Tag Archives: defend against ddos

The IoT Botnet Wars: How to Harden Linux Devices from DoS Attacks

While fighting botnets like Mirai and BrickerBot with another botnet, Hajime, may help prevent denial-of-service attacks on the IoT, the best defense is a basic system security-hardening plan. An ongoing battle being waged is leveraging insecure Linux-based Internet of Things (IoT) devices. BrickerBot (see “Beware BrickerBot, the IoT Killer”) is a recent malware strain attacking connected devices and causing them to “brick,” making an electronic device completely useless in a permanent denial-of-service (PDoS) attack. It may be a case of grey hat hacking and a direct response to the Mirai botnet distributed denial-of-service (DDoS) attack that enslaved IoT devices. The Mirai botnet consisted of connected printers, IP cameras, residential gateways, and baby monitors that flooded DNS servers. Mirai was behind the largest DDoS attack of its kind ever in October 2016, with an estimated throughput of 1.2 terabits per second. It leveraged these enslaved devices to bring down large portions of the internet, including services such as Netflix, GitHub, HBO, Amazon, Reddit, Twitter, and DIRECTV. BrickerBot’s goal appears to counter Mirai’s: Bricking insecure Linux devices so that malware such as Mirai can’t subjugate these devices in another DDoS attack. An internet service provider in Southern California, Sierra Tel, experienced widespread outages due to this battle. Its Zyxel modems were victim to BrickerBot and another malware, possibly Mirai. It took nearly two weeks to replace all customers’ modems. This was the same modem model that Mirai infected and took out a German ISP’s network, an outage that affected a population size larger than San Francisco. Hajime is another Mirai-like worm that has been spreading during the past several months with similar goals as BrickerBot: Thwarting malware such as Mirai in exploiting poorly secured IoT devices to do their bidding. Hajime accesses devices by scanning the internet and trying a set of default credentials, and then injecting a malicious program. However, Hajime tries to harden the security of these devices by blocking four ports that Mirai is known to attack (23, 7547, 5555, 5358) to deflect further subjugation for DDoS attacks or even Bitcoin mining. Unfortunately, once the Hajime-infected device reboots, it returns to its vulnerable state with these ports open. Thus, Hajime is merely a temporary band-aid. The only real cure is to deploy a software update with new credentials. Leading computer-security expert Gene Spafford said “The only true secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards—and even then I have my doubts.” While this may be true, basic security hardening would have helped protect against many of the attacks from malware targeting Linux devices. We will cover some basic system-hardening concepts in the context of these attacks, including closing unused open network ports , intrusion detection systems , enforcing password complexity and policies , removing unnecessary services , and frequent software updates to fix bugs and patch security vulnerabilities. Basic Security Would Deflect Malicious Mirai Malware The Mirai malware caused major outages across the internet by attacking DNS provider Dyn’s servers. The malware infected vulnerable devices by using open Telnet ports to target ARM, MIPS, PPC, and x86 devices that run on Linux. It scanned the internet for the IP address of IoT devices and identified vulnerable ones by using a table of more than 60 common factory credentials. As the malware is stored in memory, the device remains infected until it’s rebooted. Even if the device is rebooted, it can be re-infected in minutes unless the login credentials are changed immediately. Once the device is infected by Mirai, it tries to remove any competing malware and sits idle long enough as a way to avoid detection from security tools. After an extended period, it contacts its Command and Control server for further instruction. Enforcing complex password policies instead of keeping published factory-default credentials would have helped prevent Mirai from enslaving these devices. The challenge of securing consumer-facing IoT is that manufacturers are relying on consumers to change the password from a factory-default login, which typically requires the process of logging into the admin panel and manually changing the password. Will Dormann, senior vulnerability analyst at the CERT Coordination Center, says “Instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device.” The ability to deploy software updates is another mandatory capability to fix bugs and patch known security vulnerabilities. In the software-development book Code Complete , author Steve McConnell states that there are 1-25 bugs and vulnerabilities per 1,000 lines of code, where the variable is determined by the practices of the team. Consumer electronics, such as many of the devices listed on Krebs (see figure) , are at the high end of the scale due to the higher focus on features and time-to-market with little security oversight. Many of these devices are already running on thin margins, so having an over-the-air (OTA) update capability with minimal development effort by the manufacturer is an important consideration. These are the known infected devices by Mirai published on Krebs on Security. “When it comes to software updates, automatic updates are good,” says Dormann. “Simple updates that notify the user and require intervention are okay. Updates that require the user to dig around to find and install manually are next to worthless. Devices that don’t have updates at all are completely worthless.” The software update process itself is complex with many security considerations to take into account to protect against things like man-in-the-middle (MitM) attacks. There is also the danger of a device bricking because it loses power mid-update or has intermittent network connectivity. For this reason, updates need to be atomic, meaning the update fully completes or not at all (no partial updates)—even in cases of power loss at any time during the update process. Manufacturers have open-source options available to deploy software updates to devices. SWUpdate is a well-known and flexible open-source Linux update