Tag Archives: network

Blame the US, not China, for the recent surge in massive cyberattacks

The internet’s new scourge is hugely damaging global attacks that harness armies of routers, cameras, and other connected gadgets—the so-called Internet of Things (IoT)—to direct floods of traffic that can take down swaths of the network. The blame so far has largely fallen on the Chinese manufacturers who churn out devices with shoddy security on the cheap. But all those devices have to be plugged in somewhere for them to used maliciously. And American consumers are increasingly the ones plugging them in. Nearly a quarter of the internet addresses behind these distributed denial-of-service, or DDoS, attacks are located in the United States, newresearch from network services firm Akamai has found. Some 180,000 US IP addresses took part in DDoS attacks in the last quarter of 2016, it found—more than four times as many as addresses originating in China. Akamai’s findings are particularly notable because the armies of hacked devices that carry out DDoS attacks—such as those controlled by the Mirai malware—don’t bother covering their tracks. That means the IP addresses are far more likely to genuinely correspond to a location within a certain country, the report’s authors write. The findings also end an era of Chinese dominance in DDoS attacks. Over the previous year, China has accounted for the highest proportion of IP addresses taking part in such attacks globally. Now the US is the clear leader, accounting for 24% of such addresses. The UK and Germany are a distant second and third. (To be clear, though, wherever the attacking devices’ IP addresses are, the person controlling them could be located anywhere.) The huge number of devices taking part in DDoS attacks in the US means regulation there, and in Europe, could stem the flood of damaging traffic. Of course, IoT regulation is a thorny issue—essentially, no US federal agency really wants to take the problem on—and there remain technical questions over how to actually go about blocking the attacks. Still, it’s a lot clearer now that simply pointing the finger at China isn’t enough. Source: https://qz.com/912419/akamai-akam-report-a-quarter-of-ddos-ip-addresses-are-now-from-the-us/

View article:
Blame the US, not China, for the recent surge in massive cyberattacks

DDoS prevention as part of a robust I.T. Strategy

A decade ago the idea of loss prevention (LP) had been limited to the idea of theft of merchandise. With the advent of online retailing, retailers have discovered that loss must be viewed more broadly to “intended sales income that was not and cannot be realized” [Beck and Peacock, 28]. While Beck and Peacock regard malicious loses such as vandalism as part of sales that cannot be realized, Distributed Denial of Service (DDoS) attacks certainly could fit with that definition. Unlike other kinds of LP, where the attempt of the thief is to conceal their activities, a DDoS attack is designed for maximal visibility so the purpose of the attack is to deny the target customer’s access, and especially susceptible are businesses that have online payment gateways [Gordon, 20] which today includes many business and non-profit entities. Particularly problematic for CIOs is that the nature of DDoS attacks is constantly changing. Many of these attacks occur at networking layers below the application level, which means for the CIO that buying an off-the-shelf software product is unlikely to provide an effective countermeasure [Oliveira et al, 19]. Of course, the determination of financial impact is an important consideration when weighing allocations of the IT security budget. While it is clear that the “loss of use and functionality” constitutes true losses to a company [Hovav and D’Arcy, 98], estimating a potential loss encounters difficulties given the lack of historical data and a perceived risk to putting an exact figure upon security breach losses. This presents a problem for the CIO because of the need to show ROI on security investments [Hovav and D’Arcy, 99]. Yet, a successful DDoS attack has the potential to cost a company millions of dollars in real financial losses from the direct costs of work time, equipment leases, and legal costs to the indirect costs, such as, loss of competitive advantage and damage done to the company’s brand. The direct cost of “a more complex breach that affects a cross-section of a complex organization” can often exceed £500,000 (624,000 USD) and does not include additional five or six figure fines if government regulatory agencies are involved [Walker and Krausz, 30]. If the CIO cannot buy an off-the-shelf software product to prepare against a DDoS attack, how does the CIO develop an I.T. security strategy that is appropriate to this specific threat? While this is by no means an exhaustive list: here are a few approaches that one can take that may help to developing an effective I.T. strategy that can deal with the DDoS threat. (1) Accept that developing an I.T. strategy effective against mitigating loss caused by DDoS requires resources, but your business is worth protecting. (2) Remember that the purpose of technology is to connect your business to people [Sharif, 348], and that connectivity is itself an asset that has real value. (3) Developing effective business partners can help you ensure business continuity. These partnerships could be with consultants, alliance partnerships that have successfully dealt with DDoS attacks, or businesses that specialize in dealing with this kind of security issue. Bibliography Beck, Adrian, and Colin Peacock. New Loss Prevention: Redefining Shrinkage Management. NY: Palgrave Macmillan, 2009. Gordon, Sarah, “DDoS attacks grow,” Network Security (May 2015), 2, 20. Horvav, Anat, and John D’Arcy, “The Impact of Denial-of-Service attack announcements on the market value of firms,” Risk Management and Insurance Review 6 (2003), 97-121. Oliveira, Rui André, Nuno Larajeiro, and Marco Vieira, “Assessing the security of web service frameworks against Denial of Service attacks,” The Journal of Systems and Software 109 (2015), 18-31. Sharif, Amir M. “Realizing the business benefits of enterprise IT,” Handbook of Business Strategy 7 (2006), 347-350. Walker, John, and Michael Krausz, The True Cost of Information Security Breaches: A Business Approach. Cambrigdeshire, UK: IS Governance Publishing, 2013. David A. Falk, , Ph.D. Director of IT DOSarrest Internet Security

