Are Hackers Winning The Denial Of Service Wars?

Distributed denial of service (DDoS) attacks are a particularly pernicious form of cyberattack where the bad actor seeks to take down a web site or even an entire corporate network by flooding it with malicious traffic.

DDoS attacks have been around for years – and many cybersecurity vendors have risen to the challenge, bringing increasingly sophisticated DDoS mitigation technologies to market.

The bad actors’ response is woefully predictable: increasingly advanced approaches to DDoS, leading to an escalating cat-and-mouse game, as enterprises and governments seek to stay ahead of the deluge of bad traffic hitting their networks.

Bring in the Bots

DDoS attackers use numerous Internet protocols, from the HTTP at the core of the web to simpler, lower-level protocols that do little more than request a brief acknowledgement from a server as part of an ongoing interaction. Request too many acknowledgements at one time, however, and the server can bog down.

At the next level of sophistication, hackers send such malicious requests from a ‘spoofed’ IP address, fooling the target server into sending a response to a different server, which is the true target. In this way, hackers dupe unwitting organizations into playing a role in the attack, while the victim only sees traffic from presumably trustworthy sites or services, thus amplifying the effect of an attack by a factor of one hundred or more.

DDoS attacks, however, have reached an even higher level of sophistication, as hackers are now able to compromise millions of computers, smartphones, and even Internet of Things (IoT) devices like security cameras and baby monitors, recruiting these devices into botnets that can launch increasingly massive, unpredictable attacks on global targets.

To make matters even worse, DDoS technology is simple and inexpensive to purchase on the Dark Web – leading to a black market for increasingly innovative DDoS malware. “There has been increased innovation in DDoS attack tools and techniques,” according to the NETSCOUT Threat Intelligence Report. “The availability of such improved tools has lowered the barrier of entry, making it easier for a broader spectrum of attackers to launch a DDoS attack.”

Size Matters

The simplest mitigation is for an enterprise or government agency to have on-premises equipment with sufficient capacity to absorb DDoS traffic, filtering out the malicious messages while allowing legitimate requests through, a process the industry calls scrubbing.

However, with the increasing sizes of the attacks, such a do-it-yourself approach rapidly becomes too expensive. “The increase in the impact and complexity of attacks continues unabated,” says Marc Wilczek, COO of Link11. “When faced with DDoS bandwidths well over 100 Gbps and multi-vector attacks, traditional IT security mechanisms are easily overwhelmed, and unprotected companies risk serious business disruption, loss of revenue and even fines.”

To place 100 gigabits per second (Gbps) into context, the fastest enterprise local-area ‘gigabit Ethernet’ networks generally run at one Gbps, and the fastest home Internet service will run around 100 megabits per second (Mbps) or a bit higher, which equals one tenth as much bandwidth as one Gbps.

Volumetric DDoS attacks – that is, attacks that consist of the sheer volume of traffic – can well exceed 100 Gbps. According to James Willett, VP technology at DDoS mitigation vendor Neustar, his company has mitigated attacks in excess of 460 Gbps. The largest attacks on record have exceeded 1,700 Gbps.

However, such volumetric attacks are easy to detect – and thus mitigation vendors with high mitigation capacities like Neustar’s 10+ Terabit per second (10,000+ Gbps) globally-distributed platform are able to deal with them in a straightforward fashion.

To respond to this mitigation capability, bad actors are mounting more complex attacks that typically involve enough volume to take down average Internet connections, but do so with intermittent bursts of diverse types of traffic over longer periods of time. “One of our clients is a gaming company,” Willett explains. “This client experienced an attack that lasted six days across numerous network protocols. It was an intermittent attack that generated 91 alerts for new attacks. The attacker was probing different network segments, but also using different attack vectors looking for weakness.”

Some attacks take even longer. “The longest DDoS attack in 2016 lasted 292 hours according to Kaspersky Lab’s research, or about 12 days,” according toRuss Madley, cybersecurity specialist at SecureData Europe, formerly head of B2B at Kapersky Lab. “Most online businesses can ill-afford to have their ‘doors closed’ for even an hour, let alone for 292 hours, as criminals take advantage of their poor defences.”

Multifaceted DDoS Mitigation

When a Neustar on-demand customer detects an incoming DDoS attack, it redirects its network traffic to the Neustar network, which scrubs it and returns the bona fide traffic back to the customer’s network.

This mitigation technique requires a level of sophistication commensurate to the attacker’s. “An attacker’s goal is to mimic legitimate traffic as closely as possible, so that it’s harder to figure out what to filter,” Willett explains. “Neustar tweaks and adjusts filtering in real-time, often looking inside the packets to identify patterns of good or bad traffic to help with filtering.”

Understanding what to filter is almost as important as what not to filter. “We use tools like ThousandEyes to determine whether we are scrubbing too much, which impacts clean traffic, or under-scrubbing, which allows too much dirty traffic,” Willett continues. “We also use ThousandEyes and our own monitoring toolsets to monitor clean traffic tunnels at key points in the infrastructure after scrubbing to ensure availability.”

Neustar’s approach is similar to other DDoS mitigation vendors in the market, including Radware, NETSCOUT Arbor (which NETSCOUT acquired in 2015), Akamai Prolexic (acquired in 2014), and F5.

Regardless of the vendor, however, proper configuration is essential. “For DDoS mitigation to continue working properly it needs to be perfectly configured to the specific network it is protecting,” according to The State of DDoS Protection Report by MazeBolt Technologies. “The problem is that enterprise networks are constantly changing with servers and services added to networks to meet new demands. In order to ensure that DDoS mitigation is perfectly configured, enterprises need to match each network change with a respective fine-tuning of their DDoS mitigation posture.”