agent, while Mender.io (disclaimer: the open-source project I am involved with) provides an end-to-end solution (both agent and management server) to deploy OTA updates fleet-wide. Software updates for IoT has become a hot topic, even getting the attention of the U.S. government and Congress. And Bill Woods from the Atlantic Council international think tank noted that two billion IoT devices currently out there have a 12-year-old secure-shell (SSH) flaw that enables them to be turned into a botnet. Vigilante Hacking In the early 2000s, the Blaster worm was spreading on computers running operating systems such as Windows XP and Windows 2000. DDoS attacks were launched in 2003, causing damages totaling hundreds of millions of dollars. The Welchia worm was a response to Blaster, which exploited a vulnerability in Microsoft’s remote procedure call (RPC) service much like Blaster. However, after infecting a system, it would instead delete Blaster if it existed there, and then tried to download and install security patches from Microsoft that would prevent further infection. Similar to Welchia, Hajime is going head-to-head with Mirai and its malicious variants to minimize the damage they can do. Hajime appears to be a much more advanced botnet, taking steps to camouflage its processes and files, making detection of it much more difficult. And it’s much more refined in cycling through credentials as it parses through information to identify the device manufacturer and uses their combinations by default. For example, when it attacked the MikroTik router, Hajime attempted to log in initially with the factory-default according to MikroTik documentation, and reduced the number of invalid passwords as it tried to reduce the chances of being blacklisted. Hajime closes known network ports that Mirai exploits to secure those devices—a strategy that device manufacturers should use: Closing unnecessary ports reduce their attack surface. Intrusion detection systems (IDS) are also helpful in monitoring unusual network activity. There are two types of network IDS: Signature detection and Anomaly detection. Many open-source solutions are available; Snort and Suricata are popular options. BrickerBot is the first malware of its kind whose goal is to cause a PDoS by bricking devices not fully secure, with the seeming goal of removing them as potential victims of malware that will enslave them for DDoS attacks. There have been multiple versions of BrickerBot, and the suspected author of it claims to have bricked over 2 million devices. BrickerBot 1 targets devices running Linux with BusyBox and an exposed Telnet service. They usually have an older version of Dropbear SSH, and most were identified as Ubiquiti network devices running outdated firmware. BrickerBot 2 targets Linux-based devices more widely using a similar tactic of leveraging an exposed Telnet service with a default or hard-coded password. The most secure software is one that is not installed. All services and applications running on your device should have a fundamental reason to be there. Adding unnecessary features increases the attack surface of your device and will, by definition, make it less secure. Applying Basic Security Principles Will Help Some fundamental system hardening can be the deciding factor on whether a device will be an actor in a DDoS attack or bricked. The results of vigilante hacking, like that of Hajime and BrickerBot, to combat the Mirai-driven DDoS attacks has generated much debate. There are arguments on both sides, with many insisting the amount of warnings on the lack of IoT security has fallen on deaf ears to manufacturers and consumers. And they argue that malware such as BrickerBot is a drastic but necessary measure to hit them where it hurts, and in the process, disable insecure devices from being a part of another DDoS attack. There have been discussions online about a scenario where a consumer would be under warranty from the manufacturer if their devices do get bricked. The cost to the manufacturer to replace it would be too high to ignore security, forcing them to take security much more seriously. A common counter-argument of vigilante hacking is “Why should the consumers be punished? Where is the line someone can cross to anonymously take the law into their own hands?” There is neither accountability nor certainty that the authors of BrickerBot or Hajime are completely well-meaning, or if there’s something nefarious the public has yet to discover. They also use the same techniques that black hats use, potentially leading to a proliferation of more malicious hackers. Another potential scenario is a vigilante malware can brick a device that may potentially kill someone despite it being far from the original intent. Something as simple as an IoT refrigerator can be hacked and bricked without the owner’s knowledge. Subsequently, a person could proceed to unknowingly eat spoiled food that may cause illness and even death. And we know there are much more health-sensitive devices than a refrigerator being connected, such as connected cars, insulin pumps, heart implant devices, and much more. In fact, the FDA recently became involved with Abbott Labs and its new acquisition, St. Jude Medical. St. Jude Medical devices had vulnerable software that allowed unauthorized external control, which could run down the battery or deliver a series of shocks at the wrong time (these devices included defibrillators and pacemakers). The latest correspondence indicates the FDA isn’t satisfied with parent company Abbott Labs’ response to the issue, despite St. Jude’s claims they had developed a software patch that could be applied to remove the vulnerability. While we briefly covered some basic security-hardening concepts, it’s not comprehensive. But these should be a start to conform to industry best practice for securing IoT systems. These steps would have helped to protect or at least mitigate the effects of the malware discussed. Although there’s no silver bullet and security can never be “perfect,” it’s clear that implementing existing solutions to cover basic security around credentials, open ports, and enabling automated software updates will have a massive impact. Source: http://www.electronicdesign.com/industrial-automation/iot-botnet-wars-how-harden-linux-devices-dos-attacks

