Lawmakers want to know when Ajit Pai knew FCC’s cyberattack claim was false

Democratic lawmakers want to know why the agency didn’t inform consumers of the falsity of its claim sooner

A group of House democrats want to know when FCC Chairman Ajit Pai knew that the agency’s claims of a DDoS attack were false.

Last week, the FCC’s Office of Inspector General released a report that found no evidence to support the claims of DDoS attacks in May of 2017.

The agency had previously blamed multiple DDoS attacks for temporarily taking down a comment section of its website following a segment of Last Week Tonight, in which comedian John Oliver asked viewers to submit comments to the FCC and speak out in support of net neutrality.

However, viewers were unable to voice their opinion on the proposed rollback of net neutrality because the comment submission section wasn’t available at the time.

Now that it has come to light that the agency’s claims of a DDoS attack were false, a handful of Democratic lawmakers want to know when Pai became aware that there was no DDoS attack and why the agency didn’t correct its public statements alleging a DDoS attack before now.

Misrepresented facts

“We want to know when you and your staff first learned that the information the Commission shared about the alleged cyberattack was false,” Democratic lawmakers wrote in a letter to Pai.

“It is troubling that you allowed the public myth created by the FCC to persist and your misrepresentations to remain uncorrected for over a year,” they wrote. The letter was signed by Representatives Frank Pallone Jr. (NJ), Mike Doyle (PA), Jerry McNerney (CA) and Debbie Dingell (MI).

The results of the investigation concluded that FCC officials deliberately misrepresented facts in responses to Congressional inquiries.

“Given the significant media, public and Congressional attention this alleged cyberattack received for over a year, it is hard to believe that the release of the IG’s report was the first time that you and your staff realized that no cyberattack occurred,” wrote the lawmakers.

“Such ignorance would signify a dereliction of your duty as the head of the FCC, particularly due to the severity of the allegations and the blatant lack of evidence.”

The Democratic lawmakers have asked Pai for complete written responses to their questions by August 28. Pai is also scheduled to appear before a Senate Commerce, Science and Transportation Committee oversight hearing on Thursday where he is expected to face questions about the results of the investigation.

Source: https://www.consumeraffairs.com/news/lawmakers-want-to-know-when-ajit-pai-knew-fccs-cyberattack-claim-was-false-081518.html

  • 0

Russian Hackers Breach US Utility Networks

News broke that hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said. They said the campaign likely is continuing. IT security experts commented below.

Tim Helming, Director of Product Management at DomainTools:

“The goals of nation-state actors are various, but in the case of Russian cyber actions against the United States, it is known that among their chief aims is to destabilize American institutions and to sow uncertainty and fear. With the recent reports of Russian adversaries gaining access to electric utilities in the United States last spring, we could be seeing the leading edge of what most security practitioners have predicted for years–that the next attack on our nation will be one of cyber, rather than kinetic, warfare. However, it is important to note some subtleties in the reporting–it is far from certain that these attacks have resulted in the actual ability to achieve a destructive attack. (There may be hundreds of *victims* but it’s not clear that they breached hundreds of control centers; also, the screenshots that the attackers showed do not necessarily prove that they are able to seize actual control.)

It is not farfetched to foresee adversaries causing a major disruption at some point since the frequency of breaches is on the rise. But, again, while the attackers seem to have gained a worrisome level of access, it is not clear that they have the ‘keys to the kingdom’. If a utility attack attack were to succeed, the level of damage could be high because the electric grid is susceptible to cascading faults, where a localized disruption can rapidly spread. Adversaries could theoretically do a lot of damage. In other regions of the world, we have already seen attacks on hospitals, the electric grid, public transit, entire cities, and more. Recognizing the gravity of the threat is not meant as a scare tactic–cybersecurity practitioners are already aware of all of the risk, and work very hard to minimize the attack surfaces of all critical infrastructure.”