Industry analysts are also quick to sound a warning around the complexity of DDoS mitigation. “For bad traffic to be diverted to a scrubbing centre in a seamless action to reduce any downtime, organisations need to have seamless integration between cloud and on-premise solutions, implemented in front of an infrastructure’s network to help mitigate an attack before it reaches core network assets and data,” says Sherrel Roche, senior market analyst at IDC.

Gartner IT +0.32% also offers words of caution. “To implement multiple denial-of-service defence measures at different layers would go beyond purchasing a single security product or signing up with a single service provider,” warns Gartner senior research analyst Rajpreet Kaur.

Who are the Bad Actors?

Unless you’re in the business of creating and selling malware on the Dark Web, the path to profit for a DDoS attacker is murkier than, say, cryptojacking or ransomware.

The key question: what’s in it for them? “The DDoS landscape is driven by a range of actors, from malware authors to opportunistic entities offering services for hire. They are a busy group, constantly developing new technologies and enabling new services while utilizing known vulnerabilities, pre-existing botnets, and well-understood attack techniques,” continues the NETSCOUT Threat Intelligence Report.

At the core of such threats: nation-states. “State-sponsored activity has developed to the point where campaigns and frameworks are discovered regularly for a broad tier of nations,” the NETSCOUT report continues. “Our findings include campaigns attributed to Iran, North Korea, Vietnam, and India, beyond the actors commonly associated with China and Russia.”

Kaspersky Lab also has an opinion. “We expect the profitability of DDoS attacks to continue to grow,” Madley adds. “As a result, [we] will see them increasingly used to extort, disrupt and mask other more intrusive attacks on businesses.”

In addition, the situation is likely to get worse. “When cybercriminals do not achieve their goals of earning money by launching simple DDoS attacks, they have two options,” says Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “They can reconfigure the capacities required for DDoS attacks towards other sources of revenue, such as cryptomining, or malefactors who orchestrate DDoS attacks have to improve their technical skills.”

Kiselev concludes: “Given this, we can anticipate that DDoS attacks will evolve in 2019 and it will become harder for companies to detect them and stay protected.”

DDoS attacks, therefore, may not be the quickest route to profitability for bad actors, but given the importance of this attack technique to nation-state cyberwar adversaries, we can expect continued innovation on the part of the hackers. Enterprises and government agencies cannot afford to relax their efforts to combat such attacks.

Source:https://www.forbes.com/sites/jasonbloomberg/2019/02/12/are-hackers-winning-the-denial-of-service-wars/#4b701bc228ea

  • 0

Number of DDoS attacks falls but sophistication improves

2018 saw a decline of 13 percent in the overall number of DDoS attacks when compared to the previous year, but cybercriminals are turning to longer, more sophisticated, mixed and HTTP flood attack techniques.

This is revealed in Kaspersky Lab’s DDoS Q4 2018 Intelligence Report, which also shows the average attack duration has grown. Compared with the beginning of the year, the average length of attacks has more than doubled — from 95 minutes in Q1 to 218 minutes in Q4 2018.

The most common type of attack is User Datagram Protocol (UDP) flooding (accounting for 49 percent), but these attacks observed over the year rarely last more than five minutes. More sophisticated techniques like the HTTP flood method and mixed attacks with HTTP components account for relatively small numbers of attacks (17 percent and 14 percent respectively), but they last much longer, constituting about 80 percent of DDoS attack time for the whole year.

Looking at targets geographically, China continues to top the list but its share declined significantly from 70.58 percent in Q3 to 43.26 percent while all other top 10 countries increased in their shares. In second place is the US (29.14 percent) with Australia (5.91 percent) in third.

“When cybercriminals do not achieve their goals of earning money by launching simple DDoS attacks, they have two options,” says Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “They can reconfigure the capacities required for DDoS attacks towards other sources of revenue, such as cryptomining, or malefactors who orchestrate DDoS attacks have to improve their technical skills, as their customers will look for more experienced attackers. Given this, we can anticipate that DDoS attacks will evolve in 2019 and it will become harder for companies to detect them and stay protected.”

Source: https://betanews.com/2019/02/07/ddos-attacks-down-sophistication-up/

  • 0

The Trouble With Growing Your Own DDoS Protection Methods

If you’re keeping up with what’s happening in the wonderful world of IT, you’re probably reading the blood-curdling headlines about 1.7 Tbps distributed denial of service (DDoS) attacks and gut-wrenching descriptions of average $40,000-per-hour costs of unmitigated attacks. 

You’ve also probably digested the fact that no business is too large or too small to be a target of distributed denial of service attacks. So, it’s natural to start thinking about IT security improvements. In these initial thoughts, it’s tempting to envisage a tidy, on-site operation. It has the latest hardware and software (you’re upgrading), and your IT team is in charge. But hold on a minute. Before you go any further, consider all your options before settling on a DIY security solution. There are many reasons why the wise choice is letting the security pros protect your network.

Five reasons to not DIY

The main reason to pass up DIY mitigation? Its limitations. Although tools and techniques of in-house DDoS mitigation are powerful, they can’t stop swift, massive, and sophisticated volumetric attacks. Remember, in on-premises DIY mitigation plans:

  • Protection starts too late in the attack cycle. DIY protection methods are usually a reaction to the initial attack. By the time the IT security team starts working, much of the damage is done. This is especially relevant in DDoS attacks that include application-layer exploits.
  • The ability to adjust configurations doesn’t always help. IT security pros can respond to an attack by adjusting configuration settings manually. However, this takes valuable time. Also, protection is good only for the same type of attack. This lack of flexibility becomes a problem in multi-vector exploits. When botmasters (human controllers of DDoS bots) change tactics in mid-attack, your protection loses its usefulness. 
  • Your network’s network bandwidth limits DIY protection efforts. Your DDoS protection is only as good as your bandwidth is large. DDoS attacks commonly measure many times more than the volume of enterprise network traffic. 
  • DIY protection can’t always distinguish malware and legitimate users. In-house, DDoS protection methods often involve static traffic rate limitations and IP blacklisting. When you use these relatively old-fashioned methods, legitimate users can be mistaken for malicious software. Being blocked from using your website is a quick way to lose customers. 
  • Prohibitive costs. For many companies wanting to upgrade their DDoS protection, this is the biggest problem of all. Purchasing, installing and deploying hardware appliances carry a hefty price tag that puts DIY protection beyond the budget of most organizations.

