U.S. Tech Giant Cloudflare Provides Cybersecurity For At Least 7 Terror Groups

American tech firm Cloudflare is providing cybersecurity services to at least seven designated foreign terrorist organizations and militant groups, HuffPost has learned.

The San Francisco-based web giant is one of the world’s largest content delivery networks and boasts of serving more traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined. Founded in 2009, it claims to power nearly 10 percent of Internet requests globally and has been widelycriticized for refusing to regulate access to its services.

Among Cloudflare’s millions of customers are several groups that are on the State Department’s list of foreign terrorist organizations, including al-Shabab, the Popular Front for the Liberation of Palestine, al-Quds Brigades, the Kurdistan Workers’ Party (PKK), al-Aqsa Martyrs Brigade and Hamas — as well as the Taliban, which, like the other groups, is sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC). These organizations own and operate active websites that are protected by Cloudflare, according to fournational security and counterextremism experts who reviewed the sites at HuffPost’s request.

In the United States, it’s a crime to knowingly provide tangible or intangible “material support” — including communications equipment — to a designated foreign terrorist organization or to provideservice to an OFAC-sanctioned entity without special permission. Cloudflare, which is not authorized by the OFAC to do business with such organizations, has been informed on multiple occasions, dating back to at least 2012, that it is shielding terrorist groups behind its network, and it continues to do so.

The Electronic Frontier Foundation and other free speech advocates have long been critical of material support laws. The foundation described them as tools the government has used to “chill First Amendment protected activities” such as providing “expert advice and assistance” ― including training for peacefully resolving conflicts ― to designated foreign terrorist organizations. Many of the designated groups, the EFF has argued, also provide humanitarian assistance to their constituents.

But so far, free speech advocates’ arguments haven’t carried the day — which means that Cloudflare still could be breaking the law.

‘We Try To Be Neutral’

“We try to be neutral and not insert ourselves too much as the arbiter of what’s allowed to be online,” said Cloudflare’s general counsel, Doug Kramer. However, he added, “we are very aware of our obligations under the sanctions laws. We think about this hard, and we’ve got a policy in place to stay in compliance with those laws.” He declined to comment directly on the list of websites HuffPost provided to Cloudflare, citing privacy concerns.

Cloudflare secures and optimizes websites; it is not a domain host. Although Cloudflare doesn’t host websites, its services are essential to the survival of controversial pages, which would otherwise be vulnerable to vigilante hacker campaigns known as distributed denial-of-service attacks. As the tech firm puts it, “The size and scale of the attacks that can now easily be launched online make it such that if you don’t have a network like Cloudflare in front of your content, and you upset anyone, you will be knocked offline.”

Some of the terrorist sites that HuffPost identified on its server have been used to spread anti-state propaganda, claims of responsibility for terrorist attacks, false information and messages glorifying violence against Americans and civilians. But none of that really matters: Even if al-Shabab were posting cat videos, it would still be a crime to provide material support to the group.

“This is not a content-based issue,” said Benjamin Wittes, the editor in chief of Lawfare and a senior fellow at the Brookings Institution. “[Cloudflare] can be as pure-free-speech people as they want — they have an arguable position that it’s not their job to decide what speech is worthy and what speech is not — but there is a law, a criminal statute, that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.”

Intermediary websites are shielded from liability for illicit third-party content on their platforms, thanks to the U.S. Communications Decency Act (meaning, for example, that Twitter cannot be held legally accountable for a libelous tweet). This immunity is irrelevant with regard to the material support statute of the USA Patriot Act, which pertains strictly to the provision of a service or resource, not to any offending content, explained Wittes. In this case, Cloudflare’s accountability would not be a question of whether it should be monitoring its users or their content but, in part, whether the company is aware that it is serving terrorist organizations.

“If and when you know or reasonably should know, then you’re in legal jeopardy if you continue to provide services,” said University of Texas law professor Bobby Chesney.

In its terms of use, Cloudflare reserves the right to terminate services “for any reason or no reason at all.” Yet the firm has refused to shut down even its most reprehensible customers, with very few exceptions. Its CEO, former lawyer Matthew Prince, has made it clear that he believes in total content neutrality and that Cloudflare should play no role in determining who’s allowed online. His company is reportedly preparing for an initial public offering that would value it at more than $3.5 billion.

There is a law — a criminal statute — that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.Benjamin Wittes, senior fellow at the Brookings Institution

Cloudflare’s services range in price from completely free to north of $3,000 per month for advanced cybersecurity. (Kramer declined to say if the sanctioned entities HuffPost identified are paying customers. Material support law applies to both free and paid services.) Its reverse proxy service reroutes visitors away from websites’ IP addresses, concealing their domain hosts and giving them a sense of anonymity. This feature has made Cloudflare especially appealing to neo-Nazis, white supremacists, pedophiles, conspiracy theorists — and terrorists.

