongmai hardware and software could be bypassed just by navigating to a page called “DVR.htm” prior to login.

Flashpoint’s researchers also found that any changes to passwords for various user accounts accessible via the Web administration page for Xiongmai products did nothing to change passwords for accounts that were hard-coded into these devices and accessible only via more obscure, command-line communications interfaces like Telnet and SSH.

Not long after Xiongmai was publicly shamed for failing to fix obvious security weaknesses that helped contribute to the spread of Mirai and related IoT botnets, Xiongmai lashed out at multiple security firms and journalists, promising to sue its critics for defamation (it never followed through on that threat, as far as I can tell).

At the same time, Xiongmai promised that it would be issuing a product recall on millions of devices to ensure they were not deployed with insecure settings and software. But according to Flashpoint’s Zach Wikholm, Xiongmai never followed through with the recall, either. Rather, it was all a way for the company to save face publicly and with its business partners.

“This company said they were going to do a product recall, but it looks like they never got around to it,” Wikholm said. “They were just trying to cover up and keep moving.”

Wikholm said Flashpoint discovered a number of additional glaring vulnerabilities in Xiongmai’s hardware and software that left them wide open to takeover by malicious hackers, and that several of those weaknesses still exist in the company’s core product line.

“We could have kept releasing our findings, but it just got really difficult to keep doing that because Xiongmai wouldn’t fix them and it would only make it easier for people to compromise these devices,” Wikholm said.
The Flashpoint analyst said he believes SEC Consult’s estimates of the number of vulnerable Xiongmai devices to be extremely conservative.

“Nine million devices sounds quite low because these guys hold 25 percent of the world’s DVR market,” to say nothing of the company’s share in the market for cheapo IP cameras, Wikholm said.

What’s more, he said, Xiongmai has turned a deaf ear to reports about dangerous security holes across its product lines principally because it doesn’t answer directly to customers who purchase the gear.

“The only reason they’ve maintained this level of [not caring] is they’ve been in this market for a long time and established very strong regional sales channels to dozens of third-party companies,” that ultimately rebrand Xiongmai’s products as their own, he said.

Also, the typical consumer of cheap electronics powered by Xiongmai’s kit doesn’t really care how easily these devices can be commandeered by cybercriminals, Wikholm observed.

“They just want a security system around their house or business that doesn’t cost an arm and leg, and Xiongmai is by far the biggest player in that space,” he said. “Most companies at least have some sort of incentive to make things better when faced with public pressure. But they don’t seem to have that drive.”

A PHANTOM MENACE

SEC Consult concluded its technical advisory about the security flaws by saying Xiongmai “does not provide any mitigations and hence it is recommended not to use any products associated with the XMeye P2P Cloud until all of the identified security issues have been fixed and a thorough security analysis has been performed by professionals.”

While this may sound easy enough, acting on that advice is difficult in practice because very few devices made with Xiongmai’s deeply flawed hardware and software advertise that fact on the label or product name.
Rather, the components that Xiongmai makes are sold downstream to vendors who then use them in their own products and slap on a label with their own brand name.

How many vendors? It’s difficult to say for sure, but a search on the term XMEye via the e-commerce sites where Xiongmai’s white-labeled products typically are sold (Amazon, Aliexpress.com, Homedepot.com and Walmart) reveals more than 100 companies that you’ve probably never heard of which brand Xiongmai’s hardware and software as their own. That list is available here (PDF) and is also pasted at the conclusion of this post for the benefit of search engines.

SEC Consult’s technical advisory about their findings lists a number of indicators that system and network administrators can use to quickly determine whether any of these vulnerable P2P Xiongmai devices happen to be on your network.

For end users concerned about this, one way of fingerprinting Xiongmai devices is to search Amazon.com, aliexpress.com, walmart.com and other online merchants for the brand on the side of your device and the term “XMEye.” If you get a hit, chances are excellent you’ve got a device built on Xiongmai’s technology.

Another option: open a browser and navigate to the local Internet address of your device. If you have one of these devices on your local network, the login page should look like the one below:

The administrative login screen for IoT devices powered by Xiongmai’s software and hardware.

Another giveaway on virtually all Xiongmai devices is that pasting “http://IP/err.htm” into a browser address bar should display the following error message (where IP = the local IP address of the device):

Ironically, even the error page for Xiongmai devices contains errors.

According to SEC Consult, Xiongmai’s electronics and hardware make up the guts of IP cameras and DVRs marketed and sold under the company names below.
What’s most remarkable about many of the companies listed below is that about half of them don’t even have their own Web sites, and instead simply rely on direct-to-consumer product listings at Amazon.com or other e-commerce outlets. Among those that do sell Xiongmai’s products directly via the Web, very few of them seem to even offer secure (https://) Web sites.

SEC Consult’s blog post about their findings has more technical details, as does the security advisory they released today.

In response to questions about the SEC Consult reports, Xiongmai said it is now using a new encryption method to generate the UID for its XMEye devices, and will no longer be relying on MAC addresses. Xiongmai also said users will be asked to change a device’s default username and password when they use the XMEye Internet Explorer plugin or mobile app. The company also said it had removed the “default” account in firmware versions after August 2018. It also disputed SEC Consult’s claims that it doesn’t encrypt traffic handled by the devices.

In response to criticism that any settings changed by the user in the Web interface will not affect user accounts that are only accessible via telnet, Xiongmai said it was getting ready to delete telnet completely from its devices “soon.”

KrebsOnSecurity is unable to validate the veracity of Xiongmai’s claims, but it should be noted that this company has made a number of such claims and promises in the past that never materialized. Johannes Greil, head of SEC Consult Vulnerability Lab, said as far as he could tell none of the proclaimed fixes have materialized.

“We are looking forward for Xiongmai to fix the vulnerabilities for new devices as well as all devices in the field,” Greil said.
Here’s the current list of companies that white label Xiongmai’s insecure products, according to SEC Consult: 9Trading, Abowone, AHWVSE, ANRAN, ASECAM, Autoeye, AZISHN, A-ZONE, BESDER/BESDERSEC, BESSKY, Bestmo, BFMore, BOAVISION, BULWARK, CANAVIS, CWH, DAGRO, datocctv, DEFEWAY, digoo, DiySecurityCameraWorld, DONPHIA, ENKLOV, ESAMACT, ESCAM, EVTEVISION, Fayele, FLOUREON, Funi, GADINAN, GARUNK, HAMROL, HAMROLTE, Highfly, Hiseeu, HISVISION, HMQC, IHOMEGUARD, ISSEUSEE, iTooner, JENNOV, Jooan, Jshida, JUESENWDM, JUFENG, JZTEK, KERUI, KKMOON, KONLEN, Kopda, Lenyes, LESHP, LEVCOECAM, LINGSEE, LOOSAFE, MIEBUL, MISECU, Nextrend, OEM, OLOEY, OUERTECH, QNTSQ, SACAM, SANNCE, SANSCO, SecTec, Shell film, Sifvision/sifsecurityvision, smar, SMTSEC, SSICON, SUNBA, Sunivision, Susikum, TECBOX, Techage, Techege, TianAnXun, TMEZON, TVPSii, Unique Vision, unitoptek, USAFEQLO, VOLDRELI, Westmile, Westshine, Wistino, Witrue, WNK Security Technology, WOFEA, WOSHIJIA, WUSONLUSAN, XIAO MA, XinAnX, xloongx, YiiSPO, YUCHENG, YUNSYE, zclever, zilnk, ZJUXIN, zmodo, ZRHUNTER.

Source: https://krebsonsecurity.com/2018/10/naming-shaming-web-polluters-xiongmai/


In Blockchain, There is no Checkmate

During my time as a Chairman of NATO’s Intelligence Committee and advising government and private companies on cybersecurity, I have noticed the same hacker-shaped hole in the industry. For the past 35 years, huge companies, organizations, charities and nation states have succumbed to cyber-criminals. Let me explain why.

In a game of chess, you can win by either taking out all of your opponent’s pieces one-by-one, or by trapping the opposing side’s king in a checkmate. This is true of today’s cybersecurity model. One piece, in the wrong place at the wrong time, could cost the entire game. Not just that, but any device in a network, whether it be a phone or a smart fridge, is a “king” that can be trapped and cost the integrity of an entire network.

In this way, the “king” is a weakness. A weakness that costs companies and countries millions, a weakness that could mean loss of life in the healthcare industry or military systems – indeed, cybersecurity is not a game. Fighting cyber-criminals whilst being constrained by the rules of this chess match means we’ll never win. The centralized model where the hacking of a single device could compromise a network is categorically flawed. This needs to change: we don’t need to play a better game against cyber-criminals, we need to play a different game.

Blockchain technology is arguably one of the most significant innovations in decades, and it extends beyond the vestiges of cryptocurrencies. At its core, the Blockchain is immutable, transparent, encrypted and fragmented (decentralized). As such, Blockchain and cybersecurity seem like a match made in heaven and for the most part, they are.

For instance, right now, all the data of our personal or business devices – passwords, applications, files etc. – are stored on a centralized data server. Blockchain decentralizes the systems by distributing ledger data on many systems rather than storing them on one single network.
There is no single point of failure, one central database or middleman that could potentially serve as a source of leaks or compromised data.

The underpinnings of Blockchain architecture are based on time-stamped cryptographic nodes (the computers and servers that create blocks on a chain). Every time our data is stored or inserted into Blockchain ledgers, a new block is created. Each block has a specific summary of the previous block in the form of a secure digital signature. More sophisticated systems combine Blockchain and AI technologies to confirm each other based on previous signatures. If there is a discrepancy, threat, or a device steps outside of a set of pre-determined rules, the surrounding nodes will flag it for action. Since these blocks are linked in the form of a chain sequence, the timing, order and content of transactions cannot be manipulated.

Just like crypto transactions, the Blockchain operates upon a democratic consensus. Any transfer of data would require a majority approval of the network participants; therefore, attackers can only impact a network by getting control of most of the network nodes. However, the nodes are random and the number of them stored on a given network can be in the millions.

In the metaphorical game of chess, “the collective” Blockchain has an advantage. Imagine if team hackers could not eliminate a single piece, not a pawn nor rook, unless they could eliminate all million pieces on the entire board at once. If they fail to do that, all of the pieces remain untouchable – including the “king”. There is no checkmate, and no hope for hackers.

Even still, since domain editing rights are only verified through nodes, hackers won’t get the right to edit and manipulate the data even after hacking a million systems. As all transactions are cryptographically linked, the modification or tampering of the data at any given time would alert all those with access to the ledger, exposing the infected dataset near-instantaneously.
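The "summary of the previous block" mechanism described above, as an added example that is not part of the original piece: each block stores the hash of its predecessor, so changing any block's content invalidates its own hash and, even if that hash is recomputed, breaks the link held by every later block. The block fields and ledger entries are constructed; the check detects tampering by anyone who cannot also rewrite every subsequent block, which is what the consensus requirement is meant to prevent.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Block is a constructed minimal ledger entry. PrevHash is the "summary of the
// previous block": every block commits to the whole chain before it.
type Block struct {
	Index     int
	Timestamp int64
	Data      string
	PrevHash  string
	Hash      string
}

// hashBlock covers every field except Hash itself; fields are delimited so
// that moving bytes between Data and PrevHash cannot produce the same digest.
func hashBlock(b Block) string {
	h := sha256.Sum256([]byte(strconv.Itoa(b.Index) + "|" +
		strconv.FormatInt(b.Timestamp, 10) + "|" + b.Data + "|" + b.PrevHash))
	return hex.EncodeToString(h[:])
}

// BuildChain appends one block per record, each linked to the one before it.
func BuildChain(records []string) []Block {
	chain := make([]Block, 0, len(records))
	prev := ""
	for i, r := range records {
		b := Block{Index: i, Timestamp: 1_700_000_000 + int64(i), Data: r, PrevHash: prev}
		b.Hash = hashBlock(b)
		chain = append(chain, b)
		prev = b.Hash
	}
	return chain
}

// VerifyChain returns the index of the first block whose stored hash or
// backward link no longer matches, or -1 when the whole chain is intact.
func VerifyChain(chain []Block) int {
	for i, b := range chain {
		if b.Hash != hashBlock(b) {
			return i
		}
		if i > 0 && b.PrevHash != chain[i-1].Hash {
			return i
		}
	}
	return -1
}

func main() {
	chain := BuildChain([]string{"device A enrolled", "firmware v2 approved", "device B enrolled"})
	fmt.Println("intact chain, first bad block:", VerifyChain(chain))
	chain[1].Data = "firmware v2 rejected" // edit by a node that does not recompute hashes
	fmt.Println("after edit, first bad block:", VerifyChain(chain))
	chain[1].Hash = hashBlock(chain[1]) // recomputing block 1 only moves the break to block 2
	fmt.Println("after recomputing hash, first bad block:", VerifyChain(chain))
}
```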
The Blockchain does not linger or rely on any central point of failure to command changes; that allows for fixes to occur before attacks have time to spread. In other words, hacking a Blockchain with any scale is virtually impossible. For instance, in the case of DDoS attacks that crash large data servers, Blockchain technology would disrupt this completely by decentralizing the DNS (Domain Name System) and distributing the content to a greater number of nodes.

The idea is clearly an attractive one. It can help save the billions that are being spent on developing arenas in which cybersecurity firms are fighting the hacker’s fight, especially in hard-to-defend environments. We have already seen a number of companies utilize Blockchain technology to safeguard networks. Companies such as Naoris bring this consensual Blockchain technology and link devices as blocks on a chain so that no single end-point or terminal exists in a silo.

In current structures, each of the multiple devices acts as a point of entry for a hacker into the network; however, as we know, the more nodes a network possesses on the Blockchain, the harder it becomes to infiltrate. Therefore, as the network expands and more devices are connected, the network becomes increasingly more resilient.

This is only the beginning for Blockchain. As it develops, it’s only going to get smarter and better. New technologies have the potential to provide a robust and effective alternative way of ensuring that we evolve to compete with concerns surrounding our security. With the Blockchain, such concerns can be a thing of the past.

Source: https://www.infosecurity-magazine.com/opinions/blockchain-no-checkmate/
