Lawmakers want to know when Ajit Pai knew FCC’s cyberattack claim was false

Democratic lawmakers want to know why the agency didn’t inform consumers of the falsity of its claim sooner

A group of House Democrats want to know when FCC Chairman Ajit Pai knew that the agency’s claims of a DDoS attack were false.

Last week, the FCC’s Office of Inspector General released a report that found no evidence to support the claims of DDoS attacks in May of 2017.

The agency had previously blamed multiple DDoS attacks for temporarily taking down a comment section of its website following a segment of Last Week Tonight, in which comedian John Oliver asked viewers to submit comments to the FCC and speak out in support of net neutrality.

However, viewers were unable to voice their opinion on the proposed rollback of net neutrality because the comment submission section wasn’t available at the time.

Now that it has come to light that the agency’s claims of a DDoS attack were false, a handful of Democratic lawmakers want to know when Pai became aware that there was no DDoS attack and why the agency didn’t correct its public statements alleging a DDoS attack before now.

Misrepresented facts

“We want to know when you and your staff first learned that the information the Commission shared about the alleged cyberattack was false,” Democratic lawmakers wrote in a letter to Pai.

“It is troubling that you allowed the public myth created by the FCC to persist and your misrepresentations to remain uncorrected for over a year,” they wrote. The letter was signed by Representatives Frank Pallone Jr. (NJ), Mike Doyle (PA), Jerry McNerney (CA) and Debbie Dingell (MI).

The investigation concluded that FCC officials deliberately misrepresented facts in responses to Congressional inquiries.

“Given the significant media, public and Congressional attention this alleged cyberattack received for over a year, it is hard to believe that the release of the IG’s report was the first time that you and your staff realized that no cyberattack occurred,” wrote the lawmakers.

“Such ignorance would signify a dereliction of your duty as the head of the FCC, particularly due to the severity of the allegations and the blatant lack of evidence.”

The Democratic lawmakers have asked Pai for complete written responses to their questions by August 28. Pai is also scheduled to appear before a Senate Commerce, Science and Transportation Committee oversight hearing on Thursday where he is expected to face questions about the results of the investigation.

Source: https://www.consumeraffairs.com/news/lawmakers-want-to-know-when-ajit-pai-knew-fccs-cyberattack-claim-was-false-081518.html


DDoS attackers increasingly strike outside of normal business hours

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors.

DDoS attacks outside business hours

While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks per day.

While the number of attacks decreased overall – possibly as a result of the DDoS-as-a-service website Webstresser being closed down following an international police operation – both the scale and complexity of the attacks increased. The LSOC registered a 50% increase in hyper-scale attacks (80 Gbps+). The most complex attacks seen used 13 vectors in total.

Link11’s Q2 DDoS Report revealed that threat actors targeted organisations most frequently between 4pm CET and midnight Saturday through to Monday, with businesses in the e-commerce, gaming, IT hosting, finance, and entertainment/media sectors being the most affected.

The report reveals that high volume attacks were ramped up via Memcached reflection, SSDP reflection and CLDAP, with the peak attack bandwidth recorded at 156 Gbps. Other key findings from the Q2 report include:

  • The total duration of attacks during the quarter was 1,221 hours
  • 17% of attacks used two vectors, while 16% used three
  • The most frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%)
  • Memcached was the most used reflection amplification technique, with 773 attacks observed using this technique, highlighting that Memcached is still an issue. The SSDP reflection technique generated the greatest proportion of DDoS packets.


“Attacks in Q2 2018 continued to grow in scale and complexity. Nearly half of attacks were multi-vector, making them harder to defend against, and with the rapid growth in ‘hyper attacks’ with volumes of over 80 Gbps, we must now consider these large, complex attacks to be the new normal,” said Aatish Pattni, Regional Director UK & Ireland for Link11.

“It’s only a matter of time until a new DDoS-for-hire service emerges to replace Webstresser, so attacks will inevitably increase over the coming months. Given the scale of the threat that organizations are facing, and the fact that the attacks are deliberately aimed at causing maximum disruption, it’s clear that businesses need to deploy advanced techniques to protect themselves against DDoS exploits,” added Pattni.

Source: https://www.helpnetsecurity.com/2018/08/15/ddos-attacks-outside-business-hours/


The complete guide to understanding web applications security

Modern businesses use web applications every day to do different things, from interacting and engaging with customers to supporting sales and operations.

As a result, web applications are rich with data and critical to the functioning of the company – which means, special precautions must be taken in order to protect them from hackers.

However, not all organizations or their applications are subject to the same level of threats and attacks. In an exclusive interview with Gartner’s Research Director Dale Gardner, Tech Wire Asia learns how businesses can best protect their web applications.

Gartner splits attacks on web and mobile applications and web APIs into four categories:

# 1 | Denial of service (DoS)

DoS is a specific subtype of abuse where the attacker’s goal is to disrupt the availability of the web application or service.

In particular, this attack type covers volumetric attacks, which overwhelm network capabilities, and so-called “low and slow” attacks, which overwhelm application or service resources.

# 2 | Exploits

Exploits take advantage of design, code or configuration issues that cause unintended behaviour of the application.

Some common examples include SQL Injection (SQLi), cross-site scripting (XSS), buffer overflows, and various Secure Sockets Layer (SSL) and Transport Layer Security (TLS) manipulation attacks.

# 3 | Abuse

Abuse covers many non-exploit types of attack that primarily take advantage of business logic. This includes scraping, aggregating, account brute-forcing, scalping, spamming and other — often automated — scenarios.

# 4 | Access

Access violations occur when an attacker or legitimate user takes advantage of weaknesses in the authentication (AuthN) or authorization (AuthZ) policies of a web application or service.

Of the four categories, Gardner says only exploits can be potentially addressed with secure coding and configuration. The others require design-level considerations that cannot be reasonably compensated for in code.

For example, although it’s arguably possible to defend against account takeovers in individual application code, it is much more economical and error-proof to do so in the identity and access management (IAM) system or another external capability.

In an ideal world, the highest level of protection would be available at all times or as needed, but this isn’t feasible due to complexity and cost factors.

And continuously providing the highest level of protection to all web assets can be an expensive proposition, both from economic and operational perspectives.

Securing web applications and web APIs from attacks and abuse requires businesses to assess what level of protection is necessary.

“Security teams must first pick a protection baseline. Then they must decide what extra protections are necessary to apply to specific assets,” recommends Gardner.

When thinking of protecting web applications, security teams often first look to existing network technologies, such as next-generation firewall (NGFW) platforms and intrusion detection and prevention systems (IDPSs).

But these do not provide strong-enough capabilities in any of the protection areas, warns Gardner.

They are not easily integrated to intercept TLS and do not have the same signatures, rules, behavioral analysis and business logic insight as security solutions that focus on web applications and APIs.

Organizations often first look at a “completely automated public Turing test to tell computers and humans apart” (CAPTCHA) when they suffer from abuse of functionality.

But an always-on CAPTCHA creates user-experience hurdles for legitimate users, and it is also no guarantee to keep the abuser out (attackers keep finding ways to circumvent or solve many CAPTCHAs).

Multifactor authentication (MFA) and out of band (OOB) challenges are often used to enable strong access control, as well as to try to thwart abuse. Unfortunately, they suffer from similar issues as CAPTCHA, and in addition are often complex and expensive to implement.

Currently, no single security platform or solution implements the highest possible level of protection in each of the exploit, abuse of functionality, access violation and DoS mitigation categories.

Some organizations will still be able to start with a single solution to address the biggest potential risks. But they often find themselves needing greater security capabilities over time due to changes in threats and the application landscape.

Web application firewalls (WAFs) are broadly deployed, but buyers routinely express disappointment and frustration over factors such as accuracy, the ability to prevent attacks, the administrative overhead required to maintain attack detection profiles and price.

Incumbent vendors have begun addressing emerging requirements, but many products still lag.

The market for solutions to protect web applications will continue to grow, but given buyer dissatisfaction, vendors with innovative approaches and new product packaging will capture the bulk of new spending.

Buyers are shifting to service-based offerings, and demand for infrastructure as a service (IaaS) deployable products is growing. These shifts pose risks, especially to incumbents, but also present opportunities for new offerings and greater growth.

Gartner believes that by 2020, stand-alone WAF hardware appliances will represent less than 20 percent of new WAF deployments, down from 40 percent today.

By 2020, more than 50 percent of public-facing web applications will be protected by cloud-based WAAP services that combine content delivery networks, DDoS protection, bot mitigation and WAFs, which is an increase from fewer than 20 percent today.

Web applications, mobile applications, and web APIs are subject to increased numbers and complexity of attacks.

Gardner, who will be speaking at the Gartner Security & Risk Management Summit in Sydney later this month explains what organizations must keep in mind when planning and implementing solutions:

  • Public, limited-access external, and internal applications require different levels of security.
  • No one capability covers all types of attack.
  • No two capabilities have interchangeable protection efficacy.
  • Some of the capabilities have strong overlaps in addressing specific attack subcategories.
  • Enforcement of policy may be centralized or distributed (for example, use of micro-gateways).

“As a result, a mix of capabilities, though not necessarily separate products, have to be put in place as a layered approach,” concludes Gardner.

Considering the range of exploits and abuse that can occur with web and mobile applications and web APIs, technical professionals must leverage a mix of externalized security controls to deliver appropriate protection and alleviate burdens to development staff.

Source: https://techwireasia.com/2018/08/the-complete-guide-to-understanding-web-applications-security/


DDoS Attacks Target Partypoker, PokerStars

Major online poker sites partypoker and PokerStars have been disrupted in recent days by apparent DDoS attacks, launched by party or parties unknown at present.

Two of the world’s largest online poker sites, partypoker and PokerStars, have endured periods of downtime and forced cancellations of tournaments in recent days after being targeted by confirmed or suspected DDoS (distributed denial of service) attacks. Both of the attack waves targeted the sites’ global “dot-com” gaming offerings, rather than being launched against their firewalled, single-jurisdiction offerings.

The attacks targeting partypoker began on August 9 and continued into August 11 or 12, with each attack wave consisting of a massive flood of data requests targeting its gaming servers. Partypoker confirmed the DDoS nature of the attacks late on August 9 and updated its customers via social media about the recurring waves and the ongoing mitigation efforts. Partypoker also released a formal statement about the attacks, the cancellation of tournaments, and an ongoing refund process for affected players.

That statement, issued as a formal apology for the unexpected downtime, expressed frustration about the nature of the DDoS attacks, without speculation as to the motive behind them. Tom Waters, partypoker managing director said: “The unfortunate events…were understandably frustrating for our players. After consideration, the decision was taken to pause and then subsequently cancel all affected tournaments.

“Our team worked hard to try to resolve the key issues. As poker players ourselves, we fully understand how frustrating it can be when an online poker room suffers technical issues, and we fully appreciate the considerable patience and understanding shown by our players in light of these difficulties.”

Additional commentary from partypoker

Partypoker received widespread praise from both its players and industry onlookers for its rapid response to the attacks, even as those attacks continued. VegasSlotsOnline received an additional statement from Colette Stewart, partypoker player rep and social specialist, who said: “The recent DDoS attacks were very unfortunate; however, we feel the team have done their very best to communicate and respond to as many of our players as possible during this very frustrating time. We greatly value our relationship with the player community and feel it is vital to be as open and transparent with our players as possible during such issues and, most importantly, ensure that we are available for player feedback and communication.

“In refunding affected players, we have ensured that every single cent collected in buy-ins, bounties, and fees has been refunded to players in addition to honoring the guarantees of tournaments that didn’t make the required entries due to the issues faced.

“All refunds have now been issued and, of course, should players wish to follow up in more detail or ask more questions about their specific refund, they should contact our 24/7 customer service line. The nature of ensuring the refunds were correct led to a delay that we simply hadn’t anticipated. We are sorry that it took us until Sunday to complete the process; however, we refunded players based on their chip stacks at the time that the disruption began and the data evaluation process was complex and took some time to complete.

“Finally, we are all poker players ourselves and fully appreciate the patience and loyalty of our players.”

PokerStars becomes the latest target

About the time the wave of attacks against partypoker ceased, a new wave of apparent DDoS attacks began targeting PokerStars. That attack wave started on August 12; Stars has not confirmed that these were explicitly DDoS attacks, but the recurring and intermittent nature of the “technical issues,” including forced disconnections affecting legitimate players, bears all the hallmarks of another DDoS attack.

Like partypoker and a third, smaller network (the Winning Poker Network) that also suffered several waves of DDoS attacks earlier in August, PokerStars has attempted to keep its players informed on the situation via social media.

“Apologies to all our players for the recent issues on PokerStars,” reads one of the site’s official Twitter posts, after nearly two days of the “technical issues.” “The players affected by this morning’s issues have already been credited & we aim to refund players affected by yesterday’s problems, with their equity at the time of disconnection, within 72 hours.”

Extortion central to most DDoS attacks

Modern DDoS attacks typically employ tens or hundreds of thousands of “zombie” computers — virus-laden devices scattered around the globe — that are commanded in harmony to send data requests to the targeted site to slow traffic to a crawl and make it useless for gambling-business activities. The “DDoS” moniker is commonly used to label several different forms of traffic-based online attacks designed to cripple the target site’s activity.

DDoS attacks have been an intermittent but occasionally recurring threat that has existed since online gambling’s earliest days. Similar attacks have targeted other forms of online commerce as well. Extortion, in the form of a promise to halt the attacks when the target pays a ransom to the attacker or attackers, is the most common motive behind the attacks.

One twist frequently seen in recent years is a demand by the blackmailers that payments be made in hard-to-trace cryptocurrencies such as Bitcoin. Whether a site victimized by an attack has made such a payment is virtually never disclosed in public, especially by publicly-traded firms. Most websites and networks impacted by such attacks incur heavy losses due to downtime and increased customer-service cost, but would rather incur that form of operating expense rather than give in to any kind of blackmail.

Source: http://www.vegasslotsonline.com/news/2018/08/14/ddos-attacks-target-partypoker-pokerstars/


How to Improve Website Resilience for DDoS Attacks – Part II – Caching

In the first post of this series, we talked about the practices that will optimize your site and increase your website’s resilience to DDoS attacks. Today, we are going to focus on caching best practices that can reduce the chances of a DDoS attack bringing down your site.

Website caching is a technique to store content in a ready-to-go state so that little or no code processing is needed to serve it. When a CDN is in place, the cache stores the content in a server location closer to the visitor. It’s basically a point-in-time photograph of the content.

Caching

When a website is accessed, the server usually needs to compile the website code, display the end result to the visitor, and provide the visitor with all the website’s assets. This all takes a toll on your server resources, slowing down the total page load time. To avoid this overhead, it’s necessary to leverage certain types of caching whenever possible.

Caching not only improves load-time indicators such as time to first byte (TTFB), it also saves your server resources.

Types of Caching

There are all sorts of caching types and strategies, but we won’t cover them all. In this article, we’ll approach three that we see most in practice.

Static Files

The first type is the simplest one, called static files caching.

Images, videos, CSS, JavaScript, and fonts should always be served from a content delivery network (CDN). These network providers operate thousands of servers, spread out across global data centers. This means they can deliver more data much faster than your server ever could on its own.

When using a CDN, the chances of your server suffering from bandwidth exhaustion attacks are minimal.

Your website will also be much faster given the fact that a large portion of website content is composed of static files, and they would be served by the CDN.

Page Caching

This is definitely the most powerful type of cache. Page caching converts your dynamic website into static HTML pages when possible, making the website a lot faster and decreasing server resource usage.

A while ago, I wrote an article about Testing the Impacts of Website Caching Tools.

In that article, with the help of a simple caching plugin, the web server was able to provide 4 times more requests using ¼ of the server resources when compared to the test without the caching plugin.

However, as you may know, not every page is “cacheable”. This leads us to the next type…

In-Memory Caching

By using software such as Redis or Memcached, your website will be able to retrieve part of your database information straight from the server memory.

Using in-memory caching improves the response time of SQL queries. It also decreases the volume of read and write operations on the web server disk.

All kinds of websites should be able to leverage in-memory caching, but not every hosting provider supports it. Make sure your hosting does before trying to use such technology.
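As an added illustration of the page-caching and in-memory-caching ideas above (this is not code from the original post; it assumes an in-process dictionary standing in for Redis, Memcached or a CDN edge cache, and a `CountingOrigin` stub standing in for the dynamic application), the following Python models a cache-aside page cache with the cacheability rules a shared cache needs, and counts how many requests in a burst actually reach the application. It also shows why “not every page is cacheable”: personalised (session-cookie) requests and `Set-Cookie`/`private` responses are bypassed so one user’s page is never served to another.

```python
"""Cache-aside page cache with cacheability rules (added example, not the post's code)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def is_cacheable_request(req: Request) -> bool:
    """Only anonymous GETs are candidates for a shared cache.

    A request carrying a session cookie is personalised, so serving a shared
    copy would leak one visitor's page to another.
    """
    if req.method != "GET":
        return False
    return "session=" not in req.headers.get("Cookie", "")


def is_cacheable_response(resp: Response) -> bool:
    """Store only successful, non-private responses that set no cookie."""
    if resp.status != 200 or "Set-Cookie" in resp.headers:
        return False
    cache_control = resp.headers.get("Cache-Control", "")
    return "no-store" not in cache_control and "private" not in cache_control


class FakeClock:
    """Deterministic clock so the simulation below is repeatable."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class PageCache:
    """Cache-aside layer: serve the stored snapshot while it is fresh, else render."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        # key -> (expiry timestamp, response); a Redis/Memcached client fits here
        self.store: Dict[Tuple[str, str], Tuple[float, Response]] = {}
        self.hits = self.misses = self.bypasses = 0

    def handle(self, req: Request, origin: Callable[[Request], Response]) -> Response:
        if not is_cacheable_request(req):
            self.bypasses += 1          # personalised: always render
            return origin(req)
        key = (req.method, req.path)    # add query string / Vary headers as needed
        entry: Optional[Tuple[float, Response]] = self.store.get(key)
        now = self.clock()
        if entry is not None and entry[0] > now:
            self.hits += 1              # fresh snapshot: the app is not touched
            return entry[1]
        self.misses += 1
        resp = origin(req)
        if is_cacheable_response(resp):
            self.store[key] = (now + self.ttl, resp)
        return resp


class CountingOrigin:
    """Stands in for the dynamic application; every call is an expensive render."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, req: Request) -> Response:
        self.calls += 1
        personalised = "session=" in req.headers.get("Cookie", "")
        headers = {"Cache-Control": "private" if personalised else "public, max-age=60"}
        who = "user" if personalised else "anon"
        return Response(200, f"<html>{req.path} for {who}</html>", headers)


def simulate_burst(num_requests: int, ttl_seconds: float = 60.0) -> Dict[str, int]:
    """Constructed burst: every request fetches the front page 10 ms apart,
    and every tenth request comes from a logged-in visitor."""
    clock, origin = FakeClock(), CountingOrigin()
    cache = PageCache(ttl_seconds, clock.now)
    for i in range(num_requests):
        headers = {"Cookie": "session=abc"} if i % 10 == 9 else {}
        cache.handle(Request("GET", "/", headers), origin)
        clock.advance(0.01)
    return {"origin_calls": origin.calls, "hits": cache.hits,
            "misses": cache.misses, "bypasses": cache.bypasses}


if __name__ == "__main__":
    print(simulate_burst(1000))  # 1000 requests, only 101 reach the application
```

Under a flood of anonymous requests the origin renders the page once per TTL window, so the request volume the application must absorb shrinks to the personalised traffic plus one render per TTL expiry.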

Conclusion

We highly recommend using caching wisely in order to spare your server bandwidth and to make your website work faster and better.

Our Website Application Firewall (WAF) provides a variety of caching options that can suit your website needs. It also works as a CDN, improving your website performance. Not only do we protect your website from DDoS attacks, but we also make it up to 90% faster with our WAF.

We are still planning to cover other best practices about how to improve website resilience for DDoS attacks in other posts. Subscribe to our email feed and don’t miss our educational content based on research from our website security team.

Source: https://securityboulevard.com/2018/08/how-to-improve-website-resilience-for-ddos-attacks-part-ii-caching/


Even ‘Regular Cybercriminals’ Are After ICS Networks

A Cybereason honeypot project shows that ordinary cybercriminals are also targeting weakly secured environments.

Contrary to what some might perceive, state-backed groups and advanced persistent threat (APT) actors are not the only adversaries targeting industrial control system (ICS) environments.

A recent honeypot project conducted by security firm Cybereason suggests that ICS operators need to be just as concerned about ordinary, moderately skilled cybercriminals looking to take advantage of weakly secured environments as well.

“The biggest takeaway is that the threat landscape extends beyond well-resourced nation-state actors to criminals that are more mistake-prone and looking to disrupt networks for a payday,” says Ross Rustici, senior director of intelligence services at Cybereason. “The project shows that regular cybercriminals are interested in critical infrastructure, [too].”

Cybereason’s honeypot emulated the power transmission substation of a major electricity provider. The environment consisted of an IT side, an operational technology (OT) component, and human-machine interface (HMI) management systems. As is customary in such environments, the IT and OT networks in Cybereason’s honeypot were segmented and equipped with security controls that are commonly used by ICS operators.

To lure potential attackers to its honeypot, Cybereason used bait such as Internet-connected servers with weak passwords and remote access services such as RDP and SSH enabled. But the security firm did not do anything else besides that to promote the honeypot.

Even so, just two days after the honeypot was launched a threat actor broke into it and installed a toolset designed to allow an attacker and a victim to use the same access credentials to log into a machine via Remote Desktop Protocol (RDP). The toolset, commonly found on compromised systems advertised on xDedic, a Russian-language cybercrime market, suggested that the threat actor planned to sell access to Cybereason’s honeypot to others.

The threat actor also created additional user accounts on the honeypot in another indication that the servers were being prepared for sale to other criminals. “The backdoors would allow the asset’s new owner to access the honeypot even if the administrator passwords were changed,” Cybereason said in a blog describing the results of its honeypot project.

Cybereason deliberately set up the honeypot with relatively weak controls so it would take little for the attacker to break into it by brute-forcing the RDP, Rustici says. The skill level to prepare the server for sale was also fairly rudimentary and could have been accomplished by a high-level script kiddie.

Slightly more than a week after the initial break-in, Cybereason researchers observed another threat actor connecting to the honeypot via one of the backdoor user accounts. In this instance, the attacker was focused solely on gaining access to the OT environment. The threat actor’s scanning activities and lateral movement within the honeypot environment were focused on finding a way to access the HMI and OT environments.

The threat actor showed no interest in activities such as using the honeypot for cryptomining, launching DDoS attacks, or any of the other activities typically associated with people who buy and sell access to compromised networks.

The adversary’s movements in the honeypot suggested a high degree of familiarity with ICS networks and the security controls in them, Cybereason said. At the same time, the attackers, unlike more sophisticated adversaries, also raised several red flags that suggested a certain level of amateurishness on their part.

“The way they operated makes us think this group was a mid- to high-level cybercrime group,” Rustici says. “Based on their capabilities, it is likely they were either trophy hunting to improve their reputation or looking for a ransom payday.”

The data from the honeypot project shows attackers have a new way of sourcing ICS assets, Cybereason noted. Rather than select, target, and attack a victim on their own, adversaries can simply buy access to an already compromised network.

Source: https://www.darkreading.com/vulnerabilities—threats/even-regular-cybercriminals-are-after-ics-networks/d/d-id/1332505


Report Looks at Future Trends in Cyber Security

The Future Today Institute, an organization that provides forecasts about how emerging technology will disrupt business and transform the workforce, has once again looked into its crystal ball—and cyber security executives might not be thrilled with the predictions.

In its 2018 Tech Trends Report, the institute said organizations and individuals can expect to see more sophisticated data breaches, advanced hacker tactics, and targeted ransomware against devices in offices and homes.

Here are some of the key security-related prognostications:

  • The historical tension between the security and privacy domains will unleash new challenges this year, the report said. Individuals are providing more data each day, and as more connected devices enter the marketplace the volume of available data will continue to rise. But the companies making devices and managing consumer data are not planning for future scenarios, and off-the-shelf compliance checklists will not be sufficient. Managers will need to develop and constantly update their security policies and make the details transparent. Today, most organizations aren’t devoting enough budget to securing their data and devices, the report said.
  • Distributed denial of service (DDoS) attacks will increase. In the past few years the number of DDoS attacks has spiked, the report said. The U.S. was hit with 122 million DDoS attacks between April and June 2017 alone. One of the more notable DDoS incidents was a massive attack that shut down many leading Internet sites, caused by the Mirai botnet and hitting Dyn, a company that controls a large portion of the Internet domain name system infrastructure. Cyber criminals are leveraging more sophisticated tools, and that means future attacks will be larger in scope and could have greater impact.
  • Ransomware will continue to be a threat with the growth of cryptocurrencies. Ransomware attacks, including WannaCry, Petya, and NotPetya, spread during 2017. In England, WannaCry shut down systems in dozens of medical centers, which resulted in hospitals diverting ambulances and 20,000 cancelled appointments. Because cash and online bank transfers are easy to track, the currency of choice for ransomware attacks is bitcoin, which moves through an encrypted system and can’t be traced. The rise of blockchain and cryptocurrencies has transformed ransomware into a lucrative business, according to the report. Just backing up data will probably not be enough of a measure against these attacks.
  • Russia will remain a big source of hacker attacks. The country is home to the world’s most gifted and prolific hackers, who are motivated both by a lack of economic opportunity and weak law enforcement, according to the report. In the past two years it has become clear that Russia’s military and government intelligence agencies are eager to put home-grown hackers to work, infiltrating the Democratic National Committee, Olympic organizations and European election commissions, it said.
  • Zero-day exploits will be on the rise. These attacks are dangerous, and finding vulnerabilities is a favorite activity of malicious hackers, the report noted. A number of zero-day exploits have been lying dormant for years—and two emerged late in 2017. A flaw found on chips made by Intel and ARM led to the realization that virtually every Intel processor shipped since 1995 was vulnerable to two new attacks called Spectre and Meltdown.
  • There will be more targeted attacks on digital assistants. Now that digital assistants such as Alexa, Siri, and Cortana have moved from the fringe to the mainstream, expect to see targeted attacks, the report said. Whether they target the assistants or their hardware (Amazon Echo, Apple HomePod, Google Home), it’s clear that these platforms are the next frontier in hacking.
  • In the wake of several hacking attacks during elections around the world, several government agencies are now making public their plans to hack offensively, according to the report. The U.K.’s National Health Service has started hiring white hat hackers to safeguard it against a ransomware attack such as WannaCry, which took the nation’s health care system offline. Singapore’s Ministry of Defense is hiring white hat hackers and security experts to look for critical vulnerabilities in its government and infrastructure systems. And in the U.S., two agencies responsible for cyberwarfare—the U.S. Cyber Command and the National Security Agency—are looking to leverage artificial intelligence (AI) as a focus for the U.S. cyber strategy.
  • Also thanks to advancements in AI, one of the big trends in security is automated hacking—software designed to out-hack human hackers. The report said the Pentagon’s research agency DARPA launched a Cyber Grand Challenge project in 2016, with a mission to design computer systems capable of beating hackers at their own game. The agency wanted to show that smarter automated systems can reduce the response time—and develop fixes in system flaws—to just a few seconds. Spotting and fixing critical vulnerabilities is a process that can take human hackers months or even years to complete, the report said.

Source: https://securityboulevard.com/2018/08/report-looks-at-future-trends-in-cyber-security/

Sinking feeling: Hacktivist rescued by Disney cruise ship convicted for DDoS attacks against health facilities

It was not a fairy-tale ending in court yesterday for a criminal hacktivist who had to be rescued by a Disney Cruise Line ship in 2016, after attempting to flee to Cuba to escape charges of attacking two health care providers.

Martin Gottesfeld, 32, of Somerville, Mass., was convicted in his home state yesterday of one count of conspiracy to damage protected computers and one count of damaging protected computers, for launching distributed denial of service (DDoS) attacks against Boston Children’s Hospital and the Wayside Youth & Family Support Network, a health counseling and family support services provider in Framingham, Mass.

For the conspiracy charge, Gottesfeld faces a maximum of five years in prison, up to three years of supervised release, and a fine of $250,000 plus restitution. The charge of damaging protected computers carries a penalty of no more than 10 years in prison, up to three years of supervised release, and a fine of up to $250,000.

According to a press release from the Massachusetts U.S. Attorney’s Office, Gottesfeld in 2014 launched a DDoS assault against Wayside, disrupting the non-profit’s network for a week and costing the organization $18,000. Later that year, he executed another attack against Boston Children’s Hospital, using a botnet composed of roughly 40,000 compromised routers. The blitz not only knocked his intended target offline, but also several more hospitals in the Longwood Medical Area. Boston Children’s Hospital’s network was disrupted for at least two weeks, resulting in approximately $600,000 in repairs and lost donations.

As cyber investigators closed in on Gottesfeld, he fled with his wife by boat on Feb. 16, 2016. But when the vessel became stranded at sea, the couple placed a distress call for help. A Disney Cruise Line ship picked up the couple and dropped them off in Miami, where Gottesfeld was arrested.

DOJ officials say that Gottesfeld identified himself as a member of the hacking group Anonymous, and launched the attack on Boston Children’s Hospital in protest of how the medical facility had handled a high-profile custody case.

Source: https://www.scmagazine.com/sinking-feeling-hacktivist-rescued-by-disney-cruise-ship-convicted-for-ddos-attacks-against-health-facilities/article/785468/

10 Big Security Concerns About IoT For Business (And How To Protect Yourself)

In recent years, the Internet of Things (IoT) has vastly changed the way we view, use and interact with smart devices, especially in the business world. Internet-connected virtual assistants, appliances, security systems and more can all communicate and coordinate with each other, allowing business owners to automate and streamline mundane, time-consuming activities.

But for all the conveniences IoT devices afford us, there’s still one major concern that users need to consider: security. Anything that’s connected to the internet has the potential to be hacked and misused. This is especially unsettling considering the amount of personal data IoT devices collect and use.

Members of Young Entrepreneur Council discussed their top security concerns related to IoT, as well as how they’re protecting their businesses and customers.

1. Default ‘Raw Data’ Storage

Many developers default to saving data in raw form, provided they have the storage capacity to do so. But in an age when federal law enforcement officers choose to follow unconstitutional orders, storing data can be life-threatening. Whether a company sells a product to law enforcement officers or merely retains data that could be subpoenaed, evaluating how IoT devices and the data they collect can be used to endanger people is a part of modern risk assessment. Setting clear policies on anonymizing user data, as well as data retention, can help limit potential problems. But if you work with a homogeneous team, you won’t be equipped to see how some data may be used. While consultants can help on this point, hiring diversely is more effective and less expensive. – Thursday Bram, The Responsible Communication Style Guide

2. Insecure Devices

Software security is a fundamental problem for the Internet of Things. Before the IoT, businesses had to worry about updating their servers, content management systems, and desktop computers. Today, they have to worry about updating everything from connected coffee machines to security cameras. Businesses are bringing insecure devices into their networks, and then failing to update the software. Failing to apply security patches is not a new phenomenon, but insecure IoT devices with a connection to the open internet are a disaster waiting to happen. Criminals can hack insecure security cameras, for example, and use them as beachheads to access the rest of the company’s network or combine thousands together into botnets to launch devastating DDoS attacks. – Vik Patel, Future Hosting

3. Trolls And Bad Players

One of the most notorious examples of IoT and security involves a troll who managed to send white supremacist literature to online printers all over the world simultaneously. This action showed both the overwhelming reach that this new technology holds and its vast potential for corruption. This single action terrified me more than any other exploit, leak, or hack since it showed me how vulnerable we are to those who may want to use this technology for evil purposes. To prevent this, I have adopted IoT technology sparingly and only after an exhaustive vetting process. Despite all of the amazing possibilities this phenomenon can provide, I just can’t trust its security and the intentions of those around me. I’ve passed this paranoia on to my clients, and they seem to appreciate my concern. – Bryce Welker, Crush The LSAT

4. Surveillance

With devices all around us, all collecting data, all accessible remotely, there is a new ability to measure and monitor individuals’ and groups’ behavior. Organizations have to have a new level of protective measures to ensure this data cannot be hacked into from the outside. Two key aspects are network security and the encryption of the data. You can go to providers such as Cisco, Bayshore Networks, or Senrio to get new levels of network security. For encryption, look to providers such as Cisco, Entrust Datacard, Gemalto, HPE, Lynx Software Technologies and Symantec. There are many limitations to securing IoT devices, so you’ll need to find solutions that work best for your organization and specific device types. – Baruch Labunski, Rank Secure

5. Lack Of Updates

Without a verified update cycle, most IoT devices will eventually get hacked. It may not be in one year, but it could happen as devices get several years old. It is not uncommon to see devices five to seven years old in use in offices and at home. After many years, the original manufacturer could be out of business. Even if in business, their teams could have moved on to other projects and lack support of the product. Thus, the reliability of future updates is at stake. When purchasing IoT devices, we try to pinpoint manufacturers who we believe will be around for years to come and have proven to update older products when there is an issue. – Peter Boyd, PaperStreet Web Design

6. Data Breaches

As we have learned from the recent Facebook debacle and the millions of personal data records that it has shared with its partners, the IoT faces a similar threat as more and more devices join the network and share data. Millions of data points will be collected as devices track our every behavior (for example, from when we wake up to how many times we open our refrigerator door), and this data can potentially be shared among a number of different network participants. Unlike Facebook, which is a single entity that controls most of the data, the IoT will see various major players. Managing (and protecting) users’ private data will be a challenge new to this industry. – Diego Orjuela, Cables & Sensors

7. Compliant Data Storage

The Internet of Things is generating a huge amount of data that must be processed and stored. Millions of devices will generate petabytes of data, some of which will be linked to identifiable individuals. Canada (PIPEDA) and Europe (GDPR) — and the U.S. to a more limited degree — have regulatory regimes around the privacy of personal data and the penalties can be devastating. As businesses collect more data via the IoT, they must take care not to suck up personal data without storing it securely and in accordance with international privacy standards. As a server hosting provider with data centers in Canada, Europe, and the US, we are compliant with the GDPR and implement a huge range of server, network, and physical security measures to ensure that data is kept safe. – Justin Blanchard, ServerMania Inc.

8. DDoS Attacks

The rise of IoT has meant there’s a huge amount of internet-connected computing power that simply didn’t exist before. If hackers can gain access to insecure devices, they can take down huge portions of the internet by simply hammering servers with relentless requests from thousands or millions of connected devices (DDoS, or distributed denial-of-service). Even if you’re not an IoT company, you probably rely on the services that will be the targets: Amazon AWS, Google Cloud, GitHub, or Facebook, all of which have a big target on their back and all of which are now providing critical infrastructure to businesses. You should always have a Plan B, or at the very least an elegant fallback for if and when you lose access to key technological components of your software setup. – Tim Chaves, ZipBooks Accounting Software
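Both the Gottesfeld story above (a 40,000-router botnet flooding hospital networks) and this item describe the same failure mode: a flood of requests from a large number of compromised devices. The following is an added example, not code from either article or from any of the companies quoted, of the first check a defender runs against an access log: bucket requests per client address into fixed windows and flag the sources whose peak rate is far above anything a human visitor produces. The log lines are constructed (reserved TEST-NET addresses, Combined Log Format) and the 100 requests/minute threshold is an assumed starting point to be tuned per site.

```python
"""Flag volumetric flood sources in web-server access logs (added example).

Hypothetical detector: groups requests by client IP into fixed time windows and
reports sources whose peak request rate exceeds a threshold, plus the share of
all traffic those sources generate. The sample below is constructed; point
flood_sources() at real log lines to use it.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: IP ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request) or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def flood_sources(lines, window_seconds=60, threshold=100):
    """Count requests per (ip, window). Return ({ip: peak requests in one window}
    for every IP whose peak exceeds `threshold`, fraction of all parsed requests
    those IPs account for)."""
    per_window = Counter()
    total = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip unparseable lines rather than crash mid-incident
            continue
        ip, ts, _ = parsed
        bucket = int(ts.timestamp()) // window_seconds
        per_window[(ip, bucket)] += 1
        total += 1
    peak = defaultdict(int)
    for (ip, _), n in per_window.items():
        peak[ip] = max(peak[ip], n)
    flagged = {ip: n for ip, n in peak.items() if n > threshold}
    flagged_requests = sum(n for (ip, _), n in per_window.items() if ip in flagged)
    share = flagged_requests / total if total else 0.0
    return flagged, share


def constructed_sample():
    """Constructed log: three hypothetical bot addresses (TEST-NET-3) hammer one
    URL at 300 ms intervals, five ordinary clients (TEST-NET-2) browse normally."""
    base = datetime(2018, 8, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, path):
        return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 '
                f'"-" "Mozilla/5.0"')

    lines = []
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        for i in range(150):
            lines.append(line(ip, base + timedelta(milliseconds=300 * i), "/search?q=x"))
    for n in range(5):
        for i in range(5):
            lines.append(line(f"198.51.100.{n}", base + timedelta(seconds=10 * i + n),
                              f"/page/{i}"))
    return lines


if __name__ == "__main__":
    flagged, share = flood_sources(constructed_sample())
    for ip, n in sorted(flagged.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: peak {n} requests/minute")
    print(f"flagged sources account for {share:.0%} of requests")
```

Per-source rate is only a first filter: a botnet the size of the one in the Gottesfeld case spreads its load thinly enough that individual addresses may stay under any sane threshold, which is why the share figure matters more than the list of addresses. If the flagged set is small but the share is high you can block at the edge; if the share is low while the server is still down, the attack is distributed and the mitigation has to move upstream to the provider or a scrubbing service.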

9. Sensitive Data Storage

To be honest, I’m not sure if there is anything anyone can do to stop the world’s best hackers. Many of them are even capable of hacking into government systems. I take a different approach of not storing super sensitive data in our own database. For example, my e-commerce company does not store credit card information in our database. Even when you offer a recurring billing service, you can always store that sensitive info in a payment gateway’s server (Braintree, PayPal Pro, Authorize.net, etc.). This will allow you to manage recurring billing services without needing to save credit card data on your server, further protecting this information in the event of a data breach. – Shu Saito, All Filters LLC
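The pattern described in item 9, keeping only a gateway token and never the card number, only works if nothing can write a raw number into the database by accident. Below is an added example, not code from the post or from any gateway's SDK, of the guard a practitioner would put in front of the billing table: the record holds an opaque token plus display metadata, and every string field is scanned for a Luhn-valid 13 to 19 digit sequence before it is persisted, so a developer passing the card number where the token belongs gets an exception instead of a PCI incident. The field names, the `tok_` token format and the in-memory dict standing in for the table are assumptions.

```python
"""Store only a payment-gateway token, never the card number (added example).

Hypothetical code: the billing record carries a gateway token plus safe display
metadata, and save_billing_profile() refuses to persist any field that contains
a Luhn-valid 13-19 digit run, the shape of a primary account number (PAN).
"""
import re
from dataclasses import dataclass, asdict

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by card networks; `digits` is a string of 0-9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """True if the string contains a 13-19 digit sequence that passes Luhn."""
    for m in DIGIT_RUN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return True
    return False


class PanLeakError(ValueError):
    """Raised when card-number-like data is about to be written to storage."""


@dataclass
class BillingProfile:
    customer_id: str
    gateway_token: str   # opaque reference issued by the gateway (assumed "tok_..." format)
    brand: str           # e.g. "visa"; safe display metadata
    last4: str           # last four digits only; permitted for display under PCI DSS


def save_billing_profile(profile, db):
    """Persist `profile` into `db` (a dict standing in for the billing table)
    after checking every field for PAN-shaped data. Fails closed."""
    record = asdict(profile)
    for field, value in record.items():
        if looks_like_pan(str(value)):
            raise PanLeakError(f"field {field!r} contains card-number-like data")
    db[profile.customer_id] = record
    return record


if __name__ == "__main__":
    table = {}
    save_billing_profile(BillingProfile("cust_42", "tok_9f3Ka7", "visa", "1111"), table)
    print("stored:", table["cust_42"])
    try:
        # 4111 1111 1111 1111 is a publicly documented test card number
        save_billing_profile(BillingProfile("cust_43", "4111-1111-1111-1111", "visa", "1111"), table)
    except PanLeakError as e:
        print("rejected:", e)
```

The check is a heuristic: about one in ten random 13 to 19 digit numbers passes Luhn, so a millisecond timestamp or an order number can trip it. That is the right direction to fail in for a billing table, and the fix on a false positive is to store such values as integers or in a column the guard does not scan, not to loosen the guard. Recurring charges are then made by sending the token back to the gateway, which is the only party that ever holds the card number.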

10. Smartphone Security

While my business is about SMS marketing rather than IoT, the common denominator is the widespread use of smartphones. I always urge my clients and employees to be vigilant about safeguarding their phones and apps as this is the entry point hackers often use to gain access to private data. Be sure to use secure passwords and be careful about who you share them with. Be cautious about downloading apps connected to smart devices. Make sure the vendor is trustworthy and be careful about the permissions you set on your apps. When it comes to IoT, you might also want to think about how much automation you really need. Sometimes it just makes your life more complicated, as well as less secure, to have everything connected and automated. – Kalin Kassabov, ProTexting

Source: https://www.forbes.com/sites/theyec/2018/07/31/10-big-security-concerns-about-iot-for-business-and-how-to-protect-yourself/#4bd33ebe7416

Researchers Uncover Massive Malvertising Operation

While analyzing recent drive-by download attacks, security researchers have uncovered a large malvertising operation that infiltrates the legitimate online ad ecosystem and abuses more than 10,000 compromised websites.

Malicious advertising, or malvertising, is the practice of displaying rogue ads on legitimate websites without their owners’ consent or knowledge. This has been a very popular attack vector for many years and even led to an investigation by the U.S. Senate in 2014.

In response, ad networks, which are responsible for delivering ads to content publishers, have strengthened their defenses against fraud and abuse, but as researchers from Check Point recently found, cybercriminals still find ways to bypass those checks on a large scale.

In addition to scams and scareware, malicious ads are frequently used to direct unsuspecting users to exploit kits, web-based attack tools that attempt to exploit vulnerabilities in browsers or their plug-ins. Flash Player, Java and Silverlight have been common targets over the years.

Exploit kits are not as popular with cybercriminals as they used to be, because the targeted applications have incorporated sandboxing and other mechanisms that make exploitation more difficult. However, they’re still around and new ones are being created.

“Check Point Research has uncovered a large Malvertising campaign that starts with thousands of compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content, via multiple Exploit Kits,” researchers from the security company said in a new report.

The researchers uncovered that a single threat actor, whom they dubbed Master134, is in control of more than 10,000 compromised websites. The sites all run an older version of WordPress that is vulnerable to remote code execution.

The threat actor appears to be posing as a publisher and sells ad space on these compromised websites through a large advertising network called AdsTerra. In turn, that ad space is bid on and bought through AdsTerra by several other reseller companies, which then sell it to advertisers who turn out to be almost exclusively cybercriminal groups that operate exploit kits.
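From the site owner's side, the chain above shows up as a page that loads script or iframe tags from origins the owner never approved. The following is an added example, not code from Check Point's report or from any of the companies named, of a check that parses a served page, resolves every external `<script src>` and `<iframe src>` to its origin, reports the ones missing from the owner's allowlist, and emits the Content-Security-Policy directives that would make the browser block them. The sample HTML, the allowlist and all hostnames are constructed using reserved example domains.

```python
"""Audit a served page for unexpected third-party script and frame origins
(added example). Hypothetical check: a compromised site serving injected ad tags
loads code from origins the owner never approved. Parse the HTML, collect the
origin of each external script/iframe, diff against an allowlist and build the
CSP directives that would block anything else. Sample input is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.scripts, self.frames = [], []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if not src:
            return
        if tag == "script":
            self.scripts.append(src)
        elif tag == "iframe":
            self.frames.append(src)


def origin_of(url, page_origin):
    """Reduce a src URL to scheme://host. Relative paths belong to the page;
    protocol-relative URLs (//host/x) inherit the page's scheme."""
    p = urlparse(url)
    if not p.netloc:
        return page_origin
    scheme = p.scheme or page_origin.split("://")[0]
    return f"{scheme}://{p.netloc.lower()}"


def audit_page(html, page_origin, allowed_origins):
    """Return ({directive: sorted unexpected origins}, csp_header_value)."""
    c = SrcCollector()
    c.feed(html)
    found = {
        "script-src": {origin_of(s, page_origin) for s in c.scripts},
        "frame-src": {origin_of(f, page_origin) for f in c.frames},
    }
    allowed = set(allowed_origins) | {page_origin}
    unexpected = {k: sorted(v - allowed) for k, v in found.items()}
    parts = []
    for directive, origins in found.items():
        # 'self' covers the page's own origin; add only approved third parties actually in use
        sources = ["'self'"] + sorted(o for o in origins if o in allowed and o != page_origin)
        parts.append(f"{directive} {' '.join(sources)}")
    return unexpected, "; ".join(parts)


# Constructed page: one approved CDN, plus an injected ad tag and two ad frames.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="//ads.example.org/tag.js"></script>
</head><body>
<iframe src="https://ads.example.org/frame?id=1"></iframe>
<iframe src="https://video.example.net/player"></iframe>
</body></html>"""

PAGE_ORIGIN = "https://www.example.com"          # assumed site origin
ALLOWLIST = ["https://cdn.example.net"]          # assumed approved third parties

if __name__ == "__main__":
    unexpected, csp = audit_page(SAMPLE_HTML, PAGE_ORIGIN, ALLOWLIST)
    for directive, origins in unexpected.items():
        for o in origins:
            print(f"unexpected {directive}: {o}")
    print("Content-Security-Policy:", csp)
```

This only sees what is in the static HTML. An approved ad network that is reselling its inventory to an exploit-kit operator delivers the malicious creative at runtime through a tag that is on the allowlist, so the check catches an injected tag on a compromised site (the Master134 case) but not a bad ad served through a legitimate partner. Deploying the generated policy with a `report-uri` or `report-to` endpoint closes that gap partially: the browser reports every load the policy blocks, which is how redirects to origins outside the chain become visible.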

This seems to be a full abuse of the advertising supply chain and it’s not clear if the advertising companies involved are having their security checks bypassed or are intentionally turning a blind eye to the malicious activity.

“Indeed, threat actors never cease to look for new techniques to spread their attack campaigns, and do not hesitate to utilize legitimate means to do so,” the researchers said. “However, when legitimate online advertising companies are found at the heart of a scheme, connecting threat actors and enabling the distribution of malicious content worldwide, we can’t help but wonder – is the online advertising industry responsible for the public’s safety? Indeed, how can we be certain that the advertisements we encounter while visiting legitimate websites are not meant to harm us?”

Unfortunately, malvertising is likely to remain a common attack vector for years to come, if not to direct users to exploit kits, then to trick them into downloading potentially unwanted applications. Malicious and annoying advertisements are frequently cited as the primary reasons for users installing ad blockers in their browsers, which hurts the entire online ecosystem and content creators in particular.

Source: https://securityboulevard.com/2018/07/researchers-uncover-massive-malvertising-operation/