Monthly Archives: August 2018

Alleged head of BitConnect cryptocurrency scam arrested in Dubai

BitConnect has been accused of operating an exit scam after duping investors out of millions of rupees. If it sounds too good to be true, it probably is — and certainly appears to have been the case when it comes to BitConnect, a folded cryptocurrency project that has been accused of scamming millions out of investors. BitConnect, touted as a “self-regulating financial system” which is part of the “cryptocurrency revolution,” used many buzzwords and the hype of celebrities to lure investors to participate, and also offered an incredibly high interest rate of at least one percent per day, leading many to believe it was a scam. Investors would “lend” funds in Bitcoin (BTC) to various projects and these funds were converted to the platform’s coin, BCC. Divyesh Darji, the Indian head of BitConnect and believed to be a core promoter of the scheme, has reportedly been arrested by the Gujarat Criminal Investigation Department (CID) after arriving in Dubai on his way from Ahmedabad. According to local publication the Financial Express, law enforcement believes that the promoters of BitConnect gained Rs 1.14 crore, roughly $14.5 million, from “thousands of investors” before the exchange closed its doors. BitConnect launched after India’s Prime Minister Narendra Modi demonetized 500 and 1000 rupee notes in the region. In 2016, 90 percent of the country’s financial transactions were made in cash and the change was apparently made in order (.PDF) to crack down on corruption, counterfeiters and so-called “black money,” otherwise known as undeclared income. The unexpected changes caused economic chaos. From farmers struggling to keep their businesses afloat to banks attempting to cope with floods of customers, India’s upheaval was severe — and while the country has pulled through, at the time, the option of a digital currency outside of the government’s grasp may have been extremely enticing. However, the dream of controlling currency outside of the government’s demonetization efforts and earning interest by the day did not last. In January, BitConnect closed its exchange platform, with all loans offered on the platform released — but all were converted to BCC rather than reverted to investors’ original Bitcoin. The price of BCC at the time was $363.62. However, now the system has closed and the founders are silent, the coin is worth $0.67, rendering the virtual asset effectively useless and leaving investors severely out of pocket. “The company was registered in the UK and had an office in Surat,” said DGP Ashish Bhatia of CID crime. “They launched their own ‘Bitconnect coins’ soon after demonetization. They promoted the company on social media and by holding gala functions in cities across the world. They lured investors with 60 percent monthly interest and incentives in the form of ‘referral interest.” The only exchange which still permits the trade of BCC is Trade Satoshi, which intends to delist the coin in September. BitConnect cited bad press, distributed denial-of-service (DDoS) attacks and US regulator scrutiny as reasons for the closure. Source: https://www.zdnet.com/article/alleged-bitconnect-head-arrested-in-dubai/

See the article here:
Alleged head of BitConnect cryptocurrency scam arrested in Dubai

Lawmakers want to know when Ajit Pai knew FCC’s cyberattack claim was false

Democratic lawmakers want to know why the agency didn’t inform consumers of the falsity of its claim sooner A group of House democrats want to know when FCC Chairman Ajit Pai knew that the agency’s claims of a DDoS attack were false. Last week, the FCC’s Office of Inspector General released a report that found no evidence to support the claims of DDoS attacks in May of 2017. The agency had previously blamed multiple DDoS attacks for temporarily taking down a comment section of its website following a segment of Last Week Tonight, in which comedian John Oliver asked viewers to submit comments to the FCC and speak out in support of net neutrality. However, viewers were unable to voice their opinion on the proposed rollback of net neutrality because the comment submission section wasn’t available at the time. Now that it has come to light that the agency’s claims of a DDoS attack were false, a handful of Democratic lawmakers want to know when Pai became aware that there was no DDoS attack and why the agency didn’t correct its public statements alleging a DDoS attack before now. Misrepresented facts “We want to know when you and your staff first learned that the information the Commission shared about the alleged cyberattack was false,” Democratic lawmakers wrote in a letter to Pai. “It is troubling that you allowed the public myth created by the FCC to persist and your misrepresentations to remain uncorrected for over a year,” they wrote. The letter was signed by Representatives Frank Pallone Jr. (NJ), Mike Doyle (PA), Jerry McNerney (CA) and Debbie Dingell (MI). The results of the investigation concluded that FCC officials deliberately misrepresented facts in responses to Congressional inquiries. “Given the significant media, public and Congressional attention this alleged cyberattack received for over a year, it is hard to believe that the release of the IG’s report was the first time that you and your staff realized that no cyberattack occurred,” wrote the lawmakers. “Such ignorance would signify a dereliction of your duty as the head of the FCC, particularly due to the severity of the allegations and the blatant lack of evidence.” The Democratic lawmakers have asked Pai for complete written responses to their questions by August 28. Pai is also scheduled to appear before a Senate Commerce, Science and Transportation Committee oversight hearing on Thursday where he is expected to face questions about the results of the investigation. Source: https://www.consumeraffairs.com/news/lawmakers-want-to-know-when-ajit-pai-knew-fccs-cyberattack-claim-was-false-081518.html