Screen Shot 2018-12-14 at 15.18.33

Cloudflare Knows

Cloudflare has knowingly serviced terrorist-affiliated websites for years. In 2012, Reuters confronted Cloudflare about websites behind its network that were affiliated with al-Quds Brigades and Hamas. Prince argued that Cloudflare’s services did not constitute material support of terrorism. “We’re not sending money, or helping people arm themselves,” he said at the time. “We’re not selling bullets. We’re selling flak jackets.”

That analogy bears little relevance. “Material support,” as defined in 18 U.S.C. § 2339B, refers to “any property, tangible or intangible, or service,” excluding medicine and religious materials. Contrary to Prince’s suggestion, it applies to more than money and weapons. A New York man who provided satellite television services to Hezbollah was sentenced in 2009 to 69 months in prison for material support of terrorism. And although the definition is broad, “it really covers anything of value,” Chesney said. “It’s meant to be like a full-fledged embargo.”

In 2013, after journalist James Cook learned Cloudflare was securing a website affiliated with al Qaeda, he wrote an article arguing that the web giant was turning “a blind eye to terrorism.” Prince published his responses to Cook’s questions about serving terrorist groups in a Q&A-style blog post titled “Cloudflare and Free Speech.”

Cook asked what safeguards Cloudflare had in place to ensure it was not supporting illegal terrorist activity; Prince listed none. Cook inquired whether Cloudflare would investigate the website he had identified; Prince suggested it would not. The site is still online and is still secured by Cloudflare.

“A website is speech. It is not a bomb,” Prince wrote in his post. “We do not believe that ‘investigating’ the speech that flows through our network is appropriate. In fact, we think doing so would be creepy.”

Creepy or not, if a company receives a tip that it has customers who are sanctioned terrorists or has reason to believe that could be the case, it should absolutely investigate so as not to risk breaking the law, experts said. (Kramer noted Prince’s remarks are “from six years ago” and said Cloudflare does take such tips seriously.)

“This is a criminal statute that we’re talking about, so companies bear a risk by putting their heads in the sand,” said Georgetown Law professor Mary McCord, a former head of the Justice Department’s national security division. “A company has got to spend money, resources [and have] lawyers to make sure it’s not running afoul of the law. The risk it takes if it doesn’t is a criminal prosecution.”

President Donald Trump’s administration also urges due diligence. “We encourage service providers to follow the lead of the big social media companies, whose terms of service and community standards expressly enable them to voluntarily address terrorist content on their platforms, while exploring ways to more expeditiously tackle such content,” a White House official told HuffPost.

The international hacktivist group Anonymous accused Cloudflare of serving dozens of ISIS-affiliated websites in 2015, which Prince shrugged off as “armchair analysis” by “15-year-old kids in Guy Fawkes masks.” In media interviews, he maintained that serving a terrorist entity is not akin to an endorsement and said only a few of the sites on Anonymous’ list belonged to ISIS. Prince hinted that government authorities had ordered Cloudflare to keep certain controversial pages online. The FBI, Justice Department, State Department, Treasury Department and White House declined to comment on that assertion.

Last year, Cloudflare disclosed that the FBI subpoenaed the company to hand over information about one of its customers for national security purposes. The FBI, which also uses Cloudflare’s services, rescinded the subpoena and withdrew its request for information after Cloudflare threatened to sue. Neither Cloudflare nor the FBI would comment on this matter.

Over the past two years, the Counter Extremism Project, a nonpartisan international policy organization, has sent Cloudflare four detailed letters identifying a total of seven terrorist-operated websites on its server. HuffPost has viewed these letters, which explicitly address concerns about material support of terrorism, and Kramer acknowledged that Cloudflare received them.

“We’ve never received a response from [Cloudflare],” said Joshua Fisher-Birch, a content review specialist at the Counter Extremism Project. Five of the seven flagged websites remain online behind Cloudflare today, more than a year after they were brought to the firm’s attention.

“I think they’re doubling down on free speech absolutism at all costs,” he added. “In this case, that means they’re going to allow terrorist and extremist organizations to use their services and to possibly spread propaganda, try to recruit or even finance on their websites.”

HUFFPOST

In August 2017, Cloudflare cut off services to the Daily Stormer, a website that had allegedly been involved in a neo-Nazi rally that month in Charlottesville, Virginia, where a counterprotester was killed.

‘Assholes’ vs. Terrorists

Kramer said he was not able to comment in detail on specific cases in which outside actors such as journalists and Anonymous informed Cloudflare about possible terrorist organizations using its services, but he noted that Cloudflare works with government agencies to comply with its legal obligations.