Sean Newman, Director Product Management at Corero Network Security:

“As the old adage goes, you’re only as strong as your weakest link.  And, reports from the US Dept of Homeland Security now suggest this is exactly the situation US utility companies are facing, with respect to alleged nation-state infiltration.  In fact, any organisation which relies on contractors, for specific services they cannot deliver internally, can find themselves in a similarly compromised situation, however strong their own security practices are.  Unfortunately, this is not the preserve of organisations delivering critical national infrastructure, as those at US retailer Target can testify, after their massive data breach, back in 2013, which resulted from the attackers compromising their systems via their HVAC contractor.

“This is a stark reminder that organisations of all types and sizes should assess all aspects of their IT security, including those of their contractors and supply chain, and this doesn’t just pertain to hacking attempts but, also includes their resilience to DDoS attacks, which could impact the ability to provide their regular services, and the knock-on impact that creates.

“As more ICS  infrastructures, such as those used by utility companies, are connected to their broader networking infrastructure, then the risk will continue to grow.”

Ray DeMeo, Co-Founder and COO at Virsec:

“The threat of disruption to our critical infrastructure is very real, as recent attacks in the Middle East and Ukraine have shown. The outcomes may depend on the motivations of the hackers, but recent attacks have included ransoming critical data, service disruptions, or serious damage to control systems and physical equipment.

“The government is raising awareness, but responses need to be more aggressive and coordinated. The needs to shift from chasing endless elusive external threats, to directly protecting systems from attack in real-time.”

“Defense strategies need to pivot away from sole focus on conventional perimeter defenses – the latest attacks have easily bypassed the perimeter. It’s crucial to detect and stop attacks in progress.  Vendors need to do more to bridge a wide gap in technology and understanding between IT and OT (operational technology). We are far too dependent on air-gapping as our primary defense, despite the fact that systems are increasingly connected.”

Michael Magrath, Director, Global Regulations & Standards:

“Hackers, including state sponsored Russian hackers, exploit the weakest link in the security chain – the people.  This was noted in great detail in the Mueller Investigation’s indictments against 12 Russian nationals on July 13 where they spearfished unsuspecting users to steal passwords to gain access to the Clinton Campaign and DNC systems. Do we really expect Russian hackers to exclude critical infrastructure?

As certain as the sun will rise tomorrow, hackers will continue to compromise systems requiring username and password-only authentication.  Weak authentication is akin to having a multi-million dollar physical security system and leaving the front gate unlocked.

Unlike other countries, in the U.S. the private sector owns and operates a vast majority of the nation’s critical infrastructure.  NIST’s Framework for Improving Critical Infrastructure Cybersecurity (CSF) is voluntary consisting of standards, guidelines, and best practices to manage cybersecurity-related risk.  Included in version 1.1 is the recommendation for a risk-based approach to identity proofing and authentication.  With lives at risk coupled with the repeated successful attacks it is negligent if a facility relies on easily compromised passwords to gain entry.

As noted in the WSJ article, DHS is trying to determine whether “the Russians have figured out ways to defeat security enhancements like multifactor authentication.”  To be clear, multifactor authentication is not “one size fits all” there are numerous approaches and technologies available with varying degrees of security and usability.  For example, one time passwords transmitted via SMS are very convenient and widely deployed, however this multifactor authentication approach has been proven to be unsecure with OTPs being intercepted.  Other solutions such as fingerprint biometrics, adaptive authentication, and utilizing public key cryptography techniques are far more secure and have gained widespread adoption. It remains to be seen what DHS learns.

Given the potential catastrophic harm that could be carried out by a hacker on a power plant or water supply, critical infrastructure facilities should patch all software, encrypt all data and deploy the latest identity management and authentication technologies.

David Vergara, Head at Security Product Marketing:

“This is “big game hunting” for cybercriminals. The motivation may pivot between political and monetization, but the impact to the target is the same, terror through vulnerability and exposure. It’s not difficult to extrapolate the outcome when an entire power grid goes offline during peak hours and the attack follows the weakest link, unsophisticated utility vendors or third parties. I would draw a similar parallel to open banking/PSD2 in Europe where third parties are entrusted with vast amounts of bank customer data in order to provide various financial services and all this done via API connections to the large banks. So how are banks securing access and connections? The short answer is multi-factor authentication, risk analytics and mobile application security technology. And don’t think for a second that open banking is just a European thing, US banks are already pressured to satisfy consumer demands for more holistic financial services and visibility. This may happen through commercial partnerships over legislation, but the fact remains, it’s coming.”