Visit link:
DDoS prevention as part of a robust I.T. Strategy

DDoS Attacks on the Rise—Here’s What Companies Need to Do

Distributed denial-of-service (DDoS) attacks have been going on for years. But in recent months they seem to have gained much more attention, in part because of high-profile incidents that affected millions of users. For instance, in late October 2016 a massive DDoS assault on Domain Name System (DNS) service provider Dyn temporarily shut down some of the biggest sites on the Internet. The incident affected users in much of the East Coast of the United States as well as data centers in Texas, Washington, and California. Dyn said in statements that tens of millions of IP addresses hit its infrastructure during the attack. Just how much attention DDoS is getting these days is indicated by a recent blog post by the Software Engineering Institute (SEI) at Carnegie Mellon University. The post, entitled, “Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response,” became SEI’s most visited of the year after just two days, said a spokesman for the institute. To help defend against such attacks, organizations need to understand that this is not just an IT concern. “While DDoS attack prevention is partly a technical issue, it is also largely a business issue,” said Rachel Kartch, analysis team lead at the CERT Division of SEI, a federally funded research and development center sponsored by the U.S. Department of Defense and operated by CMU, and author of the DDoS post. Fortunately there are steps organizations can take to better protect themselves against DDoS attacks, and Kartch describes these in the post. In general, organizations should begin planning for attacks in advance, because it’s much more difficult to respond after an attack is already under way. “While DDoS attacks can’t be prevented, steps can be taken to make it harder for an attacker to render a network unresponsive,” Kartch noted. To fortify IT resources against a DDoS attack, it’s vital to make the architecture as resilient as possible. Fortifying network architecture is an important step not just in DDoS network defense, Kartch said, but in ensuring business continuity and protecting the organization from any kind of outage. To help disperse organizational assets and avoid presenting a single rich target to an attacker. organizations should locate servers in different data centers; ensure that data centers are located on different networks; ensure that data centers have diverse paths, and ensure that the data centers, or the networks that the data centers are connected to, have no notable bottlenecks or single points of failure. For those organizations that depend on servers and Internet presence, it’s important to make sure resources are geographically dispersed and not located in a single data center, Kartch said. “If resources are already geographically dispersed, it is important to view each data center as having more than one pipe to [the] Internet, and ensure that not all data centers are connected to the same Internet provider,” she said. While these are best practices for general business continuity and disaster recovery, they will also help ensure organizational resiliency in response to a DDoS attack. The post also describes other practices for defending against DDoS. One is to deploy appropriate hardware that can handle known attack types and use the options in the hardware that can protect network resources. While bolstering resources will not prevent a DDoS attack from happening, Kartch said, doing so will lessen the impact of an attack. Certain types of DDoS attacks have existed for a long time, and a lot of network and security hardware is capable of mitigating them. For example, many commercially available network firewalls, web application firewalls, and load balancers can defend against protocol attacks and application-layer attacks, Kartch said. Specialty DDoS mitigation appliances also can protect against these attacks. Another good practice is to scale up network bandwidth. “For volumetric attacks, the solution some organizations have adopted is simply to scale bandwidth up to be able to absorb a large volume of traffic if necessary,” Kartch said. “That said, volumetric attacks are something of an arms race, and many organizations won’t be able or willing to pay for the network bandwidth needed to handle some of the very large attacks we have recently seen. This is primarily an option for very large organizations and service providers.” It’s likely that DDoS attacks will continue to be a major issue for organizations. A 2016 study by content delivery network provider Akamai said these types of incidents are rising in number as well as in severity and duration. The company reported a 125% increase in DDoS attacks year over year and a 35% rise in the average attack duration. Cyber security executives need to make it a top priority to protect their organizations against DDoS. Source: http://www.itbestofbreed.com/sponsors/bitdefender/best-tech/ddos-attacks-rise-here-s-what-companies-need-do

Originally posted here:
DDoS Attacks on the Rise—Here’s What Companies Need to Do