Continue Reading:
The IoT Botnet Wars: How to Harden Linux Devices from DoS Attacks

Second Quarter Reported DDoS Attacks Lasting Days, Not Minutes

What would you do if your company was hit with a DDoS attack that lasted 11 days? Perhaps a large organization could withstand that kind of outage, but it could be devastating to the SMB, especially if it relies on web traffic for business transactions. That 11-day – 277 hours to be more exact – attack did happen in the second quarter of 2017. Kaspersky Lab said it was longest attack of the year, and 131 percent longer than the longest attack in the first quarter. And unfortunately, the company’s latest DDoS intelligence report said we should expect to see these long attacks more frequently, as they are coming back into fashion. This is not the news businesses want to hear. Enduring DDoS attacks isn’t new. Igal Zeifman, senior manager at Imperva for the Incapsula product line, told me in an email comment that in 2016, the company tracked a network layer attack that lasted more than 29 days and an application layer assault that persisted for 69 days straight. However, Zeifman argued against the Kaspersky finding, saying that it doesn’t mesh with what his company has seen, despite those extended attacks from last year: For the past four quarters we continued to see a persistent decline in the average attack duration, driven by an increased number of short attack burst of 30 minutes or less. These bursts accounted for over 58 percent of all network layer attacks and more than 90 percent of all assault layer attacks in the first quarter of the year. Interesting to see such disparate results in the length of DDoS attacks . Whether days long or short bursts, one thing is certain – those initiating the attacks have very definite reasons for doing so. As the Kaspersky Lab report stated, financial extortion was a top reason for the attacks in the second quarter: This approach was dubbed “ransom DDoS”, or “RDoS”. Cybercriminals send a message to a victim company demanding a ransom of 5 to 200 bitcoins. In case of nonpayment, they promise to organize a DDoS attack on an essential web resource of the victim. Such messages are often accompanied by short-term attacks which serve as demonstration of the attacker’s power. The victim is chosen carefully. Usually, the victim is a company which would suffer substantial losses if their resources are unavailable. Political hacktivists are hard at work, too, going after news organizations, elections and, in the U.S., the FCC, likely in retaliation for wanting to abolish net neutrality. The FCC has acknowledged the attack, but reports are the agency is making its cybersecurity efforts secret . I’ll be following up more on that story later this week. Source: http://www.itbusinessedge.com/blogs/data-security/second-quarter-reported-ddos-attacks-lasting-days-not-minutes.html

Original post:
Second Quarter Reported DDoS Attacks Lasting Days, Not Minutes

DDoS Extortionist Who Posed as Anonymous Hacker Arrested in the US

On Friday, US authorities arrested a man on charges of launching DDoS attacks and making death and bomb threats against several targets including Leagle.com, the Sydney Morning Herald, the Canadian Broadcasting Corporation (CBC), Metro News Canada, the official website of the Canadian government, and others. The man’s name is Kamyar Jahanrakhshan, a man born in Iran, who later obtained US citizenship in 1991, and then a permanent residency in Canada in 1995. Following two criminal cases of theft in 2005 and fraud in 2011, Jahanrakhshan was deported from Canada to the US in 2014. Suspect wanted his criminal past erased from the Internet According to court documents obtained by Bleeping Computer, after his deportation, Jahanrakhshan started sending emails to online websites that had written articles or had copies of his past criminal record. The first organization that Jahanrakhshan targeted was Leagle.com, a website that offers copies of court opinions and decisions. In the beginning, Jahanrakhshan contacted the site’s team from his personal email address, asking them nicely to remove copies of past court decisions mentioning his name on the premise that it was tarnishing his reputation and violating his privacy. When the Leagle team refused, the suspect even offered to pay a $100 fee to have the documents removed. When Leagle refused again, Jahanrakhshan — who also used the name “Andrew Rakhshan” — sent them a threatening email saying he made friends with dangerous hackers and they should heed his final warning. Suspect poses as group of Anonymous hackers After Leagle had ignored him again, US authorities say Jahanrakhshan launched a DDoS attack on the site’s servers and sent an email from a Yahoo account posing as a member of the Anonymous hacker collective. Copy of the message the suspect sent Leagle US authorities say they found evidence linking Jahanrakhshan to this email account, but also to others emails linked to other DDoS extortions. Because they couldn’t handle the DDoS attack, Leagle eventually removed a decision that Jahanrakhshan had asked. The DDoS attacks stopped after. Initial success leads to more DDoS extortions The FBI says that after having forced Leagle to remove a damaging report on his past criminal record, Jahanrakhshan moved on to other targets. During 2015 and 2016, Jahanrakhshan would allegedly engage in a similar behavior and take aim at other online publications that had written articles on his past crimes, such as the Sydney Morning Herald, Canadian Broadcasting Corporation (CBC), Metro News Canada, and the official website of the Canadian government. To put extra pressure on his targets to remove damaging articles, authorities say he also launched DDoS attacks on the websites of customers advertising on CBC and Canada.com — Postmedia and the Inspiration Foundation. Seeing that all this failed and none of his targets removed the incriminating articles, Jahanrakhshan also moved on to sending bomb threats at the offices of targeted organizations and death threats on family members of employees working for the targeted organizations. He was arrested this week and arraigned in court on Friday. The suspect, if found guilty, could face up to five years in prison and a fine of up to $250,000. The damaging articles Jahanrakhshan was trying to take down described how he used fake credit cards to buy a fleet of luxury cars and a boat Source: https://www.bleepingcomputer.com/news/security/ddos-extortionist-who-posed-as-anonymous-hacker-arrested-in-the-us/