“Our policy is that if we receive new information that raises a flag or a concern about a potentially sanctioned party, then we’ll follow up to figure out whether or not that’s something that we need to take action on,” he said. “Part of the challenge is really to determine which of those are legitimate inquiries and which of those … are trying to manipulate the complaint process to take down people with whom they disagree.”

Cloudflare was flooded with such complaints in August 2017, when activists pleaded with the firm to terminate its services for the Daily Stormer, a prominent neo-Nazi website that was harassing the family of a woman who had recently been killed in violence surrounding a neo-Nazi rally in Charlottesville, Virginia.

Prince initially refused to drop the Daily Stormer, but as public outrage intensified, he reluctantly pulled the plug. “The people behind the Daily Stormer are assholes and I’d had enough,” he later said in an email to his team. The rationale behind that decision raised questions among Cloudflare’s staff, according to Wired.

“There were a lot of people who were like, ‘I came to this company because I wanted to help build a better internet … but there are some really awful things currently on the web, and it’s because of us that they’re up there,’” one employee said. Another wondered why Cloudflare would consider shutting down Nazis but not terrorists.

Source: https://www.huffingtonpost.ca/entry/cloudflare-cybersecurity-terrorist-groups_us_5c127778e4b0835fe3277f2f

  • 0

SIDN, NBIP warn small businesses of increased risk of DDoS attacks

Small and medium-sized businesses are much more at risk of DDoS attacks than many think, according to research by the Dutch domain registrar SIGN and the internet providers group NBIP. The two groups conducted research on the .nl websites affected by such attacks and the organisations affected. In total, 237 DDoS attacks were identified in the year to June 2018.

Web shops selling consumer goods such as clothes, cosmetics and garden equipment have a bigger chance of being hit by DDoS attacks, the research found. On average the resulting damage costs EUR 1.8 million.

A common cause is the use of shared hosting. To save costs, small online sellers often share a server with other websites. They are then affected if another site on the server is hit by an attack. The chance of collateral damage is 35 times higher in such a case.

The public sector and larger banks remain the most likely target of direct attacks. The study estimates the direct damage cost EUR 59.6 million, while collateral effects cost another EUR 10 million.

The damages are based on the 237 attacks identified and estimates for the consequences if the attacks succeeded. If no protective measures are taken, the total cost to society from DDoS attacks is estimated at EUR 1 billion per year.

Source: https://www.telecompaper.com/news/sidn-nbip-warn-small-businesses-of-increased-risk-of-ddos-attacks–1269808

  • 0

Beware of Torii! Security experts discover the ‘most sophisticated botnet ever seen’ – and say it is targeting smart home gadgets

  • Researchers from Avast have identified a worrying botnet affecting IoT devices
  • Called ‘Torii,’ the virus infects devices at a server level that have weak encryption
  • Virus can fetch and execute different commands, making it ‘very sophisticated’

Keep an eye on your smart home devices.

Security experts have identified what they consider the ‘most sophisticated botnet they’ve ever seen’ and it’s believed to be targeting internet of things gadgets.

Antivirus firm Avast said in a new report they’ve been closely watching a new malware strain, called ‘Torii,’ which uses ‘advanced techniques’ to infect devices.

‘…This one tries to be more stealthy and persistent once the device is compromised, an it does not (yet) do the usual stuff a botnet does like [Distributed Denial of Service attacks], attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,’ Avast researchers wrote in a blog post.

The malware goes after devices that have weak encryption, using the Telnet remote access protocol.

Telnet is a remote access tool that’s primarily used to log into remote servers, but it’s largely been replaced by tools that are more secure.

Once it has identified a poorly secured system, Torii will attempt to steal your personal information.

It’s entirely possible that vulnerable IoT device owners have no idea their device has been compromised.

‘As we’ve been digging into this strain, we’ve found indications that this operation has been running since December 2017, maybe even longer,’ the researchers wrote.

While Torii hasn’t attempted cryptojacking or carried out DDoS attacks, researchers say the malware is capable of fetching and executing commands of different kinds on the infected device, making it very sophisticated.

What’s more, many smart home gadgets are connected to one another, and it’s unclear yet if the malware is capable of spreading to other devices.

‘Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before,’ the Avast researchers explained.

Once Torii infects a device, it floods it with information and communicates with the master server, allowing the author of the malware to execute any code or deliver any payload to the infected device, according to researchers.

‘This suggests that Torii could become a modular platform for future use,’ the researchers continued.

‘Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer. Stay tuned for the follow ups.’

WHAT IS A DDOS ATTACK?

DDoS stands for Distributed Denial of Service.

These attacks attempt to crash a website or online service by bombarding them with a torrent of superfluous requests at exactly the same time.

The surge of simple requests overload the servers, causing them to become overwhelmed and shut down.

In order to leverage the number of requests necessary to crash a popular website or online service, hackers will often resort to botnets – networks of computers brought under their control with malware.

