Frequency & Costs of DNS-Based Attacks Soar

The average cost of a DNS attack in the US has climbed 57% over the last year to $654,000 in 2018, a survey from EfficientIP shows.

The frequency of Domain Name System (DNS) attacks and the costs associated with addressing them are both increasing sharply, a new survey by EfficientIP shows.

The DNS management vendor recently had research firm Coleman Parkes poll about 1,000 IT managers in North America, Asia, and Europe on the causes and responses to DNS-based threats.

The results showed that the global average costs of DNS attacks have surged 57% over 2017 to $715,000 in 2018. In the past 12 months, organizations faced an average of seven DNS attacks. Some of the victims ended up paying more than $5 million in associated costs. One in five (22%) organizations suffered business losses to DNS attacks.

The costs per DNS attack associated with remediation, recovery, and business disruption tended to vary by region. In North America, organizations in the US had the highest average costs, at around $654,000. Companies in the region also experienced the steepest year-over-year increase in costs at 82%. Overall, though, organizations in France had higher costs associated with DNS attacks than anywhere else, with victims spending an average of $974,000 on one.

“DNS attacks cost so much because consequences are instantaneous, broad, and very difficult to mitigate without the appropriate technology,” says Ronan David, senior vice president of strategy for EfficientIP. “In modern networks, DNS is routing access to almost all applications.”

Contributing to the high attack costs and overall complexity is the fact that DNS is both an attack vector and a target, he says. Attackers can use the DNS infrastructure as a vector for stealing data, for communicating with command and control servers, for setting up malicious phishing and spam domains, and for enabling other kinds of malicious activity. Other attacks, though, are targeted at disrupting DNS services directly, such as DNS distributed denial-of-service (DDoS) attacks.

DDoS attacks against DNS infrastructure in particular can be very costly to remediate, chiefly because such attacks are asymmetric, says Cricket Liu, chief DNS architect at Infoblox. “An attacker just needs to hire a botnet for a few hours to launch the attack, but the organization targeted needs to build excess capacity and maintain it year-round,” in addition to possibly using a DDoS mitigation service, Liu says.

The five most common DNS-based attacks in EfficientIP’s survey included those in which DNS is used as an attack vector and those in which an organization’s DNS infrastructure is the target. Topping the list for 2018 is DNS-based malware followed by phishing, DNS tunneling, domain lock-up, and DNS-based DDoS attacks.

“With 33% of people having suffered data theft, DNS is certainly one of the most powerful attack vectors,” says EfficientIP’s David from. At the same time, the survey also showed that 40% of cloud-based application downtime is caused by attacks aimed at DNS servers and service.

Hackers are developing sophisticated new multivector, multistage, and distributed DNS attacks. The exponential rise of connected devices, Web-based applications, and interconnected networks is giving them a broader surface to attack as well, David says. “DNS is, therefore, a primary vector and target leading to higher damage costs.”

Merike Kaeo, CTO at Farsight Security, says DNS is a more fundamental and complex protocol than most people realize. “It is critical to not only name and address resolution but can also be utilized to define email servers associated with a domain name, identify service locations, specify type of OS or CPU on a host, and other Internet-related activities.”

As attacks against DNS increase and become more sophisticated, it’s no surprise that remediation costs are increasing as well, Kaeo says. What surveys like those by EfficientIP show is that organizations need to start paying attention to their DNS infrastructure, she says.

“Know which domains you use and what can potentially be abused,” Kaeo notes. Pay attention to the security practices of registries and registrars and implement controls for determining changes in DNS traffic patterns and for blocking unknown domains, she says.

Review your existing mechanisms for dealing with DNS threats as well, says David. Most are simply workarounds that are not designed specifically for dealing with DNS threats. As an example, he points to data exfiltration attacks via DNS. The appropriate detection capacity requires real-time and context-aware DNS traffic analysis for behavioral threat detection, he says.

“DNS is by design an open service on the network which is not correctly monitored, and for which a traditional security solution cannot protect efficiently,” he notes. “DNS is mission-critical. When it goes down, the business is down.”

Source: https://www.darkreading.com/attacks-breaches/frequency-and-costs-of-dns-based-attacks-soar/d/d-id/1331828

  • 0

The end of DDoS? Future promises and current problems with blockchain technology

Blockchain technology is currently being hailed as, well, many things. In any given day you might see it called a disruptor or the future of financial transactions or the answer to data storage and digital identity issues or the technology that will finally put an end to DDoS attacks.

New technologies are never a stranger to massive hype, and the digital landscape is littered with technologies that failed to reach their lofty expectations, and yet, blockchain is looking like it could very well be the real deal and might just become all of the above. Before it can become the answer to the widespread and devastating DDoS attack problem, however, there are a few blockchain cybersecurity issues that need to be addressed.

Blockchain basics

At its core, blockchain is an ever-growing ledger that records transactions. Each transaction’s data is housed in a so-called block and secured via cryptography. Each block also contains a timestamp as well as a cryptographic hash of the content of the block that came before it. This cryptographic hash is what connects each block to the previous block, creating a chain. Ergo, blockchain.

This technology offers a few important benefits over standard transaction technology. Firstly, it eliminates the middleman. If Alexis in Idaho wants to transfer ten Bitcoins to Ashik in Bangladesh, she doesn’t have to go to Western Union or call her bank or consult a lawyer. She simply creates a record in the blockchain. No fees spent, no time wasted. All a transaction needs is data, and that data is securely stored in the blockchain.