Don’t forget to protect your applications

Network users are discovering what IT security pros have known for a while. Volumetric attacks might be the familiar face of DDoS mayhem. In many cases, however, data and application security are also at risk. 

That’s because DDoS attacks are often smokescreens to exploits that look for valuable data and information. In an application-layer DDoS attack, a botnet distracts the security team. While the security pros deal with the immediate problem, bots search for any information that can be sold on the Dark Web. 

If you want to run your own DDoS protection methods, this is bad news. The security of applications that you run onsite is at risk. Given this expanded security scope, you would have to protect your apps by upgrading application-layer security measures. Experts recommend that to secure commercial applications, organizations must have their own remediation process, identity management methods, and infrastructure security procedures.

To run custom applications safely, you should adopt quite a few additional measures. These include application security testing, developer training, DevOps and DevSecOps practices, and maintaining an open source code inventory.

The ace up your sleeve—cloud-based mitigation services

The cloud is where you’ll find a powerful, cost-effective security option. Cloud-based, DDoS mitigation providers offer benefits that DIY methods lack. 

  • Broad DDoS protection. Cloud-based protection secures your infrastructure against attacks on your system’s network and application layers. 
  • No DDoS-related capital or operations costs. Mitigation service specialists offer DDoS protection as a managed service. There’s no need to invest in hardware or software. And, say good-bye to IT labor costs. Your IT staff doesn’t get involved in DDoS mitigation. 
  • No scalability problems. DDoS mitigation providers use large-scale infrastructures, with virtually unlimited bandwidth. 
  • No need to hire expensive talent. In-house DDoS protection solutions require IT pros with expensive, often hard-to-find knowledge and experience. The staffs of DDoS mitigation providers include the security and data specialists needed to keep DDoS attacks at bay.
  • You spend less time and money. When you add up the costs of all required assets and resources, the conclusion is clear. You’ll spend far less time, effort, and budget when you engage off-premises, DDoS protection services.

These are the benefits that most DDoS mitigation services provide. However, advanced mitigation providers go several steps beyond this already high standard of performance. For example, automated defense methods built into DDoS response software eliminate the need for time-consuming human intervention. In fact, these capabilities reduce time to mitigation to mere seconds. (The current industry record is 10 seconds). 

Isn’t it time to take advantage of this IT security firepower? With DDoS mitigation services at your back, you’ll never have to wince at another DDoS screamer headline again.

Source: http://trendintech.com/2019/01/27/the-trouble-with-growing-your-own-ddos-protection-methods/

  • 0

The DDoS landscape: where we are, and where we’re going

If a week is a long time in politics, as former British Prime Minister Harold Wilson observed, a year in cyber security can seem like an eternity. But despite the rapid changes, many things remain constant. We can always expect cyber criminals to embrace new technology as fast as legitimate businesses do, and to use it to launch new types of attacks that are ever more damaging and harder to defend against.

DDoS attacks are a case in point. In April 2018, the UK’s National Crime Agency named DDoS as the leading threat facing businesses. The Agency noted the sharp increase in attacks on a range of organisations during 2017 and into 2018, and advised organisations to take immediate steps to protect themselves against the escalating threat.

DDoS gets bigger, stronger, smarter

This warning was timely, as through late 2017 and into 2018, DDoS attacks got much larger – and that trend is showing no signs of slowing down. In Q3 of 2018, the average DDoS attack volume more than doubled compared to Q1, from 2.2 Gbps to 4.6 Gbps according to Link11´s latest DDoS Report. These attack volumes are far beyond the capacity of most websites, so this is an alarming trend. Compared to Q2, the total number of attacks also grew by 71% in Q3, to an average of over 175 attacks per day.

Attacks also got more sophisticated. 59% of DDoS incidents in Q3 of 2018 used two or more attack vectors, compared with 46% in Q2. Meanwhile, a highly targeted and strategic approach to DDoS attacks was observed as the year went on; our operation centre saw DDoS attacks on e-commerce providers increase by over 70% on Black Friday (23 November) and by a massive 109% on Cyber Monday (26 November) compared with the November average. Attacks are focusing on specific sectors, with the aim of causing more disruption.

DDoS as a service

At the same time, these larger, more sophisticated DDoS attacks are easier for criminals to launch than ever before too, from DDoS-as-a-Service provider. Perhaps the best known of these, Webstresser.org was selling multi-gigabit DDoS attacks on the Darknet for as little as $11 per attack before it was shut down by police in early 2018. Webstresser’s services were used in early 2018 to bring online services from several Dutch banks and numerous other financial and government services in the Netherlands to a standstill. Customers were left without access to their bank accounts for days.

Other services have sprung up to take Webstresser’s place, offering DDoS by the hour for $10, and by the day at bulk discount rates of $200. No expertise is required: just enter your (stolen) credit card details, and the domain you want to target. Even cloud services can be knocked offline, with very little money and little to no technical expertise required to launch an attack.

Web application attacks

Another increasingly targeted component of organisations’ IT estates during 2018 was web applications. 2018 saw high-profile breaches affecting tens of millions of customers from several high-profile companies in the travel and financial sectors. The aim of these attacks is to exfiltrate sensitive data for re-use or resale, with the attackers seeking to exploit weaknesses in the application itself, or the platform it is running on to get access to the data.