Four evolved cyber-threats APAC organisations must pay attention to in 2017

US$81 million stolen from a Bangladesh bank. 500 million Yahoo! accounts swiped. A DDoS attack that brought down much of the internet. 2016’s cyber-attack headlines proved more than ever that companies have a visibility problem – they cannot see what is happening beneath the surface of their own networks. Based on Darktrace’s observations, the following predictions demonstrate the need for a new method of cyber defence – an immune system approach, to keep up with the fast-evolving threats that await us in 2017. 1. Attackers Will Not Just Steal Data – They Will Change It Today’s most savvy attackers are moving away from pure data theft or website hacking, to attacks that have a more subtle target – data integrity. We’ve seen ex-students successfully hack college computers to modify their grades. In 2013, Syrian hackers tapped into the Associated Press’ Twitter account and broadcasted fake reports that President Obama had been injured in explosions at the White House. Within minutes the news caused a 150-point drop in the Dow Jones. In 2017, attackers will use their ability to hack information systems not to just make a quick buck, but to cause long-term, reputational damage to individuals or groups, by eroding trust in data itself. The scenario is worrying for industries that rely heavily on public confidence. A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk. Governments may also fall foul of such attacks, as critical data repositories are altered, and public distrust in national institutions rises. These ‘trust attacks’ are also expected to disrupt the financial markets. An example of this is falsifying market information to cause ill-informed investments. We have already glimpsed the potential of disrupted M&A activity through cyber-attacks – is it a coincidence that the recent disclosure of the Yahoo hack happened while Verizon was in the process of acquiring the company? These attacks even have the power to sway public opinion. Hillary Clinton’s election campaign suffered a blow when thousands of emails from her campaign were leaked. An even graver risk would not be simply leaked emails but manipulation to create a false impression that a candidate has done something illegal or dishonourable. 2. More Attacks and Latent Threats Will Come from Insiders Insiders are often the source of the most dangerous attacks. They are harder to detect, because they use legitimate user credentials. They can do maximum damage, because they have knowledge of and privileged access to information required for their jobs, and can hop between network segments. A disgruntled employee looking to do damage stands a good chance through a cyber-attack. But insider threats are not just staff with chips on their shoulders. Non-malicious insiders are just as much of a vulnerability as deliberate saboteurs. How many times have links been clicked before checking email addresses? Or security policy contravened to get a job done quicker, such as uploading confidential documents on less secure public file hosting services? We can no longer reasonably expect 100 percent of employees and network users to be impervious to cyber-threats that are getting more advanced – they won’t make the right decision, every time. Organisations need to combat this insider threat by gaining visibility into their internal systems, rather than trying to reinforce their network perimeter. We don’t expect our skin to protect us from viruses – so we shouldn’t expect a firewall to stop advanced cyber-threats which, in many cases, originate from the inside in the first place. Just in the past year, immune system defence techniques have caught a plethora of insider threats, including an employee deliberately exfiltrating a customer database a week before handing in his notice; a game developer sending source code to his home email address so that he could work remotely over the weekend; a system administrator uploading network information to their home broadband router – the list goes on. Due to the increasing sophistication of external hackers, we are going to have a harder time distinguishing between insiders and external attackers who have hijacked legitimate user credentials. 3. The Internet of Things Will Become the Internet of Vulnerabilities According to IDC, 8.6 billion connected things will be in use across APAC in 2020, with more than half of major new business processes incorporating some element of IoT. These smart devices are woefully insecure in many cases – offering a golden opportunity for hackers. 2016 has seen some of the most innovative corporate hacks involving connected things. In the breach of DNS service Dyn in October, malware spread rapidly across an unprecedented number of devices including webcams and digital video recorders. In Singapore and Germany, we saw smaller but similar incidents with StarHub and Deutsche Telekom. Many of this year’s IoT hacks have gone unreported – they include printers, air conditioners and even a coffee machine. These attacks used IoT devices as stepping stones, from which to jump to more interesting areas of the network. However, sometimes the target is the device itself. One of the most shocking threats that we saw was when the fingerprint scanner that controlled the entrance to a major manufacturing plant was compromised – attackers were caught in the process of changing biometric data with their own fingerprints to gain physical access. In another attack, the videoconferencing unit at a sports company was hacked, and audio files were being transferred back to an unknown server in another continent. Want to be a fly on the wall in a FTSE100 company’s boardroom? Try hacking the video camera. 4. Artificial Intelligence Will Go Dark Artificial intelligence is exciting for many reasons – self-driving cars, virtual assistants, better weather forecasting etc. But artificial intelligence will also be used by attackers to wield highly sophisticated and persistent attacks that blend into the noise of busy networks. We have already seen the first glimpses of these types of attack. Polymorphic malware, which changes its attributes mid-attack to evade detection, has reinforced the obsoleteness of signature-based detection methods. What is emerging is a next generation of attacks that use AI-powered, customised code to emulate the behaviours of specific users so accurately as to fool even skilled security personnel. In 2017, we can expect AI to be applied to all stages of a cyber-attacker’s mission. This includes the ability to craft sophisticated and bespoke phishing campaigns that will successfully dupe even the most threat-conscious employee. Next year’s attacker can see more than your social media profile – they know that your 10am meeting with your supplier is being held at their new headquarters. At 9:15am, as you get off the train, an email with the subject line ‘Directions to Our Office’ arrives in your inbox, apparently from the person that you are meeting. Now, do you click the map link in that email? Source: http://www.mis-asia.com/tech/security/four-evolved-cyber-threats-apac-organisations-must-pay-attention-to-in-2017/?page=3

Originally posted here:
Four evolved cyber-threats APAC organisations must pay attention to in 2017