Secondly, there is no way to alter a block in the blockchain without altering every block that came after it, as the cryptographic hash in each block depends on the content of the blocks that came before it. Essentially, then, there is no way to alter a block in the blockchain as it would simply require too much collusion.

Thirdly, the very nature of blockchain technology decentralizes data by storing copies of the blockchain across nodes in a peer to peer network instead of in a centralized location, such as a database. There is therefore no one point hackers could crack into in order to access a trove of valuable data. Even if it were possible to get past blockchain’s cryptography, hackers would have to do so one block at a time – a process too burdensome for even the most dedicated cybercriminals.

At this point, you probably have to admit blockchain technology sounds pretty good, but you might be wondering how exactly it’s supposed to become the next big development in DDoS protection.

Denying denial of service?

Blockchain technology in and of itself is impervious to distributed denial of service attacks because of that decentralized nature. Attackers can’t take down a blockchain because it’s spread too widely across the internet.

If financial institutions and other organizations get on board with blockchain technology for transactions, then services related to those transactions are theoretically protected from the threat of DDoS-caused downtime. However, as has been evidenced by the myriad successful DDoS attacks on cryptocurrency exchanges – all of which use blockchain technology for transactions – it isn’t enough for the transaction process to be impervious to these attacks.

This is because even companies or services that have their core business processes taking place on blockchain still require web servers, even if it isn’t for a public-facing website. These servers – which are centralized – represent a single point of failure to DDoS attackers. Take down the server, take down a swath of applications and functions, deny services. This is how margin traders end up losing their minds unable to buy and sell cryptocurrency during DDoS attacks on exchanges, and it’s how businesses of all types will end up being let down if they think blockchain technology on its own right now spells the end of DDoS woes.

Looking to the future

In addition to blockchain technology helping to make DDoS attacks harder to accomplish, it may also be put to work as a direct DDoS mitigation measure in the near future as the idea of making it possible for the average person to make their excess bandwidth available for a per-use fee is currently being explored. This would make bandwidth available in a decentralized blockchain-style manner, as opposed to the centralized bank of bandwidth some DDoS mitigation solutions use, a solution that can be both finite and expensive if the mitigation solution lacks the scalability of the cloud. The idea of the poolable, blockchain-style bandwidth is to increase the resources readily available to absorb DDoS traffic, thereby making attacks cheaper to mitigate and less likely to be successful with attempts and therefore less damaging to the target.

However, while blockchain technology gets to work living up to its heady expectations, businesses who have already hopped on the blockchain bandwagon should get to work protecting that technological investment with scalable cloud-based DDoS protection and/or a leading web application firewall that can shore up vulnerable or weak points while improving availability. A content delivery network may also be an optimal solution depending on how a service’s user base is geographically dispersed, how much content is cacheable, and whether or not any page load time or performance issues are being experienced. With a helping hand from trusted, established technology, the new kid on the disruptor technology block might just become everything it’s supposed to.

Source: https://www.forexcrunch.com/the-end-of-ddos-future-promises-and-current-problems-with-blockchain-technology/

  • 0

Critical infrastructure needs shoring up after U.S., U.K. blame Russia for attacks

The U.S. is prepared to take aggressive action against Russia for a recent, extended campaign of cyberattacks on infrastructure assets around the world by compromising devices such as routers and firewalls, the White House cybersecurity coordinator, who has since left his position, said Monday.

“When we see malicious cyberactivity, whether it be from the Kremlin or other nation-state actors, we are going to push back,” Rob Joyce told reporters after the U.S. and the U.K. laid the blame for the attacks squarely on Russia’s shoulders.

Devices like routers are particularly enticing to hackers. “These devices actually make ideal targets,” said Jeanette Manfra, the top Homeland Security cybersecurity official. “When a malicious actor has access to this, they can monitor, modify, or deny traffic to an organization or from an organization externally.”

Joyce abruptly left his position just hours after speaking with reporters. His departure followed the resignation of White House Homeland Security Adviser Tom Bossert as well as others to who have resigned or been pushed out as John Bolton settles into the role of national security adviser.

David Ginsburg, vice president of Marketing at Cavirin, said the routers that were compromised “are only part of the attack and eventual impact.”

Envisioning what a future attack could look like, he pointed to “Mirai and Reaper, where the ultimate goal was a DDoS attack against other assets, most notably the Dyn attack that took down many internet properties in the U.S. and Europe,” noting that attacks “against servers or the internet infrastructure itself is the most probable scenario, with the routers managed as a botnet against corporate or government assets.”

Marina Kidron, who heads up cyber vulnerabilities research for Skybox Security, said there has “been a 120 percent increase in the vulnerabilities affecting what is known as operational technology in the last 12 months.”

Troubling to cybersecurity pros is that hackers are not relying on cutting edge techniques or “using a stockpile of zero-day vulnerabilities that no one has previously discovered” to do their dirty work, said Nathan Wenzler, chief security strategist at AsTech. Instead, they are plying security holes such as unpatched, misconfigured or neglected devices. “There’s no great skill or trick in this, but they are simply taking advantage of the poor effort we all make to ensure that devices we attach to the internet are configured well and secured.”