2019: predictions and protection

So as 2018 saw attacks growing in volume and complexity, what attacks can we expect to see in 2019?

We have already seen how versatile botnets are for crypto-mining and sending spam – this will extend into DDoS attacks too. Botnets benefit from the ongoing rapid growth in cloud usage and increasing broadband connections as well as the IoT, and the vulnerabilities that they address are on the protocol and application level and are very difficult to protect using standard network security solutions. Bots in public cloud environments can also propagate rapidly to build truly massive attacks.

Attack tactics, for which SSL encryption have long since ceased to be a defence, will gain even more intelligence in the coming months. The only possible answer to this can be defence strategies that cover machine learning and artificial intelligence, which can process large data streams in real time and develop adaptive measures. Highly-targeted attacks, such as those on web applications, will also continue because the rewards are so high – as we’ve seen from the 2018 data breaches we touched on earlier.

Also, 2019 could be the year in which a hacktivist collective or nation-state will launch a coordinated attack against the infrastructure of the internet itself. The 2016 DDoS attack against hosting provider Dyn showed that a single attack against a hosting provider or registrar could take down major websites. DDoS tools and techniques have evolved significantly since then, creating a very real risk of attacks that could take down sections of the Web – as shown by the attack which targeted ISPs in Cambodia. Other forms of critical infrastructure are also vulnerable to DDoS exploits, as we saw in 2018’s attack on the Danish rail network.

In conclusion, tech innovations will continue to accelerate and enable business, and cyber criminals will also take advantage of those innovations for their own gain. With more and more business taking place online, dependence on a stable internet connection rises significantly. Likewise, revenues and reputation are more at risk than ever before. Therefore, organisations must be proactive and deploy defences that can keep pace with even new, unknown threats – or risk becoming the next victim of increasingly sophisticated, highly targeted mega-attacks.

Source: https://www.information-age.com/the-ddos-landscape-123478142/

  • 0

Sunderland City Council hit by 400,000 spam emails in one week

A council has been hit by 400,000 spam emails in one week.

Hackers have targeted Sunderland City Council with phishing and spoofing emails, and at least one Distributed Denial of Service (DDoS) attack.

Officers also experienced a “spray attack” where accounts were locked out after criminals repeatedly used common passwords to try to gain access.

The attacks took place during a week in November and the council has said it will improve its IT security.

The council’s IT security breach was revealed in a scrutiny co-ordinating committee report, the Local Democracy Reporting Service said.

Last year, the Local Government Association published a “cyber-stocktake” based on a questionnaire completed by councils.

Sunderland received green and amber ratings in several areas, but was labelled red in technology standards and compliance and detection.

The council said it planned to improve its security by moving PCs to Windows 10 and making sure default passwords were changed.

It said that although measures were being taken, there was “no silver bullet that guarantees 100% protection”.

Source: https://www.bbc.com/news/uk-england-tyne-46865177

  • 0

Ad Fraud 101: How Cybercriminals Profit from Clicks

Fraud is and always will be a cornerstone of the cybercrime community. The associated economic gains provide substantial motivation for today’s malicious actors, which is reflected in the rampant use of identity and financial theft, and ad fraud. Fraud is, without question, big business. You don’t have to look far to find websites, on both the clear and the darknet, that profit from the sale of your personal information.

Fraud-related cyber criminals are employing an evolving arsenal of tactics and malware designed to engage in these types of activities. What follows is an overview.

Digital Fraud

Digital fraud—the use of a computer for criminal deception or abuse of web enabled assets that results in financial gain—can be categorized and explained in three groups for the purpose of this blog: basic identity theft with the goal of collecting and selling identifiable information, targeted campaigns focused exclusively on obtaining financial credentials, and fraud that generates artificial traffic for profit.

Digital fraud is its own sub-community consistent with typical hacker profiles. You have consumers dependent on purchasing stolen information to commit additional fraudulent crime, such as making fake credit cards and cashing out accounts, and/or utilizing stolen data to obtain real world documents like identification cards and medical insurance. There are also general hackers, motivated by profit or disruption, who publicly post personally identifiable information that can be easily scraped and used by other criminals. And finally, there are pure vendors who are motivated solely by profit and have the skills to maintain, evade and disrupt at large scales.

  • Identity fraud harvests complete or partial user credentials and personal information for profit. This group mainly consists of cybercriminals who target databases with numerous attack vectors for the purposes of selling the obtained data for profit. Once the credentials reach their final destination, other criminals will use the data for additional fraudulent purposes, such as digital account takeover for financial gains.
  • Banking fraud harvests banking credentials, digital wallets and credit cards from targeted users. This group consists of highly talented and focused criminals who only care about obtaining financial information, access to cryptocurrency wallets or digitally skimming credit cards. These criminals’ tactics, techniques and procedures (TTP) are considered advanced, as they often involve the threat actor’s own created malware, which is updated consistently.
  • Ad fraud generates artificial impressions or clicks on a targeted website for profit. This is a highly skilled group of cybercriminals that is capable of building and maintaining a massive infrastructure of infected devices in a botnet. Different devices are leveraged for different types of ad fraud but generally, PC-based ad fraud campaigns are capable of silently opening an internet browser on the victim’s computer and clicking on an advertisement

Ad Fraud & Botnets

Typically, botnets—the collection of compromised devices that are often referred to as a bot and controlled by a malicious actor, a.k.a. a “bot herder—are associated with flooding networks and applications with large volumes of traffic. But they also send large volumes of malicious spam, which is leveraged to steal banking credentials or used to conduct ad fraud.