New Mirai Worm Knocks 900K Germans Offline

More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai. The malware wriggled inside the routers via a newly discovered vulnerability in a feature that allows ISPs to remotely upgrade the firmware on the devices. But the new Mirai malware turns that feature off once it infests a device, complicating DT’s cleanup and restoration efforts. Security experts say the multi-day outage is a sign of things to come as cyber criminals continue to aggressively scour the Internet of Things (IoT) for vulnerable and poorly-secured routers, Internet-connected cameras and digital video recorders (DVRs). Once enslaved, the IoT devices can be used and rented out for a variety of purposes — from conducting massive denial-of-service attacks capable of knocking large Web sites offline to helping cybercriminals stay anonymous online. This new variant of Mirai builds on malware source code released at the end of September. That leak came a little more a week after a botnet based on Mirai was used in a record-sized attack that caused KrebsOnSecurity to go offline for several days. Since then, dozens of new Mirai botnets have emerged, all competing for a finite pool of vulnerable IoT systems that can be infected. Until this week, all Mirai botnets scanned for the same 60+ factory default usernames and passwords used by millions of IoT devices. But the criminals behind one of the larger Mirai botnets apparently decided to add a new weapon to their arsenal, incorporating exploit code published earlier this month for a security flaw in specific routers made by Zyxel and Speedport. These companies act as original equipment manufacturers (OEMs) that specialize in building DSL modems that ISPs then ship to customers. The vulnerability exists in communications protocols supported by the devices that ISPs can use to remotely manage all of the customer-premises routers on their network. According to BadCyber.com, which first blogged about the emergence of the new Mirai variant, part of the problem is that Deutsche Telekom does not appear to have followed the best practice of blocking the rest of the world from remotely managing these devices as well. “The malware itself is really friendly as it closes the vulnerability once the router is infected,” BadCyber noted. “It performs [a] command which should make the device ‘secure,’ until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.” [For the Geek Factor 5 readership out there, the flaw stems from the way these routers parse incoming traffic destined for Port 7547using communications protocols known as TR-069]. DT has been urging customers who are having trouble to briefly disconnect and then reconnect the routers, a process which wipes the malware from the device’s memory. The devices should then be able to receive a new update from DT that plugs the vulnerability. That is, unless the new Mirai strain gets to them first. Johannes Ullrich , dean of security research at The SANS Technology Institute , said this version of Mirai aggressively scans the Internet for new victims, and that SANS’s research has shown vulnerable devices are compromised by the new Mirai variant within five to ten minutes of being plugged into the Internet. Ullrich said the scanning activity conducted by the new Mirai variant is so aggressive that it can create hangups and crashes even for routers that are are not vulnerable to this exploit. “Some of these devices went down because of the sheer number of incoming connections” from the new Mirai variant, Ullrich said. “They were listening on Port 7547 but were not vulnerable to this exploit and were still overloaded with the number of connections to that port.” FEEDING THE CRIME MACHINE Allison Nixon , director of security research at Flashpoint, said this latest Mirai variant appears to be an attempt to feed fresh victims into one of the larger and more established Mirai botnets out there today. Nixon said she suspects this particular botnet is being rented out in discrete chunks to other cybercriminals. Her suspicions are based in part on the fact that the malware phones home to a range of some 256 Internet addresses that for months someone has purchased for the sole purpose of hosting nothing but servers used to control multiple Mirai botnets. “The malware points to some [Internet addresses] that are in ranges which were purchased for the express purpose of running Mirai,” Nixon said. “That range does nothing but run Mirai control servers on it, and they’ve been doing it for a while now. I would say this is probably part of a commercial service because purchasing this much infrastructure is not cheap. And you generally don’t see people doing this for kicks, you see them doing it for money.” Nixon said the criminals behind this new Mirai variant are busy subdividing their botnet — thought to be composed of several hundred thousand hacked IoT devices — among multiple, distinct control servers. This approach, she said, addresses two major concerns among cybercriminals who specialize in building botnets that are resold for use in huge distributed denial of service (DDoS) attacks. The first is that extended DDoS attacks which leverage firepower from more bots than are necessary to take down a target host can cause the crime machine’s overall bot count to dwindle more quickly than the botnet can replenish itself with newly infected IoT devices — greatly diminishing the crime machine’s strength and earning power. “I’ve been watching a lot of chatter in the DDoS community, and one of the topics that frequently comes up is that there are many botnets out there where the people running them don’t know each other, they’ve just purchased time on the botnet and have been assigned specific slots on it,” Nixon said. “Long attacks would end up causing the malware or infected machines to crash, and the attack and would end up killing the botnet if it was overused. Now it looks like someone has architected a response to that concern, knowing that you have to preserve bots as much as you can and not be excessive with the DDoS traffic you’re pushing.” Nixon said dividing the Mirai botnet into smaller sections which each answer to multiple control servers also makes the overall crime machine more resistant to takedown efforts by security firms and researchers. “This is an interesting development because a lot of the response to Mirai lately has been to find a Mirai controller and take it down,” Nixon said. “Right now, the amount of redundant infrastructure these Mirai actors have is pretty significant, and it suggests they’re trying to make their botnets more difficult to take down.” Nixon said she worries that the aggressive Mirai takedown efforts by the security community may soon prompt the crooks to adopt far more sophisticated and resilient methods of keeping their crime machines online. “We have to realize that the takedown option is not going to be there forever with these IoT botnets,” she said. Source: https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/