Taken from:
DDoS Extortionist Who Posed as Anonymous Hacker Arrested in the US

UK Teen Charged with Running DDoS Booter Service

UK authorities have charged an eighteen-year-old with running a DDoS booter service that was used to launch DDoS attacks on legitimate businesses across the world. According to authorities, the teenager’s name is Jack Chappell, 18, of Stockport, a small town southeast of Manchester, UK. Investigators say Chappell created malware that he installed on devices around the world. He used this malware to create a DDoS botnet to which he then granted access to paying customers. Clients used this DDoS booter service to launch attacks on various companies across the globe. Investigators say that Chappell’s booter was the one that took down NatWest’s online banking system several times in the summer of 2015. Authorities say Chappell’s DDoS-for-hire platform was also responsible for DDoS attacks on the infrastructure of T-Mobile, EE, Vodafone, O2, BBC, BT, Amazon, Netflix, Virgin Media, and the UK’s National Crime Agency (NCA). Following years of investigations, the West Midlands Regional Cyber Crime Unit, together with Israeli Police, the FBI, and Europol’s European Cybercrime Centre, have tracked down the teenager, currently a student at an unnamed university. Authorities say Chappell had a partner, an American national, about whom they did not reveal any information. West Midlands Police charged the teenager today with impairing the operation of computers under the Computer Misuse Act and encouraging or assisting an offense and money laundering crime proceeds. Chappell will appear in a Manchester court tomorrow, July 4, 2017. Authorities did not release the name of Chappell’s DDoS booter service. Source: https://www.bleepingcomputer.com/news/security/uk-teen-charged-with-running-ddos-booter-service/

See the original article here:
UK Teen Charged with Running DDoS Booter Service

Why the Internet of Things could lead to the next great wave of DDoS attacks

Businesses should ensure that they are still securely protected against DDoS attacks, despite the recent growth of other trends such as ransomware. That’s the warning from Arbor Networks, which is urging organisations of all sizes to make sure they stay safe online as DDoS attacks are still rife around the world. Speaking to ITProPortal at the recent InfoSecurity Europe 2017 event in London, Arbor CTO Darren Anstee reinforced the need for businesses to maintain their DDoS protection, despite it being hard to predict who might be hit next. “DDoS is all about targeting the availability of those services that modern businesses rely on,” he noted. In order to combat this growing threat, the company recently revealed an updated version of its APS on-premise, distributed DDoS detection and mitigation platform for enterprise customers. The new release includes Arbor’s latest Cloud Signalling tool, which can help reduce the time to attack mitigation, bringing together on-premise and hybrid cloud migration efforts. The Internet of Things is also set to provide a major new threat landscape for DDoS attacks, Arbor Networks believes, with past attacks such as Mirai and Dyn showing the potential for chaos. “There are a lot of IoT DDoS attacks going on out there”, Anstee says, noting that most people only hear about these assaults when a big brand is affected. Poor regulation of IoT products has not helped with the spread of potential attacks, with many consumers unaware that the items they are buying will pose some kind of security risk. But Anstee says that commercial pressure could instead play a big role in changing the current landscape, as vendors often return to market trends faster than regulatory pressure. “If you want things to change quickly, you have to get people to get security implemented into their buying process,” he notes, adding that it is a “valid worry” that IoT attacks could scale to affect areas such as smart cities and infrastructure networks soon. “We are going to see IoT devices being used for more nefarious purposes over the next few years…I don’t see the problem going away”. As the recent WannaCry ransomware attack showed, however, businesses need to be protected against all kinds of threats. Anstee noted that ransomware should remain a major concern for companies both large and small likely to be targeted. “It’s a numbers game when it comes to ransomware,” he noted, “it is a very broad brush – if just one or two people pay, it makes it all worthwhile.” In order to stay protected, there are several central steps that companies can take, Anstee added. This includes network segmentation, which would allow infections such as WannaCry to be quickly and easily contained. “It’s not a sexy topic, but it needs to happen in many businesses,” he says. “We’ve all focused on agility, and flattening network infrastructure…but this is really important, as it can stop such attacks propagating within networks, if it’s done properly.” But companies also need to ensure they have proper IT risk management systems, with Anstee noting that some infections WannaCry could have been blocked quickly if proper processes had been in place – and various departments had communicated properly. “You can’t really blame anyone for this,” he concludes, “it really is a lot about talking to each other.” Source: http://www.itproportal.com/news/why-the-internet-of-things-could-lead-to-the-next-great-wave-of-ddos-attacks/