Users are unlikely “to know for certain if their router has been compromised or not,” he said. “Since there’s no real exploit being taken advantage of here, it’s likely that everything will look normal from the outside.”

Noting that “the rise in frequency and scope of cyberattacks on governments and critical infrastructure points to a modern form of stealth warfare that can disrupt the availability of basic goods and services across the world,” Eddie Habibi, founder and CEO of PAS Global, said countries must come together to recognize the seriousness of bad actors’ cyber capabilities” to combat what he sees as a global phenomenon.

“During this time of severe political tension, it’s imperative that countries such as the U.S. and U.K. present a united front to establish global treaties on rules of cybersecurity engagement, as well as create alliances to foster information sharing,” he said. “This, combined with greater collaboration between governments and their local infrastructure companies, is the best way to ensure proactive movement towards greater critical infrastructure security.”

“These are computer-connected control systems for running critical processes in power generation and supply as well as similar functions in other utilities like water,” said Kidron, noting that unless the vulnerabilities are addressed, they “can be exploited by adversaries, as we discovered with the NotPetya and other incidents last year.”

Since attackers will continue to up the level of sophistication in their attacks against infrastructure, “defenders must be equally resourceful,” said Nozomi Networks founder and Chief Product Officer Andrea Carcano. “Organizations need to ensure critical infrastructure resilience so that risks from wherever and in whatever format can be identified and remediated.”

Matt Walmsley, head of EMEA marketing at Vectra, said “enterprises should take another look at how they’re securing their network infrastructure.”

He advised organizations not to “leave the door wide open,” noting that they should be current with network infrastructure software updates and patches. “Then make sure you’re not exposing your equipment’s management interfaces and ensure you have changed the default admin credentials,” said Walmsley. “For perimeter devices with internet connectivity this is doubly important.”

While that may seem like the stuff of “cybersecurity 101,” Walmsley pointed out that “only last month, default settings in some Cisco switches allowed over 168,000 devices exposed to the internet to be identified as vulnerable to illicit remote command execution via an admin protocol.”

Walmsley also contended that “firmware may not be that firm,” leaving it open to compromise by advanced attackers. But “with recent advances in AI-based behavior threat detection, we can now spot in real-time the very subtle signals attackers use to perform command and control orchestration to devices that have compromised firmware by looking for the attacker’s “knocking” signals hidden within legitimate communications,” he said. “With that actionable insight, platforms can be completely reset and their firmware, OS images, and configs reloaded from known good sources.”

Source: https://www.scmagazine.com/critical-infrastructure-needs-shoring-up-after-us-uk-blame-russia-for-attacks/article/759849/

  • 0

33% of businesses hit by DDoS attack in 2017, double that of 2016

Distributed Denial of Service attacks are on the rise this year, and used to gain access to corporate data and harm a victim’s services, according to a Kaspersky Lab report.

Cybercriminals are increasingly turning to Distributed Denial of Service (DDoS) this year, as 33% of organizations faced such an attack in 2017—up from just 17% in 2016, according to a new report from Kaspersky Lab.

These cyber attacks are hitting businesses of all sizes: Of those affected, 20% were very small businesses, 33% were SMBs, and 41% were enterprises.

Half of all businesses reported that the frequency and complexity of DDoS attacks targeting organizations like theirs is growing every year, highlighting the need for more awareness and protection against them, according to Kaspersky Lab.

Of the companies that were hit in 2016, 82% said that they faced more than one DDoS attack. At this point in 2017, 76% of those hit said they had faced at least one attack.

Cybercriminals use DDoS attacks to gain access to valuable corporate data, as well as to cripple a victim’s services, Kaspersky Lab noted. These attacks often result in serious disruption of business: Of the organizations hit by DDoS attacks this year, 26% reported a significant decrease in performance of services, and 14% reported a failure of transactions and processes in affected services.

Additionally, some 53% of companies reported that DDoS attacks against them were used as a smokescreen to cover up other types of cybercrime. Half (50%) of these respondents said that the attack hid a malware infection, 49% said that it masked a data leak or theft, 42% said that it was used to cover up a network intrusion or hacking, and 26% said that it was hiding financial theft, Kaspersky Lab found.

These results are part of Kaspersky Lab’s annual IT Security Risks survey, which included responses from more than 5,200 representatives of small, medium, and large businesses from 29 countries.

“The threat of being hit by a DDoS attack – either standalone or as part of a greater attack arsenal – is showing no signs of diminishing,” said Kirill Ilganaev, head of Kaspersky DDoS protection at Kaspersky Lab, in a press release. “It’s not a case of if an organization will be hit, but when. With the problem growing and affecting every type and size of company, it is important for organizations to protect their IT infrastructure from being infiltrated and keep their data safe from attack.”

Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.

  • 33% of organizations experienced a DDoS attack in 2017, compared to 17% in 2016. -Kaspersky Lab, 2017
  • Of organizations hit by DDoS attacks, 20% were very small businesses, 33% were SMBs, and 41% were enterprises. -Kaspersky Lab, 2017
  • 53% of companies reported that DDoS attacks against them were used as a smokescreen to cover up other types of cybercrime, including malware, data leaks, and financial theft. -Kaspersky Lab, 2017

Source: http://www.techrepublic.com/article/33-of-businesses-hit-by-ddos-attack-in-2017-double-that-of-2016/

  • 0

Apache Struts Vulnerabilities and The Equifax Hack, What Happened?