View article:
New Mirai Worm Knocks 900K Germans Offline

Three ways to prevent a DDoS disaster this Black Friday

Black Friday will be a big day for retailers — and hopefully for all the right reasons. Some of the biggest shopping days of the year are upon us. But while retailers are focused on ensuring that they cope with huge peaks in online and in-store sales, are they as prepared as they need to be to defend against major distributed denial of service (DDoS) attacks? Avoiding a cyber-crime catastrophe Black Friday is here (along with the increasingly popular Cyber Monday). As ever, crowds of shoppers will flock to retailers’ stores and websites in search of rock-bottom prices. And this will mean a huge increase in sales for both physical and online stores. Black Friday may be a sales bonanza but it’s also a period of high vulnerability that criminals could exploit to maximise the threat to a retailer’s business. With Christmas sales accounting for a sizeable chunk of most retailers’ annual revenues, from a criminal’s perspective, there could hardly be a better time to launch a cyber attack. What’s more, with systems already creaking under the load of peak volumes, it might not take much of a straw to break the camel’s back. The last thing a retailer wants is for their business to spectacularly and very visibly come to a sudden halt because they can’t defend against and mitigate a major distributed denial of service (DDoS) attack. Retailers face a growing threat Talk of cyber attacks are more than mere scaremongering – the threat is very real. For example, in September, the release of the Mirai code — a piece of malware that infects IoT devices enabling them to be used for DDoS attacks — opened a Pandora’s box of opportunities for ruthless cyber entrepreneurs who want to disrupt their target markets and exploit the vulnerabilities and weaknesses of companies who honestly serve their customers. This code gives criminals the ability to orchestrate legions of unsecured Internet of Things (IoT) devices to act as unwitting participants in targeted DDoS attacks. These objects could be anything from domestic hubs and routers, to printers and digital video recorders — as long as they’re connected to the internet. The latest large DDoS attacks have used botnets just like this — proving that the bad guys are multiplying and, perhaps, gearing up for bigger things. Prevention is better than the cure There are no easy answers to the question of how to secure IoT smart devices — especially at the ‘budget conscious’ end of the market. That’s why we expect that these DDoS attacks will continue to proliferate, meaning that targeted DDoS attacks of increasing scale and frequency will almost certainly occur as a result. So how can retailers defend themselves against the threat of an attack on Black Friday? Organisations have to use a combination of measures to safeguard against even the most determined DDoS attack. These include: Limiting the impact of an attack by absorbing DDoS traffic targeted at the application layer, deflecting all DDoS traffic targeted at the network layer and authenticating valid traffic at the network edge. Choosing an ISP that connects directly to large carriers and other networks, as well as internet exchanges — allowing traffic to pass efficiently. Employing the services of a network-based DDoS provider — with a demonstrable track record of mitigating DDoS attacks and sinking significant data floods. This will safeguard specific IP address ranges that organisations want to protect. Black Friday will be a big day for retailers — and hopefully for all the right reasons. But in an increasingly digital world, consideration needs to be given to the IT infrastructure that underpins today’s retail business and the security strategy that protects it. Source: http://www.itproportal.com/features/three-ways-to-prevent-a-ddos-disaster-this-black-friday/

View original post here:
Three ways to prevent a DDoS disaster this Black Friday

How hackers could wreak havoc on the US election

AS VOTES are counted and polls close across America, security experts have warned that hackers could disrupt the presidential election process. “Anything that unsettles the election process would be a complete disaster,” explained Stephen Gates, chief research intelligence analyst at security specialist NSFOCUS. “Misinformation on exit polls, widespread internet and media outages, and delays in reporting could seriously impact people’s desire to vote and even worse — trust the results.” Mr Gates pointed to the mysterious cyber attacks that recently snarled East Coast Web traffic as evidence of hackers’ ability to cause disruption. A number of major sites including Twitter, Netflix, Spotify and Reddit were impacted by the October 21 distributed denial of service attacks (DDoS), on internet services company Dyn. DDoS attacks, which often occur when a hacker “floods” a network with information, are a popular method for disrupting websites and services. Mr Gates warned that, in addition to large DDoS attacks on internet infrastructure, online news and media outlets, attackers could target voter registration systems by launching smaller attacks on individual polling centres. “Many of these verification systems are likely online and need to access state databases where voter registration and verification is required to cast a vote,” he said. “Attacks against registered voter databases themselves would also be highly likely.” DDoS attacks and bogus election posts could also flood social media sites and spread misinformation, he warned, noting that so-called ‘man-in-the-middle’ attacks against polling centres as they report their final numbers to collection centres are also possible. In a man-in-the-middle attack a hacker secretly intercepts, and potentially alters, information as it is sent between two parties. Roger Kay, president of Endpoint Technologies Associates, also sees a potential DDoS threat. “I have considered it a real possibility, not only are the cyber tools available, but the motivation is there as well, from anyone — they could be state actors, they could be malicious hackers.” Hackers, for example, could use the internet of Things, where even household devices are web-enabled, as a launch pad for their attacks, according to Mr Kay. The analyst, however, notes that major DDoS attacks are difficult for hackers to sustain, and also cites the low-tech nature of some US election infrastructure. “If you look at the safety of the democratic structure, there’s all these decentralised activities, many of which are paper[-based].” Nonetheless, a Department of Homeland Security report obtained by FoxNews.com warns that parts of America’s election infrastructure are vulnerable to cyber attack. While the risk to computer-enabled election systems varies from county to county, targeted attacks against individual voter registration databases are possible, it said. One technology being touted as a potential solution to cyber threats and voter fraud is blockchain. Blockchain, which uses a decentralised security protocol, could be used to safely record and transmit votes. Because blockchain messages are distributed and not kept in one central location, they are very difficult to tamper with, say experts. “The technology could be used to prevent voter fraud (e.g., multiple votes by a single person) through use of private keys for each voter and storage of votes on an immutable blockchain ledger,” Joe Guagliardo, chair of the Blockchain Technology Group at law firm Pepper Hamilton, in an email to FoxNews.com. “Once the vote has been cast and verified, it cannot be changed without verification by all of the nodes in the network (potentially millions or more) — fraudulent activity would require computational power to overcome the resources of the collective nodes in the net.” Source: http://www.ntnews.com.au/technology/how-hackers-could-wreak-havoc-on-the-us-election/news-story/4f732c684f8f14eeee46e82641bcd5f8