However, operating a botnet is not cheap and operators must weigh the risks and expense of operating and maintaining a profitable botnet. Generally, a bot herder has four campaign options (DDoS attacks, spam, banking and ad fraud) with variables consisting of research and vulnerability discovery, infection rate, reinfection rate, maintenance, and consumer demand.

With regards to ad fraud, botnets can produce millions of artificially generated clicks and impressions a day, resulting in a financial profit for the operators. Two recent ad fraud campaigns highlight the effectiveness of botnets:

  • 3ve, pronounced eve, was recently taken down by White Owl, Google and the FBI. This PC-based botnet infected over a million computers and utilized tens of thousands of websites for the purpose of click fraud activities. The infected users would never see the activity conducted by the bot, as it would open a hidden browser outside the view of the user’s screen to click on specific ads for profit.
  • Mirai, an IoT-based botnet, was used to launch some of the largest recorded DDoS attacks in history. When the co-creators of Mirai were arrested, their indictments indicated that they also engaged in ad fraud with this botnet. The actors were able to conduct what is known as an impression fraud by generating artificial traffic and directing it at targeted sites for profit. 

The Future of Ad Fraud

Ad fraud is a major threat to advertisers, costing them millions of dollars each year. And the threat is not going away, as cyber criminals look for more profitable vectors through various chaining attacks and alteration of the current TTPs at their disposal.

As more IoT devices continue to be connected to the Internet with weak security standards and vulnerable protocols, criminals will find ways to maximize the profit of each infected device. Currently, it appears that criminals are looking to maximize their new efforts and infection rate by targeting insecure or unmaintained IoT devices with a wide variety of payloads, including those designed to mine cryptocurrencies, redirect users’ sessions to phishing pages or conduct ad fraud.

Source: https://securityboulevard.com/2019/01/ad-fraud-101-how-cybercriminals-profit-from-clicks/

  • 0

U.S. Tech Giant Cloudflare Provides Cybersecurity For At Least 7 Terror Groups

American tech firm Cloudflare is providing cybersecurity services to at least seven designated foreign terrorist organizations and militant groups, HuffPost has learned.

The San Francisco-based web giant is one of the world’s largest content delivery networks and boasts of serving more traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined. Founded in 2009, it claims to power nearly 10 percent of Internet requests globally and has been widelycriticized for refusing to regulate access to its services.

Among Cloudflare’s millions of customers are several groups that are on the State Department’s list of foreign terrorist organizations, including al-Shabab, the Popular Front for the Liberation of Palestine, al-Quds Brigades, the Kurdistan Workers’ Party (PKK), al-Aqsa Martyrs Brigade and Hamas — as well as the Taliban, which, like the other groups, is sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC). These organizations own and operate active websites that are protected by Cloudflare, according to fournational security and counterextremism experts who reviewed the sites at HuffPost’s request.

In the United States, it’s a crime to knowingly provide tangible or intangible “material support” — including communications equipment — to a designated foreign terrorist organization or to provideservice to an OFAC-sanctioned entity without special permission. Cloudflare, which is not authorized by the OFAC to do business with such organizations, has been informed on multiple occasions, dating back to at least 2012, that it is shielding terrorist groups behind its network, and it continues to do so.

The Electronic Frontier Foundation and other free speech advocates have long been critical of material support laws. The foundation described them as tools the government has used to “chill First Amendment protected activities” such as providing “expert advice and assistance” ― including training for peacefully resolving conflicts ― to designated foreign terrorist organizations. Many of the designated groups, the EFF has argued, also provide humanitarian assistance to their constituents.

But so far, free speech advocates’ arguments haven’t carried the day — which means that Cloudflare still could be breaking the law.

‘We Try To Be Neutral’

“We try to be neutral and not insert ourselves too much as the arbiter of what’s allowed to be online,” said Cloudflare’s general counsel, Doug Kramer. However, he added, “we are very aware of our obligations under the sanctions laws. We think about this hard, and we’ve got a policy in place to stay in compliance with those laws.” He declined to comment directly on the list of websites HuffPost provided to Cloudflare, citing privacy concerns.

Cloudflare secures and optimizes websites; it is not a domain host. Although Cloudflare doesn’t host websites, its services are essential to the survival of controversial pages, which would otherwise be vulnerable to vigilante hacker campaigns known as distributed denial-of-service attacks. As the tech firm puts it, “The size and scale of the attacks that can now easily be launched online make it such that if you don’t have a network like Cloudflare in front of your content, and you upset anyone, you will be knocked offline.”

Some of the terrorist sites that HuffPost identified on its server have been used to spread anti-state propaganda, claims of responsibility for terrorist attacks, false information and messages glorifying violence against Americans and civilians. But none of that really matters: Even if al-Shabab were posting cat videos, it would still be a crime to provide material support to the group.

“This is not a content-based issue,” said Benjamin Wittes, the editor in chief of Lawfare and a senior fellow at the Brookings Institution. “[Cloudflare] can be as pure-free-speech people as they want — they have an arguable position that it’s not their job to decide what speech is worthy and what speech is not — but there is a law, a criminal statute, that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.”

Intermediary websites are shielded from liability for illicit third-party content on their platforms, thanks to the U.S. Communications Decency Act (meaning, for example, that Twitter cannot be held legally accountable for a libelous tweet). This immunity is irrelevant with regard to the material support statute of the USA Patriot Act, which pertains strictly to the provision of a service or resource, not to any offending content, explained Wittes. In this case, Cloudflare’s accountability would not be a question of whether it should be monitoring its users or their content but, in part, whether the company is aware that it is serving terrorist organizations.

“If and when you know or reasonably should know, then you’re in legal jeopardy if you continue to provide services,” said University of Texas law professor Bobby Chesney.