Taken from:
Why the Internet of Things could lead to the next great wave of DDoS attacks

Final Fantasy 14 is experiencing DDoS attacks

Trouble logging in? It may be due to hackers Final Fantasy 14’s servers have been under intense strain this past weekend. It now seems that these issues are the direct result of distributed denial-of-service attacks, Square Enix stated today. The attacks have apparently been going on since June 16, the first day that the game’s second expansion, Stormblood, went live for early access. This past weekend, early adopters were met with congested servers that were filled to capacity. Some queues just to log in surpassed 6,000 users. In the game proper, overwhelmed servers have lead to increased load times and made some quests impossible to complete. Stormblood was officially released yesterday and as of today, massive amounts of access requests due to the alleged hack are continuing to occur. Square Enix has stated that its technicians are doing all they can to defend against the attacks, but they are “continuing to take place by changing their methods at every moment.” The company also assured players that character data and private information associated with accounts have not been affected. Source: https://www.polygon.com/2017/6/21/15845898/final-fantasy-14-stormblood-servers-ddos-attack

View the original here:
Final Fantasy 14 is experiencing DDoS attacks

DDoS attacks continue to morph

According to Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, while reflection and amplification techniques have come to characterise a large number of complex, multi-vector DDoS attacks, the latest approach is to use reflection to exploit connection-less lightweight directory access protocols (CLDAPs). Traditionally, large attacks based on reflection or amplification were the likes of NTP, DNS, SNMP, SSDP, SQL RS or Chargen. “But this new trend has now been discovered ‘in the wild’, with the force to generate highly efficient and destructive results,” he says. What is CLDAP? CLDAP is essentially a computer networking protocol designed for legitimate users to query and modify stored data on X.500 directory systems. It is typically used on Windows Exchange servers and domain controllers. By providing directory and access control, one can use CLDAP to locate printers on a network, find a phone number of an employee, or see the security groups a user belongs to, for instance. The modus operandi involves the attacker spoofing the source of a connectionless protocol, pinging the server with ultra-small queries. The server then responds to the victim with a far larger response. Initial findings suggest that this approach can amplify the initial response in the region of 46 to 55 times the size. “This makes CLDAP attacks highly efficient. A well-orchestrated attack that exploits an organisation’s vulnerabilities could very quickly achieve massive total attack size, and bring down the digital systems of all but the largest and best-protected organisations.” Primary targets Reports* from cloud giant Akamai show that the largest example of CLDAP reflection as the sole vector resulted in a payload of 52 bytes, amplified to as much as 70 times in this case – creating an attack data payload of 3,662 bytes, a peak bandwidth of 24Gbps, and 2 million packets per second. CLDAP attacks have primarily targeted the software and technology industry. Other industries targeted include internet and telecom, media and entertainment, education, retail and consumer goods, and financial services. Fighting back To effectively resist this type of DDoS attack, organisations need to thoroughly address the potential threat at a network level, by covering a number of bases: Prevent abuse: Ensure that you have anti-spoofing deployed at the edges of your networks. Detect attacks: Leverage flow telemetry exported from all network edges to Arbor technology, to automatically detect, classify, traceback, and alert on DDoS attacks. Ready mitigation techniques: Deploy network infrastructure-based reaction/ mitigation techniques such as Source-Based Remotely-Triggered Blackholing (S/RTBH) and flowspec at all network edges. Mitigate attacks: Deploy intelligent DDoS mitigation systems at strategic points within your network. Minimise damage: Deploy Quality-of-Service (QoS) mechanisms at all network edges to police CLDAP traffic down to an appropriate level. Remediate CLDAP services: Proactively scan for and remediate abusable CLDAP services on the ISP and customer networks to reduce the number of abusable CLDAP servers. “Like many other reflection techniques, organisations must always have ingress filtering in place. Unless there is a real need for your firm to have CLDAP available over the internet, you shouldn’t expose this protocol,” concludes Hamman. Source: http://www.bizcommunity.com/Article/196/661/163351.html