In the wake of the Equifax breach, a lot of people are wondering how the theft of personal information occurred and how it could have been prevented.

Equifax initially reported that a vulnerability in Apache Struts was used to infiltrate their public-facing web server. Apache Struts has faced its fair share of vulnerabilities with 21 having been discovered since the start of 2016.

Which Apache Struts vulnerability was used in the Equifax hack?

At DOSarrest we researched current and past Apache Strut vulnerabilities and determined that they likely were not hacked using the new CVE-2017-9805 but likely CVE-2017-5638.

Equifax released additional details on Sept 13th 2017 confirming that the vulnerability involved was CVE-2017-5638. The CVE-2017-5638 vulnerability dates back to March 2017, which is why people in the security industry are now questioning how they could be so far behind in patching this well-known exploit.

The two vulnerabilities, CVE-2017-5638 and the recently revealed CVE-2017-9805 are very similar in nature and are both considered Remote Code Execution (RCE) vulnerabilities .

How does a RCE vulnerability work and how can they be prevented?

A RCE vulnerability is exploited when an attacker crafts a packet or request containing arbitrary code or commands. The attacker uses a method to bypass security that causes a vulnerable server to execute the code with either user or elevated privileges.

Such vulnerabilities can be prevented with a two-fold approach to web application security:

1) New vulnerabilities will continually be discovered in any web application framework, and it is the duty of IT teams to keep the software patched. This requires regular audits and patches to vulnerable software. Even the most proactive IT teams will not be able to prevent a so-called zero-day attack by patching alone so more must be done to protect the web server from zero-day vulnerabilities.

2) Since there is always a delay between the time a vulnerability is discovered and when a patch is developed by the maintainer of that product, a means to protect your website from undiscovered zero-day vulnerabilities is needed. Web Application Firewall’s (WAF) that typically rely on signatures are unfortunately at a disadvantage because signatures for existing vulnerabilities in most cases do not match newer zero-day vulnerabilities.

If I cannot rely on signature-based WAF options, what can I rely on to protect my business?

At DOSarrest our WAF is different. The problem with relying on signatures is that it requires constant updates as new vulnerabilities become known. Instead our WAF looks for sets of characters (such as /}/,/“/, and /;/) or phrases (like “/bin/bash” or “cmd.exe”) that are known to be problematic for some web applications.

What makes DOSarrest’s WAF even more appealing is that it is fast. Much faster than signature-based solutions that require high CPU use to match signatures–such matching could result in a measurable impact on latency. With DOSarrest’s WAF there is no increase in latency, and vulnerabilities not yet discovered will still be mitigated.

Examples of how the Apache Strut vulnerabilities are performed:

For the benefit of more technical users, some sample requests will be analyzed below. The first example represents a normal non-malicious request sent by millions of people everyday and the following two exploit RCE vulnerabilities in Apache Struts:

We can note the following characteristics in the exploit of CVE-2017-5638:

1. The Content-Type Header starts with %{(, an incorrect format.

2. The payload contains a java function call, java.lang.ProcessBuilder, that is normally regarded as dangerous.

3. The payload contains both windows and Linux command line interpreters: “cmd.exe” (Windows Command Prompt) and “/bin/bash” (Linux Bash shell/terminal).

The RCE vulnerability used to infiltrate Equifax, CVE-2017-5638 exploits a bug in the way Apache Struts processes the “Content-Type” HTTP header. This allows attackers to run an XML script with elevated user access, containing the java.lang.ProcessBuilder is required to execute the commands the attacker has placed within the XML request.

CVE 2017-9805, announced September 2017, is very similar to the previous RCE vulnerability.

With CVE-2017-9805, we can note the following characteristics:

1. The Content-Type is application/xml with the actual content in the request body matching that of the Content-Type.

2) The payload also contains the java function call java.lang.ProcessBuilder.

3) The payload in this case is Linux specific and calls “/bin/bash -c touch ./CVE-2017-9805.txt” to confirm that the exploit works by creating a file, “CVE-2017-9805.txt”.

Are the payloads shown the exact ones used by attackers to obtain data from Equifax?

Although some of the commands may have been used together as part of the information gathering process, the actual commands used to obtain the data from Equifax may only be known by the attackers and possibly Equifax or an auditing security team directly involved in the case. The examples show how the vulnerability could be exploited in the wild and what methods might be used, e.g., setting Content-Type and sending an XML file with a payload. These examples do not represent the actual payload used to obtain the data from Equifax.

Since the payload itself can be completely arbitrary, an attacker can run any commands desired on the victim’s server. Any action the web server software is capable of could be performed by an attacker, which could allow for theft of information or intellectual property if it is accessible from the hacked server.

In the case of Equifax, there was likely an initial vulnerability scan that the attackers used to expose Equifax’s vulnerability to this particular attack. This would have been followed by an effort to determine what files were available or what actions could be performed from the Equifax public-facing web server.At some point the attackers came across a method for accessing personal credit details on millions of Americans and citizens from other countries who had credit checks performed on their identities within the United States.

If Equifax had been using the DOSarrest WAF, they could have avoided a costly mistake. Don’t let your business suffer a damaging security breach that could result in you being out of business for good. Talk to us about our services.