Malware is distributed by tricking users into inadvertently downloading software, typically by tricking users into following a link in an email or agreeing to download a corrupted file.

Source: https://www.dailymail.co.uk/sciencetech/article-6216451/Security-experts-discover-sophisticated-botnet-seen.html

  • 0

DDoS Attacks Increase in Size by 500%

According to the Q2 2018 Threat ReportNexusguard’s quarterly report, the average distributed denial-of-service (DDoS) attack grew to more than 26Gbps, increasing in size by 500%.

The research looked at the same period last year and found that the maximum attack size quadrupled to 359Gbps. Evaluating thousands of worldwide DDoS attacks, researchers reportedly gathered real-time attack data from botnet scanning, honeypots, ISPs and traffic moving between attackers and their targets. Data analysis led researchers to attribute the stark surge to IoT botnets and Satori malware exploits, one of many variants of the Mirai malware.

“Due to the increase in IoT-related malware exploits and the rampant growth of large-scale DDoS attacks, research conclusions point to the continued use of IoT botnets. Cyber-attacks hit the 2018 FIFA World Cup, as well as cryptocurrency-related businesses, maximizing revenue loss,” Nexusguard wrote in a press release. Additionally, attacks on the Verge Network (XVG) resulted in a significant loss of 35 million XVG tokens.

“The biggest zero-day risks can stem from various types of home routers, which attackers can exploit to create expansive DDoS attacks against networks and mission-critical services, resulting in jumbo-sized attacks intended to cripple targets during peak revenue-generating hours,” said Juniman Kasman, chief technology officer for Nexusguard.

“Telcos and other communications service providers will need to take extra precautions to guard bandwidth against these super-sized attacks to ensure customer service and operations continue uninterrupted.”

Nexusguard analysts advise communications service providers (CSPs) and other potentially vulnerable operations to augment their preparedness so that they are able to maintain their bandwidth, especially if they lack full redundancy and failover plans in their infrastructures. CSPs and vulnerable organizations that enhance bandwidth protection will be better positioned to stay ahead of the surging attack sizes.

“In the quarter, increasingly large attacks (a YoY average-size increase of 543.17%) had a severe impact on Communication Service Providers (CSP),” the report said. “Serving as a link between attack sources and victim servers and infrastructures, CSPs bear the burden of the increasing size of traffic, irrespective of its source or destination. As such, Internet service is degraded.”

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-increase-in-size-by/

  • 0

Department of Labour denies server compromise in recent cyberattack

The government department says the attack did not expose any sensitive or confidential information.

The South African Department of Labour has confirmed a recent cyberattack which disrupted the government agency’s website.

In a statement, the Department of Labour said that a distributed denial-of-service (DDoS) attack was launched against the organization’s front-facing servers over the weekend.

According to the department’s acting chief information officer Xola Monakali, the “attempt was through the external Domain Name Server (DNS) server which is sitting at the State Information Technology Agency,” and “no internal servers, systems, or client information were compromised, as they are separated with the relevant protection in place.”

The government agency has asked external cybersecurity experts to assist in the investigation.

DDoS attacks are often launched through botnets, which contain countless enslaved devices — ranging from standard PCs to IoT devices — which are commanded to flood a domain with traffic requests.

  • 0

Lawmakers want to know when Ajit Pai knew FCC’s cyberattack claim was false

Democratic lawmakers want to know why the agency didn’t inform consumers of the falsity of its claim sooner

A group of House democrats want to know when FCC Chairman Ajit Pai knew that the agency’s claims of a DDoS attack were false.

Last week, the FCC’s Office of Inspector General released a report that found no evidence to support the claims of DDoS attacks in May of 2017.

The agency had previously blamed multiple DDoS attacks for temporarily taking down a comment section of its website following a segment of Last Week Tonight, in which comedian John Oliver asked viewers to submit comments to the FCC and speak out in support of net neutrality.

However, viewers were unable to voice their opinion on the proposed rollback of net neutrality because the comment submission section wasn’t available at the time.

Now that it has come to light that the agency’s claims of a DDoS attack were false, a handful of Democratic lawmakers want to know when Pai became aware that there was no DDoS attack and why the agency didn’t correct its public statements alleging a DDoS attack before now.

Misrepresented facts

“We want to know when you and your staff first learned that the information the Commission shared about the alleged cyberattack was false,” Democratic lawmakers wrote in a letter to Pai.

“It is troubling that you allowed the public myth created by the FCC to persist and your misrepresentations to remain uncorrected for over a year,” they wrote. The letter was signed by Representatives Frank Pallone Jr. (NJ), Mike Doyle (PA), Jerry McNerney (CA) and Debbie Dingell (MI).