In its terms of use, Cloudflare reserves the right to terminate services “for any reason or no reason at all.” Yet the firm has refused to shut down even its most reprehensible customers, with very few exceptions. Its CEO, former lawyer Matthew Prince, has made it clear that he believes in total content neutrality and that Cloudflare should play no role in determining who’s allowed online. His company is reportedly preparing for an initial public offering that would value it at more than $3.5 billion.

There is a law — a criminal statute — that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.Benjamin Wittes, senior fellow at the Brookings Institution

Cloudflare’s services range in price from completely free to north of $3,000 per month for advanced cybersecurity. (Kramer declined to say if the sanctioned entities HuffPost identified are paying customers. Material support law applies to both free and paid services.) Its reverse proxy service reroutes visitors away from websites’ IP addresses, concealing their domain hosts and giving them a sense of anonymity. This feature has made Cloudflare especially appealing to neo-Nazis, white supremacists, pedophiles, conspiracy theorists — and terrorists.

Screen Shot 2018-12-14 at 15.18.33

Cloudflare Knows

Cloudflare has knowingly serviced terrorist-affiliated websites for years. In 2012, Reuters confronted Cloudflare about websites behind its network that were affiliated with al-Quds Brigades and Hamas. Prince argued that Cloudflare’s services did not constitute material support of terrorism. “We’re not sending money, or helping people arm themselves,” he said at the time. “We’re not selling bullets. We’re selling flak jackets.”

That analogy bears little relevance. “Material support,” as defined in 18 U.S.C. § 2339B, refers to “any property, tangible or intangible, or service,” excluding medicine and religious materials. Contrary to Prince’s suggestion, it applies to more than money and weapons. A New York man who provided satellite television services to Hezbollah was sentenced in 2009 to 69 months in prison for material support of terrorism. And although the definition is broad, “it really covers anything of value,” Chesney said. “It’s meant to be like a full-fledged embargo.”

In 2013, after journalist James Cook learned Cloudflare was securing a website affiliated with al Qaeda, he wrote an article arguing that the web giant was turning “a blind eye to terrorism.” Prince published his responses to Cook’s questions about serving terrorist groups in a Q&A-style blog post titled “Cloudflare and Free Speech.”

Cook asked what safeguards Cloudflare had in place to ensure it was not supporting illegal terrorist activity; Prince listed none. Cook inquired whether Cloudflare would investigate the website he had identified; Prince suggested it would not. The site is still online and is still secured by Cloudflare.

“A website is speech. It is not a bomb,” Prince wrote in his post. “We do not believe that ‘investigating’ the speech that flows through our network is appropriate. In fact, we think doing so would be creepy.”

Creepy or not, if a company receives a tip that it has customers who are sanctioned terrorists or has reason to believe that could be the case, it should absolutely investigate so as not to risk breaking the law, experts said. (Kramer noted Prince’s remarks are “from six years ago” and said Cloudflare does take such tips seriously.)

“This is a criminal statute that we’re talking about, so companies bear a risk by putting their heads in the sand,” said Georgetown Law professor Mary McCord, a former head of the Justice Department’s national security division. “A company has got to spend money, resources [and have] lawyers to make sure it’s not running afoul of the law. The risk it takes if it doesn’t is a criminal prosecution.”

President Donald Trump’s administration also urges due diligence. “We encourage service providers to follow the lead of the big social media companies, whose terms of service and community standards expressly enable them to voluntarily address terrorist content on their platforms, while exploring ways to more expeditiously tackle such content,” a White House official told HuffPost.

The international hacktivist group Anonymous accused Cloudflare of serving dozens of ISIS-affiliated websites in 2015, which Prince shrugged off as “armchair analysis” by “15-year-old kids in Guy Fawkes masks.” In media interviews, he maintained that serving a terrorist entity is not akin to an endorsement and said only a few of the sites on Anonymous’ list belonged to ISIS. Prince hinted that government authorities had ordered Cloudflare to keep certain controversial pages online. The FBI, Justice Department, State Department, Treasury Department and White House declined to comment on that assertion.

Last year, Cloudflare disclosed that the FBI subpoenaed the company to hand over information about one of its customers for national security purposes. The FBI, which also uses Cloudflare’s services, rescinded the subpoena and withdrew its request for information after Cloudflare threatened to sue. Neither Cloudflare nor the FBI would comment on this matter.

Over the past two years, the Counter Extremism Project, a nonpartisan international policy organization, has sent Cloudflare four detailed letters identifying a total of seven terrorist-operated websites on its server. HuffPost has viewed these letters, which explicitly address concerns about material support of terrorism, and Kramer acknowledged that Cloudflare received them.

“We’ve never received a response from [Cloudflare],” said Joshua Fisher-Birch, a content review specialist at the Counter Extremism Project. Five of the seven flagged websites remain online behind Cloudflare today, more than a year after they were brought to the firm’s attention.

“I think they’re doubling down on free speech absolutism at all costs,” he added. “In this case, that means they’re going to allow terrorist and extremist organizations to use their services and to possibly spread propaganda, try to recruit or even finance on their websites.”

HUFFPOST

In August 2017, Cloudflare cut off services to the Daily Stormer, a website that had allegedly been involved in a neo-Nazi rally that month in Charlottesville, Virginia, where a counterprotester was killed.

‘Assholes’ vs. Terrorists

Kramer said he was not able to comment in detail on specific cases in which outside actors such as journalists and Anonymous informed Cloudflare about possible terrorist organizations using its services, but he noted that Cloudflare works with government agencies to comply with its legal obligations.

“Our policy is that if we receive new information that raises a flag or a concern about a potentially sanctioned party, then we’ll follow up to figure out whether or not that’s something that we need to take action on,” he said. “Part of the challenge is really to determine which of those are legitimate inquiries and which of those … are trying to manipulate the complaint process to take down people with whom they disagree.”

