Chinese Firm Defends Webcam Security After DDoS Attacks

Hangzhou Xiongmai Technology says devices sold in the US before April 2015 will be recalled after attack on Dyn servers.

China’s Hangzhou Xiongmai Technology, which has issued a recall for thousands of webcams sold in the US that were used in a massive distributed denial of service (DDoS) attack on the servers of US-based internet company Dyn, said the hacks occurred because customers didn’t change the default password, according to the AP.

The attack, which in part came through devices with Xiongmai components, briefly cut access to many sites including Twitter, Netflix, Amazon, and Spotify.

Xiongmai’s Liu Yuexin told AP the company did its best to secure the devices. The company, he added, came to know of the weakness in its webcams and digital recorders in April 2015 and had patched the flaws.

Vulnerabilities in devices by Xiongmai and video surveillance maker Dahua first came to light after an attack on the website of cybersecurity writer Brian Krebs and have highlighted concerns about the security risks of interconnected consumer gadgets.


How to defend against the internet’s doomsday of DDoS attacks

Last week’s assault on Dyn’s global managed DNS services was only the start. Here’s how to fend off hackers’ attacks both on your servers and on the internet.

We knew major destructive attacks on the internet were coming. Last week the first of them hit Dyn, a major Domain Name System (DNS) service provider, with a global Distributed Denial of Service (DDoS) attack.

As Dyn went down, popular websites such as AirBnB, GitHub, Reddit, Spotify, and Twitter followed it down. Welcome to the end of the internet as we’ve known it.

Up until now we’ve assumed that the internet was as reliable as our electrical power. Those days are done. Today, we can expect massive swaths of the internet to be brought down by new DDoS attacks at any time.

We still don’t know who was behind these attacks. Some have suggested, since Dyn is an American company and most of the mauled sites were based in the US, that Russia or Iran was behind the attack.

It doesn’t take a nation, though, to wreck the internet. All it takes is the hundreds of millions of unsecured shoddy devices of the Internet of Things (IoT).

In the Dyn onslaught, Kyle York, Dyn’s chief strategy officer, said the DDoS attack used “tens of millions” of devices. Hangzhou Xiongmai Technology, a Chinese technology company, has admitted that its webcam and digital video recorder (DVR) products were used in the assault. Xiongmai is telling its customers to update their device firmware and change usernames and passwords.

Good luck with that. Quick: Do you know how to update your DVR’s firmware?

The attack itself appears to have been made with the Mirai botnet. This open-source botnet scans for devices using their default username and password credentials. Anyone can use it — China, you, the kid next door — to generate DDoS attacks. For truly damaging DDoS barrages, you need to know something about the internet’s architecture, but that’s not difficult.

Or, as Jeff Jarmoc, a Salesforce security engineer, tweeted, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” That’s funny, but it’s no joke.

Fortunately, you can do some things about it.

Securing the Internet of Things

First, and this unfortunately is a long-term solution, IoT vendors must make it easy to update and secure their devices. Since you can’t expect users to patch their systems — look at how well they do with Windows — patching must be made mandatory and done automatically.

One easy way to do this is to use an operating system, such as Ubuntu with Snap, to update devices quickly and cleanly. These “atomic” style updating systems make patches both easier to write and deploy.

Another method is to lock down IoT applications and operating systems. Just like any server, the device should have the absolute minimum of network services. Your smart TV may need to use DNS, but your smart baby monitor? Not so much.

That’s all fine and dandy and it needs to be done, but it’s not going to help you anytime soon. And, we can expect more attacks at any moment.

Defending your intranet and websites

First, you should protect your own sites by practicing DDoS prevention 101. For example, make sure your routers drop junk packets. You should also block unnecessary external protocols such as Internet Control Message Protocol (ICMP) at your network’s edge. And, as always, set up good firewalls and server rules. In short, block everything you can at your network edge.

Better still, have your upstream ISP block unnecessary and undesired traffic. For example, your ISP can make your life easier simply by upstream blackholing. And if you know your company will never need to receive UDP traffic, like Network Time Protocol (NTP) or DNS, your ISP should just toss garbage traffic into the bit bin.

You should also look to DDoS mitigation companies to protect your web presence. Companies such as Akamai, CloudFlare, and Incapsula offer affordable DDoS mitigation plans for businesses of all sizes.

As DDoS attacks grow to heretofore unseen sizes, even the DDoS prevention companies are being overwhelmed. Akamai, for example, had to stop trying to protect the Krebs on Security blog after it was smacked by a DDoS blast that reached 620 Gbps in size.

That’s fine for protecting your home turf, but what about when your DNS provider gets nailed?

You can mitigate these attacks by using multiple DNS providers. One way to do this is to use Netflix’s open-source program Denominator to support managed, mirrored DNS records. This currently works across AWS Route53, RackSpace CloudDNS, DynECT, and UltraDNS, but it’s not hard to add your own or other DNS providers. This way, even when a DDoS knocks out a single DNS provider, you can still keep your sites up and running.

Which ones will work best for you? You can find out by using Namebench. This is an easy-to-use, open-source DNS benchmark utility.

Even with spreading out your risk among DNS providers, DNS attacks are only going to become both stronger and more common. DNS providers like Dyn are very difficult to secure.

As Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company, told Bloomberg, DNS providers are like hospitals: They must admit anyone who shows up at the emergency room. That makes it all too easy to overwhelm them with massive — in the range of 500 gigabits per second — attacks. In short, there is no easy, fast fix here.

One way you can try to keep these attacks from being quite so damaging is to increase the Time to Live (TTL) in your own DNS servers and caches. Typically, today’s local DNS servers have a TTL of 600 seconds, or 5 minutes. If you increased the TTL to say 21,600 seconds, or six hours, your local systems might dodge the DNS attack until it was over.

Protecting the internet

While the techniques might help you, they don’t do that much to protect the internet at large. DNS is the internet’s single point of total failure. That’s bad enough, but as F5, a top-tier ISP notes, DNS is historically under-provisioned. We must set up a stronger DNS system.

ISPs and router and switch vendors should also get off their duffs and finally implement Network Ingress Filtering, better known as Best Current Practice (BCP)-38.

BCP-38 works by filtering out bogus internet addresses at the edge of the internet. Thus, when your compromised webcam starts trying to spam the net, BCP-38 blocks these packets at your router or at your ISP’s router or switch.
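BCP-38 reduced to its core rule, as an added illustration (not code from the article or from any router vendor): a packet arriving on a customer-facing port is only forwarded if its source address falls inside the prefixes that port was actually assigned. The interface-to-prefix table and the packets below are constructed sample data; a production deployment expresses the same check as router ACLs or strict unicast RPF rather than Python.

```python
"""BCP-38 style ingress filtering, modelled in Python.

Added illustration, not code from the article or from any router vendor.
The interface-to-prefix table and the packets are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # customer-facing interface the packet arrived on
    src: str     # source IP address claimed in the packet header
    dst: str     # destination IP address


# Constructed: prefixes the provider has actually assigned to each customer port.
# A real implementation derives this from the provisioning/routing database
# (or lets the router enforce it with strict unicast RPF).
ALLOCATIONS = {
    "cust-a": [ip_network("203.0.113.0/24")],
    "cust-b": [ip_network("198.51.100.0/25"), ip_network("2001:db8:b::/48")],
}

# Source addresses that must never appear on an internet-facing link.
BOGON_SOURCES = [
    ip_network("0.0.0.0/8"), ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"), ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"), ip_network("224.0.0.0/3"),
    ip_network("::/128"), ip_network("::1/128"), ip_network("fc00::/7"),
    ip_network("fe80::/10"), ip_network("ff00::/8"),
]


def ingress_verdict(pkt: Packet) -> str:
    """Return 'accept' or a 'drop:<reason>' string for one packet."""
    src = ip_address(pkt.src)
    allowed = ALLOCATIONS.get(pkt.iface)
    if allowed is None:
        return "drop:unknown-interface"
    # `in` is simply False when address and network are different IP versions.
    if any(src in bogon for bogon in BOGON_SOURCES):
        return "drop:bogon-source"
    if not any(src in prefix for prefix in allowed):
        return "drop:spoofed-source"
    return "accept"


def filter_packets(packets):
    """Apply the ingress filter to a batch; return (accepted packets, verdict counts)."""
    counts = Counter()
    accepted = []
    for pkt in packets:
        verdict = ingress_verdict(pkt)
        counts[verdict] += 1
        if verdict == "accept":
            accepted.append(pkt)
    return accepted, counts


# Constructed traffic sample: a compromised device on cust-a's network spoofing
# its source address, next to ordinary traffic from both customers.
SAMPLE_PACKETS = [
    Packet("cust-a", "203.0.113.77", "192.0.2.53"),      # genuine source, passes
    Packet("cust-a", "192.0.2.10", "192.0.2.53"),        # spoofed: someone else's address
    Packet("cust-a", "10.0.0.5", "192.0.2.53"),          # RFC 1918 source, bogon
    Packet("cust-b", "198.51.100.9", "192.0.2.80"),      # genuine source, passes
    Packet("cust-b", "198.51.100.200", "192.0.2.80"),    # outside cust-b's /25
    Packet("cust-b", "2001:db8:b::10", "2001:db8:1::1"), # genuine IPv6 source
    Packet("cust-z", "203.0.113.1", "192.0.2.1"),        # unprovisioned port
]

if __name__ == "__main__":
    accepted, counts = filter_packets(SAMPLE_PACKETS)
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.iface:7} {pkt.src:>18} -> {ingress_verdict(pkt)}")
    print(dict(counts))
```

The point of the model is that the decision needs no knowledge of the destination or of the attack: the spoofed packet is rejected purely because its source cannot legitimately originate on that port, which is why the check has to live at the edge where that fact is known.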

It’s possible, but unfortunately not likely, that your ISP has already implemented BCP-38. You can find out by running Spoofer. This is a new, open-source program that checks to see how your ISP handles spoofed packets.

So why wasn’t it implemented years ago? Andrew McConachie, an ICANN technical and policy specialist, explained in an article that ISPs are too cheap to pay the small costs required to implement BCP-38.

BCP-38 isn’t a cure-all, but it sure would help.

Another fundamental fix that could be made is response rate limiting (RRL). This is a new DNS enhancement that can shrink attacks by 60 percent.

RRL works by recognizing that when hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, chances are they’re an attack. When RRL spots malicious traffic, it slows down the rate the DNS replies to the bogus requests. Simple and effective.
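The RRL mechanism just described, as an added illustration that is not code from the article and not BIND’s or any other server’s implementation; the bucket rules are a simplified version of the scheme those servers use. Clients are bucketed per /24 (or /56) because a spoofed flood hops across source addresses, and every second “slip”-th limited answer goes out truncated (TC=1) so that a genuine client can retry over TCP, which cannot be spoofed. The query records are constructed sample data; the names, prefix lengths and limits are assumptions.

```python
"""Simplified DNS Response Rate Limiting (RRL), modelled in Python.

Added illustration, not code from the article and not BIND's or Knot's RRL
implementation; the bucket rules are a simplified version of the scheme
those servers use. Query records below are constructed sample data.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # credits a bucket earns each second
    window: int = 15                # how many seconds of "debt" a bucket may carry
    slip: int = 2                   # every slip-th limited answer is sent truncated (TC=1)
    ipv4_prefix: int = 24           # clients are bucketed per /24 ...
    ipv6_prefix: int = 56           # ... or per /56, since spoofed sources hop around


class ResponseRateLimiter:
    def __init__(self, cfg=None):
        self.cfg = cfg or RRLConfig()
        self._buckets = {}         # key -> [credits, second of last update]
        self._limited = Counter()  # key -> number of answers limited so far

    def _key(self, client_ip, qname, qtype, rcode):
        ip = ipaddress.ip_address(client_ip)
        plen = self.cfg.ipv4_prefix if ip.version == 4 else self.cfg.ipv6_prefix
        block = ipaddress.ip_network((str(ip), plen), strict=False)
        # Identical answers to one client block share a bucket; error answers
        # (NXDOMAIN, REFUSED, ...) are bucketed per block regardless of name.
        if rcode == "NOERROR":
            return (str(block), qname.lower().rstrip("."), qtype.upper(), rcode)
        return (str(block), rcode)

    def decide(self, client_ip, qname, qtype, rcode, now):
        """Return 'send', 'slip' (truncated answer) or 'drop' for one response."""
        cfg = self.cfg
        key = self._key(client_ip, qname, qtype, rcode)
        second = int(now)
        credits, last = self._buckets.get(key, (cfg.responses_per_second, second))
        if second > last:   # top up credits, never beyond one second's allowance
            credits = min(cfg.responses_per_second,
                          credits + (second - last) * cfg.responses_per_second)
        credits -= 1
        # Debt is capped so a block that stops flooding recovers within `window` s.
        credits = max(credits, -cfg.responses_per_second * cfg.window)
        self._buckets[key] = [credits, second]
        if credits >= 0:
            return "send"
        self._limited[key] += 1
        if cfg.slip and self._limited[key] % cfg.slip == 0:
            return "slip"   # TC=1: a real client retries over TCP, a spoofed one cannot
        return "drop"


def build_constructed_queries():
    """Constructed query log: a spoofed-source ANY flood plus two genuine lookups."""
    queries = []
    # 40 'ANY example.com' queries in one second, sources scattered over 198.51.100.0/24
    for i in range(40):
        queries.append((0.02 * i, f"198.51.100.{i + 1}", "example.com", "ANY", "NOERROR"))
    queries.append((0.50, "203.0.113.9", "www.example.com", "A", "NOERROR"))
    queries.append((0.60, "203.0.113.9", "mail.example.com", "MX", "NOERROR"))
    queries.append((1.00, "198.51.100.200", "example.com", "ANY", "NOERROR"))  # flood continues
    return queries


def run(queries, cfg=None):
    """Feed (time, client, qname, qtype, rcode) records through RRL; return action counts."""
    rrl = ResponseRateLimiter(cfg)
    actions = Counter()
    for t, client, qname, qtype, rcode in queries:
        actions[rrl.decide(client, qname, qtype, rcode, t)] += 1
    return dict(actions)


if __name__ == "__main__":
    print(run(build_constructed_queries()))
```

With the defaults, the first five identical answers in a second go out normally, the rest of the burst is split between dropped and truncated replies, and the two genuine queries from the other client are untouched because they land in different buckets. The amplification the attacker was after (many full answers aimed at the spoofed victim) is what gets cut, not the server’s ability to answer real clients.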

Those are some basic ideas on how to fix the internet. It’s now up to you to use them. Don’t delay. Bigger attacks are on their way and there’s no time to waste.


Chinese firm recalls camera products linked to massive DDOS attack

Hangzhou Xiongmai Technology is recalling earlier models of four kinds of cameras due to a security vulnerability


A Chinese electronics component maker is recalling 4.3 million internet-connected camera products from the U.S. market amid claims they may have played a role in Friday’s massive internet disruption.

On Monday, Hangzhou Xiongmai Technology said it was recalling earlier models of four kinds of cameras due to a security vulnerability that can make them easy to hack.

“The main security problem is that users aren’t changing the device’s default passwords,” Xiongmai said in a Chinese-language statement posted online.

According to security firm Flashpoint, malware known as Mirai has been exploiting the products from Xiongmai to launch massive distributed denial-of-service attacks, including Friday’s, which slowed access to many popular sites, including Netflix, PayPal, and Twitter.

Companies observing Friday’s disruption said botnets powered by the Mirai malware were at least partly responsible for the attack.

Xiongmai, a maker of camera modules and DVR boards, has acknowledged that its products have been a target for hackers, but it said it patched the problem with the default passwords back in April 2015. For older products, the company has come up with a firmware update to fix the flaw.

To prevent the security risks, the company has still decided to recall earlier models. However, Xiongmai has also dismissed news reports that its products were largely behind Friday’s DDOS attack as untrue and is threatening legal action against those who damage its reputation.

“Security vulnerabilities are a common problem for mankind,” the company said. “All industry leaders will experience them.”

Experts have said the Mirai malware is probably targeting products from several vendors, in addition to Xiongmai. The malicious coding is built to try a list of more than 60 combinations of user names and passwords when infecting devices.

So far, the Mirai malware has gone on to infect at least 500,000 devices, according to internet backbone provider Level 3 Communications.


Anonymous hacker charged with #opJustina DDoS attacks on hospital

The Anonymous-affiliated hacker who admitted to cyberattacks on two hospitals in the #opJustina operation and fled the country while being investigated was indicted last week.

Martin Gottesfeld, 32, a biotechnology information technology professional from Somerville, Massachusetts, is being charged with conspiracy to launch cyberattacks against two local hospitals: Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network, a mental health facility.

Those two hospitals were at the center of a case that attracted masses of media attention: that of Justina Pelletier, the then-15-year-old who was caught in a 16-month custody battle as her parents tried to have her treated for mitochondrial disease at one hospital, while Boston Children’s Hospital treated her in a psychiatric unit as a ward of the state.

Gottesfeld’s indictment, handed down on Wednesday, also charges him with intentional damage to a protected computer.

Both are felony hacking charges.

Gottesfeld admitted to the attacks last month, explaining how he did it and why in an editorial published by the Huffington Post.

I had heard many, too many, such horror stories of institutionalized children who were killed or took their own lives in the so-called “troubled teen industry”. I never imagined a renowned hospital would be capable of such brutality and no amount of other good work could justify torturing Justina.

The distributed denial of service (DDoS) attack against BCH was planned for maximum financial damage, Gottesfeld said: he knew that the hospital was planning a big fundraising drive and that most donors gave online.

In his editorial, he went on to scoff at BCH for making it easy for him to attack it, since the hospital kept its donation page on the same public network as the rest of its systems:

Rookie mistake. To take it down, I’d have to knock the whole hospital off the internet.

He also claimed that no patients would be harmed:

There’s no such thing as an outage-proof network, so hospitals have to be able to function without the internet. It’s required by federal law, and for accreditation. The only effects would be financial and on BCH’s reputation.

That’s not how the hospital, or the prosecution, sees it. The indictment states that BCH had to shut down its access to the internet and email servers to protect patient medical records.

That meant that physicians outside the hospital couldn’t get at patients’ records. Nor could patients communicate with their doctors.

BCH claims that responding to, and mitigating, the damage of the attack cost $300,000, while the disruption in fundraising meant another $300,000 hit, for a total loss of $600,000.

Gottesfeld claims that the attack against BCH was a justifiable reaction to the actions of the hospital, which was described as a “parentectomy”.

Gottesfeld’s defence, to blame the hospital for the attack, is all too commonly heard. The blame-the-victim reasoning is often voiced by other cyberattackers, be it from people who guess at weak passwords and use them to waltz into accounts without authorization, or those who launch crippling attacks such as those that Gottesfeld admits to.

But just because it’s easy to do doesn’t make those or other cybercrimes OK. They’re illegal, and they can result in jail time, fines or both.

Each of the charges Gottesfeld’s facing carries a maximum sentence of five years in jail, along with fines.

Gottesfeld has been detained in Rhode Island since he and his wife were plucked off their boat near the coast of Cuba and arrested in Florida.

When the indictment was handed down last Wednesday, Gottesfeld was reportedly on day 16 of a hunger strike over the appointment of the office of Carmen Ortiz as his prosecutor. Ortiz was the prosecutor in the cases against both Aaron Swartz and Jonathan James, who both later took their own lives. She has faced sharp criticism over her approach to those cases.

In spite of his admission to the DDoS attacks, Gottesfeld is likely to plead not guilty at his arraignment this week before US Magistrate Judge Marianne B. Bowler, his wife told the Washington Times.


How Hackers Make Money from DDoS Attacks

Attacks like Friday’s are often financially motivated.

Yesterday’s attack on the internet domain directory Dyn, which took major sites like Twitter and Paypal offline, was historic in scale. But the motivation for the attack may seem opaque, since no valuable information seems to have been stolen. A group called New World Hackers is claiming credit, but giving conflicting accounts of their motives—and security experts have called them “impostors.”

So why else might someone have done it? This class of hack, known as a distributed denial of service (DDoS) attack, has been around for a while. And while many DDoS attacks are indeed motivated by politics, revenge, or petty trolling, there’s frequently money involved.

For instance, DDoS attacks are often used as leverage for blackmail. Once a hacking group has a reputation for being able to field a large and dangerous botnet to knock servers offline, they can demand huge ‘protection’ payments from businesses afraid of facing their wrath. In fact, they don’t even have to do the hacking in the first place—in one recent case, someone posing as a notorious cabal merely emailed blackmail messages and managed to pocket tens of thousands of dollars before they were exposed.

In the current case, there are rumors that Dyn was a target of extortion attempts before the attack. And the hackers behind what may be the biggest DDoS attack in history could demand a pretty penny to leave other companies alone. A wave of impostors will likely give it a shot, too.

There’s another, even darker money-driven application of DDoS attacks—industrial sabotage. Companies seeking to undermine their competition can hire hackers to take the other guys offline. DDoS services are often contracted through so-called “booter” portals where anyone can hire a hacker’s botnet in increments as small as 15 minutes. Researchers found last year that three of the most prominent booter services at the time had over 6,000 subscribers in total, and had launched over 600,000 attacks. (And despite the criminal reputation of Bitcoin, by far the largest method used to pay for DDoS-for-hire was Paypal.)

But it’s unlikely that this was some sort of hit called in by a competitor of Dyn—that tactic seems to primarily appeal to already-shady dealers, including online gambling operations.

Finally, DDoS attacks can serve as a kind of smokescreen for more directly lucrative crimes. While a security team is struggling to deal with an army of zombie DVRs pummeling their system, attackers can grab passwords, credit card numbers, or identity information.

In weighing possible explanations for Friday’s attack, it’s important to note the massive scale of the thing. Even if their claims of responsibility aren’t credible, New World Hackers’ description of about 1.2 terabits of data per second thrown at Dyn’s servers is both vaguely plausible and utterly mind-boggling. That’s around a thousand times as powerful as the huge 620 gigabit per second attack that knocked out a single website, Krebs on Security, last month. Dyn has also described the attack as sophisticated, arriving in three separate waves that targeted different parts of their systems.

That kind of operation could have been pulled off by a gang of kids doing it for kicks—and maybe that’s the scarier scenario. But such a massive undertaking suggests bigger, and possibly more lucrative, motivations.


How massive DDoS attacks are undermining the Internet

On Friday morning, I awoke to find that our company-wide single sign-on and cloud storage was disrupted due to the massive distributed denial of service (DDoS) attack against domain host Dyn.

This attack was big, disrupting consumer services like Spotify and Netflix, all the way to enterprise-grade providers like Heroku and Zendesk. Once the dust has settled, it’s likely that this attack will have impacted more people, in more ways, than any other in memory.

A DoS attack is an attempt to make something on the network unavailable to users, for example, a website. A distributed denial-of-service (DDoS) is when the attack is launched by many unique IP addresses—or, as in this case, devices—all aiming traffic at one or multiple targets. The target simply crumbles under the pressure of so much traffic.

In the past few weeks, hackers have upped the DDoS stakes in a big way. Starting with the attack on and increasing in severity from there, hundreds of thousands of devices have been used to perpetrate these actions, a number that dwarfs previous attacks by orders of magnitude.

While it isn’t yet confirmed, evidence points to the attack that we saw on Friday morning following this same playbook, but being perpetrated on a much larger scale, relying on Internet of Things (IoT) devices rather than computers and servers to carry out an attack.

In fact, in all likelihood an army of surveillance cameras attacked Dyn. Why surveillance cameras? Because many of the security cameras used in homes and business around the world typically run the same or similar firmware produced by just a few companies.

This firmware is now known to contain a vulnerability that can easily be exploited, allowing the devices to have their sights trained on targets like Dyn. What’s more, many still operate with default credentials — making them a simple, but powerful target for hackers.

Why is this significant? The ability to enslave these video cameras has made it easier and far cheaper to create botnets at a scale that the world has never seen before. If someone wants to launch a DDoS attack, they no longer have to purchase a botnet—they can create their own using a program that was dumped on the internet just a few weeks ago.

Moreover, DDoS attacks aren’t the only problem with vulnerable IoT devices: these devices can also be a pathway for hackers to get behind a company’s firewall.

The other reason why this is so significant is that, by most accounts, we are extremely unprepared to secure our devices from being taken over. Early government and commercial efforts have focused on how manufacturers can build better security into devices. But this is problematic for a couple of reasons, not the least of which is that IoT devices cannot run traditional cyber security software.

As a result, there are fewer “tools in the shed” to protect the IoT than there are for computers that run traditional operating systems. Some IoT devices can be patched, others can’t. For the device that can be patched, this is a very manual process and not something that is routinely done.

What’s the answer here? As with everything in cybersecurity, there is no silver bullet. Even when it comes to IoT, we have to remember one of the fundamental tenets of this field: defense in depth. Moving beyond the acknowledged need to be better at patching devices, we must then ask if devices are protected by a robust perimeter security solution and are continuously monitored for suspicious behavior.

We can debate the merits of the different approaches but the point is that all of the necessary levels and approaches are being considered and that we do not have device tunnel vision.

We do not need to reinvent the wheel when it comes to protecting networks from IoT. But we need to recognize that massive DDoS attacks utilizing IoT devices have the potential to undermine the reliability and availability of the internet. With the backbone of our economy relying on it, it’s time to get serious about fighting these hackers. The first thing we need is to prevent our devices from being used as ammunition.


Twitter, Amazon, other top websites shut in cyber attack

Major internet services including Twitter, Spotify and Amazon suffered service interruptions and outages on Friday as a US internet provider came under a cyber attack.

The internet service company Dyn, which routes and manages internet traffic, said that it had suffered a distributed denial of service (DDoS) attack on its domain name service shortly after 1100 GMT.

The service was restored in about two hours, Dyn said.

The attack meant that millions of internet users could not access the websites of major online companies such as Netflix and Reddit as well as the crafts marketplace Etsy and the software developer site Github, according to media reports.

The website Gizmodo said it had received reports of difficulty at sites for media outlets including CNN, The Guardian, Wired, HBO and People as well as the money transfer service PayPal.

Dyn, which is headquartered in New Hampshire, said the attack went after its domain name service, causing interruptions and slowdowns for internet users.

“This morning, October 21, Dyn received a global DDoS attack on our Managed DNS infrastructure in the east coast of the United States,” Scott Hilton, executive vice president for products at Dyn, said in a statement.

“We have been aggressively mitigating the DDoS attack against our infrastructure.”

The company said it was continuing to investigate.

A map published by the website showed service interruptions for Level3 Communications, a so-called “backbone” internet service provider, across much of the US east coast and in Texas.

Amazon Web Services, which hosts some of the most popular sites on the internet, including Netflix and the homestay network Airbnb, said on its website that users experienced errors including “hostname unknown” when attempting to access hosted sites but that the problem had been resolved by 1310 GMT.

Domain name servers are a crucial element of internet infrastructure, converting numbered Internet Protocol addresses into the domain names that allow users to connect to internet sites.

Distributed denial of service or DDoS attacks involve flooding websites with traffic, making them difficult to access or taking them offline entirely. Attackers can use them for a range of purposes, including censorship, protest and extortion.

The loose-knit hacktivist network Anonymous targeted the DNS provider EveryDNS among others in 2010 as retribution for denying service to the anti-secrecy organization WikiLeaks.

“The internet continues to rely on protocols and infrastructure designed before cyber security was an issue,” said Ben Johnson, a former engineer at the National Security Agency and founder of the cybersecurity company Carbon Black.

He said that growing interconnection of ordinary devices to the internet, the so-called “internet of things,” increased the risks to networks.

“DDoS, especially with the rise of insecure IOT devices, will continue to plague our organizations. Sadly, what we are seeing is only the beginning in terms of large scale botnets and disproportionate damage done.”


Martin Gottesfeld, Anonymous hacktivist, charged over hospital DDoS attacks

Felony hacking charges were handed down Wednesday to a Massachusetts man accused of disrupting the computer networks of Boston-area hospitals with a 2014 digital protest waged under the name of hacktivist group Anonymous.

Martin Gottesfeld, 32, was indicted by a grand jury Wednesday on one count each of computer hacking and conspiracy related to distributed denial-of-service (DDoS) attacks suffered by Boston Children’s Hospital and the Wayside Youth and Family Support Network, a residential treatment facility in nearby Framingham.

Mr. Gottesfeld was arrested in February, and has been held at a detention center in Rhode Island for the last eight months while investigators assembled their case. He’ll likely plead not guilty when formally arraigned next week before U.S. Magistrate Judge Marianne B. Bowler, his wife, Dana Gottesfeld, told The Washington Times on Thursday. The charges each carry a maximum prison sentence of five years apiece.

Prosecutors say Mr. Gottesfeld plotted and participated in a cyber campaign against facilities he perceived to be part of “the troubled teen industry,” or institutions involved in the treatment of adolescents with serious emotional, psychological and medical problems.

By overloading their computer networks with illegitimate internet traffic, authorities say the self-described human rights activist caused the facilities’ systems to suffer from setbacks that disrupted operations and resulted in hundreds of thousands of dollars in losses and damages.

Investigators say Mr. Gottesfeld led DDoS attacks in March 2014 that “lasted for more than a week, crippled Wayside’s website during that time and caused it to spend more than $18,000 on response and mitigation efforts.”

A subsequent campaign launched against Children’s is described in charging documents as “particularly disruptive,” and reportedly caused the hospital to lose upwards of $600,000.

The hospital said it spent around $300,000 responding to the DDoS attack, but also lost approximately $300,000 because its systems were knocked offline in the midst of a fundraiser.

The FBI had already interviewed Mr. Gottesfeld about the DDoS attacks and made it clear he was under investigation when he and his wife suddenly went missing earlier this year. The couple was eventually rescued in the Bahamas by a Disney cruise ship in February, and law enforcement filed a criminal complaint charging Mr. Gottesfeld with conspiracy to commit computer hacking while the two were being brought back to land.

Writing while in custody last month, Mr. Gottesfeld admitted waging DDoS attacks in response to the alleged mistreatment suffered by a 15-year-old patient, Justina Pelletier. Now 17, her parents have since sued Boston Children’s Hospital and four of its doctors for claims including gross negligence and civil rights violations.

“I had heard many, too many, such horror stories of institutionalized children who were killed or took their own lives in the so-called ‘troubled teen industry.’ I never imagined a renowned hospital would be capable of such brutality and no amount of other good work could justify torturing Justina,” he wrote for Huffington Post last month.

“Justina wasn’t defenseless. Under the banner of Anonymous, she and other institutionalized children could and would be protected,” he wrote in an op-ed titled “Why I Knocked Boston Children’s Hospital Off The Internet.”

In addition to his admission in the press, investigators said they found hundreds of private Twitter messages on Mr. Gottesfeld’s computer in which he allegedly plotted DDoS attacks with an unindicted co-conspirator, as well as other digital evidence linking him to the disruptions.

Evidence aside, Mr. Gottesfeld has been protesting his prosecution while in detention, and was on the sixteenth day of a hunger strike when Wednesday’s indictment was handed down.

Facing the same federal prosecutor’s office responsible for pursuing a pair of particularly notable hacking cases, Mr. Gottesfeld has been forgoing food in an effort to raise awareness about both the “troubled teen industry” as well as U.S. Attorney Carmen Ortiz’s handling of alleged computer crimes.

“The fact that Ortiz’s office indicted on debate day, and without a press release, shows they are aware of the unconscionable human rights violations they are attempting to sweep under the rug and the precedence of impunity that would be even more firmly established,” Mr. Gottesfeld said Thursday in an email shared by his wife with The Washington Times. “They have no compassion for the suffering of Justina Pelletier, a mentally and physically challenged child, ripped from her family, left in agony without her painkillers, and locked in an abusive psych ward. Nor are they concerned with any real semblance of true justice.”

“This indictment, and the manner in which it was unsealed, were cowardly acts,” he said.

Internet activist Aaron Swartz was facing charges related to multiple alleged violations of the federal Computer Fraud and Abuse Act brought by Ms. Ortiz’s office when he committed suicide in 2013. Five years earlier, hacker Jonathan James took his own life while being investigated by the same prosecutor’s office in the District of Massachusetts.

The Department of Justice did not immediately respond to requests for comment on Thursday.


Bitter feud between partners as IBM deflects eCensus blame

NextGen, Vocus refute claims of error.

A bitter feud has broken out between IBM and its internet service provider partners for the 2016 eCensus as the main contractor tried to deflect blame for the site’s meltdown on August 9.

In its first detailed response to the failure, IBM said it had plans in place for the risk of DDoS attacks, but its efforts were to no avail thanks to a failure at an upstream provider.

The Australian Bureau of Statistics (ABS) at the time said it had been forced to take the site offline on Census night following a series of DDoS attacks combined with the failure of the network geoblocking function and the collapse of a router.

The statistics body has publicly criticised IBM for failing to properly implement a geoblocking service, which would have halted the international DDoS attack targeted at the Census site.

But IBM is now laying blame squarely at the feet of its internet service provider partner NextGen and NextGen’s upstream supplier Vocus for the geoblocking bungle.

It claimed NextGen had provided “repeated” assurances – including after the day’s third DDoS attack – that a geoblocking strategy that IBM codenamed ‘Island Australia’ had been correctly put in place.

However, when the fourth and biggest DDoS attack of the day hit at around 7:30pm, IBM said it became clear that a Singapore link operated by Vocus had not been closed off, allowing the attack traffic to pass through to the Census site.

“Vocus admitted the error in a teleconference with IBM, NextGen and Telstra around 11.00 pm on 9 August 2016,” IBM said.

“Had NextGen (and through it Vocus) properly implemented Island Australia, it would have been effective to prevent this DDoS attack and the effects it had on the eCensus site. As a result, the eCensus site would not have become unavailable to the public during the peak period on 9 August 2016.”

IBM said while it accepted its responsibility as the head contractor for the eCensus, it could not have avoided using ISPs to provide links for the website.

“It is not possible for an IT services company such as IBM to implement the 2016 eCensus without engaging ISPs. It was necessary for IBM to involve the ISPs in the implementation of the geoblocking solution as they have control over their respective data networks and are in a position to block internet traffic originating from particular domains or IP addresses.”

IBM did, however, admit what many security experts speculated had occurred – that following the fourth DDoS, a system monitoring dashboard showed an apparent spike in outbound traffic, causing its staff to wrongly assume data was being exfiltrated from the website, prompting IBM to shut down the website.

The contractor also revealed that a configuration error meant a manual reboot of one of its routers – which was needed after the eCensus firewall became overloaded with traffic – took much longer to rectify than it should have, keeping the site offline for a further hour and a half.

NextGen, Vocus fight back

But Vocus said NextGen was well aware that Vocus would not provide geoblocking services, and had instead recommended its own DDoS protection.

IBM declined the offer, Vocus said. NextGen and Vocus instead agreed on remote triggered black hole (RTBH) route advertisements with international carriers.

“If Vocus DDoS protection product was left in place the eCensus website would have been appropriately shielded from DDoS attacks,” Vocus said in its submission to the inquiry.

Vocus refuted IBM’s claim that it had failed to implement geoblocking, revealing that it had not been made aware of IBM’s DDoS mitigation strategy – including ‘Island Australia’ – until after the fourth attack on August 9.

“As a result, any assumption that Vocus was required to, or had implemented Island Australia or geo-blocking including, without limitation … are inaccurate,” Vocus said.

“Once Vocus was made aware of the fourth DDoS attack, it implemented a static null route to block additional DDoS traffic at its international border routers within 15 minutes.”

Vocus also argued that the fourth DDoS was not as large as IBM claimed, comprising attack traffic that peaked at 563Mbps and lasted only 14 minutes – which it said was “not considered significant in the industry”.

“Such attacks would not usually bring down the Census website which should have had relevant preparations in place to enable it to cater for the expected traffic from users as well as high likelihood of DDoS attacks.”

NextGen, in its own submission, claimed it had “strongly recommended” to IBM that it take up a DDoS protection product like that on offer by Vocus, but the contractor declined.

The ISP said it was not made aware of details of IBM’s ‘Island Australia’ strategy until six days before the eCensus went live in late July.

At that point it told IBM that an IP address range it had provided was part of a larger aggregate network and therefore would not respond to “specific international routing restrictions” if ‘Island Australia’ was implemented.

“Nextgen recommended using an alternative IP address range, which would give IBM better control, but this was rejected by IBM,” the ISP said.

IBM instead chose to request NextGen’s upstream suppliers apply IP address blocking filters and international remote black holes for 20 host routes.

“Nextgen believes that the individual host routes picked by IBM may not be exhaustive, and DDoS attacks could come from other routes in the IP address range (which they did in the third DDoS attack on Census day),” NextGen said.

“There were a number of routes without geoblocking during the fourth DDoS attack, and which were not identified during testing, along with the [Vocus] Singapore link.”

NextGen said it again offered to implement DDoS protection, this time at its own cost, which IBM agreed to four days after the events of August 9.
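NextGen’s objection above is that a fixed list of blackholed host routes may not cover every address in an aggregate prefix, leaving paths for attack traffic. The script below is an added illustration, not code from IBM, NextGen or Vocus: it audits a set of blackhole routes against the aggregate they are meant to protect and lists the addresses that would still be reachable. The prefixes are constructed values from a documentation range, not the eCensus ranges.

```python
import ipaddress

# Constructed sample values (not the eCensus prefixes): an aggregate prefix
# announced upstream, and the host routes (/32s) requested for blackholing.
AGGREGATE = "203.0.113.0/24"
HOST_ROUTES = [f"203.0.113.{h}/32" for h in (10, 11, 12, 20, 21)]


def _net(value):
    """Accept either a prefix string or an already-parsed network object."""
    return ipaddress.ip_network(value) if isinstance(value, str) else value


def uncovered_ranges(aggregate, blackholed):
    """Return the sub-prefixes of `aggregate` that no blackholed route covers.

    Prefixes are either nested or disjoint, so each remaining block is
    split by a route inside it, dropped when a route contains it, or kept.
    """
    aggregate = _net(aggregate)
    remaining = [aggregate]
    for route in map(_net, blackholed):
        if not route.subnet_of(aggregate):
            continue  # route outside the aggregate: no effect on its coverage
        next_remaining = []
        for block in remaining:
            if route.subnet_of(block):
                # Carve the route out of the block (yields nothing if equal).
                next_remaining.extend(block.address_exclude(route))
            elif block.subnet_of(route):
                continue  # block lies entirely inside a blackholed route
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return sorted(remaining)


def uncovered_address_count(aggregate, blackholed):
    return sum(n.num_addresses for n in uncovered_ranges(aggregate, blackholed))


def is_exhaustive(aggregate, blackholed):
    """True only when the blackholed routes cover every address in the aggregate."""
    return uncovered_address_count(aggregate, blackholed) == 0


def still_reachable(address, aggregate, blackholed):
    """Would traffic to `address` (inside the aggregate) bypass the blackholes?"""
    addr = ipaddress.ip_address(address)
    gaps = uncovered_ranges(aggregate, blackholed)
    return addr in _net(aggregate) and any(addr in gap for gap in gaps)


if __name__ == "__main__":
    gaps = uncovered_ranges(AGGREGATE, HOST_ROUTES)
    print(f"{uncovered_address_count(AGGREGATE, HOST_ROUTES)} of "
          f"{_net(AGGREGATE).num_addresses} addresses in {AGGREGATE} "
          f"are not blackholed, across {len(gaps)} gaps:")
    for gap in gaps:
        print("  ", gap)
```

Announcing the whole aggregate, or a set of more-specifics that tile it, is the only input for which `is_exhaustive` returns True; a handful of host routes leaves most of the range open.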


Media vulnerable to Election Night cyber attack

A hack on the AP and its results tally could have chaos-inducing consequences.

Despite spending hundreds of millions of dollars on security upgrades, U.S. media organizations have failed to properly protect their newsrooms from cyberattacks on their websites, communications systems and even editing platforms — opening themselves up to the possibility of a chaos-creating hack around Election Day.

In just the past month, BuzzFeed has been vandalized, and both Newsweek and a leading cybersecurity blog were knocked offline after publishing articles that hackers apparently didn’t appreciate. Federal law enforcement is investigating multiple attacks on news organizations, and journalists moderating the presidential debates say they’ve even gotten briefings from the FBI on proper cyber hygiene, prompting them to go back to paper and pens for prep work.

“We do a lot of printing out,” said Michele Remillard, an executive producer at C-SPAN, the network home to the backup moderator for all the debates.

Journalists are seen as especially vulnerable soft targets for hackers. Their computers contain the kinds of notes, story ideas and high-powered contact lists coveted by foreign intelligence services. They also work in an environment that makes them ripe for attack, thanks to professional demands like the need for a constant online presence and inboxes that pop with emails from sources whom they don’t always know and which frequently contain the kinds of suspicious links and attachments that can expose their wider newsroom networks.

Senior U.S. officials, current and former lawmakers and cybersecurity pros told POLITICO the threat against the media is real — and they fret the consequences. Specifically, the security community is worried The Associated Press’ army of reporters could get hacked and the wire service — the newsroom that produces the results data on which the entire media world relies — inadvertently starts releasing manipulated election tallies or that cybercriminals penetrate CNN’s internal networks and change Wolf Blitzer’s teleprompter.

“It’s the art of possible is what really scares me,” said Tony Cole, chief technology officer of FireEye, a Silicon Valley-based cybersecurity firm that works with some of the country’s major television and newspaper companies. “Everything is hackable.”

“No site is safe,” added Tucker Carlson, editor-in-chief of The Daily Caller. “If the federal government can be hacked, and the intelligence agencies have been hacked, as they’ve been then, can any news site say we have better cybersecurity than the FBI or Google?”

The media have long been a spy’s best friend. Intelligence community sources say that foreign and U.S. agents use local newspapers to look for clues about their targets, and that strategy has only grown more sophisticated in an all-online era in which foreign intelligence is reportedly known to hover over a media company’s servers searching for any kind of heads-up on relevant stories inching closer to publication. Reporters on the campaign trail and back in their home bureaus said in interviews that they’ve become increasingly aware of their status as potential hacking victims. The spate of recent attacks — involving their sites and their competitors’ — are more than ample warning of what’s possible. Several journalists said they now use email and other communication with the expectation they’re being watched, and under the assumption that their messages can and will be hacked and shared publicly with the wider world.

“We’re a bigger target than the 7-Eleven down the street,” said Mark Leibovich, chief national correspondent for The New York Times Magazine. “Presumably, we have really good, smart IT people who know what they’re doing, who are taking all kinds of precautions, who are acutely in tune with what the risks are and what the threats are.”

There is perhaps no greater target in election journalism than the AP, the venerable wire service that will have more than 5,000 reporters, editors and researchers working across the country, tabulating results, calling races and feeding a much wider network of subscribers. Often other news outlets refer to the AP before making calls on races, and AP projections on the East Coast can have effects on West Coast voting, which closes hours later thanks to the time differences. Multiple sources in media, government and the security industry fretted about the effect if the AP were to get hit, and what that would do to their ability to get the news out.

The AP will deploy reporters across the country to send up vote tallies, usually by phone, the wire service explained to The Washington Post in May. It also has multiple checks and balances in place to monitor for errors. But as with many other news organizations contacted by POLITICO, AP spokesman Paul Colford said the wire service’s policy is to refrain from making public comments about its security measures.

“Given the extraordinary interest in the presidential election and thousands of other state and local contests, we would add that AP has been working diligently to ensure that vote counts will be gathered, vetted and delivered to our many customers on Nov. 8,” he said.

Federal and state officials stress that even a successful hack on a major news outlet around Election Day would not affect the final results, which typically take weeks to certify. The vote tallies, after all, will be available on official sites and in many instances on special social media feeds. And if a news site did get defaced with incorrect information, the results would be more like a modern-day version of the famous ‘Dewey Defeats Truman’ headline that President Harry Truman triumphantly held aloft the day after his 1948 reelection.

Still, there is a widespread recognition — from the White House down to the local precinct level — that a hack on the media could be damaging given the role it plays in getting election news out to satisfy the country’s insatiable information appetite. Misinformation circulated in the early hours of Nov. 8 about the race’s trajectory, for example, could factor into a voter’s decision to even show up during the election’s final hours, especially in Western states. There’s also concern that false media reports spread via a hacked news account could be a potential spark for violence in an already exceptionally charged atmosphere. On the flip side, there’s a recognition that the media can help build public confidence in the final results, especially following a campaign that’s been engulfed in its closing weeks by Russian-sponsored hacking of the Democratic National Committee, the hacking of Hillary Clinton’s campaign chairman’s personal emails, and Donald Trump’s unfounded charges of vote rigging.

“To the degree that foreign hackers could prevent the dissemination of good information around the election, that can be a problem,” said Rep. Adam Schiff, the top Democrat on the House Intelligence Committee. The California congressman said he frets that media outlets, like many other industries, face “massive costs” in protecting themselves against cyberattacks with “no end in sight” to the potential risks. Schiff added that he is especially concerned about smaller news organizations without major IT budgets or the backing of larger parent companies. “They’re much more vulnerable,” he said.

Cybersecurity experts say media spending to protect news organizations against cyberattack has grown substantially in the past three years, especially in the wake of North Korea’s attack on Sony Pictures in late 2014. The price tag for vulnerability audits and other techniques varies by the size of the newsroom and the surface area for potential attacks, but multiple sources said quarterly audits can easily cost $50,000 or more.

Cyber experts and media officials from newsrooms across the country said they’re prepped to deal with a range of threats to their sites, including the kinds of malware that can infect a computer network and give hackers an entry point to manipulate a home site. They’re also building backup capacity in the event of a DDoS attack, or distributed denial of service, that tries to overwhelm a website or server with fake traffic. News sites, they note, are already prepping for monster traffic around the election, which can surge as much as 30 times compared with other big events this cycle, such as a debate or primary.

At the staffing level, newsrooms have also been pushing for better cyber habits by hosting training seminars, requiring employees to take must-pass exams and requiring double-authentication before granting access to a newsroom’s internal filing system and social media accounts.

But cyber experts warn that all the preparatory work in the world can matter little for a news organization if it’s facing an attack from a more sophisticated actor.

“If all of a sudden your adversary becomes a nation-state, like Sony or the DNC with Russia, you see those kind of procedures aren’t worth a darn,” said Robert Anderson, a former senior FBI cyber official and a managing director at the Navigant consulting firm.

The press has indeed been a familiar target for hackers. In 2013, hackers hit the AP’s Twitter account and posted a false report about a bombing at the White House, sending the stock market into a five-minute spiral. In more recent incidents, a USA Today columnist wrote an article in February admitting he was hacked midair while using his commercial flight’s WiFi, and the New York Times reported in August that its Moscow bureau was targeted by what were believed to be Russian hackers.

Newsweek blamed hackers for a DDoS attack that took down its site last month soon after it published an article about Trump’s company allegedly violating the U.S. embargo against Cuba through secret business dealings in the 1990s. And BuzzFeed had several articles on its site altered earlier this month after it ran a story identifying a person allegedly involved in the hacking of tech CEOs and celebrities.

“I’m sure that lots of newsrooms are having this conversation right now, particularly as we get closer to the election and people have a lot more to lose when things don’t go their way,” said Brian Krebs, the cybersecurity blogger and former Washington Post reporter whose site went down last month after a major DDoS attack that he says was spawned by his reporting about the arrest of two Israeli hackers.

With the threat of hackings against the media reaching such a heightened pace, many election observers urged both reporters and the reading public to take a deep breath as the results start coming in.

“If Twitter is reporting that Jill Stein wins South Carolina, that should probably give you pause,” said David Becker, executive director of the Center for Election Innovation and Research.