Read More:
Lawmakers want to know when Ajit Pai knew FCC’s cyberattack claim was false

The complete guide to understanding web applications security

MODERN businesses use web applications every day to do different things, from interacting and engaging with customers to supporting sales and operations. As a result, web applications are rich with data and critical to the functioning of the company – which means, special precautions must be taken in order to protect them from hackers. However, not all organizations or their applications are subject to the same level of threats and attacks. In an exclusive interview with Gartner’s Research Director Dale Gardner, Tech Wire Asia learns how businesses can best protect their web applications. Gartner splits attacks on web and mobile applications and web APIs into four categories: # 1 | Denial of service (DoS)  DoS is a specific subtype of abuse where the attacker’s goal is to disrupt the availability of the web application or service. In particular, this attack type covers volumetric attacks, which overwhelm network capabilities, and so-called “low and slow” attacks, which overwhelm application or service resources. # 2 | Exploits  Exploits take advantage of design, code or configuration issues that cause unintended behaviour of the application. Some common examples include SQL Injection (SQLi), cross-site scripting (XSS), buffer overflows, and various Secure Sockets Layer (SSL) and Transport Layer Security (TLS) manipulation attacks. # 3 | Abuse  Abuse covers many non-exploit types of attack that primarily take advantage of business logic. This includes scraping, aggregating, account brute-forcing, scalping, spamming and other — often automated — scenarios. # 4 | Access Access violations occur when an attacker or legitimate user takes advantage of weaknesses in the authentication (AuthN) or authorization (AuthZ) policies of a web application or service. Of the four categories, Gardner says only exploits can be potentially addressed with secure coding and configuration. The others require design-level considerations that cannot be reasonably compensated for in code. For example, although it’s arguably possible to defend against account takeovers in individual application code, it is much more economical and error-proof to do so in the identity and access management (IAM) system or another external capability. In an ideal world, the highest level of protection would be available at all times or as needed, but this isn’t feasible due to complexity and cost factors. And continuously providing the highest level of protection to all web assets can be an expensive proposition, both from economic and operational perspectives. Securing web applications and web APIs from attacks and abuse requires businesses to assess what level of protection is necessary. “Security teams must first pick a protection baseline. Then they must decide what extra protections are necessary to apply to specific assets,” recommends Gardner. When thinking of protecting web applications, security teams often first look to existing network technologies, such as next-generation firewall (NGFW) platforms and intrusion detection and prevention systems (IDPSs). But these do not provide strong-enough capabilities in any of the protection areas, warns Gardner. They are not easily integrated to intercept TLS and do not have the same signatures, rules, behavioral analysis and business logic insight as security solutions that focus on web applications and APIs. Organizations often first look at a “completely automated public Turing test to tell computers and humans apart” (CAPTCHA) when they suffer from abuse of functionality. But an always-on CAPTCHA creates user-experience hurdles for legitimate users, and it is also no guarantee to keep the abuser out (attackers keep finding ways to circumvent or solve many CAPTCHAs). Multifactor authentication (MFA) and out of band (OOB) challenges are often used to enable strong access control, as well as to try to thwart abuse. Unfortunately, they suffer from similar issues as CAPTCHA, and in addition are often complex and expensive to implement. Currently, no single security platform or solution implements the highest possible level of protection in each of the exploit, abuse of functionality, access violation and DoS mitigation categories. Some organizations will still be able to start with a single solution to address the biggest potential risks. But they often find themselves needing greater security capabilities over time due to changes in threats and the application landscape. Web application firewalls (WAFs) are broadly deployed, but buyers routinely express disappointment and frustration over factors such as accuracy, the ability to prevent attacks, the administrative overhead required to maintain attack detection profiles and price. Incumbent vendors have begun addressing emerging requirements, but many products still lag. The market for solutions to protect web applications will continue to grow, but given buyer dissatisfaction, vendors with innovative approaches and new product packaging will capture the bulk of new spending. Buyers are shifting to service-based offerings, and demand for infrastructure as a service (IaaS) deployable products is growing. These shifts pose risks, especially to incumbents, but also present opportunities for new offerings and greater growth. Gartner believes that by 2020, stand-alone WAF hardware appliances will represent less than 20 percent of new WAF deployments, down from 40 percent today. By 2020, more than 50 percent of public-facing web applications will be protected by cloud-based WAAP services that combine content delivery networks, DDoS protection, bot mitigation and WAFs, which is an increase from fewer than 20 percent today. Web applications, mobile applications, and web APIs are subject to increased numbers and complexity of attacks. Gardner, who will be speaking at the Gartner Security & Risk Management Summit in Sydney later this month explains what organizations must keep in mind when planning and implementing solutions: Public, limited-access external, and internal applications require different levels of security. No one capability covers all types of attack. No two capabilities have interchangeable protection efficacy. Some of the capabilities have strong overlaps in addressing specific attack subcategories. Enforcement of policy may be centralized or distributed (for example, use of micro-gateways). “As a result, a mix of capabilities, though not necessarily separate products, have to be put in place as a layered approach,” concludes Gardener. Considering the range of exploits and abuse that can occur with web and mobile applications and web APIs, technical professionals must leverage a mix of externalized security controls to deliver appropriate protection and alleviate burdens to development staff. Source: https://techwireasia.com/2018/08/the-complete-guide-to-understanding-web-applications-security/