Cloudflare was flooded with such complaints in August 2017, when activists pleaded with the firm to terminate its services for the Daily Stormer, a prominent neo-Nazi website that was harassing the family of a woman who had recently been killed in violence surrounding a neo-Nazi rally in Charlottesville, Virginia.

Prince initially refused to drop the Daily Stormer, but as public outrage intensified, he reluctantly pulled the plug. “The people behind the Daily Stormer are assholes and I’d had enough,” he later said in an email to his team. The rationale behind that decision raised questions among Cloudflare’s staff, according to Wired.

“There were a lot of people who were like, ‘I came to this company because I wanted to help build a better internet … but there are some really awful things currently on the web, and it’s because of us that they’re up there,’” one employee said. Another wondered why Cloudflare would consider shutting down Nazis but not terrorists.

Source: https://www.huffingtonpost.ca/entry/cloudflare-cybersecurity-terrorist-groups_us_5c127778e4b0835fe3277f2f

  • 0

Nokia: IoT Botnets Comprise 78% of Malware on Networks

Nokia is warning of a deluge of IoT malware after revealing a 45% increase in IoT botnet activity on service provider networks since 2016.

The mobile networking firm’s Threat Intelligence Report for 2019 is is based on data collected from its NetGuard Endpoint Security product, which it says monitors network traffic from over 150 million devices globally.

It revealed that botnet activity represented 78% of malware detection events in communication service provider (CSP) networks this year, more than double the 33% seen in 2016.

Similarly, IoT bots now make up 16% of infected devices on CSP networks, a near-five-fold increase from 3.5% a year ago.

“Cyber-criminals are switching gears from the traditional computer and smartphone ecosystems and now targeting the growing number of vulnerable IoT devices that are being deployed,” said Kevin McNamee, director of Nokia’s Threat Intelligence Lab. “You have thousands of IoT device manufacturers wanting to move product fast to market and, unfortunately, security is often an afterthought.”

This is a threat that first came to light with the Mirai attacks of 2016, when the infamous IoT malware sought out and infected tens of thousands of smart devices protected only by factory default passwords.

That ended up launching some of the largest DDoS attacks ever seen, although Nokia also called out crypto-mining as a potential new use of IoT botnets made up of compromised smartphones and web browsers.

“Cyber-criminals have increasingly smart tools to scan for and to quickly exploit vulnerable devices, and they have new tools for spreading their malware and bypassing firewalls. If a vulnerable device is deployed on the internet, it will be exploited in a matter of minutes,” McNamee warned.

IoT adoption is expected to accelerate with 5G, potentially exposing even more devices to cyber risk, Nokia claimed.

Yossi Naar, co-founder at Cybereason, argued that attackers can also use compromised IoT endpoints to move into corporate networks and high-value servers.

“Simply put, security needs to be a primary design consideration, as fundamental as any other measure of performance,” he added. “There should be a focus on tight mechanisms for strong authentication and the minimization of the potential attack surface. It’s a fundamental design philosophy that responsible companies have, but it’s not a reflex for all companies — yet.”

Source: https://www.infosecurity-magazine.com/news/iot-botnets-78-of-malware-on/

  • 0

The CoAP protocol is the next big thing for DDoS attacks

CoAP DDoS attacks have already been detected in the wild, some clocking at 320Gbps.

RFC 7252, also known as the Constrained Application Protocol (CoAP), is about to become one of the most abused protocols in terms of DDoS attacks, security researchers have told ZDNet.

If readers don’t recognize the name of this protocol that’s because it’s new –being formally approved only recently, in 2014, and largely unused until this year.

WHAT IS COAP?

CoAP was designed as a lightweight machine-to-machine (M2M) protocol that can run on smart devices where memory and computing resources are scarce.

In a very simplistic explanation, CoAP is very similar to HTTP, but instead of working on top of TCP packets, it works on top of UDP, a lighter data transfer format created as a TCP alternative.

Just like HTTP is used to transport data and commands (GET, POST, CONNECT, etc.) between a client and a server, CoAP also allows the same multicast and command transmission features, but without needing the same amount of resources, making it ideal for today’s rising wave of Internet of Things (IoT) devices.

But just like any other UDP-based protocol, CoAP is inherently susceptible to IP address spoofing and packet amplification, the two major factors that enable the amplification of a DDoS attack.

An attacker can send a small UDP packet to a CoAP client (an IoT device), and the client would respond with a much larger packet. In the world of DDoS attacks, the size of this packet response is known as an amplification factor, and for CoAP, this can range from 10 to 50, depending on the initial packet and the resulting response (and the protocol analysis you’re reading).

Furthermore, because CoAP is vulnerable to IP spoofing, attackers can replace the “sender IP address” with the IP address of a victim they want to launch a DDoS attack against, and that victim would receive the blunt force of the amplified CoAP traffic.

The people who designed CoAP added security features to prevent these types of issues, but as Cloudflare pointed out in a blog post last year, if device makers implement these CoAP security features, the CoAP protocol isn’t so light anymore, negating all the benefits of a lightweight protocol.

That’s why most of today’s CoAP implementations forgo using hardened security modes for a “NoSec” security mode that keeps the protocol light, but also vulnerable to DDoS abuse.

THE RISE OF COAP

But because CoAP was a new protocol, a few hundreds of vulnerable devices here and there would have never been a problem, even if all were running in NoSec modes.

Unfortunately, things started to change. According to a talk that Dennis Rand, founder of eCrimeLabs, gave at the RVAsec security conference over the summer (19:40 mark), the number of CoAP devices has exploded since November 2017.