For more information on our services including our Web Application Firewall, see DOSarrest for more information on Security solutions.

Source: https://www.dosarrest.com/ddos-blog/apache-struts-vulnerabilities-and-the-equifax-hack-what-happened/

  • 0

FCC has no documentation of DDoS attack that hit net neutrality comments

Records request denied because FCC made no “written documentation” of attack.

The US Federal Communications Commission says it has no written analysis of DDoS attacks that hit the commission’s net neutrality comment system in May.

In its response to a Freedom of Information Act (FoIA) request filed by Gizmodo, the FCC said its analysis of DDoS attacks “stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation.” Gizmodo had asked for a copy of any records related to the FCC analysis that concluded DDoS attacks had taken place. Because there was no “written documentation,” the FCC provided no documents in response to this portion of the Gizmodo FoIA request.

The FCC also declined to release 209 pages of records, citing several exemptions to the FoIA law. For example, publication of documents related to “staffing decisions made by Commission supervisors, draft talking points, staff summaries of congressional letters, and policy suggestions from staff” could “harm the Commission’s deliberative processes,” the FCC said. “Release of this information would chill deliberations within the Commission and impede the candid exchange of ideas.”

The FCC also declined to release internal “discussion of the Commission’s IT infrastructure and countermeasures,” because “It is reasonably foreseeable that this information, if released, would allow adversaries to circumvent the FCC’s protection measures.”

The FCC did release 16 pages of records, “though none of them shed any light on the events that led to the FCC’s website crashing on May 8,” Gizmodo wrote yesterday. “The few e-mails by FCC staff that were actually released to Gizmodo are entirely redacted.”

The Gizmodo article comes in the same week that the FCC refused to release the text of more than 40,000 net neutrality complaints that it has received from Internet users since June 2015. Pai has claimed that net neutrality rules were a response to “hypothetical harms and hysterical prophecies of doom,” but most complaints to the FCC about potential net neutrality violations by ISPs are being kept secret. (The FCC did release 1,000 of the complaints to the National Hispanic Media Coalition, which had filed a FoIA request.)

Pai has claimed that his proposed repeal of net neutrality rules is using a “far more transparent” process than the one used to implement net neutrality rules in 2015.

UPDATE: The FCC released a statement this afternoon claiming that it is “categorically false” to suggest that “the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system.” The FCC statement said there is publicly available written analysis in the form of a letter to Congress (which we quoted and linked to in the next section of this article). The FCC statement also said it has “voluminous documentation of this attack in the form of logs collected by our commercial cloud partners,” which has not been released publicly.

But again, the FCC refused to provide its internal analysis of the attack, which is what Gizmodo requested. The FCC’s new statement says that “Gizmodo requested records related to the FCC analysis cited in [CIO] David Bray’s May 8 public statement about this attack. Given that the Commission’s IT professionals were in the midst of addressing the attack on May 8, that analysis was not reduced to writing. However, subsequent analysis, once the incident had concluded, was put in writing.”

We asked the FCC to provide this “subsequent analysis,” and haven’t heard back yet.

The FCC’s position seems to be that it wasn’t asked to provide any analysis that was written down after May 8. But Gizmodo requested “A copy of any records related to the FCC ‘analysis’ (cited in Dr. Bray’s statement) that concluded a DDoS attack had taken place.” The FCC’s analysis after May 8 did not change—the commission continues to say it was hit by DDoS attacks. Yet the FCC refused to provide records related to its analysis that it was hit by DDoS attacks.

“We asked for all records ‘related to’ this analysis (emails, etc.), not just the analysis itself, which they claim does not exist,” Gizmodo reporter Dell Cameron wrote on Twitter.

Ars’ FoIA request denied

Separately, Ars filed a FoIA request on May 9 for e-mails and other communications and records related to the attack on the net neutrality comment system and related downtime. The FCC denied our request on June 21, saying that “due to an ongoing investigation we are not able to release records associated with this incident.”

Ars appealed that decision to the FCC on June 30 in light of Chairman Ajit Pai’s statement to US senators that the FBI is not investigating the comment system attack.

“In speaking with the FBI, the conclusion was reached that, given the facts currently known, the attack did not appear to rise to the level of a major incident that would trigger further FBI involvement,” Pai wrote to Senate Democrats who asked for more details about the attacks and the FCC’s response to the attacks.

The FCC has not responded to our FoIA appeal or to a followup e-mail we sent on Tuesday this week.

UPDATE: The FCC responded to our FoIA appeal two hours after this story published, saying it won’t release the e-mails and other records because of an internal investigation.

“An internal investigation into the matter is under consideration,” the FCC told us. “Agency staff have concluded that release of the records you requested could be reasonably expected to impede and interfere with this investigation.”

Comment system failure and DDoS analysis

The FCC’s website failure temporarily prevented the public from commenting on Pai’s controversial proposal to dismantle net neutrality rules. The downtime coincided with a heavy influx of comments triggered by comedian John Oliver’s HBO segment criticizing Pai’s plan, but the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks.”

We published an analysis of the FCC’s statements in May, concluding that the incident was caused either by “an unusual type of DDoS or poorly written spam bots.” Cloudflare, which operates a global network that protects websites from DDoS attacks, supported the FCC’s statements. The FCC’s descriptions are consistent with “a ‘Layer 7′ or Application Layer attack,” Cloudflare Information Security Chief Marc Rogers told Ars.