Excerpt from:
DDoS attacks continue to morph

Lawmakers seek answers on alleged FCC DDoS attack

Five Democratic senators are seeking an FBI investigation into possible cyberattacks on the Federal Communication Commission’s online comment system. The FCC’s Electronic Comment Filing System crashed in the early hours of May 8 in what the agency called “deliberate attempts by external actors to bombard” the commission and render its systems unusable by legitimate commenters. Sens. Brian Schatz (D-Hawaii), Al Franken (D-Minn.), Patrick Leahy (D-Vt.), Ed Markey (D-Mass.) and Ron Wyden (D-Ore.) want acting FBI director Andrew McCabe to make an investigation of that May disruption a priority, and also called for an investigation into the source of the attack. The senators’ letter emphasized that they were especially troubled by the disruption of the process of public commentary given that public participation is crucial to the integrity of the FCC’s regulatory process. The request comes as FCC Chairman Ajit Pai is moving to roll back Obama-era net neutrality regulations over the objections of Democrats in Congress and internet freedom activists. “Any cyberattack on a federal network is very serious,” the senators wrote. “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC’s rulemaking proceedings.” The senators seek a reply by June 23. It’s possible, however, that what the FCC is reporting as a DDoS attack was in fact a traffic spike spurred by TV comedian John Oliver, who urged viewers to register their opposition to the net neutrality rollback in an May 7 broadcast. The partisan fight over FCC actions on net neutrality has cast a political shadow over the attack, the follow-up and any future investigation. Three of the letter’s five signatories (Schatz, Markey, Franken) also signed a May 17 open letter lambasting the FCC’s possible net neutrality rollback. Wyden and Schatz also sought clarification from Pai about the ability of the agency to protect against DDoS attacks in a separate May 9 letter. The two sought details on the user capacity of the FCC’s website and requested a reply by June 8. Meanwhile, the FCC is accepting comments on its net neutrality proceeding through Aug. 16. Source: https://fcw.com/articles/2017/05/31/fcc-ddos-senators-berliner.aspx