Rand says the CoAP device count jumped from a lowly 6,500 in November 2017 to over 26,000 the next month. Things got even worse in 2018 because by May that number was at 278,000 devices, a number that today is hovering at 580,000-600,000, according to Shodan, a search engine for Internet-connected devices.

coap-shodan.png

Rand suggests the reason for this explosion is CoAP’s use as part of QLC Chain (formerly known as QLink), a project that aims build a decentralized blockchain-based mobile network using WiFi nodes available across China.

But this sudden rise in readily available and poorly secured CoAP clients hasn’t gone unnoticed. Over the past few weeks, the first DDoS attacks carried out via CoAP have started to leave their mark.

A security researcher who deals with DDoS attacks but who couldn’t share his name due to employment agreements told ZDNet that CoAP attacks have happened on an occasional basis over the past months, with increasing frequency, reaching 55Gbps on average, and with the largest one clocking at 320Gbps.

The 55Gbps average is an order of magnitude superior to the average size of a normal DDoS attack, which is 4.6Gbps, according to DDoS mitigation firm Link11.

Of the 580,000 CoAP devices currently available on Shodan today, the same researcher told ZDNet that roughly 330,000 could be (ab)used to relay and amplify DDoS attacks with an amplification factor of up to 46 times.

Of the attacks the researcher has recorded, most have targeted various online services in China, but also some MMORPGs platforms outside of mainland China.

It is unclear if CoAP has been added as an attack option to DDoS-for-hire platforms, but once this happens, such attacks will intensify even more.

Furthermore, CoAP’s use in the real world has exploded this year but was mainly restricted to China. It is safe to assume that once CoAP has already become popular in China, today’s main manufacturing hub, vulnerable devices will also spread to other countries as devices made in the communist state are sold overseas.

WE’VE BEEN WARNED

Just like with the case with most protocols developed with IoT in mind, the issue doesn’t seem to reside in the protocol design, which includes some basic security features, but in how device makers are configuring and shipping CoAP in live devices.

Sadly, this isn’t something new. Many protocols are often misconfigured, by accident or intentionally, by device makers, which often choose interoperability and ease of use over security.

But the thing that will annoy some security researchers is that some predicted this would happen even before CoAP was approved as an official Internet standard, way back in 2013.

 

 

 

 

 

 

 

This was a totally avoidable disaster if only countries around the world had more stringent rules about IoT devices and their security features.

On a side note –and coincidentally– as CoAP DDoS attacks are now beginning to get noticed, Federico Maggi, a security researcher with Trend Micro, has also taken a look at CoAP’s DDoS amplification capabilities, research which he’s set to present at the Black Hat security conference this week in London.

The same research also looked at a fellow M2M protocol, MQTT, also known to be a mess, and in which the researcher has identified several vulnerabilities.

Source: https://www.zdnet.com/article/the-coap-protocol-is-the-next-big-thing-for-ddos-attacks/

  • 0

Small Businesses Lose $80K on Average to Cybercrime Annually, Better Business Bureau Says

The growth of cybercrime will cost the global economy more than $2 trillion by 2019, according to the Better Business Bureau’s 2017 State of Cybersecurity Among Small Businesses in North America report.

Cost of a Cyber Attack

When it comes to small businesses, the report said the overall annual loss was estimated at almost $80K or $79,841 on average. And as more small businesses become equal parts digital and brick-and-mortar, securing both aspects of their company is more important than ever.

The risks small business owners face in the digital world has increased their awareness of the dangers of this ecosystem. A survey conducted by GetApp in 2017 revealed security concerns ranked second as the challenges small businesses were facing.

In its report GetApp says, small businesses have to implement a multipronged approach with defense mechanism designed to “Ward off attacks from different fronts.”

However, the company doesn’t forget to address the challenges small business owners face when it comes to tackling cybersecurity with limited budgets and IT expertise while at the same time running their business.

Adopting a Small Business Cybersecurity Strategy

Why is adopting a cybersecurity strategy important for small businesses? Because according to eMarketer, in 2017 retail e-commerce sales globally reached $2.304 trillion, which was a 24.8% increase over the previous year.





Of this total, mCommerce accounted for 58.9% of digital sales and overall eCommerce made up 10.2% of total retail sales worldwide in 2017, an increase of 8.6% for the year.

What this means for small businesses is they can’t afford not to be part of this growing trend in digital commerce. They have to ensure the digital platform they have protects their organization and customers whether they are on a desktop, laptop or mobile device.

Have Clear Goals and Objectives

When it comes to cybersecurity, having clear goals and objectives will greatly determine the success of the tools, processes, and governance you put in place to combat cybercriminals.

According to GetApp, with the right cybersecurity solution in place, your small business will be able to detect and prevent a cyber-attack before it takes place.

It is important to note, there is no such thing as 100% security, whether it is in the digital or physical world. Given enough time and resources, bad actors may be able to find a vulnerability in any system. The data breaches at some of the largest organizations in the world are proof of this fact.

As a small business, your goal is to make it as difficult as possible for these bad actors to penetrate the security protocols you have in place.

Don’t Rely on a Single Solution

The GetApp report says small businesses have to fortify their organization against different threats emerging from multiple fronts.

The company says there is no single cybersecurity solution which offers complete defense against all the different types of threats that are out there. At any given time a small business can be under attack from a distributed denial of service or DDoS attack, ransomware attacks, cryptojacking, and others.

To address these challenges, GetApp recommends small businesses to implement a cybersecurity strategy with investments which include a combination of antivirus, firewall, spam filter, data encryption, data backup, and password management applications.

Last but not least, even if you have the best system in place, you have to stay vigilant at all times. Cybercriminals rely on complacency.

Source: https://smallbiztrends.com/2018/12/cost-of-a-cyber-attack-small-business.html

  • 0