More:
How hackers could wreak havoc on the US election

?How to defend against the internet’s doomsday of DDoS attacks

Last week assault on Dyn’s global managed DNS services was only the start. Here’s how to fend off hackers’ attacks both on your servers and the internet. We knew major destructive attacks on the internet were coming. Last week the first of them hit Dyn, a top-tier a major Domain Name System (DNS) service provider, with a global Distributed Denial of Service (DDoS)attack. As Dyn went down, popular websites such as AirBnB, GitHub, Reddit, Spotify, and Twitter followed it down. Welcome to the end of the internet as we’ve known it. Up until now we’ve assumed that the internet was as reliable as our electrical power. Those days are done. Today, we can expect massive swaths of the internet to be brought down by new DDoS attacks at any time. We still don’t know who was behind these attacks. Some have suggested, since Dyn is an American company and most of the mauled sites were based in the US, that Russia or Iran was behind the attack. It doesn’t take a nation, though, to wreck the internet. All it takes is the hundreds of millions of unsecured shoddy devices of the Internet of Things (IoT). In the Dyn onslaught , Kyle York, Dyn’s chief strategy officer said the DDoS attack used “tens of millions” devices. Hangzhou Xiongmai Technology, a Chinese technology company, has admitted that its webcam and digital video recorder (DVR) products were used in the assault. Xiongmai is telling its customers to update their device firmware and change usernames and passwords. Good luck with that. Quick: Do you know how to update your DVR’s firmware? The attack itself appears to have been made with the Mirai botnet. This open-source botnet scans for devices using their default username and password credentials. Anyone can use it — China, you, the kid next door — to generate DDoS attacks. For truly damaging DDoS barrages, you need to know something about the internet’s architecture, but that’s not difficult. Or, as Jeff Jarmoc, a Salesforce security engineer, tweeted, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” That’s funny, but it’s no joke. Fortunately, you can do some things about it. Securing the Internet of Things First, and this unfortunately is a long-term solution, IoT vendors must make it easy to update and secure their devices. Since you can’t expect users to patch their systems — look at how well they do with Windows — patching must be made mandatory and done automatically. One easy way to do this is to use an operating system, such as Ubuntu with Snap, to update devices quickly and cleanly. These “atomic” style updating systems make patches both easier to write and deploy. Another method is to lock down IoT applications and operating systems. Just like any server, the device should have the absolute minimum of network services. Your smart TV may need to use DNS, but your smart baby monitor? Not so much. That’s all fine and dandy and it needs to be done, but it’s not going to help you anytime soon. And, we can expect more attacks at any moment. Defending your intranet and websites First, you should protect your own sites by practicing DDoS prevention 101. For example, make sure your routers drop junk packets. You should also block unnecessary external protocols such as Internet Control Message Protocol (ICMP) at your network’s edge. And, as always, set up good firewalls and server rules. In short, block everything you can at your network edge. Better still, have your upstream ISP block unnecessary and undesired traffic. For example, your ISP can make your life easier simply by upstream blackholing. And if you know your company will never need to receive UDP traffic, like Network Time Protocol (NTP) or DNS, your ISP should just toss garbage traffic into the bit bin. You should also look to DDoS mitigation companies to protect your web presence. Companies such as Akamai, CloudFlare, and Incapsula offer affordable DDoS mitigation plans for businesses of all sizes. As DDoS attacks grow to heretofore unseen sizes, even the DDoS prevention companies are being overwhelmed. Akamai, for example, had to stop trying to protect the Krebs on Security blog after it was smacked by a DDoS blast that reached 620 Gbps in size. That’s fine for protecting your home turf, but what about when your DNS provider get nailed? You can mitigate these attacks by using multiple DNS providers. One way to do this is to use Netflix’s open-source program Denominator to support managed, mirrored DNS records. This currently works across AWS Route53, RackSpace CloudDNS, DynECT, and UltraDNS, but it’s not hard to add your own or other DNS providers. This way, even when a DDoS knocks out a single DNS provider, you can still keep your sites up and running. Which ones will work best for you? You can find out by using Namebench. This is an easy-to-use, open-source DNS benchmark utility. Even with spreading out your risk among DNS providers, DNS attacks are only going to become both stronger and more common. DNS providers like Dyn are very difficult to secure. As Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company, told Bloomberg, DNS providers are like hospitals: They must admit anyone who shows up at the emergency room. That makes it all too easy to overwhelm them with massive — in the range of 500 gigabits per second — attacks. In short, there is no easy, fast fix here. One way you can try to keep these attacks from being quite so damaging is to increase the Time to Live (TTL) in your own DNS servers and caches. Typically, today’s local DNS servers have a TTL of 600 seconds, or 5 minutes. If you increased the TTL to say 21,600 seconds, or six hours, your local systems might dodge the DNS attack until it was over. Protecting the internet While the techniques might help you, they don’t do that much to protect the internet at large. DNS is the internet’s single point of total failure. That’s bad enough, but as F5, a top-tier ISP notes, DNS is historically under-provisioned. We must set up a stronger DNS system. ISPs and router and switch vendors should also get off their duffs and finally implement Network Ingress Filtering, better known as Best Current Practice (BCP)-38. BCP-38 works by filtering out bogus internet addresses at the edge of the internet. Thus, when your compromised webcam starts trying to spam the net, BCP-38 blocks these packets at your router or at your ISP’s router or switch. It’s possible, but unfortunately not likely, that your ISP has already implemented BCP-38. You can find out by running Spoofer. This is a new, open-source program that checks to see how your ISP handles spoofed packets. So why wasn’t it implemented years ago? Andrew McConachie, an ICANNtechnical and policy specialist, explained in an article that ISPs are too cheap to pay the small costs required to implement BCP-38. BCP-38 isn’t a cure-all, but it sure would help. Another fundamental fix that could be made is response rate limiting (RRL). This is a new DNS enhancement that can shrink attacks by 60 percent. RRL works by recognizing that when hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, chances are they’re an attack. When RRL spots malicious traffic, it slows down the rate the DNS replies to the bogus requests. Simple and effective. Those are some basic ideas on how to fix the internet. It’s now up to you to use them. Don’t delay. Bigger attacks are on their way and there’s no time to waste. Source: http://www.zdnet.com/article/how-to-defend-against-the-internets-doomsday-of-ddos-attacks/