The results of the investigation concluded that FCC officials deliberately misrepresented facts in responses to Congressional inquiries.

“Given the significant media, public and Congressional attention this alleged cyberattack received for over a year, it is hard to believe that the release of the IG’s report was the first time that you and your staff realized that no cyberattack occurred,” wrote the lawmakers.

“Such ignorance would signify a dereliction of your duty as the head of the FCC, particularly due to the severity of the allegations and the blatant lack of evidence.”

The Democratic lawmakers have asked Pai for complete written responses to their questions by August 28. Pai is also scheduled to appear before a Senate Commerce, Science and Transportation Committee oversight hearing on Thursday where he is expected to face questions about the results of the investigation.

Source: https://www.consumeraffairs.com/news/lawmakers-want-to-know-when-ajit-pai-knew-fccs-cyberattack-claim-was-false-081518.html

  • 0

Russian Hackers Breach US Utility Networks

News broke that hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said. They said the campaign likely is continuing. IT security experts commented below.

Tim Helming, Director of Product Management at DomainTools:

“The goals of nation-state actors are various, but in the case of Russian cyber actions against the United States, it is known that among their chief aims is to destabilize American institutions and to sow uncertainty and fear. With the recent reports of Russian adversaries gaining access to electric utilities in the United States last spring, we could be seeing the leading edge of what most security practitioners have predicted for years–that the next attack on our nation will be one of cyber, rather than kinetic, warfare. However, it is important to note some subtleties in the reporting–it is far from certain that these attacks have resulted in the actual ability to achieve a destructive attack. (There may be hundreds of *victims* but it’s not clear that they breached hundreds of control centers; also, the screenshots that the attackers showed do not necessarily prove that they are able to seize actual control.)

It is not farfetched to foresee adversaries causing a major disruption at some point since the frequency of breaches is on the rise. But, again, while the attackers seem to have gained a worrisome level of access, it is not clear that they have the ‘keys to the kingdom’. If a utility attack attack were to succeed, the level of damage could be high because the electric grid is susceptible to cascading faults, where a localized disruption can rapidly spread. Adversaries could theoretically do a lot of damage. In other regions of the world, we have already seen attacks on hospitals, the electric grid, public transit, entire cities, and more. Recognizing the gravity of the threat is not meant as a scare tactic–cybersecurity practitioners are already aware of all of the risk, and work very hard to minimize the attack surfaces of all critical infrastructure.”

Sean Newman, Director Product Management at Corero Network Security:

“As the old adage goes, you’re only as strong as your weakest link.  And, reports from the US Dept of Homeland Security now suggest this is exactly the situation US utility companies are facing, with respect to alleged nation-state infiltration.  In fact, any organisation which relies on contractors, for specific services they cannot deliver internally, can find themselves in a similarly compromised situation, however strong their own security practices are.  Unfortunately, this is not the preserve of organisations delivering critical national infrastructure, as those at US retailer Target can testify, after their massive data breach, back in 2013, which resulted from the attackers compromising their systems via their HVAC contractor.

“This is a stark reminder that organisations of all types and sizes should assess all aspects of their IT security, including those of their contractors and supply chain, and this doesn’t just pertain to hacking attempts but, also includes their resilience to DDoS attacks, which could impact the ability to provide their regular services, and the knock-on impact that creates.

“As more ICS  infrastructures, such as those used by utility companies, are connected to their broader networking infrastructure, then the risk will continue to grow.”

Ray DeMeo, Co-Founder and COO at Virsec:

“The threat of disruption to our critical infrastructure is very real, as recent attacks in the Middle East and Ukraine have shown. The outcomes may depend on the motivations of the hackers, but recent attacks have included ransoming critical data, service disruptions, or serious damage to control systems and physical equipment.

“The government is raising awareness, but responses need to be more aggressive and coordinated. The needs to shift from chasing endless elusive external threats, to directly protecting systems from attack in real-time.”

“Defense strategies need to pivot away from sole focus on conventional perimeter defenses – the latest attacks have easily bypassed the perimeter. It’s crucial to detect and stop attacks in progress.  Vendors need to do more to bridge a wide gap in technology and understanding between IT and OT (operational technology). We are far too dependent on air-gapping as our primary defense, despite the fact that systems are increasingly connected.”

Michael Magrath, Director, Global Regulations & Standards:

“Hackers, including state sponsored Russian hackers, exploit the weakest link in the security chain – the people.  This was noted in great detail in the Mueller Investigation’s indictments against 12 Russian nationals on July 13 where they spearfished unsuspecting users to steal passwords to gain access to the Clinton Campaign and DNC systems. Do we really expect Russian hackers to exclude critical infrastructure?

As certain as the sun will rise tomorrow, hackers will continue to compromise systems requiring username and password-only authentication.  Weak authentication is akin to having a multi-million dollar physical security system and leaving the front gate unlocked.

