Californian may not see stars for years after conviction for DDoS attack against telescope retailer

A California man was convicted of launching distributed denial of service (DDoS) attacks against telescope retailer Astronomics and the online astronomy forum the company runs called Cloudy Nights.

David Chesley Goodyear, of El Segundo, Calif., was found guilty by a jury last week of attacking both the Norman, Okla.-based retailer and its forum in August 2016, reported Robert J. Troester, Acting United States Attorney for the Western District of Oklahoma. Troester presented evidence to the jury that Goodyear had been a member of the Cloudy Nights forum but had twice been banned from the site for violating its terms of service, including by sending threats to users, administrators and moderators.

Goodyear used two aliases to post on Cloudy Nights on August 9 and 13, 2016. In these posts he threatened to “talk with his contacts and hit the forum and Astronomics with a DoS attack,” Troester said.

“Evidence further showed that DDoS attacks against Astronomics and Cloudy Nights commenced that night and continued intermittently until the end of August 2016, when Goodyear was interviewed by law enforcement and admitted he was responsible for the attacks,” Troester said.

Goodyear faces up to 10 years in prison and a $250,000 fine.


The risks of DDoS and why availability is everything

DDoS attacks bring significant risk to organisations that depend on their networks and websites as an integral part of their business. And these days, that’s just about everyone. Think about online banking, retailing, travel reservations, medical patient portals, telecommunications, B2B e-commerce – virtually every business model today includes a significant online transactional component or, in some cases, has shifted online entirely.

We’ve all experienced the feeling of frustration, or even desperation, when the online services we expect are not available to us instantly when we want or need them. Imagine that happening to thousands or even millions of customers worldwide, simultaneously, and you can understand the potential impact of a single DDoS attack on your organisation. Maintaining availability of digital platforms, networks, applications and services is not simply a security issue – it is a business risk and continuity issue.

It doesn’t take much to take down a substantial section of the internet. In November 2016, an accidental misconfiguration at a major internet infrastructure company led to outages at several large carriers. Although the “route leak” was accidental and not malicious, the resulting 90-minute lack of availability was still painful for the carriers and their customers alike.

A concerted attack can have far more damaging consequences. Unlike advanced threats or data breaches, which are designed for stealth to exfiltrate data of value, a successful DDoS attack is instantly recognisable. The symptoms range from poor performance and intermittent outages, to a stream of customer complaints, all the way to sudden and complete unavailability. Whatever the motive, disruption or denial of service is the goal.

Have threat capabilities leapfrogged your protection capacity?

DDoS attacks have been around just as long as e-commerce itself. Established organisations with a significant online presence have always taken measures to ensure availability. Ask yourself, however, if the protection you may have put in place several years ago is still adequate for a modern-day attack. DDoS threat capabilities have become more complex, dynamic and multi-vector. Increasingly, attackers employ a combination of attack methodologies, on the assumption that at least one will succeed while the others divert defences. These attack types include:

  • Volumetric: Large bandwidth-consuming attacks that essentially “flood” network pipes and router interfaces.
  • TCP State Exhaustion: Attacks that use up all available transmission control protocol (TCP) connections in internet infrastructure devices such as firewalls, load balancers and web servers.
  • Application Layer: “Low and slow” attacks intended to gradually wear down resources in application servers.

Moreover, attacks today are much easier for less sophisticated threat actors to launch, owing to the ready availability of inexpensive do-it-yourself attack tools and DDoS-for-hire services. The threat landscape has been further exacerbated by the rapid proliferation of inadequately secured Internet of Things (IoT) devices, which are being consumed into botnets and weaponised to launch multi-vector DDoS attacks.

Evaluating risks and defences

With the increase in multi-vector attacks, security experts agree that reducing the risk from DDoS attacks requires a defence-in-depth or layered approach utilising multiple, synchronised mitigation approaches.

Firewalls have long stood as the first line of defence, as policy enforcement solutions designed to prevent unauthorised data access. Unfortunately, firewalls are not very effective when it comes to availability threats like the modern-day, multi-vector DDoS attack.

Modern firewalls perform stateful packet inspection—maintaining records of all connections passing through the firewall. They determine whether a packet is the start of a new connection, part of an existing connection or invalid. But as stateful and inline devices, firewalls add to the attack surface and can be DDoS targets.

They have no inherent capability to detect or stop DDoS attacks, because the attack traffic arrives on the same open ports and protocols that the policy must allow through. As a result, firewalls are often the first victims of a DDoS, falling over as their capacity to track connections is exhausted. Because they are inline, they also add latency to every connection.

Finally, because they are stateful, they are susceptible to resource-exhausting attacks such as TCP SYN (synchronize) floods, which fill the connection table with half-open entries that never complete, and spoofed ICMP ping floods.
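To make the three attack classes listed above, and the state-table exhaustion that turns a stateful firewall into the first casualty, concrete, here is an added example that classifies a ten-second window of flow records. It is written for this page and is not code from the article or from any vendor; the Flow record layout, the thresholds and the sample windows are assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record, as a flow collector or firewall log might export it (assumed layout)."""
    src: str          # source address
    dst: str          # destination address
    proto: str        # "tcp", "udp" or "icmp"
    flags: str        # TCP flags seen from the client, e.g. "S" (SYN only), "SAPF"
    bytes: int        # bytes carried by the flow
    duration: float   # seconds the flow stayed open
    requests: int     # application-layer requests carried, 0 if unknown


# Thresholds are assumptions for this example, not tuned values; in practice
# they are set relative to link size and the normal traffic profile.
VOLUMETRIC_BPS = 200_000_000   # bits per second toward one target
HALF_OPEN_MIN = 100            # SYN-only flows in the window
HALF_OPEN_RATIO = 0.8          # share of TCP flows that never completed
SLOW_MIN_DURATION = 30.0       # seconds a "slow" connection is held open
SLOW_MAX_REQ_RATE = 0.2        # requests per second below which it is idle
SLOW_MIN_CONNS = 50            # such connections needed to call it an attack


def volumetric_bps(flows: list[Flow], window_s: float) -> float:
    """Offered load in bits per second over the window (all protocols)."""
    return sum(f.bytes for f in flows) * 8 / window_s


def half_open_stats(flows: list[Flow]) -> tuple[int, float]:
    """Count of SYN-only TCP flows and their share of all TCP flows."""
    tcp = [f for f in flows if f.proto == "tcp"]
    half_open = sum(1 for f in tcp if f.flags == "S")
    return half_open, (half_open / len(tcp) if tcp else 0.0)


def slow_connections(flows: list[Flow]) -> int:
    """Long-lived TCP connections carrying almost no requests (low and slow)."""
    return sum(
        1 for f in flows
        if f.proto == "tcp"
        and f.duration >= SLOW_MIN_DURATION
        and f.requests / f.duration < SLOW_MAX_REQ_RATE
    )


def classify(flows: list[Flow], window_s: float = 10.0) -> list[str]:
    """Return the DDoS classes whose thresholds this window exceeds."""
    found = []
    if volumetric_bps(flows, window_s) > VOLUMETRIC_BPS:
        found.append("volumetric")
    count, ratio = half_open_stats(flows)
    if count >= HALF_OPEN_MIN and ratio >= HALF_OPEN_RATIO:
        found.append("tcp_state_exhaustion")
    if slow_connections(flows) >= SLOW_MIN_CONNS:
        found.append("application_layer")
    return found


def make_window(kind: str) -> list[Flow]:
    """Constructed 10-second window: five ordinary HTTP connections plus one attack type."""
    target = "198.51.100.10"
    flows = [Flow(f"203.0.113.{i}", target, "tcp", "SAPF", 8_000, 1.5, 4)
             for i in range(1, 6)]
    if kind == "syn_flood":
        # 300 SYNs from spoofed sources that never complete the handshake:
        # each one occupies a state-table entry on a stateful device.
        flows += [Flow(f"192.0.2.{i % 254 + 1}", target, "tcp", "S", 60, 0.0, 0)
                  for i in range(300)]
    elif kind == "slowloris":
        # 80 connections held open for two minutes while sending one partial request.
        flows += [Flow(f"192.0.2.{i + 1}", target, "tcp", "SA", 900, 120.0, 1)
                  for i in range(80)]
    elif kind == "volumetric":
        # 40 UDP flows of 16 MB each in 10 s: roughly 512 Mbit/s at the target.
        flows += [Flow(f"192.0.2.{i + 1}", target, "udp", "", 16_000_000, 10.0, 0)
                  for i in range(40)]
    return flows


if __name__ == "__main__":
    for kind in ("legit", "syn_flood", "slowloris", "volumetric"):
        print(f"{kind:>10}: {classify(make_window(kind))}")
```

The three checks are deliberately independent, because a multi-vector attack is exactly the case where more than one fires at once; a firewall that only counts connections sees the SYN flood as "load" and has no view of the other two.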

Intelligent DDoS Mitigation Solutions (IDMS) are purpose-built for DDoS defence and are deployed on-premises, in front of the firewall. These solutions can handle the majority of attacks; in fact, 80% of DDoS attacks are smaller than 1 Gbps.

However, they are not adequate for the growing number of large-scale attacks intended to saturate the organisation’s internet bandwidth, because an on-premises device sits downstream of the link that is being filled. Those larger attacks are best mitigated in the cloud, upstream of the link. Best-practice defence today is an intelligently integrated combination of on-premises and cloud-based mitigation.

Recognising that denial of availability is a business risk, it makes sense to undergo a risk analysis to assess your vulnerabilities, understand the impact of a DDoS attack under various scenarios, and determine the measures you need to have in place for optimal risk mitigation.

Today’s DDoS threat is not the same as it was ten or even five years ago. If availability is paramount to your business, then defences need to be updated to match today’s threat.


Digital transformation in the public sector: balancing the risks with data-driven cyber security

The possibility of falling victim to a cyber attack should not deter the public sector from moving to the cloud.

The 35 million people who saw Skyfall back in 2012 were in for a treat – thrills, tension, and a spectacular hacking attempt against the UK public sector. While many have picked up on the evident flaws in the Bond version of MI6’s approach to cyber security, the film is a useful reminder that, in our rush to digitise public services, there is more to be done to ensure that those services are secure. Cloud adoption in the UK public sector rose to 78% in 2017, according to the Cloud Industry Forum. That is encouraging evidence that the public sector is adopting cloud-based technologies, but it is debatable whether current cyber-security practices are up to date for this new type of environment.

Public sector BYOD

These days most employees in both public and private organisations have at least two devices connected to the corporate network – a personal phone and a work computer, often a laptop. While the organisation itself may have robust network security, with these types of devices it is very easy for users to download confidential information from a cloud service and then open it while connected to a different, less secure network. In fact, 52% of data breaches are attributed to human error, according to CompTIA.

While organisations can educate their employees about the importance of not sharing confidential information over unsecured connections, it is also useful to be able to track who has accessed which pieces of information in the cloud environment. This is especially effective for monitoring for corporate whistle-blowers or habitual leakers. Data lineage technology can keep track of who is accessing, copying or changing information, while big data analytics can be used to spot anomalous activity by individuals or groups within an organisation. For example, if a person is channelling terabytes of data out of the organisation, or repeatedly accessing information that is not pertinent to their role, the system can spot this and alert management. The advantage of automating this is that the system can scale to detect such activity across the whole organisation, in a way that human reviewers cannot.
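The kind of check described in this paragraph, as an added example written for this page (not any vendor’s data-lineage product): each user’s egress volume is compared with a robust baseline of their role peers, and reads of datasets outside the user’s role are counted. The role-to-dataset mapping, the thresholds and the access records are constructed assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Access:
    """One record from the cloud store's access/lineage log (assumed layout)."""
    user: str
    role: str        # the user's job role, e.g. "clinician"
    dataset: str     # logical dataset read or copied
    bytes_out: int   # bytes that left the store in this access


# Datasets each role is expected to touch (assumed for the example).
ROLE_DATASETS = {
    "clinician": {"patient_records", "prescriptions"},
    "finance": {"invoices", "payroll"},
}


def modified_z(x: float, peers: list[float]) -> float:
    """Robust outlier score (Iglewicz-Hoaglin): 0.6745 * (x - median) / MAD.

    Median and MAD are used instead of mean and standard deviation so that one
    huge exfiltration does not inflate the baseline it is compared against.
    If every peer is identical (MAD == 0), anything above the median is an outlier.
    """
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    if mad == 0:
        return float("inf") if x > med else 0.0
    return 0.6745 * (x - med) / mad


def flag_anomalies(records: list[Access], z_threshold: float = 3.5,
                   min_out_of_role: int = 5) -> dict[str, list[str]]:
    """Users whose egress is an outlier among their role, or who repeatedly read outside it."""
    totals: dict[str, int] = defaultdict(int)
    out_of_role: dict[str, int] = defaultdict(int)
    role_of: dict[str, str] = {}
    for r in records:
        role_of[r.user] = r.role
        totals[r.user] += r.bytes_out
        if r.dataset not in ROLE_DATASETS.get(r.role, set()):
            out_of_role[r.user] += 1

    by_role: dict[str, list[float]] = defaultdict(list)
    for user, role in role_of.items():
        by_role[role].append(totals[user])

    findings: dict[str, list[str]] = {}
    for user, role in role_of.items():
        reasons = []
        peers = by_role[role]
        if len(peers) >= 3:                      # too few peers: no volume baseline
            z = modified_z(totals[user], peers)
            if z >= z_threshold:
                reasons.append(f"egress {totals[user]} bytes, z={z:.0f} vs role median")
        if out_of_role[user] >= min_out_of_role:
            reasons.append(f"{out_of_role[user]} reads outside role '{role}'")
        if reasons:
            findings[user] = reasons
    return findings


def build_sample_records() -> list[Access]:
    """Constructed lineage log: six ordinary clinicians, three finance staff, one outlier."""
    recs: list[Access] = []
    for i, mb in enumerate((60, 75, 90, 95, 100, 110)):
        user = f"clinician{i + 1}"
        recs.append(Access(user, "clinician", "patient_records", mb * 1_000_000 // 2))
        recs.append(Access(user, "clinician", "prescriptions", mb * 1_000_000 // 2))
    recs.append(Access("clinician4", "clinician", "invoices", 2_000))   # one stray read, tolerated
    for i, mb in enumerate((40, 55, 70)):
        recs.append(Access(f"finance{i + 1}", "finance", "invoices", mb * 1_000_000))
    # The outlier: terabytes pulled from patient records plus repeated payroll reads.
    recs.append(Access("mallory", "clinician", "patient_records", 2_000_000_000_000))
    recs += [Access("mallory", "clinician", "payroll", 50_000) for _ in range(6)]
    return recs


if __name__ == "__main__":
    for user, reasons in flag_anomalies(build_sample_records()).items():
        print(user, reasons)
```

Comparing against role peers rather than the whole organisation matters: a data engineer moving a terabyte is routine, a clinician doing so is not, and a global baseline would hide the second behind the first.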

The rise of DDoS

According to recent research from Corero Network Security, organisations in the US were hit by 237 DDoS attacks per month on average, during Q3 2017. This represents a 91% increase compared to Q1, highlighting that this ever-popular cyber-attack remains a pertinent threat to organisations both in the public and private sectors.

When it comes to public sector services, the damage that downtime can cause is often not just financial but can severely hamper essential public services. The 2007 cyber-attacks on Estonia hit the parliament, several news organisations and banks, and presented a threat to national security on a scale that was then unprecedented. As we increasingly digitalise services such as health and transport, it is not hard to imagine the potential for chaos should a successful DDoS take one of these critical infrastructure networks offline.

However, far from being impossible to mitigate, sophisticated real-time mitigation software can use big data analytics to identify and block the IP addresses making repeated suspect requests. The very size of a DDoS botnet can work against it, providing more data from which the system learns to detect and stop current and future attacks.

Compared with the traditional approach of mitigating a DDoS attack by cutting off all connections to the service, blocking only the suspect IP addresses allows the majority of users to continue accessing the service without significant disruption. Machine learning and big data processing form the backbone of this, letting computers bear the brunt of analysing, categorising and detecting patterns across source IP addresses.
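As an added illustration of the selective approach just described (example code written for this page, not Corero’s or any product’s logic), the following sliding-window guard drops only sources that make repeated suspect requests, while other clients keep being served. The log format, the thresholds and the traffic are constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque

# Constructed log format for the example: "<epoch> <ip> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


class SourceGuard:
    """Sliding-window limiter that drops only sources making repeated suspect requests.

    A source is banned when, inside `window` seconds, it exceeds `max_requests`
    requests or `max_errors` requests that the application rejected (4xx/5xx).
    Thresholds are assumptions for the example, not tuned values.
    """

    def __init__(self, window: float = 10.0, max_requests: int = 30,
                 max_errors: int = 10, ban: float = 60.0) -> None:
        self.window = window
        self.max_requests = max_requests
        self.max_errors = max_errors
        self.ban = ban
        self.history: dict[str, deque[tuple[float, bool]]] = defaultdict(deque)
        self.banned_until: dict[str, float] = {}

    def check(self, ts: float, ip: str, status: int) -> bool:
        """Return True if the request should be served, False if it is dropped."""
        if self.banned_until.get(ip, 0.0) > ts:
            return False
        hist = self.history[ip]
        hist.append((ts, status >= 400))
        while hist and hist[0][0] < ts - self.window:   # forget entries outside the window
            hist.popleft()
        errors = sum(1 for _, rejected in hist if rejected)
        if len(hist) > self.max_requests or errors > self.max_errors:
            self.banned_until[ip] = ts + self.ban
            hist.clear()
            return False
        return True


def replay(lines: list[str], guard: SourceGuard | None = None) -> dict[str, dict[str, int]]:
    """Feed log lines (in time order) through the guard; return per-IP served/dropped counts."""
    guard = guard or SourceGuard()
    stats: dict[str, dict[str, int]] = defaultdict(lambda: {"served": 0, "dropped": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                      # skip malformed lines rather than crash the pipeline
            continue
        served = guard.check(float(m["ts"]), m["ip"], int(m["status"]))
        stats[m["ip"]]["served" if served else "dropped"] += 1
    return dict(stats)


def build_sample_log() -> list[str]:
    """Constructed traffic: two ordinary browsers and one source hammering /login."""
    lines = []
    for i in range(20):                                  # two requests per second each, all fine
        t = 1000.0 + i * 0.5
        lines.append(f"{t:.2f} 203.0.113.5 GET /index.html 200")
        lines.append(f"{t + 0.1:.2f} 203.0.113.6 GET /catalog 200")
    for i in range(100):                                 # 20 rejected logins per second
        t = 1000.0 + i * 0.05
        lines.append(f"{t:.2f} 198.51.100.7 POST /login 401")
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


if __name__ == "__main__":
    for ip, counts in replay(build_sample_log()).items():
        print(ip, counts)
```

The abusive source is cut off after its eleventh rejected login and stays blocked for the ban period; the two ordinary clients never see a dropped request. Against a large botnet the same logic runs per source, which is why the number of sources works against the attacker rather than for him.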

The threat of malware

The public sector only needs to look back a few months to the Petya, NotPetya and WannaCry outbreaks to see the chaos that ransomware, and wipers dressed up as ransomware, can cause. At NHS hospitals in the UK, doctors were unable to check patient records, issue prescriptions or order vital tests, leading to delays in treatment and risk to patients. Unsurprisingly, the review by the Department of Health found that there were lessons to be learned in developing a response plan for such attacks.

The sad truth of the matter is that ransomware attacks are more likely than ever before. Attacks are increasing in both volume and complexity, and without a more advanced approach to analytics, the public sector risks falling prey to more such attacks in future.

Unlike DDoS attacks, where there are identifiable sources that can be blocked or redirected, malware is harder to spot. When a malware threat emerges, certain pieces of information connected to it remain consistent – a behavioural pattern, or particular bytes of code. Historically, these could be identified by human analysts, but modern malware is routinely repacked and mutated, so byte-level signatures change faster than they can be tracked by hand. Big data analytics, which can look across a much wider range of data, can spot larger-scale patterns and trends in malware, helping security teams detect and combat it.

But if big data is the stitch in time that saves nine for many of the cyber-security threats facing organisations today, then efficient data management is the thread without which the solution would be impossible. Without being able to pull together all of the different data streams from a range of different servers and systems into one consistent format, analysis on this sort of large scale would be impossible. This is where a vendor-agnostic, open-source approach to data integration is a crucial part of the digitisation process for security-conscious public sector entities.

The threat of cyber-attacks should not deter the public sector from adopting data-driven, cloud-based technologies. After all, the potential benefits of such technologies – from centralised medical records to sensor-driven city management – are hard to overstate. However, in the process of digitising, public sector organisations need to ensure they are also sparing resources to embrace the data integration and data analysis tools needed to back up their digital technology with robust cyber security provisions. This will be key to ensuring that the public sector is able to keep pace with the 21st century’s rush on innovation, which requires organisations to be flexible and dynamic, but above all, secure.


DoubleDoor Botnet Chains Exploits to Bypass Firewalls

Crooks are building a botnet that for the first time is bundling two exploits together in an attempt to bypass enterprise firewalls and infect devices.

Discovered by researchers from NewSky Security, the botnet has been cleverly named DoubleDoor. According to Ankit Anubhav, NewSky Security Principal Researcher, the DoubleDoor malware attempts to execute exploits that take advantage of two backdoors:

  • CVE-2015-7755 – backdoor in Juniper Networks’ ScreenOS software. Attackers can use the hardcoded password <<< %s(un='%s') = %u with any username to log in to a device via Telnet or SSH.
  • CVE-2016-10401 – backdoor in ZyXEL PK5001Z routers. Attackers can log in as admin:CenturyL1nk (or other default credentials) and then gain super-user access with the password zyad5001, taking control of the device.

Anubhav says DoubleDoor’s operators use the first exploit to get past Juniper NetScreen firewalls and then scan the networks behind them for ZyXEL routers to exploit with the second.

First time an IoT botnet chains two exploits

In a conversation with Bleeping Computer, Anubhav says this is the first time that a botnet has chained two exploits together in an attempt to infect devices.

“For the first time, we saw an IoT botnet doing two layers of attacks, and was even ready to get past a firewall,” the expert told Bleeping Computer. “Such multiple layers of attack/evasion are usually a Windows thing.”

“Satori/Reaper have used exploits, but those are exploits for one level of attack for various devices,” Anubhav said. “If the attacker finds a Dlink device, then it uses this exploit; if it finds a Huawei device, then that exploit,” Anubhav added showing the simple exploitation logic that most IoT malware employed in the past.

DoubleDoor botnet is not a major threat, yet

Scans and exploitation attempts for this botnet were spotted between January 18 and January 27, all originating from South Korean IP addresses.

But the botnet is not a major danger just yet. Anubhav says DoubleDoor looks like a work in progress and still under heavy development.

“The attacks are less in number when compared to Mirai, Satori, Asuna, or Daddyl33t,” he said.

The NewSky Security expert says the smaller attack numbers are likely because the botnet only targets a small subset of devices, either Internet-exposed ZyXEL PK5001Z routers, or ZyXEL PK5001Z routers protected by an enterprise-grade Juniper Netscreen firewall.

“Such setups are usually found in corporations,” Anubhav said, raising the alarm about what targets the DoubleDoor author may be trying to infect.

DoubleDoor doesn’t do anything, for the moment

The good news is that DoubleDoor does nothing special after compromising ZyXEL devices. It merely adds them to a botnet structure.

“Probably it’s a test run or they are just silently recruiting devices for something bigger down the road,” Anubhav said.

But as Anubhav points out, because DoubleDoor appears to still be under development, we may soon see its author expand it with even more exploits that target other types of devices, such as those from Dlink, Huawei, Netgear, and others.

Further, the botnet may try to carry out DDoS attacks, spread malware to internal Windows networks, or something more intrusive.

But even if DoubleDoor dies down and is never seen again, its double-exploit firewall bypass technique has already attracted the attention of other IoT botnet operators, and we may see it pretty soon with other malware strains as well. The cat’s out of the bag, as they say.


What cybersecurity surprises does 2018 hold?

One thing’s for sure: securing ourselves and our organizations will only get more difficult this year.

Bitcoin, the General Data Protection Regulation in Europe and the Internet of Things (IoT) are just three recent developments that will present security professionals with new challenges in 2018. That’s in addition to the usual raft of malware, DDoS attacks and database thefts that have dominated the headlines for some time.

To get a handle on what to expect, we asked two Keeper Security experts – Director of Security and Architecture Patrick Tiquet and Chief Technology Officer Craig Lurey – to peer into their crystal balls to find what 2018 holds. Here’s what they saw.


IoT has been on Patrick’s mind a lot lately, not just because it represents a vast expansion of the attack surface, but also because it opens whole new types of data to compromise. “Every aspect of your everyday life is potentially accessible to anyone anywhere in the world in seconds,” he says. “All your conversations can be accessed, captured and converted.”

Vulnerabilities have already been reported in voice-activated personal assistants, and attackers years ago figured out how to turn on smartphone microphones and cameras without the owner’s knowledge. “We will see a major IoT security disaster this year, and I think it will be bigger than the Dyn hack of 2016,” Patrick says, referring to the attack that originated with printers, security cameras, residential gateways and baby monitors.

New attack vectors

New attack vectors have also been on Craig’s mind, particularly in light of recent disclosures of hardware flaws in microprocessors. “There’ll be more activity by hackers around hardware-based attacks that go after the memory of the device,” he says. Particularly concerning is that “Spectre and Meltdown took advantage of hardware flaws but were able to abstract them to the software level.” That makes them harder to stop with conventional anti-malware protections alone. Hardware vulnerabilities may demand a whole new type of protection.


GDPR has many people spooked because of its onerous penalties – violators can be fined up to four percent of global annual turnover, or €20 million, whichever is higher – as well as the strict set of controls the regulation imposes on keepers of personal information. Will the European Union enforce GDPR to the full extent of the law, or will the scope of the penalties cause regulators to pull their punches? Patrick thinks it’s the former. “It’s in the EU’s best interest to aggressively enforce the regulation,” he says. “If they don’t, then people will ignore it.” He expects the EU to penalize an assortment of large, medium and small companies “to show that just because you’re small, you don’t get to skate.”

Password alternatives

Many smartphone makers have lately been showing off alternatives to passwords, such as biometric security controls. While these technologies have some promise, they also create new targets for attackers, Craig believes. Cyber criminals will turn more attention to compromising systems that are supposedly super secure, such as two-factor authentication (2FA), he believes. “Meltdown opened up new ways to get in,” he says, by showing how hardware can be exploited. “Attackers will look for ways to sidestep 2FA.”

Emergency warning systems

Another intriguing new target for the bad guys is emergency warning systems. Just since the first of the year, citizens in Hawaii and Japan have received false notifications of impending missile attacks. In both cases, human error was the culprit, but attackers will no doubt look for opportunities to create mayhem using the same channels. Imagine the security implications of being able to clear out entire neighborhoods or cities for burglars to mine. “It’s social engineering on a large scale,” says Craig.


Now that the bitcoin bubble is beginning to melt away, practical applications of blockchain will emerge, Patrick believes. So will questions about the security of various blockchain-based technologies. Crypto currencies will be a viable medium of transactions in the future, but Patrick doesn’t believe bitcoin will be the winner. “It relies on massive amounts of electricity, and I don’t think it’s sustainable,” he says. “What makes a currency valuable over the long term is its stability. Bitcoin looks more like a Ponzi scheme right now.” As an alternative, he suggests Digibyte, which is billed as a set of “digital assets that cannot be destroyed, counterfeited or hacked.”

Our experts also shared these quick predictions:

“The security skills gap will become even more pronounced. Companies will have less time available to patch quickly, which will create even more opportunities for ransomware authors.” –Patrick

“More sites will require strong passwords and start defaulting to much longer generated passwords. There’ll be more attention paid to 2FA, but that approach will also be under fire.” –Craig

“State-sponsored hacking will grow and continue to be a concern. I don’t think it’s going away.” –Patrick

“There’ll be a lot more work around security at the software development stage. New cybersecurity degrees and programs will pop up in this area. It deserves its own field of study.” –Craig

One thing is clear from our experts’ prognostications: Securing ourselves and our organizations will only get more difficult this year.


Industry Weighs in on How the Government Can Fight Botnets

Feds need to secure the internet of things and work more closely with private companies, they said.

Government technologists must develop more partnerships with the private sector and flesh out security guidelines to stop botnets from knocking websites and networks offline, cybersecurity experts said.

Cyber policy experts and telecommunications and technology trade groups weighed in on a draft report outlining the government’s plans to reduce cyber threats from internet-connected devices.

The growing number of such devices worldwide has raised fears about cybersecurity and personal privacy. Online bad actors are increasingly hacking and harnessing those devices en masse for large distributed denial-of-service attacks that can knock websites and services offline by overwhelming them with bunk traffic.

In the report, Commerce, Homeland Security and other federal agencies outlined five major goals to mitigate the threat of distributed attacks: strengthen the intrinsic security of software and devices, bolster infrastructure, improve network protections, build partnerships with global tech communities, and increase cybersecurity education and awareness.

While experts largely agreed with the government’s broad goals, they each highlighted areas they believe offer particular bang for the buck.

U.S. Telecom, a trade organization for telecommunications groups, stressed the need for agencies to bring companies together to find ways to “share responsibility” in addressing attacks. The administration should also work with industry to improve software security and coordinate efforts with other governments, they said.

“The gross shortfall in investment in the parts of the government that support industry-driven cybersecurity processes and industry-government collaboration constitutes a long-term threat to our national security,” U.S. Telecom said in its comment. “The government should invest in sufficient structural support for these private sector efforts.”

BSA | The Software Alliance emphasized the importance of building protection straight into software and devices to keep them from being co-opted by online bad actors. The group also recommended feds avoid “across-the-board” standards for securing internet-connected devices, as different systems carry a wide array of vulnerabilities and risks.

In its comment, the Coalition for Cybersecurity Policy and Law included a full framework for preventing DDoS and botnet attacks, based on existing guidelines from the National Institute of Standards and Technology for securing cyber infrastructure. In addition to detailing ways to harden systems against attacks, the framework outlines steps to detect, respond to and recover from them.

The report responds to a directive in President Donald Trump’s executive order on cybersecurity. The Commerce and Homeland Security departments must submit a final report to the White House by May 11.


Hackers graduate to financial gain as motivation for IoT attacks

Securing IoT devices is a top priority for organisations looking to implement this new technology.

The phrase Internet-of-Things (IoT) has gone from buzzword to common speech, having had an impact on almost every industry and sector. Once an abbreviation that seemed bound for fad-status among the tech elite, even the average consumer now embraces “IoT” as a category of connected technology that’s increasingly all around us.

In fact, the IoT market is estimated to have reached a $20.35 billion valuation in 2017 and is set to pass $75.44 billion by 2025. That means the perception that IoT is “all around us” will take a great leap further in under a decade – and the implications will be dramatic.

Especially in the context of cybersecurity, what will an omnipresence of connected devices tracking our every move mean for the hacking community?

We’re already starting to get a taste of what the future holds today when it comes to hacked IoT, as headlines over the past year have consistently focused on ever-increasing “muscle-flexing” on the part of hackers. As with any major technological change that’s embraced so rapidly by the masses, cracks in the façade will inevitably emerge as best practices catch up with the rate of adoption. IoT devices are especially prone to this chain of events, as industries and individuals are often bringing IoT solutions into their workflows before security is assured or a defense against threats is even mapped.

Evolving from DDoS to Financial Gain

Take, as an example, the distributed denial of service (DDoS) attacks that leveraged common household and office IoT devices over the course of 2016 and 2017. The Mirai botnet, for instance, used an army of infected IoT devices to flood its targets with junk traffic that drowned out legitimate user requests; its October 2016 attack on the DNS provider Dyn left Twitter, GitHub and the PlayStation Network, among others, unreachable for hours. First seen in 2016, Mirai variants were still being reported as recently as December 2017.

While the Mirai attacks continue to cause financial pain for the affected parties, they were widely considered an exercise in showboating by Paras Jha, who recently pleaded guilty to hacking charges alongside two of his classmates. Jha and his cohorts made the vulnerabilities in IoT networks – even those connected to tech giants – glaringly obvious, which opens the door to the kind of one-upmanship that will give IoT hacking a new motive over the next year: malicious actors looking for financial gain will inevitably try to leverage those vulnerabilities, taking advantage of readily available ransomware and harvested PII for big paydays.

In fact, research group Forrester made this prediction one of its top forecasts for the next year. Instead of being motivated solely by political, social, or military reasons – as had been forecasted in previous years – cybercriminals will likely be driven by financial gain moving forward, as the black market for malware and the Dark Web continue to mature, Forrester noted.

Bracing for the future

Fighting the increasingly persistent threats that will affect enterprise IoT networks requires the same comprehensive approach to security that IT applies to standard network connectivity. For starters, organizations need to immediately ensure the security of their existing IoT infrastructure by assessing their hardware for security gaps, including weak encryption implementations or inadequate patching mechanisms.

When it comes to encryption, IT teams need to ensure that data is encrypted both at rest and in motion. Full-disk encryption, for instance, protects data only while it is at rest: as soon as a device or server is booted and a user is logged in, the volume is unlocked, and anyone with access to the running system – including an intruder who got onto the network earlier – can read that data.

Rather, teams need to ensure their security solutions encrypt data at all times using established industry standards (TLS for data in motion, for instance; the older SSL protocols should no longer be used). At the same time, businesses need to be sure their encryption keys are held privately and offline – not on a network-accessible server – so that only the parties who need it can reach the most sensitive data.

Organizations also need to take appropriate steps to stop bad actors from entering the network in the first place. This requires a “defense-in-depth” approach to network security that mirrors what is often touted on the battlefield – putting as many layers between the enemy and the walls of the network as possible. That means not relying solely on a next-generation firewall – which inspects packets entering the network rather than entire files – or on standard proxies. Instead, secure web gateways that bring a combination of controls under a single management console are the best path forward.

Stopping cash-grabs on the way out of the network

With financial gain at the core of attacks going forward, businesses need to be extra critical of the vetting they do of content leaving the network as well. This is especially true in the context of IoT devices – which harkens back to our sentiments surrounding encryption – in that many of these devices spend a great deal of time “turned off” before being activated by a beacon or sensor. Sleeping trojans within the network could leverage the data collection of these newly “activated” IoT communications to conduct data exfiltration – essentially exiting the network with cash in hand – if they make it past robust gateway defenses. It’s almost like having all eyes on the front door and no insight into who might be leaving through the window, or a method to chase after them.

Of course, IoT devices make network security more complicated than ever before, and even the most extensive security solutions cannot thwart every threat. But with attackers’ motives shifting toward financial gain, the financial damage to organizations that do not do all they can to secure IoT technology – otherwise a boon for business – can be significant.


Let’s Not Make the Distributed Internet Insecure

We built the internet to be fast and efficient, but made mistakes that have led to the security problems we see today: DDoS attacks, massive breaches, thefts of huge amounts of data, and tampering with systems for either profit or political gain. In building the internet, we prioritized performance, and built the infrastructure assuming people would use it for good. Now we know better. The next generation of internet infrastructure needs to be built assuming that everything can and will be attacked.

A key piece of the next-generation internet will be Distributed Ledger technologies (DLTs) like blockchain. DLTs allow a network of actors who don’t necessarily need to know or trust each other to nevertheless come to agreement on the order of some set of transactions – without some specially empowered and trusted third party. This holds value not only for the cryptocurrencies that have rapidly gained popularity, but also for markets, stock exchanges, games, or any other kind of distributed community you want to participate in without having to trust everyone in the community.

Clearly, if DLTs are going to be used for real-world and meaningful use cases, then they must be protected against all sorts of possible malicious activity, as well as the likelihood of network faults. If DLTs are used to track the ownership of valuable resources (whether currency, diamonds, or real estate) then we have to expect them to be targeted – and need to prepare for that.

Two security risks to DLTs arguably do not receive their fair amount of attention: Distributed Denial of Service (DDoS) attacks, and state manipulation. Both attacks ultimately derive from consolidation of the nodes that determine consensus, and specifically from two different kinds of consolidation: that of control and that of location.

Distributed Denial of Service

A Distributed Denial of Service (DDoS) attack occurs when an attacker is able to flood an honest node on a network with meaningless messages, preventing that node from performing other (valid) duties and roles. In a DLT, those other duties would be the processing required to achieve consensus.

Consensus protocols are the engine of DLTs, and all rely on nodes sending and receiving messages, and on processing and validating those messages. In some DLTs, one node or some set of nodes is ‘special’ compared to the rest. If an attacker is able to prevent such a special node from performing those consensus operations with a targeted DDoS, then consensus could be inhibited.

Consensus models fall along a spectrum of how much they empower nodes with special privileges. A single central database is at one extreme, and a DLT where no nodes are special is at the other. DLTs that give some special privileges to some nodes sit in the middle of the continuum. Generally, the more privileges a DLT assigns to a particular node, the more vulnerable it will be to DDoS – because a DDoS against a special node will be more damaging than a DDoS against any normal node. It is consolidation of control over consensus that makes a DLT vulnerable to DDoS.

Leader-based DLTs (such as Paxos, Raft, PBFT, and dPOS) elect a leader from amongst the community of nodes. This leader plays a special role in enabling consensus (for the duration of its turn). Because the normal nodes need to know which of them is the current leader in order to send messages to it, that knowledge could be abused by a DDoS attack against the current leader. As the leader changes, the attacker simply adjusts their target in real time, in a ‘follow the leader’ pattern. If the leader can be tied up by the DDoS, it may be unable to play its key role in enabling consensus for the other nodes.

While proof-of-work DLTs, like Bitcoin and Ethereum, also grant particular nodes special privileges, they guard against DDoS by randomizing the selection of that privileged node via the mining process (and the underlying hashing puzzle). If an attacker hoped to target miners with a DDoS to prevent a new block being added to the chain, they would be unlikely to know *which* miner would win the crypto puzzle and be granted the ability to add the block.

Consequently, the attacker wouldn’t be able to target the miner selected until after the fact. However, while proof-of-work provides DDoS resistance, the mining process introduces inefficiency and slowness, leading to expenses that cause consolidation in location.

Other consensus models guard against DDoS by using a more egalitarian distribution of the burden of determining consensus. When all nodes contribute to consensus, then knocking one out with a DDoS will not stop consensus.
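The argument above (a predictable leader can be followed, a randomly revealed leader cannot, and a leaderless quorum tolerates the loss of a few nodes) can be made concrete with a small availability model. The following is an added example written for this page, not code from the original article or from any DLT project: it treats the adversary abstractly as something that can take a fixed number of nodes offline per round (the `budget`), and measures the fraction of rounds in which consensus still makes progress. The scheme names, the round-robin leader rule, the uniform random leader, and the two-thirds quorum are all constructed assumptions for the model.

```python
"""Availability of three consensus shapes when a fixed number of nodes per
round can be knocked offline. Constructed model for illustration; the
scheme names and rules are assumptions, not any specific DLT's protocol."""
import random
from dataclasses import dataclass


@dataclass
class Outcome:
    rounds: int
    progressed: int

    @property
    def availability(self) -> float:
        """Fraction of rounds in which consensus made progress."""
        return self.progressed / self.rounds


def targets_for_round(scheme: str, n: int, rnd: int, budget: int,
                      rng: random.Random) -> set:
    """Nodes unavailable this round. The adversary must commit before the
    round runs, so it can only exploit knowledge that exists beforehand."""
    if scheme == "predictable_leader":
        # Round-robin leadership is public, so the next leader is known ahead of time.
        chosen = {rnd % n}
        while len(chosen) < min(budget, n):
            chosen.add(rng.randrange(n))
        return chosen
    # With a random leader or a leaderless quorum nothing is predictable;
    # any fixed choice of `budget` nodes is as good as any other.
    return set(range(min(budget, n)))


def round_progresses(scheme: str, n: int, rnd: int, offline: set,
                     rng: random.Random) -> bool:
    """Whether one round of consensus completes given the offline nodes."""
    if scheme == "predictable_leader":
        return (rnd % n) not in offline
    if scheme == "random_leader":
        # Leader is only revealed as the round runs (like a PoW puzzle winner).
        return rng.randrange(n) not in offline
    if scheme == "leaderless":
        # Progress needs more than two thirds of all nodes online (BFT-style quorum).
        return 3 * (n - len(offline)) > 2 * n
    raise ValueError(f"unknown scheme {scheme!r}")


def simulate(scheme: str, n: int = 10, budget: int = 2,
             rounds: int = 2000, seed: int = 1) -> Outcome:
    """Run `rounds` rounds with `budget` nodes offline per round."""
    rng = random.Random(seed)
    progressed = 0
    for rnd in range(rounds):
        offline = targets_for_round(scheme, n, rnd, budget, rng)
        if round_progresses(scheme, n, rnd, offline, rng):
            progressed += 1
    return Outcome(rounds, progressed)


def compare(n: int = 10, budget: int = 2) -> dict:
    """Availability of each scheme under the same node budget."""
    return {s: simulate(s, n=n, budget=budget).availability
            for s in ("predictable_leader", "random_leader", "leaderless")}


if __name__ == "__main__":
    for scheme, avail in compare().items():
        print(f"{scheme:>18}: {avail:.2f}")
```

With ten nodes and two knocked offline per round, the predictable leader yields no progress at all (the adversary always hits the right node), the random leader keeps roughly 80 percent availability (the adversary guesses right two rounds in ten), and the leaderless quorum is unaffected until the number of offline nodes reaches the quorum bound. Raising `budget` to four with `n=10` drops the leaderless scheme to zero as well, which is the point the article makes about depending on many nodes rather than a few.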

DDoS attacks and the risk of government interference both highlight a fundamental reality – when more nodes secure a network, the network is less dependent on any particular nodes, and that makes it more robust. Prioritizing a few nodes to help reach consensus runs the risk of DDoS attacks, while prioritizing one location runs the risk of government interference.

If blockchain and other distributed ledger technologies are to become ubiquitous, we must understand their limitations, evaluate their security risks, and make choices on our architecture, assuming that the bad guys will be looking for ways to ‘break’ these powerful systems to their advantage as soon as we build them.


Combating DDoS attacks in Asia Pacific: It’s more than just a defence mechanism

Imagine going to the frontlines of a battlefield wielding a sword and shield only to come face to face with the opponent’s fighter jets instead. The fight against DDoS attacks is an arms race in which enterprises have to keep evolving their weapons and defences against cyber felons. As attack rates have grown, so has their impact. Despite an increase in DDoS defence spend, Neustar’s recent study found that 90 percent of organisations were hit by breaches that stemmed from DDoS offensives.

IoT as a DDoS attack tool

Just like the hallmarks of a fighter jet are its speed and manoeuvrability, the emergence of cloud computing and IoT devices has streamlined the infrastructure of today’s connected world. As IoT progressed from a stage of nascence to an enterprise driver capable of maintaining inventory levels, delivering real-time metrics on shipments and powering autonomous vehicles, organisations are left with their hands full in attempts to secure the enterprise value chain.

This year was inevitably a watershed moment in IoT security; headlined in the form of IoT botnet Reaper or IoT Troop. The perpetrators infected over a million organisations worldwide by infiltrating routers and smart devices – far more sophisticated than the 2016 Mirai IoT botnet that exploited weak passwords and infected major websites across the U.S. such as Twitter, Netflix and the New York Times.

What’s more dangerous is that some of these attacks were used as smokescreens to disarm an organisation’s cybersecurity shield while simultaneously causing a temporary relaxation of networking defences to alleviate the effects of the DDoS. Neustar found that more than half (51 percent) of Asia Pacific organisations reported falling prey to viruses stemming from DDoS attacks. As IoT adoption increases, the number of IoT-driven botnets is only set to escalate, presenting attackers with more opportunities to elude detection.

The IoT Culprit

In Asia Pacific, IoT devices remain a tempting target for DDoS attacks – more than 78 percent of enterprises experienced attacks while their IoT devices were in operation. To make matters worse, once attackers get hold of vulnerable IoT devices and exploit the security deficiency, it becomes nearly impossible to prevent infection without issuing a security update or recalling the affected devices. With 89 percent of organisations suffering a breach, including data theft, dangerous ransomware, and network compromise with DDoS attacks, the dream of a connected world might be a disaster in the waiting.

True to its name, the IoT botnet Reaper spreads through the security gaps in IoT software and hardware causing massive destruction at one go – amassing more than 20,000 devices and affecting 2 million hosts that have been identified as potential botnet nodes.

Better Detection = Greater Protection

As attacks scale in complexity, organisations need to prime themselves to be at the vanguard in the fight against cyberattacks. The average organisation needs a couple of hours to definitively detect a DDoS attack with reaction times getting longer – translating to greater vulnerability.

Through an Asia Pacific lens in Singapore, organisations in the financial services sector could be staring at revenue losses upwards of US$15.2m when six hours is taken to respond to a DDoS attack. In Hong Kong, the figure stands at US$29.9m for breaches in the public sector. This threat represents a new reality where the strikes have morphed beyond standard and commonplace into dangerous and continuous. The financial risks alone can extend far beyond a quarter of a billion dollars, which drives home the point that speed in detection and response is an ally to risk mitigation practices.

Neustar found the top three organisational motivations behind DDoS defense investments, namely: preserving customer confidence, prevention of associated attacks including ransomware and proactively strengthening existing protection. It should come as no surprise that those who seek to harm companies use DDoS as a weapon.

There is, however, a silver lining. Businesses are acknowledging this threat by deploying Web Application Firewalls (WAF) that filter, analyse and isolate HTTP traffic that exploits web application security flaws. In fact, 53 percent of respondents have added a WAF to their combat arsenal against DDoS – tripling in number since March 2017.

The future will offer bad actors opportunities to devise craftier ways to launch far more dangerous DDoS attacks capable of distracting IT teams and stymieing forensics. Understanding the right combination of defences is crucial. This can be achieved by working with security consultants to develop strategies, and with law enforcement bodies, to provide maximum protection for stakeholders. Only then will we be able to remain ahead of the curve on the battlefield and defeat the attackers.


PyeongChang Winter Games hit by cyber attack

Although critical operations were not affected by the incident, event organisers at the PyeongChang Winter Olympics had to shut down servers and the official games website to prevent further damage.

The ongoing Winter Olympics in South Korea were hit by a cyber attack that affected internet and TV services last Friday, according to the International Olympic Committee (IOC).

After the attack was detected, event organisers had to shut down servers and take the official PyeongChang Winter Olympics website offline to prevent further damage.

During a press briefing on the sidelines of the global sporting event, IOC spokesperson Mark Adams declined to reveal the source of the attack, noting that the issue had been resolved the next day, according to a Reuters report.

“We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure,” he told reporters.

Cyber security experts had warned of an increase in cyber attacks on the Winter Games using spear phishing e-mails loaded with suspicious links to lure victims into downloading malware in targeted campaigns, such as GoldDragon which took place in December 2017.

According to threat analysts from McAfee, GoldDragon – directed at organisations affiliated with the Winter Olympics – lets attackers access end-user systems and collect data stored on devices and the cloud. The data may include customer and employee financial or personal data, Winter Games related details and trade secrets.

Although critical operations were not affected by last week’s incident, similar attacks had been launched against critical and non-critical systems in past Olympics games.

During the Summer Olympics in London, there were reportedly six major cyber attacks against critical systems, including distributed denial of service attacks on power systems that lasted for 40 minutes. Hacktivists also made calls on social media to launch similar attacks at specific times.

And during the Rio Olympics in 2016, the IOC said it was under regular attack. Phishing emails were also sent to athletes in attempts to steal credentials that could be used to access a World Anti-Doping Agency database.

Japan is already bracing itself for more cyber attacks aimed at the Tokyo Olympics in 2020. For one, the Tokyo 2020 organising committee has been conducting cyber security exercises to simulate potential attacks, both in cities and rural areas.

Cyber security drills would be conducted up to six times a year, rising to 10 in the run-up to Tokyo 2020. The drills, which involve local governments, would also include simulated attacks on mock ticketing websites. Between 300 and 500 people took part in similar exercises in Rio and London.