“In this type of [DDoS] attack, instead of trying to saturate the site’s network by flooding it with junk traffic, the attacker instead tries to bring a site down by attacking an application running on it,” Rogers said.

The FCC also refused to release server logs related to the attack because they might contain private information such as IP addresses. Security experts who spoke to Ars supported this decision.

There are now more than 10 million comments on Pai’s plan to overturn net neutrality rules, though many contain the same text because they come from spam bots or from campaigns urging people to submit pre-written comments. Pai has said that the number of comments opposing or supporting his plan “is not as important as the substantive comments that are in the record.”

Source: https://arstechnica.com/information-technology/2017/07/fcc-has-no-documentation-of-ddos-attack-that-hit-net-neutrality-comments/

  • 0

Lawmakers seek answers on alleged FCC DDoS attack

Five Democratic senators are seeking an FBI investigation into possible cyberattacks on the Federal Communication Commission’s online comment system.

The FCC’s Electronic Comment Filing System crashed in the early hours of May 8 in what the agency called “deliberate attempts by external actors to bombard” the commission and render its systems unusable by legitimate commenters.

Sens. Brian Schatz (D-Hawaii), Al Franken (D-Minn.), Patrick Leahy (D-Vt.), Ed Markey (D-Mass.) and Ron Wyden (D-Ore.) want acting FBI director Andrew McCabe to make an investigation of that May disruption a priority, and also called for an investigation into the source of the attack. The senators’ letter emphasized that they were especially troubled by the disruption of the process of public commentary given that public participation is crucial to the integrity of the FCC’s regulatory process.

The request comes as FCC Chairman Ajit Pai is moving to roll back Obama-era net neutrality regulations over the objections of Democrats in Congress and internet freedom activists.

“Any cyberattack on a federal network is very serious,” the senators wrote. “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC’s rulemaking proceedings.”

The senators seek a reply by June 23.

It’s possible, however, that what the FCC is reporting as a DDoS attack was in fact a traffic spike spurred by TV comedian John Oliver, who urged viewers to register their opposition to the net neutrality rollback in an May 7 broadcast.

The partisan fight over FCC actions on net neutrality has cast a political shadow over the attack, the follow-up and any future investigation. Three of the letter’s five signatories (Schatz, Markey, Franken) also signed a May 17 open letter lambasting the FCC’s possible net neutrality rollback.

Wyden and Schatz also sought clarification from Pai about the ability of the agency to protect against DDoS attacks in a separate May 9 letter. The two sought details on the user capacity of the FCC’s website and requested a reply by June 8.

Meanwhile, the FCC is accepting comments on its net neutrality proceeding through Aug. 16.

Source: https://fcw.com/articles/2017/05/31/fcc-ddos-senators-berliner.aspx

  • 0

Long Before ‘WannaCry’ Ransomware, Decades Of Cyber ‘Wake-Up Calls’

By latest counts, more than 200,000 computers in some 150 countries have been hit by a cyberattack using ransomware called WannaCry or WannaCrypt, which locked the data and demanded payment in bitcoin. The malware was stopped by a young U.K. researcher’s lucky discovery of a kill switch, but not before it caused hospitals to divert patients and factories to shut operations.

The origins of the malicious software — which feeds on a Microsoft vulnerability — trace back to the National Security Agency: cybertools stolen from the government and posted publicly in April. Microsoft had issued a patch in March. (And here are good tips to generally secure yourself.)

“The governments of the world should treat this attack as a wake-up call. … We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” Microsoft President Brad Smith wrote in a follow-up blog post. “We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. … In this sense, the WannaCrypt attack is a wake-up call for all of us.”

This one, it’s a wake-up call. Haven’t we heard that somewhere before? In fact, archival searches show the use of the cliché stretching back decades — as far back as the early viruses and worms of the 1980s.

“I think people use ‘wake-up call’ in different ways, but it’s generally used to mean to treat cybersecurity like a bona fide national security problem, which we still for the most part don’t do,” says Philip Reitinger, head of the nonprofit Global Cyber Alliance. “In general, it’s ‘Gosh, now people will understand, governments and private sector will understand how serious it is — and do something. When the history has shown, no, they won’t.”

Reitinger and numerous others veterans in the field have been making many of the same calls through the years: Commit proper funding, like to any other national security threat; write new laws that would tangibly incentivize and enforce good behavior by companies large and small; put proper priority on creating a system that can defend itself.

“I’m tired of people writing reports and recommendations,” Reitinger says. “We’re not treating this like the moonshot; we just get the words.”

Well, in the spirit of the focus on words, let’s follow it through history. Below is a select taste of some of the major hacks and attacks that were declared to be a “wake-up call” by government officials and security experts.

1998: The Pentagon

The AP reported on Feb. 26: “The Pentagon’s unclassified computer networks were hit this month by the ‘most organized and systematic’ attack yet.” It was later attributed to two California teenagers, guided by an Israeli teen.

The AP cited Deputy Defense Secretary John Hamre saying that the government and the private sector had not done enough to protect sensitive networks from attacks. In a story on NPR’s All Things Considered, Hamre said: “It was certainly a wake-up call. It certainly is indicative of a future we could be facing that’s much more serious. And we need to learn the lessons from this experience and take advantage of it.”