View article:
Lawmakers seek answers on alleged FCC DDoS attack

7 nightmare cyber security threats to SMEs and how to secure against them

Small businesses face a range of cyber threats daily and are often more vulnerable than the larger organisations. Small businesses that see themselves as too small to be targeted by cyber criminals are putting themselves at direct risk. In fact, small businesses are at an equal, if not greater risk of being victims of cyber crime – two thirds of small UK firms were attacked by hackers between 2014-2016, according to a report from the Federation of Small Businesses. Cyber crime can cause massive damage to a young business’s reputation, result in loss of assets and incur expenses to fix the damage caused. These attacks could mean the difference between cutting a profit or going bust. Legal action could also be taken if businesses are found to have failed to put proper safeguards in place. When new data protection laws are introduced in 2018 under GDPR, complacent businesses risk fines of up to £17 million or 4% of annual turnover (whichever is higher) if they suffer a data breach. So what can small businesses do to protect themselves and the sensitive data of their customers? These are 7 nightmare cyber security threats and how to secure against them. Threat 1: internal attacks This shouldn’t come as a surprise to readers, but internal attacks are one of the largest cyber security threats facing small businesses today. Rogue employees, especially those with access to networks, sensitive data or admin accounts, are capable of causing real damage. Some theories even suggest that the notorious 2014’s Sony Pictures hack – typically linked to North Korea – was actually an insider attack. To reduce the risk of insider threats, businesses must identify privileged accounts – accounts with the ability to significantly affect or access internal systems. Next, terminate those that are no longer in use or are connected with employees no longer working in the business. Businesses can also implement tools to track the activity of privileged accounts. This allows for a swift response if malicious activity from an account is detected before the damage can be dealt. Threat 2: phishing and spear phishing Despite constant warnings from the cyber security industry, people still fall victim to phishing every day. As cyber crime has become well-funded and increasingly sophisticated, phishing remains one of the most effective methods used by criminals to introduce malware into businesses. Spear phishing is a targeted form of phishing in which phishing emails are designed to appear to originate from someone the recipient knows and trusts – like senior management or a valued client. To target victims deemed ‘high value’ — i.e. those with access to privileged accounts — cyber criminals may even study their social media to gain valuable insights which can then be used to make their phishing emails appear highly authentic. If an employee is tricked by a malicious link in a phishing email, they might unleash a ransomware attack on their small business. Once access is gained, ransomware quickly locks down business computers as it spreads across a network. Until a ransom is paid, businesses will be unable to access critical files and services. To mitigate the risk posed by phishing – and ransomware – organisations must ensure staff are aware of the dangers and know how to spot a phishing email. Businesses must also ensure they have secure backups of their critical data. Because ransomware locks down files permanently (unless businesses want to cough up the ransom) backups are a crucial safeguard to recover from the hack. But as ransomware attacks are on the rise, prevention remains better than treatment. Education is the best way of ensuring protection for small businesses. Threat 3: a dangerous lack of cyber security knowledge Entire cyber security strategies, policies and technologies are worthless if employees lack cyber security awareness. Without any kind of drive to ensure employees possess a basic level of cyber security knowledge, any measure or policy implemented will be undermined. A well-targeted spear phishing email could convince an employee to yield their password and user information. An IT team can’t be looking over everyone’s shoulders at once. Because of this, education and training are essential to reduce the risk of cyber crime. Some employees may not know (or care enough) to protect themselves online, and this can put businesses at risk. Hold training sessions to help employees manage passwords (hint: two-factor authentication for business accounts) and identify phishing attempts. Then provide support to ensure employees have the resources they need to be secure. Some small businesses will also consider up-skilling members of their IT teams in incident handling, often through popular GCIH training from security vendor GIAC. Incident handling professionals are able to manage security incidents as they happen, and speed the process of recovery if hacks do occur. Ultimately, even a basic level of knowledge and awareness could mean the difference between being hacked or avoiding the risk altogether. Threat 4: DDoS attacks Distributed Denial of Service (DDoS) attacks have overwhelmed some of the largest websites in the world, including Reddit, Twitter, and Netflix. DDoS attacks, which ambush businesses with massive amounts of web traffic, slow websites to a crawl and, more often than not, force crucial services offline. If a small businesses relies on a website or other online service to function, the outages caused by DDoS attacks will be catastrophic. Most DDoS attacks last between 6-24 hours and cause an estimated £30,000 per hour, according to data from Incapsula, a DDoS prevention firm. Whilst businesses can’t stop a website or service being targeted in a DDoS attack, they can work to absorb some of the increased traffic, giving them more time to form a response or filter out the spam data. Ensuring there is extra bandwidth available, creating a DDoS response plan in the event of an attack or using a DDoS mitigation service are all great steps towards reducing the impact of an attack. But that’s just scratching the surface of DDoS mitigation – here are more ways to prevent a DDoS attack. Threat 5: malware Malware is a blanket term that encompasses any software that gets installed on a machine to perform unwanted tasks for the benefit of a third party. Ransomware is a type of malware, but others exist, including spyware, adware, bots and Trojans. To prevent malware from taking hold, businesses should invest in solid anti-virus technology. Plus, operating systems, firewalls and firmware, and previously mentioned anti-virus software must be kept up-to-date. If services are outdated or not updated regularly, businesses are at a serious risk. Just look at the damage caused when malware infected the UK’s National Health Service through an exploit within an outdated version of Windows XP. And that was just one of the high profile targets affected by the global WannaCry ransomware attack. Threat 6: SQL Injection Almost every business relies on websites to operate and many depend entirely on the service they provide online. However, poorly secured websites could be wide open to data theft by cyber criminals. Of the many attacks that can be staged against a website, SQL injection is amongst the most dangerous and even the largest companies fall victim to it. SQL injection refers to vulnerabilities that allow hackers to steal or tamper with the database sitting behind a web application. This is achieved by sending malicious SQL commands to the database server, typically by inputting code into forms – like login or registration pages. It takes a few well-calculated steps to protect against SQL injection. As a precaution, businesses should assume all user-submitted data is malicious, get rid of database functionality that isn’t needed and consider using a web application firewall. For a closer look at SQL injection, take a look at this documentation from Cisco. Properly preventing SQL injection is primarily a responsibility for a web development or security team, but the change has to be driven from the top. Still not convinced? Take a look at this video from Computerphile to see how effective and dangerous SQL injection can be. Threat 7: BYOD Businesses are vulnerable to data theft, especially if employees are using unsecure mobile devices to share or access company data. As more small businesses make use of bring your own device (BYOD) technology, corporate networks could be at risk from unsecured devices carrying malicious applications which could bypass security and access the network from within the company. The solution is nailing down a defined BYOD policy. A comprehensive BYOD policy educates employees on device expectations and allow companies to better monitor email and documents that are being downloaded to company-owned devices. Ensure employee-owned devices can access the business network through a VPN which connects remote BYOD users with the organisation via an encrypted channel. A VPN is crucial if employees are using public WiFi networks to access business data. Public Wi-Fi is notoriously unsecure and provides little protection against criminals that might be watching the transfer of sensitive data. If an attacker does capture encrypted VPN traffic they will only see incomprehensible characters going from you to a VPN server – meaning no sensitive data is leaked. Source: http://www.information-age.com/7-nightmare-cyber-security-threats-smes-secure-123466495/

See more here:
7 nightmare cyber security threats to SMEs and how to secure against them

What’s business continuity management and why does your business need it?