Unlike other countries, in the U.S. the private sector owns and operates a vast majority of the nation’s critical infrastructure.  NIST’s Framework for Improving Critical Infrastructure Cybersecurity (CSF) is voluntary consisting of standards, guidelines, and best practices to manage cybersecurity-related risk.  Included in version 1.1 is the recommendation for a risk-based approach to identity proofing and authentication.  With lives at risk coupled with the repeated successful attacks it is negligent if a facility relies on easily compromised passwords to gain entry.

As noted in the WSJ article, DHS is trying to determine whether “the Russians have figured out ways to defeat security enhancements like multifactor authentication.”  To be clear, multifactor authentication is not “one size fits all” there are numerous approaches and technologies available with varying degrees of security and usability.  For example, one time passwords transmitted via SMS are very convenient and widely deployed, however this multifactor authentication approach has been proven to be unsecure with OTPs being intercepted.  Other solutions such as fingerprint biometrics, adaptive authentication, and utilizing public key cryptography techniques are far more secure and have gained widespread adoption. It remains to be seen what DHS learns.

Given the potential catastrophic harm that could be carried out by a hacker on a power plant or water supply, critical infrastructure facilities should patch all software, encrypt all data and deploy the latest identity management and authentication technologies.

David Vergara, Head at Security Product Marketing:

“This is “big game hunting” for cybercriminals. The motivation may pivot between political and monetization, but the impact to the target is the same, terror through vulnerability and exposure. It’s not difficult to extrapolate the outcome when an entire power grid goes offline during peak hours and the attack follows the weakest link, unsophisticated utility vendors or third parties. I would draw a similar parallel to open banking/PSD2 in Europe where third parties are entrusted with vast amounts of bank customer data in order to provide various financial services and all this done via API connections to the large banks. So how are banks securing access and connections? The short answer is multi-factor authentication, risk analytics and mobile application security technology. And don’t think for a second that open banking is just a European thing, US banks are already pressured to satisfy consumer demands for more holistic financial services and visibility. This may happen through commercial partnerships over legislation, but the fact remains, it’s coming.”

Andrea Carcano, Founder and Chief Product Officer at Nozomi Networks:

“The U.S. government has been warning organizations about the vulnerability of critical infrastructure to attack from foreign adversaries. The unprecedented levels of information that is being made public in unclassified settings is a signal that these threats are growing quite rapidly. The successful attack on the Ukraine power grid has continued to serve as a reminder for the wide-spread consequences of this type of attack. In this most recent campaign, attackers used conventional tools to exploit weak third-party vendors in a way that could have led to blackouts – demonstrating that even unsophisticated methods can be successful.

However, blackouts did not occur, which makes us question if the attackers intentionally only went so far. Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay. It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from enacting the destruction they are truly capable of.”

Pravin Kothari, CEO at CipherCloud:

“The cyberattackers were very successful in their efforts and penetrated completely through to the utility control rooms where they had the ability to disrupt power flows.

The big questions remain open. We still don’t know how many of these utilities, if any, were nuclear powered but the implications obvious. If they had the ability to “throw switches” per an official at DHS, exactly how could they disrupt the operation of nuclear power plants and what risks did this present? How long were they inside the networks of any nuclear-powered plants?

Most utility plants and certainly nuclear-powered utilities are protected by “air gaps.” This implies that there is no network connectivity allowed to the “air-gapped” network. Of course, persistent state-sponsored attackers had the resources to carefully research and identify the key vendors that had trusted relationships with the targeted utilities. These key vendors likely had special network connections into the supposedly “air-gapped” networks. Once identified, the cyberattackers could target and compromise them directly, apparently yielding access to the utility infrastructure.”

Source: https://www.informationsecuritybuzz.com/expert-comments/russian-hackers-breach-us-utility-networks/

  • 0

AppSec in the World of ‘Serverless’

The term ‘application security’ still applies to ‘serverless’ technology, but the line where application settings start and infrastructure ends is blurring.

“Serverless” computing is essentially an application deconstructed to its atomic unit: a function. Function-as-a-Service (FaaS) would actually be a better name, but the whole XaaS naming scheme is a bit, shall I say, PaaSé. (Oops, couldn’t resist!) So, instead, we have “serverless” to drive home the idea that application developers don’t need to think about servers any longer. They can focus their energies on creating countless glorious functions – and in the cloud, no less.

In concept, this continues the industry trend of making a starker separation in software delivery services, as well as extending the micro-services trend to the next stage of decomposition, or the breaking down of monolith applications. Here are some key concepts to understand about serverless in the context of application security (AppSec) and infrastructure.