2000: Popular websites

In a highly publicized denial-of-service attack, a 15-year-old known online as Mafiaboy, brought down Amazon, CNN, Dell, E*Trade, eBay and Yahoo!, which was then the largest search engine. On Feb. 15, then-White House Chief of Staff John Podesta appeared on CNN, saying:

“I think these latest attacks have been a wake-up call for Americans that more needs to be done, that we need to get together and do what we did to deal with the Y2K crisis, which is to come together to share ideas, to do more research and development on security measures that can be taken to enhance the network security, and to build a really strong foundation of security and privacy for the information infrastructure as we create this great promise of the digital economy.”

In March, the tech panel of the Senate Judiciary Committee held a hearing on cyberterrorism, where subcommittee chairman Sen. Jon Kyl said the attacks “raised public awareness and hopefully will serve as a wake-up call about the need to protect our critical computer networks.”

2003: Computers worldwide

SQL Slammer became known as “the worm that crashed the Internet in 15 minutes.” In prepared testimony at the House of Representatives, Vincent Gullotto of Anti-Virus Emergency Response Team at Network Associates said:

“During the Slammer virus outbreak, major U.S. banks experienced widespread ATM outages, a major airline canceled or delayed flights, and a large U.S. metropolitan area lost its 911 emergency services. … Attacks such as those that occurred over the last several weeks provide an important wake-up call to governments, industries, and consumers. We must not be complacent; we must act.”

2010: Google

Google disclosed “a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property.” It was later dubbed “Operation Aurora,” said to have targeted dozens of companies.

After Director of National Intelligence Dennis Blair appeared before the Senate intelligence committee, NPR’s Mary Louise Kelly reported on All Things Considered on Feb. 2:

Blair “used much stronger language than I’ve heard him use before, talked about malicious cyberactivity, and I’ll quote him, ‘is occurring on an unprecedented scale with extraordinary sophistication.’ He talked about things like the recent hacking attack on Google, said that should be a wake-up call, said that the U.S. information infrastructure overall [is] severely threatened.”

2010: Iran’s nuclear program

Stuxnet is a massive computer worm that attacked Iran’s industrial equipment, including at a uranium-enrichment facility. On Nov. 17, Symantec executive Dean Turner testified before the Senate Homeland Security Committee:

“Stuxnet demonstrates the vulnerability of critical national infrastructure industrial control systems to attack through widely used computer programs and technology. Stuxnet is a wake-up call to critical infrastructure systems around the world. This is the first publicly known threat to target industrial control systems and grants hackers vital control of critical infrastructures such as power plants, dams and chemical facilities.”

2012: Saudi Aramco

In August, a virus called Shamoon wiped out files from 30,000 corporate computers of the world’s largest oil exporter.

In a Dec. 7 speech, then-Defense Secretary Chuck Hagel called the attacks on Saudi Aramco and a subsequent attack targeting the Qatari natural gas company RasGas, “a serious wake-up call to everyone.” Hagel added: “The United States will continue to help build the capacity of partners and allies to defend their critical infrastructure from cyberattack, especially major energy, infrastructure, and telecommunications facilities.”

2015: Office of Personnel Management

In the massive OPM data breach, hackers stole personal information of more than 20 million current and former federal employees, contractors, family members and others who had undergone federal background checks.

In a Timeop-ed titled “U.S. Cybersecurity Is Too Weak,” Sens. Chris Coons and Cory Gardner of the Senate Foreign Relations Committee wrote:

“The OPM hack remains the largest data breach ever suffered by the federal government and should have served as a wake-up call to Congress. … The United States must develop a robust prevention and recovery policy response that can adapt to current and future technological advancements.”

In his own op-ed for Federal News Radio, House Oversight Chairman Jason Chaffetz wrote: “This should serve as a wake-up call to all in government on how to best secure federal IT and data. A shift toward zero trust is one way to improve federal IT security.”

2016: Dyn

Hackers attacked a major Internet infrastructure company called Dyn, disrupting websites and services such as Twitter, Amazon, Spotify and Airbnb. The disruptions lasted most of the day, a result of a massive distributed denial-of-service attack delivered through millions of hijacked Internet-connected things such as baby monitors, DVRs and CCTV cameras, infected with Mirai malware.

Source: http://www.npr.org/sections/alltechconsidered/2017/05/16/528447819/long-before-wannacry-ransomware-decades-of-cyber-wake-up-calls

“It’s important for [Internet of Things] vendors who haven’t prioritized security to take this escalating series of attacks as a wake-up call,” The Washington Post quoted Casey Ellis of cybersecurity firm Bugcrowd as saying. “We’re entering a period where this is very real, calculable, and painful impact to having insecure products.”

A House Energy and Commerce panel convened to discuss the security of Internet-connected devices. Rep. Bob Latta, R-Ohio, weighed in: “The recent DDoS attack should serve as a wake-up call that our systems are susceptible to attempts to use IoT devices to wreak havoc.”

  • 0

Hackers attacking WordPress sites via home routers

Administrators of sites using the popular blogging platform WordPress face a new challenge: hackers are launching coordinated brute-force attacks on the administration panels of WordPress sites via unsecured home routers, according to a report on Bleeping Computer.

