Lawmakers want to know when Ajit Pai knew FCC’s cyberattack claim was false

Democratic lawmakers want to know why the agency didn’t inform consumers of the falsity of its claim sooner

A group of House Democrats wants to know when FCC Chairman Ajit Pai knew that the agency’s claims of a DDoS attack were false.

Last week, the FCC’s Office of Inspector General released a report that found no evidence to support the claims of DDoS attacks in May of 2017.

The agency had previously blamed multiple DDoS attacks for temporarily taking down a comment section of its website following a segment of Last Week Tonight, in which comedian John Oliver asked viewers to submit comments to the FCC and speak out in support of net neutrality.

However, viewers were unable to voice their opinion on the proposed rollback of net neutrality because the comment submission section wasn’t available at the time.

Now that it has come to light that the agency’s claims of a DDoS attack were false, a handful of Democratic lawmakers want to know when Pai became aware that there was no DDoS attack and why the agency didn’t correct its public statements alleging a DDoS attack before now.

Misrepresented facts

“We want to know when you and your staff first learned that the information the Commission shared about the alleged cyberattack was false,” Democratic lawmakers wrote in a letter to Pai.

“It is troubling that you allowed the public myth created by the FCC to persist and your misrepresentations to remain uncorrected for over a year,” they wrote. The letter was signed by Representatives Frank Pallone Jr. (NJ), Mike Doyle (PA), Jerry McNerney (CA) and Debbie Dingell (MI).

The results of the investigation concluded that FCC officials deliberately misrepresented facts in responses to Congressional inquiries.

“Given the significant media, public and Congressional attention this alleged cyberattack received for over a year, it is hard to believe that the release of the IG’s report was the first time that you and your staff realized that no cyberattack occurred,” wrote the lawmakers.

“Such ignorance would signify a dereliction of your duty as the head of the FCC, particularly due to the severity of the allegations and the blatant lack of evidence.”

The Democratic lawmakers have asked Pai for complete written responses to their questions by August 28. Pai is also scheduled to appear before a Senate Commerce, Science and Transportation Committee oversight hearing on Thursday where he is expected to face questions about the results of the investigation.

Source: https://www.consumeraffairs.com/news/lawmakers-want-to-know-when-ajit-pai-knew-fccs-cyberattack-claim-was-false-081518.html

DDoS attackers increasingly strike outside of normal business hours

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors.

DDoS attacks outside business hours

While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks per day.

While the number of attacks decreased overall – possibly as a result of the DDoS-as-a-service website Webstresser being closed down following an international police operation – both the scale and complexity of the attacks increased. Link11’s Security Operation Center (LSOC) registered a 50% increase in hyper-scale attacks (80 Gbps+). The most complex attack seen used 13 vectors in total.

Link11’s Q2 DDoS Report revealed that threat actors targeted organisations most frequently between 4pm CET and midnight Saturday through to Monday, with businesses in the e-commerce, gaming, IT hosting, finance, and entertainment/media sectors being the most affected.

The report reveals that high-volume attacks were ramped up via Memcached reflection, SSDP reflection and CLDAP reflection, with the peak attack bandwidth recorded at 156 Gbps. Other key findings from the Q2 report include:

  • The total duration of attacks during the quarter was 1,221 hours
  • 17% of attacks used two vectors, while 16% used three
  • The most frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%)
  • Memcached was the most used reflection amplification technique, with 773 attacks observed using this technique, highlighting that Memcached is still an issue. The SSDP reflection technique generated the greatest proportion of DDoS packets.
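The reflection vectors named above leave a recognisable signature in flow telemetry: replies arriving from a reflector’s well-known UDP port (11211 for Memcached, 1900 for SSDP, 389 for CLDAP) towards a host that never sent a request, in volumes no legitimate client would produce. The following Python script is an added example, not code from Link11 or from the report; the flow records are constructed, and the reflector port list and packet threshold are assumptions a real deployment would tune.

```python
"""Classify DDoS vectors in flow records by reflector port (added example)."""
from collections import Counter, defaultdict

# Well-known UDP services abused as reflectors. Memcached, SSDP and CLDAP are
# the three vectors the Link11 report names; DNS and NTP are added because
# they are common in the wild. Assumed list: tune it for your environment.
REFLECTOR_PORTS = {
    11211: "memcached",
    1900: "ssdp",
    389: "cldap",
    53: "dns",
    123: "ntp",
}

# Constructed flow records, not captured data. Each tuple is one aggregated
# flow: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
SAMPLE_FLOWS = [
    # Memcached reflection: replies from port 11211, ~1,400 bytes per packet
    ("198.51.100.7", 11211, "203.0.113.10", 40001, "udp", 900, 1260000),
    ("198.51.100.8", 11211, "203.0.113.10", 40002, "udp", 880, 1232000),
    # SSDP reflection: many ~300-byte replies from port 1900
    ("192.0.2.21", 1900, "203.0.113.10", 50001, "udp", 5000, 1500000),
    # Plain UDP flood from a random high port, no reflector signature
    ("192.0.2.99", 41234, "203.0.113.10", 80, "udp", 20000, 1200000),
    # Ordinary HTTPS session to another host: must not be counted
    ("192.0.2.50", 51234, "203.0.113.20", 443, "tcp", 40, 6000),
    # A single legitimate DNS reply: far below the packet threshold
    ("192.0.2.53", 53, "203.0.113.10", 40003, "udp", 2, 300),
]


def classify_flow(flow, min_packets=100):
    """Return the DDoS vector a flow belongs to, or None for benign traffic."""
    _src_ip, src_port, _dst_ip, _dst_port, proto, packets, _nbytes = flow
    if proto != "udp" or packets < min_packets:
        return None  # small or TCP flows are out of scope for this detector
    if src_port in REFLECTOR_PORTS:
        # Unsolicited replies *from* a reflector port are the signature of a
        # spoofed-source amplification attack: the victim never asked.
        return REFLECTOR_PORTS[src_port] + "_reflection"
    return "udp_flood"


def summarize(flows, min_packets=100):
    """Aggregate vectors per destination so multi-vector attacks stand out."""
    per_victim = defaultdict(
        lambda: {"vectors": Counter(), "packets": 0, "bytes": 0}
    )
    for flow in flows:
        vector = classify_flow(flow, min_packets)
        if vector is None:
            continue
        entry = per_victim[flow[2]]
        entry["vectors"][vector] += 1  # number of flows per vector
        entry["packets"] += flow[5]
        entry["bytes"] += flow[6]
    for entry in per_victim.values():
        entry["multi_vector"] = len(entry["vectors"]) >= 2
        entry["avg_bytes_per_packet"] = entry["bytes"] // entry["packets"]
    return dict(per_victim)


def bandwidth_gbps(nbytes, window_seconds):
    """Convert a byte count seen over a sampling window into Gbit/s."""
    return nbytes * 8 / window_seconds / 1e9


if __name__ == "__main__":
    for victim, entry in summarize(SAMPLE_FLOWS).items():
        print(victim, dict(entry["vectors"]), "multi-vector:", entry["multi_vector"])
```

On the constructed sample the victim 203.0.113.10 comes out as a three-vector attack (two Memcached flows, one SSDP, one plain UDP flood) while the HTTPS session and the lone DNS reply are ignored. Flow exporters aggregate over a fixed window, so `bandwidth_gbps` is what turns the byte counts into the Gbps figures the report quotes.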

“Attacks in Q2 2018 continued to grow in scale and complexity. Nearly half of attacks were multi-vector, making them harder to defend against, and with the rapid growth in ‘hyper attacks’ with volumes of over 80 Gbps, we must now consider these large, complex attacks to be the new normal,” said Aatish Pattni, Regional Director UK & Ireland for Link11.

“It’s only a matter of time until a new DDoS-for-hire service emerges to replace Webstresser, so attacks will inevitably increase over the coming months. Given the scale of the threat that organizations are facing, and the fact that the attacks are deliberately aimed at causing maximum disruption, it’s clear that businesses need to deploy advanced techniques to protect themselves against DDoS exploits,” added Pattni.

Source: https://www.helpnetsecurity.com/2018/08/15/ddos-attacks-outside-business-hours/

The complete guide to understanding web applications security

Modern businesses use web applications every day for everything from interacting and engaging with customers to supporting sales and operations.

As a result, web applications are rich with data and critical to the functioning of the company – which means, special precautions must be taken in order to protect them from hackers.

However, not all organizations or their applications are subject to the same level of threats and attacks. In an exclusive interview with Gartner’s Research Director Dale Gardner, Tech Wire Asia learns how businesses can best protect their web applications.

Gartner splits attacks on web and mobile applications and web APIs into four categories:

# 1 | Denial of service (DoS) 

DoS is a specific subtype of abuse where the attacker’s goal is to disrupt the availability of the web application or service.

In particular, this attack type covers volumetric attacks, which exhaust network capacity, and so-called “low and slow” attacks, which exhaust application or service resources.

# 2 | Exploits 

Exploits take advantage of design, code or configuration issues that cause unintended behaviour of the application.

Some common examples include SQL Injection (SQLi), cross-site scripting (XSS), buffer overflows, and various Secure Sockets Layer (SSL) and Transport Layer Security (TLS) manipulation attacks.

# 3 | Abuse 

Abuse covers many non-exploit types of attack that primarily take advantage of business logic. This includes scraping, aggregating, account brute-forcing, scalping, spamming and other — often automated — scenarios.

# 4 | Access

Access violations occur when an attacker or legitimate user takes advantage of weaknesses in the authentication (AuthN) or authorization (AuthZ) policies of a web application or service.

Of the four categories, Gardner says only exploits can be potentially addressed with secure coding and configuration. The others require design-level considerations that cannot be reasonably compensated for in code.

For example, although it is arguably possible to defend against account takeovers in individual application code, it is far more economical and less error-prone to do so in the identity and access management (IAM) system or another external capability.

In an ideal world, the highest level of protection would be available at all times or as needed, but this isn’t feasible due to complexity and cost factors.

And continuously providing the highest level of protection to all web assets can be an expensive proposition, both from economic and operational perspectives.

Securing web applications and web APIs from attacks and abuse requires businesses to assess what level of protection is necessary.

“Security teams must first pick a protection baseline. Then they must decide what extra protections are necessary to apply to specific assets,” recommends Gardner.

When thinking of protecting web applications, security teams often first look to existing network technologies, such as next-generation firewall (NGFW) platforms and intrusion detection and prevention systems (IDPSs).

But these do not provide strong-enough capabilities in any of the protection areas, warns Gardner.

They are not easily integrated to intercept TLS and do not have the same signatures, rules, behavioral analysis and business logic insight as security solutions that focus on web applications and APIs.

Organizations often first look at a “completely automated public Turing test to tell computers and humans apart” (CAPTCHA) when they suffer from abuse of functionality.

But an always-on CAPTCHA creates user-experience hurdles for legitimate users, and it is also no guarantee to keep the abuser out (attackers keep finding ways to circumvent or solve many CAPTCHAs).

Multifactor authentication (MFA) and out of band (OOB) challenges are often used to enable strong access control, as well as to try to thwart abuse. Unfortunately, they suffer from similar issues as CAPTCHA, and in addition are often complex and expensive to implement.

Currently, no single security platform or solution implements the highest possible level of protection in each of the exploit, abuse of functionality, access violation and DoS mitigation categories.

Some organizations will still be able to start with a single solution to address the biggest potential risks. But they often find themselves needing greater security capabilities over time due to changes in threats and the application landscape.

Web application firewalls (WAFs) are broadly deployed, but buyers routinely express disappointment and frustration over factors such as accuracy, the ability to prevent attacks, the administrative overhead required to maintain attack detection profiles and price.

Incumbent vendors have begun addressing emerging requirements, but many products still lag.

The market for solutions to protect web applications will continue to grow, but given buyer dissatisfaction, vendors with innovative approaches and new product packaging will capture the bulk of new spending.

Buyers are shifting to service-based offerings, and demand for infrastructure as a service (IaaS) deployable products is growing. These shifts pose risks, especially to incumbents, but also present opportunities for new offerings and greater growth.

Gartner believes that by 2020, stand-alone WAF hardware appliances will represent less than 20 percent of new WAF deployments, down from 40 percent today.

By 2020, more than 50 percent of public-facing web applications will be protected by cloud-based WAAP services that combine content delivery networks, DDoS protection, bot mitigation and WAFs, which is an increase from fewer than 20 percent today.

Web applications, mobile applications, and web APIs are subject to increased numbers and complexity of attacks.

Gardner, who will be speaking at the Gartner Security & Risk Management Summit in Sydney later this month explains what organizations must keep in mind when planning and implementing solutions:

  • Public, limited-access external, and internal applications require different levels of security.
  • No one capability covers all types of attack.
  • No two capabilities have interchangeable protection efficacy.
  • Some of the capabilities have strong overlaps in addressing specific attack subcategories.
  • Enforcement of policy may be centralized or distributed (for example, use of micro-gateways).

“As a result, a mix of capabilities, though not necessarily separate products, have to be put in place as a layered approach,” concludes Gardner.

Considering the range of exploits and abuse that can occur with web and mobile applications and web APIs, technical professionals must leverage a mix of externalized security controls to deliver appropriate protection and alleviate burdens to development staff.

Source: https://techwireasia.com/2018/08/the-complete-guide-to-understanding-web-applications-security/

DDoS Attacks Target Partypoker, PokerStars

Major online poker sites partypoker and PokerStars have been disrupted in recent days by apparent DDoS attacks, launched by party or parties unknown at present.

Two of the world’s largest online poker sites, partypoker and PokerStars, have endured periods of downtime and forced cancellations of tournaments in recent days after being targeted by confirmed or suspected DDoS (distributed denial of service) attacks. Both of the attack waves targeted the sites’ global “dot-com” gaming offerings, rather than being launched against their firewalled, single-jurisdiction offerings.

The attacks targeting partypoker began on August 9 and continued into August 11 or 12, with each attack wave consisting of a massive flood of data requests targeting its gaming servers. Partypoker confirmed the DDoS nature of the attacks late on August 9 and updated its customers via social media about the recurring waves and the ongoing mitigation efforts. Partypoker also released a formal statement about the attacks, the cancellation of tournaments, and an ongoing refund process for affected players.

That statement, issued as a formal apology for the unexpected downtime, expressed frustration about the nature of the DDoS attacks, without speculation as to the motive behind them. Tom Waters, partypoker managing director said: “The unfortunate events…were understandably frustrating for our players. After consideration, the decision was taken to pause and then subsequently cancel all affected tournaments.

“Our team worked hard to try to resolve the key issues. As poker players ourselves, we fully understand how frustrating it can be when an online poker room suffers technical issues, and we fully appreciate the considerable patience and understanding shown by our players in light of these difficulties.”

Additional commentary from partypoker

Partypoker received widespread praise from both its players and industry onlookers for its rapid response to the attacks, even as those attacks continued. VegasSlotsOnline received an additional statement from Colette Stewart, partypoker player rep and social specialist, who said: “The recent DDoS attacks were very unfortunate; however, we feel the team have done their very best to communicate and respond to as many of our players as possible during this very frustrating time. We greatly value our relationship with the player community and feel it is vital to be as open and transparent with our players as possible during such issues and, most importantly, ensure that we are available for player feedback and communication.

“In refunding affected players, we have ensured that every single cent collected in buy-ins, bounties, and fees has been refunded to players in addition to honoring the guarantees of tournaments that didn’t make the required entries due to the issues faced.

“All refunds have now been issued and, of course, should players wish to follow up in more detail or ask more questions about their specific refund, they should contact our 24/7 customer service line. The nature of ensuring the refunds were correct led to a delay that we simply hadn’t anticipated. We are sorry that it took us until Sunday to complete the process; however, we refunded players based on their chip stacks at the time that the disruption began and the data evaluation process was complex and took some time to complete.

“Finally, we are all poker players ourselves and fully appreciate the patience and loyalty of our players.”

PokerStars becomes the latest target

About the time the wave of attacks against partypoker ceased, a new wave of apparent DDoS attacks began targeting PokerStars. That attack wave started on August 12; Stars has not confirmed that these were explicitly DDoS attacks, but the recurring and intermittent nature of the “technical issues,” including forced disconnections affecting legitimate players, bears all the hallmarks of another DDoS attack.

Like partypoker and a third, smaller network (the Winning Poker Network) that also suffered several waves of DDoS attacks earlier in August, PokerStars has attempted to keep its players informed on the situation via social media.

“Apologies to all our players for the recent issues on PokerStars,” reads one of the site’s official Twitter posts, after nearly two days of the “technical issues.” “The players affected by this morning’s issues have already been credited & we aim to refund players affected by yesterday’s problems, with their equity at the time of disconnection, within 72 hours.”

Extortion central to most DDoS attacks

Modern DDoS attacks typically employ tens or hundreds of thousands of “zombie” computers — malware-infected devices scattered around the globe — that are commanded in harmony to send data requests to the targeted site to slow traffic to a crawl and make it useless for gambling-business activities. The “DDoS” moniker is commonly used to label several different forms of traffic-based online attacks designed to cripple the target site’s activity.

DDoS attacks have been an intermittent but occasionally recurring threat that has existed since online gambling’s earliest days. Similar attacks have targeted other forms of online commerce as well. Extortion, in the form of a promise to halt the attacks when the target pays a ransom to the attacker or attackers, is the most common motive behind the attacks.

One twist frequently seen in recent years is a demand by the blackmailers that payments be made in hard-to-trace cryptocurrencies such as Bitcoin. Whether a site victimized by an attack has made such a payment is virtually never disclosed in public, especially by publicly-traded firms. Most websites and networks impacted by such attacks incur heavy losses due to downtime and increased customer-service cost, but would rather incur that form of operating expense rather than give in to any kind of blackmail.

Source: http://www.vegasslotsonline.com/news/2018/08/14/ddos-attacks-target-partypoker-pokerstars/

Black Hat 2018: IoT Security Issues Will Lead to Legal ‘Feeding Frenzy’

A “wave of litigation over IoT liability is on the horizon,” according to an attorney who has represented plaintiffs in the 2015 Jeep hack.

LAS VEGAS – The troves of insecure internet of things (IoT) devices have not yet led to widespread legal implications. But that’s set to change, a well-known attorney warned at Black Hat USA last week.

Ijay Palansky, partner at the law firm Armstrong Teasdale, said at the conference last week that IoT-related security issues have been challenging from a lawsuit perspective; despite high-profile headlines, there haven’t been that many IoT hacks, and there’s a lack of understanding of the technology and how the law applies to it, said Palansky.

However, he said that this is on the verge of changing.

“There will be more hacks,” he said from the stage during a session at the show. “The plaintiff’s bar has been salivating over [IoT] – it’s going to be a feeding frenzy.”

Palansky said that the IoT market is set to explode – particularly in the smart-home market, with consumer IoT spending set to reach $62 billion in 2018, making it the fourth-largest industry segment, according to market research firm IDC. Many of these devices are built with little to no security in mind: “Everyone’s been trying to get the latest and greatest device out – but haven’t been accurately valuing defense, and underinvesting in it,” said Palansky. “So the product won’t reach the right level of cybersecurity.”

IoT security reached its first big breaking point in 2016 during the Mirai botnet attack, which was orchestrated as a distributed denial of service (DDoS) attack through 300,000 vulnerable connected devices, like webcams, routers and video recorders. The DDoS attack brought down the DNS giant Dyn, along with a number of large web services, like CNN, the Guardian, Netflix, Reddit,  Twitter and many others.

However, there are several other threats that insecure IoT devices pose beyond DDoS attacks, stressed Palansky – from privacy issues in connected consumer devices all the way up to dangerous industrial IoT system hacks.

Even the 2016 DDoS attack, which led to an outcry for more regulations around IoT security, has ultimately not yet led to any widespread changes: “Statutes and regulations are an important piece of the puzzle for IoT security – but it’s going to be hard,” stressed Palansky.

Many experts in the legal space are not pursuing IoT security issues due to an array of challenges, said Palansky.

He added that he represented plaintiffs and class members who alleged in a 2015 Jeep hacking class-action lawsuit that the 3G “infotainment” system in those cars was vulnerable to hacking. Security researchers Charlie Miller and Chris Valasek demonstrated that they could wirelessly break into a Jeep Cherokee and take control of the entertainment system, windshield wipers, and accelerator. A year later, they found yet more flaws.

However, the Jeep hack is one of the few IoT-related attacks that has garnered legal attention. Another incident, in 2012, involved the hack of TrendNet webcams, where hackers posted live feeds from 700 webcams. In 2013, the FTC reached a settlement with TrendNet barring the company from misrepresenting its software as “secure” and requiring it to obtain an independent assessment of its security programs once a year for 20 years.

Beyond these incidents, there is really no precedent for the legal implications of insecure IoT devices that are attacked, or for how security is enforced, said Palansky.

Another issue revolves around the interconnectedness of the supply ecosystem behind IoT systems, he said. IoT is difficult because partnerships are not merely useful but required, for everything from connected cars to smart thermostats.

Beyond the technology, security liability is complex even at a business-model level – an IoT implementation can involve different manufacturers, as well as OEMs or commercial buyers, plus of course end users.

“The ecosystem on the supply side is so interconnected that it creates risks and a lack of responsibility,” said Palansky. “Vendors will end up pointing fingers at each other when it comes to security.”

And on the other side of the coin, security experts working on IoT products should be “guided by an understanding of liability risk,” he said.

Despite these challenges, a “wave of litigation over IoT liability is on the horizon,” said Palansky – and this could be dire for IoT manufacturers who aren’t properly prepared.

There are many ways that liability could attach to insecure IoT systems and devices: “IoT products have certain characteristics – they have a wide variety of code that is often proprietary and makes detection and patching of code more difficult,” he said. “There are so many devices and configurations and many ways these products can cause harm.”

For instance, possible claims against IoT devices include strict product liability (in the case of a design defect) or negligence. The damages, which vary by legal claim, include compensation for anyone injured by the product (including bystanders), property damage, cost of repair or diminished value of the product.

Moving forward, Palansky stressed that for IoT manufacturers and those involved in IoT product design and engineering, decisions about the right level of security should be informed by considerations of potential liability.

“Companies need to be paranoid and allocate risk,” he said. “There needs to be a clear process involving hazard identification, design response, risk assessment and testing… that goes a long way to minimizing liability risk.”

Source: https://threatpost.com/black-hat-2018-iot-security-issues-will-lead-to-legal-feeding-frenzy/134997/

How to Improve Website Resilience for DDoS Attacks – Part II – Caching

In the first post of this series, we talked about the practices that will optimize your site and increase your website’s resilience to DDoS attacks. Today, we are going to focus on caching best practices that can reduce the chances of a DDoS attack bringing down your site.

Website caching is a technique to store content in a ready-to-go state so that it can be served with little or no code processing. When a CDN is in place, the cache stores the content on a server located closer to the visitor. It’s basically a point-in-time photograph of the content.

Caching

When a website is accessed, the server usually needs to run the application code, render the end result for the visitor, and deliver all of the website’s assets. This all takes a toll on your server resources, slowing down the total page load time. To avoid this overhead, it’s necessary to leverage certain types of caching whenever possible.

Caching will not only improve load-time indicators, such as time to first byte (TTFB); it also saves your server resources.

Types of Caching

There are all sorts of caching types and strategies, but we won’t cover them all. In this article, we’ll approach three that we see most in practice.

Static Files

The first type is the simplest one, called static files caching.

Images, videos, CSS, JavaScript, and fonts should always be served from a content delivery network (CDN). These network providers operate thousands of servers, spread out across global data centers. This means they can deliver more data much faster than your server ever could on its own.

When using a CDN, the chances of your server suffering from bandwidth exhaustion attacks are minimal.

Your website will also be much faster given the fact that a large portion of website content is composed of static files, and they would be served by the CDN.

Page Caching

This is definitely the most powerful type of cache. The page caching will convert your dynamic website into HTML pages when possible, making the website a lot faster and decreasing the server resource usage.

A while ago, I wrote an article about Testing the Impacts of Website Caching Tools.

In that article, with the help of a simple caching plugin, the web server was able to provide 4 times more requests using ¼ of the server resources when compared to the test without the caching plugin.
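Two details decide whether a page cache actually absorbs an attack rather than just speeding up the happy path. First, the cache key must ignore query parameters the application does not use: otherwise a botnet that appends a random `?cb=...` to every request turns each one into a cache miss that reaches the origin. Second, the cache should keep serving an expired copy of a public page while the origin is struggling, instead of passing the failure through. The following Python class is an added example, not code from the original post or from any caching plugin; the origin function, the allowed parameter list and the TTLs are assumptions, and the traffic is constructed.

```python
"""A minimal page cache with key normalization and stale-on-error (added example)."""
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit

# Query parameters the application really consumes. Anything else (utm_*,
# random cache-busters) is dropped from the key. Assumed list.
ALLOWED_QUERY_PARAMS = {"page", "lang"}


def cache_key(url):
    """Normalize a request URL so equivalent requests share one cache entry."""
    parts = urlsplit(url)
    params = sorted(
        (k, v) for k, v in parse_qsl(parts.query) if k in ALLOWED_QUERY_PARAMS
    )
    return parts.path + ("?" + urlencode(params) if params else "")


def is_cacheable(response):
    """Only public, cookie-free 200 responses may be shared between visitors."""
    headers = response["headers"]
    control = headers.get("Cache-Control", "").lower()
    if "private" in control or "no-store" in control:
        return False
    if "Set-Cookie" in headers:
        return False  # per-user page; caching it would serve one user's data to others
    return response["status"] == 200


class OriginOverloaded(Exception):
    """Raised by the stand-in origin when it cannot answer."""


class FakeClock:
    """Deterministic clock so the example behaves the same on every run."""

    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PageCache:
    def __init__(self, origin, ttl=60, stale_ttl=600, clock=None):
        self.origin = origin
        self.ttl = ttl              # how long an entry is served as fresh
        self.stale_ttl = stale_ttl  # how long an expired entry may be served if the origin fails
        self.clock = clock or FakeClock()
        self.store = {}             # key -> (stored_at, response)

    def fetch(self, url):
        """Return (response, status); status is HIT, MISS, BYPASS, STALE or ERROR."""
        key = cache_key(url)
        now = self.clock()
        entry = self.store.get(key)
        if entry and now - entry[0] < self.ttl:
            return entry[1], "HIT"
        try:
            response = self.origin(url)
        except OriginOverloaded:
            if entry and now - entry[0] < self.stale_ttl:
                return entry[1], "STALE"  # degrade gracefully instead of failing
            return {"status": 503, "headers": {}, "body": ""}, "ERROR"
        if is_cacheable(response):
            self.store[key] = (now, response)
            return response, "MISS"
        return response, "BYPASS"


def make_origin():
    """Constructed stand-in for the application server; counts its own calls."""
    state = {"calls": 0, "down": False}

    def origin(url):
        state["calls"] += 1
        if state["down"]:
            raise OriginOverloaded(url)
        if urlsplit(url).path == "/account":
            return {"status": 200,
                    "headers": {"Set-Cookie": "session=abc", "Cache-Control": "private"},
                    "body": "your account"}
        return {"status": 200,
                "headers": {"Cache-Control": "public, max-age=60"},
                "body": "front page"}

    return origin, state


def demo():
    """Run the three scenarios and report what reached the origin."""
    clock = FakeClock()
    origin, state = make_origin()
    cache = PageCache(origin, ttl=60, stale_ttl=600, clock=clock)

    # 1. A burst of 1,000 requests, each with a different cache-busting query string.
    burst = Counter()
    for i in range(1000):
        _, status = cache.fetch(f"/?cb={i}&utm_source=botnet")
        burst[status] += 1

    # 2. A per-user page is fetched but never stored.
    _, account_status = cache.fetch("/account")

    # 3. The origin falls over; the expired front page is still served.
    state["down"] = True
    clock.advance(120)  # past ttl (60 s) but inside stale_ttl (600 s)
    _, stale_status = cache.fetch("/")

    return {"burst": dict(burst), "account": account_status,
            "stale": stale_status, "origin_calls": state["calls"]}


if __name__ == "__main__":
    print(demo())
```

With the key normalized, the thousand cache-busting requests cost the origin exactly one hit; without it, every one of them would have gone through. In production the same two behaviours come from the CDN or reverse proxy in front of the site; nginx, for example, exposes them as `proxy_cache_key` and `proxy_cache_use_stale`.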

However, as you may know, not every page is “cacheable”. This leads us to the next type…

In-Memory Caching

By using a software such as Redis or Memcached, your website will be able to retrieve part of your database information straight from the server memory.

Using in-memory caching avoids repeating expensive SQL queries, which improves response time. It also decreases the volume of read and write operations on the web server disk.

All kinds of websites should be able to leverage in-memory caching, but not every hosting provider supports it. Make sure your hosting does before trying to use such technology.

Conclusion

We highly recommend using caching wisely in order to spare your server bandwidth and to make your website work faster and better.

Our Website Application Firewall (WAF) provides a variety of caching options that can suit your website needs. It also works as a CDN, improving your website performance. Not only do we protect your website from DDoS attacks, but we also make it up to 90% faster with our WAF.

We are still planning to cover other best practices about how to improve website resilience for DDoS attacks in other posts. Subscribe to our email feed and don’t miss our educational content based on research from our website security team.

Source: https://securityboulevard.com/2018/08/how-to-improve-website-resilience-for-ddos-attacks-part-ii-caching/

Even ‘Regular Cybercriminals’ Are After ICS Networks

A Cybereason honeypot project shows that ordinary cybercriminals are also targeting weakly secured environments.

Contrary to what some might perceive, state-backed groups and advanced persistent threat (APT) actors are not the only adversaries targeting industrial control system (ICS) environments.

A recent honeypot project conducted by security firm Cybereason suggests that ICS operators need to be just as concerned about ordinary, moderately skilled cybercriminals looking to take advantage of weakly secured environments as well.

“The biggest takeaway is that the threat landscape extends beyond well-resourced nation-state actors to criminals that are more mistake-prone and looking to disrupt networks for a payday,” says Ross Rustici, senior director of intelligence services at Cybereason. “The project shows that regular cybercriminals are interested in critical infrastructure, [too].”

Cybereason’s honeypot emulated the power transmission substation of a major electricity provider. The environment consisted of an IT side, an operational technology (OT) component, and human-machine interface (HMI) management systems. As is customary in such environments, the IT and OT networks in Cybereason’s honeypot were segmented and equipped with security controls that are commonly used by ICS operators.

To lure potential attackers to its honeypot, Cybereason used bait such as Internet-connected servers with weak passwords and remote access services such as RDP and SSH enabled. But the security firm did not do anything else besides that to promote the honeypot.

Even so, just two days after the honeypot was launched a threat actor broke into it and installed a toolset designed to allow an attacker and a victim to use the same access credentials to log into a machine via Remote Desktop Protocol (RDP). The toolset, commonly found on compromised systems advertised on xDedic, a Russian-language cybercrime market, suggested that the threat actor planned to sell access to Cybereason’s honeypot to others.

The threat actor also created additional user accounts on the honeypot in another indication that the servers were being prepared for sale to other criminals. “The backdoors would allow the asset’s new owner to access the honeypot even if the administrator passwords were changed,” Cybereason said in a blog describing the results of its honeypot project.

Cybereason deliberately set up the honeypot with relatively weak controls so it would take little for the attacker to break into it by brute-forcing the RDP, Rustici says. The skill level to prepare the server for sale was also fairly rudimentary and could have been accomplished by a high-level script kiddie.

Slightly more than a week after the initial break-in, Cybereason researchers observed another threat actor connecting to the honeypot via one of the backdoor user accounts. This attacker was focused solely on gaining access to the OT environment: its scanning and lateral movement within the honeypot were directed at finding a way into the HMI and OT environments.
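The chain Cybereason describes, a brute-forced RDP logon followed by backdoor accounts, leaves a recognisable trail in the Windows Security log: repeated 4625 failures from one source address, a 4624 success from that same source, then 4720 (user account created) and 4732 (member added to a local group) performed by the session that just logged in. The following Python script is an added example and not Cybereason’s code; the events are constructed with simplified field names, and the thresholds and window sizes are assumptions.

```python
"""Detect RDP brute force followed by backdoor account creation (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
USER_CREATED = 4720
GROUP_MEMBER_ADDED = 4732
# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP attempts are logged as type 3 (network) instead, so the
# failure rule accepts both while the success rule insists on type 10.
FAILED_RDP_TYPES = {3, 10}
SUCCESS_RDP_TYPE = 10

# Constructed events with simplified field names (real logs use
# SubjectUserName, TargetUserName, IpAddress, LogonType, ...).
SAMPLE_EVENTS = [
    # eight failures in 35 seconds from an external host, then a success
    *[{"id": FAILED_LOGON, "time": f"2018-08-14T02:10:{5 * i:02d}",
       "src_ip": "198.51.100.23", "user": "administrator", "logon_type": 3}
      for i in range(8)],
    {"id": SUCCESS_LOGON, "time": "2018-08-14T02:10:41",
     "src_ip": "198.51.100.23", "user": "administrator", "logon_type": 10},
    # the new session creates an extra account and makes it an administrator
    {"id": USER_CREATED, "time": "2018-08-14T02:12:03",
     "subject": "administrator", "target": "support2"},
    {"id": GROUP_MEMBER_ADDED, "time": "2018-08-14T02:12:10",
     "subject": "administrator", "target": "support2", "group": "Administrators"},
    # benign: one mistyped password from the internal jump host, then a logon
    {"id": FAILED_LOGON, "time": "2018-08-14T09:01:00",
     "src_ip": "10.0.0.5", "user": "jsmith", "logon_type": 10},
    {"id": SUCCESS_LOGON, "time": "2018-08-14T09:01:20",
     "src_ip": "10.0.0.5", "user": "jsmith", "logon_type": 10},
    # benign: helpdesk creates an account with no brute force behind it
    {"id": USER_CREATED, "time": "2018-08-14T10:30:00",
     "subject": "helpdesk", "target": "intern"},
]


def ts(event):
    return datetime.fromisoformat(event["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed RDP logons inside `window` that then succeed."""
    failures = defaultdict(list)  # src_ip -> failure timestamps
    findings = []
    for ev in sorted(events, key=ts):
        if ev["id"] == FAILED_LOGON and ev.get("logon_type") in FAILED_RDP_TYPES:
            failures[ev["src_ip"]].append(ts(ev))
        elif ev["id"] == SUCCESS_LOGON and ev.get("logon_type") == SUCCESS_RDP_TYPE:
            recent = [t for t in failures[ev["src_ip"]] if ts(ev) - t <= window]
            if len(recent) >= threshold:
                findings.append({"src_ip": ev["src_ip"], "user": ev["user"],
                                 "failures": len(recent), "time": ev["time"]})
    return findings


def detect_backdoor_accounts(events, bruteforce_findings, window=timedelta(hours=1)):
    """Accounts created by a user whose RDP logon followed a brute force, with group adds."""
    compromised = [(f["user"], datetime.fromisoformat(f["time"]))
                   for f in bruteforce_findings]
    created = {}  # new account name -> finding
    for ev in sorted(events, key=ts):
        if ev["id"] == USER_CREATED:
            if any(ev["subject"] == user and timedelta(0) <= ts(ev) - when <= window
                   for user, when in compromised):
                created[ev["target"]] = {"account": ev["target"],
                                         "created_by": ev["subject"],
                                         "time": ev["time"], "groups": []}
        elif ev["id"] == GROUP_MEMBER_ADDED and ev.get("target") in created:
            # membership in Administrators or Remote Desktop Users is what
            # keeps the backdoor usable after the original password changes
            created[ev["target"]]["groups"].append(ev["group"])
    return list(created.values())


def analyze(events):
    bruteforce = detect_bruteforce(events)
    return {"bruteforce": bruteforce,
            "backdoor_accounts": detect_backdoor_accounts(events, bruteforce)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(name, hits)
```

On the constructed log the external source is flagged with eight failures before its success, and the `support2` account it then created (and promoted to Administrators) is reported as a backdoor, while the jump-host typo and the helpdesk-created account are left alone. Correlating the account creation with the preceding brute force is what separates this from a plain "new local admin" alert, which fires on every legitimate onboarding.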

The threat actor showed no interest in activities such as using the honeypot for cryptomining, launching DDoS attacks, or any of the other activities typically associated with people who buy and sell access to compromised networks.

The adversary’s movements in the honeypot suggested a high degree of familiarity with ICS networks and the security controls in them, Cybereason said. At the same time, the attackers, unlike more sophisticated adversaries, also raised several red flags that suggested a certain level of amateurishness on their part.

“The way they operated makes us think this group was a mid- to high-level cybercrime group,” Rustici says. “Based on their capabilities, it is likely they were either trophy hunting to improve their reputation or looking for a ransom payday.”

The data from the honeypot project shows attackers have a new way of sourcing ICS assets, Cybereason noted. Rather than select, target, and attack a victim on their own, adversaries can simply buy access to an already compromised network.

Source: https://www.darkreading.com/vulnerabilities—threats/even-regular-cybercriminals-are-after-ics-networks/d/d-id/1332505

Report Looks at Future Trends in Cyber Security

The Future Today Institute, an organization that provides forecasts about how emerging technology will disrupt business and transform the workforce, has once again looked into its crystal ball—and cyber security executives might not be thrilled with the predictions.

In its 2018 Tech Trends Report, the institute said organizations and individuals can expect to see more sophisticated data breaches, advanced hacker tactics, and targeted ransomware against devices in offices and homes.

Here are some of the key security-related prognostications:

  • The historical tension between the security and privacy domains will unleash new challenges this year, the report said. Individuals are providing more data each day, and as more connected devices enter the marketplace the volume of available data will continue to rise. But the companies making devices and managing consumer data are not planning for future scenarios, and off-the-shelf compliance checklists will not be sufficient. Managers will need to develop and constantly update their security policies and make the details transparent. Today, most organizations aren’t devoting enough budget to securing their data and devices, the report said.
  • Distributed denial of service (DDoS) attacks will increase. In the past few years the number of DDoS attacks has spiked, the report said. The U.S. was hit with 122 million DDoS attacks between April and June 2017 alone. One of the more notable DDoS incidents was a massive attack that shut down many leading Internet sites, caused by the Mirai botnet and directed at Dyn, a company that controls a large portion of the Internet domain name system infrastructure. Cyber criminals are leveraging more sophisticated tools, and that means future attacks will be larger in scope and could have greater impact.
  • Ransomware will continue to be a threat with the growth of cryptocurrencies. There was a spread of ransomware attacks, including WannaCry, Petya, and NotPetya, during 2017. In England, WannaCry shut down systems in dozens of medical centers, which resulted in hospitals diverting ambulances and 20,000 cancelled appointments. Because cash and online bank transfers are easy to track, the currency of choice for ransomware attacks is bitcoin, which moves through an encrypted system and can’t be traced. The rise of blockchain and cryptocurrencies has transformed ransomware into a lucrative business, according to the report. Just backing up data will probably not be enough of a measure against these attacks.
  • Russia will remain a big source of hacker attacks. The country is home to the world’s most gifted and prolific hackers, who are motivated both by a lack of economic opportunity and by weak law enforcement, according to the report. In the past two years it has become clear that Russia’s military and government intelligence agencies are eager to put home-grown hackers to work, infiltrating the Democratic National Committee, Olympic organizations and European election commissions, it said.
  • Zero-day exploits will be on the rise. These attacks are dangerous, and finding vulnerabilities is a favorite activity of malicious hackers, the report noted. A number of zero-day exploits have been lying dormant for years—and two emerged late in 2017. A flaw found in chips made by Intel and ARM led to the realization that virtually every Intel processor shipped since 1995 was vulnerable to two new attacks called Spectre and Meltdown.
  • There will be more targeted attacks on digital assistants. Now that digital assistants such as Alexa, Siri, and Cortana have moved from the fringe to the mainstream, expect to see targeted attacks, the report said. Whether they target the assistants or their hardware (Amazon Echo, Apple HomePod, Google Home), it’s clear that the next frontier in hacking is these platforms.
  • In the wake of several hacking attacks during elections around the world, several government agencies are now making public their plans to hack offensively, according to the report. The U.K.’s National Health Service has started hiring white hat hackers to safeguard it against a ransomware attack such as WannaCry, which took the nation’s health care system offline. Singapore’s Ministry of Defense is hiring white hat hackers and security experts to look for critical vulnerabilities in its government and infrastructure systems. And in the U.S., two agencies responsible for cyberwarfare—the U.S. Cyber Command and the National Security Agency—are looking to leverage artificial intelligence (AI) as a focus for the U.S. cyber strategy.
  • Also thanks to advancements in AI, one of the big trends in security is automated hacking—software designed to out-hack human hackers. The report said the Pentagon’s research agency DARPA launched a Cyber Grand Challenge project in 2016, with a mission to design computer systems capable of beating hackers at their own game. The agency wanted to show that smarter automated systems can reduce the response time—and develop fixes for system flaws—to just a few seconds. Spotting and fixing critical vulnerabilities is a process that can take human hackers months or even years to complete, the report said.

Source: https://securityboulevard.com/2018/08/report-looks-at-future-trends-in-cyber-security/

FCC Admits It Lied About the DDoS Attack During Net Neutrality Comment Process – Ajit Pai Blames Obama

During the time the Federal Communications Commission (FCC) was taking public comments ahead of the rollback of net neutrality rules, the agency had claimed its comments system was knocked offline by distributed denial-of-service (DDoS) attacks.

These attacks were used to question the credibility of the comment process, in which millions of Americans had voiced opposition to the net neutrality rollback. The Commission then chose to ignore the public comments altogether.

FCC now admits it’s been lying about these attacks all this time

No one bought the FCC’s claims that its comment system was targeted by hackers during the net neutrality comment process. Investigators have today validated those suspicions, revealing that there is no evidence to support the claims of DDoS attacks in 2017. Following the investigation that was carried out after lawmakers and journalists pushed the agency to share the evidence of these attacks, FCC Chairman Ajit Pai has today released a statement admitting that there was no DDoS attack.

This statement would have been surprising coming from Pai – an ex-Verizon employee who has continued to disregard public comments, stonewall journalists’ requests for data, and ignore lawmakers’ questions – if he hadn’t thrown the CIO under the bus, taking no responsibility whatsoever for the lies. In his statement, Pai blamed the former CIO and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.”

He went on to say that the CIO’s subordinates were scared of disagreeing with him and never approached Pai. If all of that is indeed true, the Chairman hasn’t clarified why he wouldn’t demand to see the evidence despite everyone outside the agency already believing that the DDoS claim was nothing but a lie to invalidate the comment process.

“It has become clear that in addition to a flawed comment system, we inherited from the prior Administration a culture in which many members of the Commission’s career IT staff were hesitant to express disagreement with the Commission’s former CIO in front of FCC management. Thankfully, I believe that this situation has improved over the course of the last year. But in the wake of this report, we will make it clear that those working on information technology at the Commission are encouraged to speak up if they believe that inaccurate information is being provided to the Commission’s leadership.”

The statement comes as the result of an independent investigation by the Government Accountability Office that is to be published soon. However, looking at Pai’s statement it is clear what this report is going to say.

As a reminder, the current FCC leadership didn’t only concoct this story of the DDoS attack. It had also tried to bolster its false claims by suggesting that this wasn’t the first such incident, as the FCC had suffered a similar attack in 2014 under the former chairman Tom Wheeler. It had also tried to claim that Wheeler had lied about the true nature of the attack back in 2014 to save the agency from embarrassment. The former Chairman then went on record to call out Pai’s FCC for lying to the public, as there was no cyberattack under his leadership.

Pai throws CIO under the bus; takes no responsibility

And now it appears the FCC was also lying about the true nature of the failure of the comment system in 2017. In his statement released today, Pai is once again blaming [PDF] the Obama administration for feeding him inaccurate information.

I am deeply disappointed that the FCC’s former [CIO], who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.

It remains unclear why the new team that replaced Bray nearly a year ago didn’t debunk what is being called a “conspiracy theory” and come clean about it.

Some redacted emails obtained through the Freedom of Information Act (FOIA) by American Oversight had previously revealed that the false theory about a 2014 cyberattack, used to justify the 2017 attack claim, also appeared in a draft copy of a blog post written on behalf of Pai. That draft was never published online, to keep Pai’s hands clean since there was no evidence to support the FCC’s claims of a malicious attack. These details were instead sent out to the media, through which this narrative was publicized.

“The Inspector General Report tells us what we knew all along: the FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus,” FCC Commissioner Jessica Rosenworcel wrote. “What happened instead is obvious – millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.”

Source: https://wccftech.com/fcc-admits-lied-ddos-ajit-pai-obama/

Sinking feeling: Hacktivist rescued by Disney cruise ship convicted for DDoS attacks against health facilities

It was not a fairy-tale ending in court yesterday for a criminal hacktivist who had to be rescued by a Disney Cruise ship in 2016, after attempting to flee to Cuba to escape charges of attacking two health care providers.

Martin Gottesfeld, 32, of Somerville, Mass., was convicted in his home state yesterday of one count of conspiracy to damage protected computers and one count of damaging protected computers, for launching distributed denial of service (DDoS) attacks against Boston Children’s Hospital and the Wayside Youth & Family Support Network, a health counseling and family support services provider in Framingham, Mass.

For the conspiracy charge, Gottesfeld faces a maximum of five years in prison, with three years of supervised release, and a fine of $250,000 plus restitution. The charge of damaging protected computers carries a penalty of no greater than 10 years in prison with three years of supervised release, and a fine of up to $250,000.

According to a press release from the Massachusetts U.S. Attorney’s Office, Gottesfeld in 2014 launched a DDoS assault against Wayside, disrupting the non-profit’s network for a week and costing the organization $18,000. Later that year, he would execute another attack against Boston Children’s Hospital, using a botnet composed of roughly 40,000 routers. The blitz not only knocked his intended target offline, but also several more hospitals in the Longwood Medical Area. Boston Children’s Hospital’s network was disrupted for at least two weeks, resulting in approximately $600,000 in repairs and lost donations.

As cyber investigators closed in on Gottesfeld, he fled with his wife by boat on Feb. 16, 2016. But when the vessel became stranded at sea, the couple placed a distress call for help. A Disney Cruise Line ship picked up the couple and dropped them off in Miami, where Gottesfeld was arrested.

DOJ officials say that Gottesfeld identified himself as a member of the hacking group Anonymous, and launched the attack on Boston Children’s Hospital in protest of how the medical facility had handled a high-profile custody case.

Source: https://www.scmagazine.com/sinking-feeling-hacktivist-rescued-by-disney-cruise-ship-convicted-for-ddos-attacks-against-health-facilities/article/785468/