Code Still Matters
A serverless function is a piece of application code. As such, little changes when it comes to AppSec fundamentals – for example, defending against injection attacks. Query strings and string concatenation of file names are still bad. Not paying attention to encoding is bad. Serialization attacks still occur, and so on. Similarly, applications still use third-party libraries, which could have known vulnerabilities and should be vetted. Serverless doesn’t make those problems go away. (For an excellent talk, see “Serverless Security: What’s Left To Protect,” by Guy Podjarny.)

On the other hand, because security practitioners have placed a great deal of attention on infrastructure settings and services, the line where application settings start and infrastructure ends is now blurry.

Infrastructure Shift
Because serverless extends what the infrastructure provides, it shifts the shared security model. Just as in the case of cloud computing, where the provider takes responsibility for the security “of the cloud” (hardware, network, compute, storage, etc.) while leaving the customer responsible solely for security “in the cloud” (operating system, authentication, data, etc.), serverless reduces the responsibility of the customer further.

Serverless infrastructure eliminates the need for operations to constantly update OS patches. Further, the execution environment is in an ephemeral container, with a read-only file system and highly restrictive permissioning. Controls like these greatly improve inherent security. But they also have their own limitations, such as /tmp being writable, and “ephemeral” doesn’t strictly mean a repaved instance between each invocation.

Most attacks against serverless applications succeed through a combination of the aforementioned limitations (which are still significant improvements over typical containerized instances), app-level exploits, and taking advantage of services in the cloud infrastructure, such as poorly configured AWS IAM. (The talk “Gone in 60 Milliseconds,” by Rich Jones, outlines chaining examples.) It’s highly instructive to understand the anatomy of such attacks. My main takeaway: The road to hell is paved with default settings.

Greater dependency on infrastructure also mutates some of the threats. In the case of DDoS attacks, the infrastructure can scale to meet the demands; hence, DDoS effectiveness is diminished. However, it’s not the sky that’s the limit but your wallet. Major cloud providers simply do not put utilization caps in place for many reasons. One reason? They don’t want to be held responsible for an involuntary shutdown of service based on a monetary threshold. The most you can do is set up billing alerts – and thus was born the “denial of wallet” attack.

The Threat of Serverless Sprawl
Fundamentally, the above concerns present few unique risks not shared by customers with apps running on plain EC2 instances. However, managing sprawl does present a novel challenge for serverless. The reason: Serverless functions are like tribbles. They start out small and cute, but then they proliferate, and you end up neck-deep in them. Suddenly, what was meant to be simple is simple no longer.

As the number of functions multiply without a means of easily managing the access controls of serverless functions, the application security posture is greatly threatened. For instance, the principle of least privilege is easy with few functions, but as functions proliferate, often with ill-defined requirements, maintaining secure settings rapidly becomes harder.

Fighting Fire with Fire
Serverless provides a way to scale, so why not use it to scale serverless security? When it comes to the “three R’s of security” (rotate, repave, repair), serverless functions provide an excellent mechanism to build security into deployment. For instance, AWS already provides a means to rotate keys using Lambda functions. Moreover, serverless functions are basically in continuously repaved containers, and practitioners have been writing lambdas to automatically fix security mistakes. In fact, there’s a lot of untapped potential in No. 10 on the OWASP Top Ten: Insufficient Logging and Monitoring. Lambda functions that operate on CloudTrail logs to identify threats and perform automatic remediation have intriguing potential.

Serverless is neither the end-all and be-all, nor does it make irrelevant lessons learned from AppSec. It nonetheless provides an exciting opportunity to build more secure apps in the cloud (serverless or otherwise), with some pitfalls to beware of along the way.

The Future 
Vendors, tools, and processes will need to evolve to fit naturally into the structure of serverless application construction. Some solutions, such as host/container security tools, may become less relevant in some respects due to the shift in responsibility. But those that can manage security concerns on the functional level (both build and run times) and manage infrastructure at scale will enable serverless to fulfill its goal of providing a more secure means of delivering cloud applications.

Source: https://www.darkreading.com/cloud/appsec-in-the-world-of-serverless/a/d-id/1332078

  • 0

Mylobot is sophisticated malware on the hunt for PCs to enslave

The botnet-making malware employs a suite of anti-detection techniques

A HIGHLY SPOHISTICATED BOTNET is on the hunt for PCs to enslave and use as malware-spreading machines.

The botnet-recruiting malware has been dubbed Mylobot by Deep Instinct security researcher Tom Nipravsky, who discovered the malicious code after it was detected and prevented from causing chaos in one of the company’s client’s live IT environments.

Not only can the malware add an infected machine into a botnet suitable for spreading more malware, launching DDoS attacks, and powering ransomware campaigns, it’s also pretty good at evading detection.

Mylobot has one particularly interesting trait in that it hunts down and terminates instances of other malware and deletes the folders associated with other botnets, such as DorkBot.