Reality check: Modern businesses rely on their digital capabilities now more than ever. Downtime has become a terrifying thing to even utter, let alone consider. This is why an effective business continuity plan has become a cornerstone in every business, with IT-centric businesses being no exception. Business Continuity is all about identifying what your key products are and what you can do to ensure that business continues as usual even in the case of disruptions or catastrophes, no matter the size or cause. In truth, business continuity planning is not such an alien concept even to regular consumers. Ever planned a holiday? Whenever planning a holiday, we think of the worst case scenarios and how we can come out of them unscathed, without ruining our well-earned trip. We set up plans in case something goes wrong with our ‘core services’ and we’re prepared for it. We search for additional taxi services in the area despite having booked a cab already, or we check for alternate routes should we rent a car. It’s never a good idea to go on a vacation unprepared for something to go wrong, and a business should be no different. Being the largest multi-site data centre provider in Malta, we are experienced in the business of keeping our customers’ systems online at all costs. The ideal IT services provider should strive to deliver a redundant solution in every component within their setup. At BMIT, we take great care in adopting this approach, from upgrading our core infrastructure services all the way to training our technical team to adopt best-practice methods for optimal business continuity management. Improving redundancy should always be the utmost priority when it comes to introducing new products within an IT Services provider’s portfolio. Business continuity planning is not such an alien concept even to regular consumers Studies show that the average total cost of unplanned application downtime per year is €1 billion to €2.5 billion for the Fortune 1000 companies. An hour of infrastructure failure costs an average of €100,000 with the number jumping fivefold to €500,000 to €1m in the case of a critical application failure; certainly not numbers to scoff at. The digital world undergoes changes every day and it is imperative to constantly keep working to ensure that the systems are up-to-date and relevant to the present realities. The introduction of new ranges of systems and services that protect customers against common business continuity pitfalls always helps to cement the provider’s commitment to ensure the clients’ uptime. With the world fast approaching an almost completely digitally-dependent era, the dangers of the dark side of the internet become an ever-present reality for the modern digital business. In recent years Distributed Denial of Service attacks, otherwise known as DDoS attacks, have emerged as one of the most disruptive ways in which a business can be brought down to its knees. DDoS attacks are weapons of mass disruption aimed at paralysing internet systems including networks, websites and servers, resulting in lost revenues, compromised site performance and tarnished reputations. BMIT has had to take these dangers into consideration, especially since even ISPs can be targeted, which would put us at a risk of not being able to provide a connection for our customers. In recent years, we’ve launched a multi-tiered DDoS protection and mitigation system to protect our customers from even the most vicious of DDoS attacks. From our experience in the industry, we learnt that best-practice is for our private network’s bandwidth needs to be sourced from multiple providers and delivered across multiple redundant links in order to eliminate the risks of our customers going offline through an outage. This setup ensures that our clients are hosted on a reliable and certified ISO27001 network which does not rely on a singular connection. At BMIT we offer clients various features which help ensure continuity for their business. We now have a multi-tiered DDoS protection and mitigation system protecting our redundant 40gbps private international network. This network consists of multiple geographically-separated links, each of which can take over traffic load should there be any faults in the other links. Moreover, we have multiple data centres and international points of presence which form a key part of business continuity plans for our customers. Geo-redundancy is a critical aspect of business continuity for international customers, and our presence across countries addresses this. For example, some clients mirror their servers from one data centre to another. In addition, we also offer several backup options as well as managed services options to help our clients achieve a robust business continuity plan. As part of our portfolio, our customers can also tap into several tools to manage their systems, including advanced firewall solutions as well as virtual load-balancing services. Ultimately, each of our redundant service offerings is a step forward in our customers’ pursuit to ensuring their business stays up. Customers’ feedback is vital and should always be taken into consideration. Good business continuity practices are a top priority for clients and usually the main reason why providers with great core infrastructures for business continuity retain customers. Sources: https://www.timesofmalta.com/articles/view/20170528/business-news/What-s-business-continuity-management-and-why-does-your-business-need.649236

See more here:
What’s business continuity management and why does your business need it?