Continue Reading:
The complete guide to understanding web applications security

DDoS attackers increasingly strike outside of normal business hours

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors. While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks … More ? The post DDoS attackers increasingly strike outside of normal business hours appeared first on Help Net Security .

Read the original:
DDoS attackers increasingly strike outside of normal business hours

Week in review: IoT security, cyber hygiene, Social Mapper

Here’s an overview of some of last week’s most interesting news and articles: Intensifying DDoS attacks: ?Choosing your defensive strategy One of the biggest misconception regarding DDoS attacks is that they are a once-in-a-lifetime event for organizations, says Josh Shaul, VP of Web Security at Akamai. “Our State of the Internet Report found that companies suffered 41 DDoS attacks on average over the last six months,” he points out. August Patch Tuesday forecast: Looking ahead … More ? The post Week in review: IoT security, cyber hygiene, Social Mapper appeared first on Help Net Security .

Taken from:
Week in review: IoT security, cyber hygiene, Social Mapper

A botnet of smart irrigation systems can deplete a city’s water supply

Ben-Gurion University of the Negev (BGU) cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously. The researchers analyzed and found vulnerabilities in a number of commercial smart irrigation systems, which enable attackers to remotely turn watering systems on and off at will. They tested three of the most widely sold smart irrigation systems: GreenIQ, BlueSpray, and RainMachine smart irrigation systems. … More ? The post A botnet of smart irrigation systems can deplete a city’s water supply appeared first on Help Net Security .

See original article:
A botnet of smart irrigation systems can deplete a city’s water supply

Researchers open source tools to identify Twitter bots at scale

Duo Security published technical research and methodology detailing how to identify automated Twitter accounts, known as bots, at a mass scale. Using machine learning algorithms to identify bot accounts across their dataset, Duo Labs researchers also unraveled a sophisticated cryptocurrency scam botnet consisting of at least 15,000 bots, and identified tactics used by malicious bots to appear legitimate and avoid detection, among other findings. The research From May to July 2018, researchers collected and analyzed … More ? The post Researchers open source tools to identify Twitter bots at scale appeared first on Help Net Security .

Read More:
Researchers open source tools to identify Twitter bots at scale

Intensifying DDoS attacks: ?Choosing your defensive strategy

One of the biggest misconception regarding DDoS attacks is that they are a once-in-a-lifetime event for organizations, says Josh Shaul, VP of Web Security at Akamai. “Over the last six months, our State of the Internet Report found that companies suffered 41 DDoS attacks on average over the last six months,” he points out. The rise and rise of DDoS attacks As Arbor Networks CTO Darren Anstee recently pointed out, DDoS attacks have become a … More ? The post Intensifying DDoS attacks: ?Choosing your defensive strategy appeared first on Help Net Security .

Read more here:
Intensifying DDoS attacks: ?Choosing your defensive strategy

Castaway hacker guilty of sedating children’s hospital computers

He’ll almost certainly get more than a three-hour tour after DDoS strike on medics A self-styled Anonymous hacker who attempted to flee the US in a sailboat has been convicted of two felonies for his role in a 2014 distributed denial-of-service (DDoS) attack on a children’s hospital.…

Read the original post:
Castaway hacker guilty of sedating children’s hospital computers