View article:
?How to defend against the internet’s doomsday of DDoS attacks

Anonymous hacker charged with #opJustina DDoS attacks on hospital

The Anonymous-affiliated hacker who admitted to cyberattacks on two hospitals in the #opJustinaoperation and fled the country while being investigated was indicted last week. Martin Gottesfeld, 32, a biotechnology information technology professional from Somerville, Massachusetts, is being charged with conspiracy to launch cyberattacks against two local hospitals: Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network, a mental health facility. Those two hospitals were at the center of a case that attracted masses of media attention: that of Justina Pelletier, the then-15-year-old who was caught in a 16-month custody battle as her parents tried to have her treated for mitochondrial disease at one hospital, while Boston Children’s Hospital treated her in a psychiatric unit as a ward of the state. Gottesfeld’s indictment, handed down on Wednesday, also charges him with intentional damage to a protected computer. Both are felony hacking charges. Gottesfeld admitted to the attacks last month, explaining how he did it and why in an editorial published by the Huffington Post. I had heard many, too many, such horror stories of institutionalized children who were killed or took their own lives in the so-called “troubled teen industry”. I never imagined a renowned hospital would be capable of such brutality and no amount of other good work could justify torturing Justina. The distributed denial of service (DDoS) attack against BCH was planned for maximum financial damage, Gottesfeld said: he knew that the hospital was planning a big fundraising drive and that most donors gave online. In his editorial, he went on to scoff at BCH for making it easy for him to attack it, since the hospital kept its donation page on the same public network as the rest of its systems: Rookie mistake. To take it down, I’d have to knock the whole hospital off the internet. He also claimed that no patients would be harmed: There’s no such thing as an outage-proof network, so hospitals have to be able to function without the internet. It’s required by federal law, and for accreditation. The only effects would be financial and on BCH’s reputation. That’s not how the hospital, or the prosecution, sees it. The indictment states that BCH had to shut down its access to the internet and email servers to protect patient medical records. That meant that physicians outside the hospital couldn’t get at patients’ records. Nor could patients communicate with their doctors. BCH claims that responding to, and mitigating, the damage of the attack cost $300,000, while the disruption in fundraising meant another $300,000 hit, for a total loss of $600,000. Gottesfeld claims that the attack against BCH was a justifiable reaction to the actions of the hospital, which was described as a “parentectomy”. Gottesfeld’s defence, to blame the hospital for the attack, is all too commonly heard. The blame-the-victim reasoning is often voiced by other cyberattackers, be it from people who guess at weak passwords and use them to waltz into accounts without authorization, or those who launch crippling attacks such as those that Gottesfeld admits to. But just because it’s easy to do doesn’t make those or other cybercrimes OK. They’re illegal, and they can result in jail time, fines or both. Each of the charges Gottesfeld’s facing carry a maximum sentence of five years in jail, along with fines. Gottesfeld has been detained in Rhode Island since he and his wife were plucked off their boat near the coast of Cuba and arrested in Florida. When the indictment was handed down last Wednesday, Gottesfeld was reportedly on day 16 of a hunger strike over the appointment of the office of Carmen Ortiz as his prosecutor. Ortiz was the prosecutor in the cases against both Aaron Swartz and Jonathan James, who both later took their own lives. She has faced sharp criticism over her approach to those cases. In spite of his admission to the DDoS attacks, Gottesfeld is likely to plead not guilty at his arraignment this week before US Magistrate Judge Marianne B. Bowler, his wife told the Washington Times. Source: https://nakedsecurity.sophos.com/2016/10/24/anonymous-hacker-charged-with-opjustina-ddos-attacks-on-hospitals/