“We estimate this rare and unique behaviour is because of money purposes within the Dark web. Attackers compete against each other to have as many ‘zombie computers’ as possible in order to increase their value when proposing services to other attackers, especially when it comes to spreading infrastructures,” explained Nipravsky.

“The more computers – the more money an attacker can make. This is something we’re seeing here as well.”

The sophistication of the malware and the botnet it creates is likely due to it being designed to generate money for hackers and people who lurk on the Dark Web.

Mylobot is also a dab hand at shutting down Windows Defender and Windows Update while locking additional ports on an infected machine’s firewall. It also deletes the ‘%APPDATA% folder, which can trigger a data loss.

But a lot of the damage the malware can cause depends on the payload it has been equipped with. It’s main aim, though, appears to be the complete takeover of a victim’s computer and then its enslavement into a botnet – and depending on what the affected machine is used for, the damage to it can become pretty nasty.

“This can result in loss of tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in enterprises,” said Nipravsky.

“The fact that the botnet behaves as a gate for additional payloads, puts the enterprise in risk for leak of sensitive data as well, following the risk of keyloggers / banking trojans installations.”

Such sophisticated malware is rare and, despite its smart design, it was still detected by Deep Instinct’s security tech, though it’s worth noting the firm uses deep learning techniques to dig out cyber nasties, something run-of-the-mill anti-virus software doesn’t offer.

 So best be extra vigilant for the time being to what your downloading or what’s lurking behind the processes of your PC.
Source: https://www.theinquirer.net/inquirer/news/3034597/mylobot-is-sophisticated-malware-on-the-hut-for-pcs-to-enslave
  • 0

Website of a Mexican political opposition party hit by cyber attack

The website of a Mexican political opposition party was hit by a cyber attack during Tuesday’s final television debate between presidential candidates ahead of the July 1 vote, after the site had published documents critical of the leading candidate.

The National Action Party (PAN) said that its website, targeting front-runner Andres Manuel Lopez Obrador, likely suffered a distributed denial of service (DDoS) cyber attack with the bulk of traffic to the site nominally coming from Russia and China.

Lopez Obrador’s Morena party said it had nothing to do with the outage. The Chinese and Russian embassies in Mexico did not immediately respond to requests for comment. Reuters could not confirm the PAN’s account of the attack.

 Although there have been no clear signs of foreign meddling in Mexican campaigns, a U.S. probe into possible Russian interference in the 2016 U.S. election has made Mexicans watchful for possible foreign virtual attacks that could muddy the country’s biggest-ever election.
However, the countries where the traffic to the PAN site were generated could be entirely unrelated to the true source and the attack could be intended to create confusion, cyber security experts said.
Cyber experts said they did not know who was behind the attack, but pointed out that it could have been done by hackers for hire working on behalf of somebody looking to prevent people from accessing the PAN website.
“These could be third-parties offering services-for-hire, proxies or a politically motivated group,” said Carles Lopez-Penalver, an analyst at cyber security firm Flashpoint.
 Barrett Lyon, a security solutions executive at U.S. telecommunications firm Neustar, agreed, saying the computers in Russia and China that apparently generated the visits could have been hacked.

The site crashed during Tuesday’s televised presidential debate, the PAN said, shortly after its candidate Ricardo Anaya brandished a black-and-white placard with the site address. It remained down for hours.

The coalition leader, second in most polls, said the site would offer evidence that Lopez Obrador had awarded contracts without public tenders when he was Mexico City mayor. Lopez Obrador denied any wrongdoing.

“On this website, 185,000 visits were registered within 15 minutes, with the attacks coming mainly from Russia and China,” PAN said in a statement, citing information from web security firm Cloudflare and Google Analytics.

Cloudflare said in a statement that its clients can typically access data showing the locations of site visitors, but declined to comment on Tuesday’s incident.

The PAN’s secretary, Damian Zepeda, suggested Lopez Obrador, known as AMLO, was behind the attack using fake “robot” accounts.

“The AMLO bots have been activated to try to crash the page debate2018.mx where there are proofs of contracts worth millions given to AMLO’s friend,” Zepeda wrote on Twitter.

Juan Pablo Espinosa de los Monteros, coordinator for the promotional arm of Lopez Obrador’s campaign, dismissed suggestions the leftist had backed a bot operation.

“We don’t use them,” Espinosa de los Monteros told Reuters on Wednesday, saying the campaign instead focuses on reaching undecided voters.

Lopez Obrador has laughed off suggestions of Russian ties, jokingly calling himself “Andres Manuelovich.”

Like a virtual flash mob, cyber attackers can flood a particular site with thousands of information requests at once, overwhelming capacity and forcing a site to crash.

Source: https://www.deccanchronicle.com/technology/in-other-news/140618/we

  • 0