Once they’ve gained access, the attackers can guess the password for the page and commandeer the account.

The home routers are corralled into a network which disseminates the brute-force attack to thousands of IP addresses negotiating around firewalls and blacklists, the report stated.

The flaw was detected by WordFence, a firm that offers a security plugin for the WordPress platform. The campaign is exploiting security bugs in the TR-069 router management protocol to highjack devices. Attackers gain entry by sending malicious requests to a router’s 7547 port.

The miscreants behind the campaign are playing it low-key to avoid detection, attempting only a few guesses at passwords for each router.

While the exact size of the botnet is unknown, WordFence reported that nearly seven percent of all the brute-force attacks on WordPress sites last month arrived from home routers with port 7547 exposed to the internet.

The flaw is exacerbated by the fact that most home users lack the technical know-how to limit access to their router’s 7547 port. In some cases, the devices do not allow the shuttering of the port.

A more practical solution is offered by WordFence: ISPs should filter out traffic on their network coming from the public internet that is targeting port 7547.

“The routers we have identified that are attacking WordPress sites are suffering from a vulnerability that has been around since 2014 when CheckPoint disclosed it,” Mark Maunder, CEO of WordFence CEO, told SC Media on Wednesday.

The specific vulnerability, he pointed out, is the “misfortune cookie” vulnerability. “ISPs have known about this vulnerability for some time and they have not updated the routers that have been hacked, leaving their customers vulnerable. So, this is not a case of an attacker continuously evolving a technique to infect routers. This is a case of opportunistic infection of a large number of devices that have a severe vulnerability that has been known about for some time, but has never been patched.”

There are two attacks, Maunder told SC. The first is the router that is infected through the misfortune cookie exploit. The other is the attacks his firm is seeing on WordPress sites that are originating from infected ISP routers on home networks.

“The routers appear to be running a vulnerable version of Allegro RomPager version 4.07,” Maunders said. “In CheckPoint’s original 2014 disclosure of this vulnerability they specifically note that 4.07 is the worst affected version of RomPager. So there is nothing new or innovative about this exploit, it is simply going after ISP routers that have a large and easy to hit target painted on them.”

The real story here, said Maunder, is that a number of large ISPs, several of them state owned, have gone a few years without patching their customer routers and their customers and the online community are now paying the price. “Customer home networks are now exposed to attackers and the online community is seeing their websites attacked. I expect we will see several large DDoS attacks originating from these routers this year.”

Source: https://www.scmagazine.com/hackers-attacking-wordpress-sites-via-home-routers/article/649992/

  • 0

Activists plan DDoS attack on the White House website during Trump’s inauguration

A software engineer is calling for protesters to flood the site with traffic during the presidential inauguration

It’s almost time. Ex-reality TV host and businessman Donald Trump will be officially sworn in as the US president on Friday January 20. His campaign was divisive, to say the least, and it seems his tenure as president is looking like having a bumpy start, with protests planned in all states of the US, including on the streets of Washington DC.

However, rather than stand outside, some protestors are choosing to target the President-elect with other, indoor-based, means. Software engineer, Juan Soberanis, is calling on protestors to attempt to take down the White House’s website in a DDoS attack – simply by flooding the website with traffic. Soberanis is calling it “Occupy White House”.

According to the International Business Times, Soberanis wrote on his online protest pledge: “”If you can’t make it to Washington DC on inauguration day to protest Trump’s presidency, you can still fight for the cause by helping to take down whitehouse.gov as a show of solidarity for the lives impacted by Trump’s policy agenda.

“It’s simple. By overloading the site with visitors, we will be able to demonstrate the will of the American people,” he continued.

Soberanis then goes on to tell fellow protestors to overwhelm the website by setting up auto-refresh on the WhiteHouse.gov homepage throughout the day.

The San-Francisco engineer is the creator of Protester.io, a Kickstarter-type site that encourages individuals to get involved in online protests. However, only one protest is currently live on the site, a finished protest set up by Soberanis to incite people to join the ACLU as a protest against Trump. The alleged URL for his Occupy White House protest page on the site appears to be inaccessible at the moment.

Hacking group Anonymous is additionally, and allegedly, planning cyber attacks against Trump’s new administration.

It should be noted, though, that this type of attack is considered criminal activity in the US under the Computer Fraud and Abuse Act. The act dictates that sending a command to a protected computer with the intent to cause damage can be judged a criminal offence, and people affiliated with Anonymous have been charged in the past by the US government for launching DDoS attacks on government entities and trade groups.

Screen Shot 2017-01-19 at 14.38.54

Thousands of people are planning to protest Trump’s inauguration on January 20

As well as being a controversial choice for president, Trump’s inauguration is set to be a controversial affair, too. The likes of Cher, Chelsea Handler and Katy Perry have promised to take part in the Women’s March, either in the capital or in the states around, the day after the inauguration, to protest the Republican party’s threats to defund Planned Parenthood.

According to Google, the statewide searches for “inauguration protest” are much higher than “attend inauguration” searches on the site. During the transition from Obama stepping down and Trump stepping up, “Russia” has been one of the top searched-for big issuesin the States on Google, alongside immigration and Obamacare.

Source: http://www.wired.co.uk/article/donald-trump-inauguration-ddos-attack-planned

  • 0