Taken from:
Anonymous hacker charged with #opJustina DDoS attacks on hospital

Leaked Mirai source code already being tested in wild, analysis suggests

Since the source code to the Mirai Internet of Things botnet was publicly leaked on Sept. 30, researchers at Imperva have uncovered evidence of several low-level distributed denial of serviceattacks likely perpetrated by new users testing out this suddenly accessible DDoS tool. With its unusual ability to bombard targets with traffic in the form of generic routing encapsulation (GRE) data packets, Mirai was leveraged last month to launch a massive DDoS attack against Internet security researcher Brian Krebs’ blog site KrebsonSecurity. Soon after, a Hackforums user with the nickname Anna-senpai publicly posted the botnet’s source code – quite possibly a move by the malware’s original author to impede investigators from closing in on him. In a blog post this week, Imperva reported several low-level DDoS attacks taking place in the days following the leak. Consisting of low-volume application layer HTTP floods leveraging small numbers of source IPs, these attacks “looked like the experimental first steps of new Mirai users who were testing the water after the malware became widely available,” the blog post read. But Imperva also found evidence of much stronger Mirai attacks on its network prior to the leak. On Aug. 17, Imperva mitigated numerous GRE traffic surges that peaked at 280 Gbps and 130 million packets per second. Traffic from this attack originated from nearly 50,000 unique IPs in 164 countries, many of which were linked to Internet-enabled CCTV cameras, DVRs and routers – all infected by Mirai, which continuously scans the web for vulnerable devices that use default or hard-coded usernames and passwords. An Imperva analysis of the source code revealed several unique traits, including a hardcoded blacklist of IPs that the adversary did not want to attack, perhaps in order to keep a low profile. Some of these IPs belonged to the Department of Defense, the U.S. Postal Service and General Electric. Ben Herzberg, security group research manager with Imperva Incapsula, told SCMagazine.com in a phone interview that the Marai’s author may have truncated the complete blacklist before publishing it – possibly because such information could offer a clue as to the attacker’s identity. Imperva also found Mirai to be territorial in nature, using killer scripts to eliminate other worms, trojans and botnet programs that may have infiltrated the same IoT devices. Moreover, the company noted traces of Russian-language strings, which could offer a clue to the malware’s origin. Herzberg said it’s only a matter of time before Mirai’s newest users make their own modifications. “People will start playing with the code and say, ‘Hey, let’s modify this, change this,” said Herzberg. “They have a nice base to start with.” Web performance and security company Cloudflare also strongly suspects it has encountered multiple Mirai DDoS attacks, including one HTTP-based attack that peaked at 1.75 million requests per second. According to a company blog post, the assault leveraged a botnet composed of over 52,000 unique IP addresses, which bombarded the Cloudflare network – primarily its Hong Kong and Prague data centers – with a flurry of short HTTP requests designed to use up server resources and take down web applications. A second HTTP-based attack launched from close to 129,000 unique IP addresses generated fewer requests per second, but consumed up to 360Gbps of inbound HTTP traffic – an unusually high number for this brand of attack. In this instance, much of the malicious traffic was concentrated in Frankfurt. Cloudflare concluded that the attacks were launched from compromised IoT devices, including a high concentration of connected CCTV cameras running on Vietnamese networks and multiple unidentified devices operating in Ukraine. “Although the most recent attacks have mostly involved Internet-connected cameras, there’s no reason to think that they are likely the only source of future DDoS attacks,” the Imperva report warns. “As more and more devices (fridges, fitness trackers, sleep monitors…) are added to the Internet they’ll likely be unwilling participants in future attacks.” Of course, compromised IoT devices can be used for more than just DDoS attacks. Today, Akamai Technologies released a white paper warning of a new in-the-wild exploit called SSHowDowN that capitalizes on a 12-year-old IoT vulnerability. According to Akamai, cybercriminals are remotely converting millions of IoT devices into proxies that route malicious traffic to targeted websites in order to check stolen log-in credentials against them and determine where they can be used. Bad actors can also use the same exploit to check websites for SQL injection vulnerabilities, and can even launch attacks against the internal network hosting the Internet-connected device. The vulnerability, officially designated as CVE-2004-1653, affects poorly configured devices that use default passwords, including video surveillance equipment, satellite antenna equipment, networking devices and Network Attached Storage devices. It allows a remote user to create an authorized Socket Shell (SSH) tunnel and use it as a SOCKS proxy, even if the device is supposedly hardened against SSH connections. “What we’re trying to do is raise awareness,” especially among IoT vendors said Ryan Barnett, principal security research at Akamai, in an interview with SCMagazine.com. Barnett noted that when the CVE first came out, an exploit on it was “more theoretical,” but now “we want to show it is actively being used in a massive attack campaign.” Source: http://www.scmagazine.com/leaked-mirai-source-code-already-being-tested-in-wild-analysis-suggests/article/547313/

More:
Leaked Mirai source code already being tested in wild, analysis suggests