Andrea Carcano, Founder and Chief Product Officer at Nozomi Networks:

“The U.S. government has been warning organizations about the vulnerability of critical infrastructure to attack from foreign adversaries. The unprecedented levels of information that is being made public in unclassified settings is a signal that these threats are growing quite rapidly. The successful attack on the Ukraine power grid has continued to serve as a reminder for the wide-spread consequences of this type of attack. In this most recent campaign, attackers used conventional tools to exploit weak third-party vendors in a way that could have led to blackouts – demonstrating that even unsophisticated methods can be successful.

However, blackouts did not occur, which makes us question if the attackers intentionally only went so far. Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay. It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from enacting the destruction they are truly capable of.”

Pravin Kothari, CEO at CipherCloud:

“The cyberattackers were very successful in their efforts and penetrated completely through to the utility control rooms where they had the ability to disrupt power flows.

The big questions remain open. We still don’t know how many of these utilities, if any, were nuclear powered but the implications obvious. If they had the ability to “throw switches” per an official at DHS, exactly how could they disrupt the operation of nuclear power plants and what risks did this present? How long were they inside the networks of any nuclear-powered plants?

Most utility plants and certainly nuclear-powered utilities are protected by “air gaps.” This implies that there is no network connectivity allowed to the “air-gapped” network. Of course, persistent state-sponsored attackers had the resources to carefully research and identify the key vendors that had trusted relationships with the targeted utilities. These key vendors likely had special network connections into the supposedly “air-gapped” networks. Once identified, the cyberattackers could target and compromise them directly, apparently yielding access to the utility infrastructure.”

Source: https://www.informationsecuritybuzz.com/expert-comments/russian-hackers-breach-us-utility-networks/

  • 0

AppSec in the World of ‘Serverless’

The term ‘application security’ still applies to ‘serverless’ technology, but the line where application settings start and infrastructure ends is blurring.

“Serverless” computing is essentially an application deconstructed to its atomic unit: a function. Function-as-a-Service (FaaS) would actually be a better name, but the whole XaaS naming scheme is a bit, shall I say, PaaSé. (Oops, couldn’t resist!) So, instead, we have “serverless” to drive home the idea that application developers don’t need to think about servers any longer. They can focus their energies on creating countless glorious functions – and in the cloud, no less.

In concept, this continues the industry trend of making a starker separation in software delivery services, as well as extending the micro-services trend to the next stage of decomposition, or the breaking down of monolith applications. Here are some key concepts to understand about serverless in the context of application security (AppSec) and infrastructure.

Code Still Matters
A serverless function is a piece of application code. As such, little changes when it comes to AppSec fundamentals – for example, defending against injection attacks. Query strings and string concatenation of file names are still bad. Not paying attention to encoding is bad. Serialization attacks still occur, and so on. Similarly, applications still use third-party libraries, which could have known vulnerabilities and should be vetted. Serverless doesn’t make those problems go away. (For an excellent talk, see “Serverless Security: What’s Left To Protect,” by Guy Podjarny.)

On the other hand, because security practitioners have placed a great deal of attention on infrastructure settings and services, the line where application settings start and infrastructure ends is now blurry.

Infrastructure Shift
Because serverless extends what the infrastructure provides, it shifts the shared security model. Just as in the case of cloud computing, where the provider takes responsibility for the security “of the cloud” (hardware, network, compute, storage, etc.) while leaving the customer responsible solely for security “in the cloud” (operating system, authentication, data, etc.), serverless reduces the responsibility of the customer further.

Serverless infrastructure eliminates the need for operations to constantly update OS patches. Further, the execution environment is in an ephemeral container, with a read-only file system and highly restrictive permissioning. Controls like these greatly improve inherent security. But they also have their own limitations, such as /tmp being writable, and “ephemeral” doesn’t strictly mean a repaved instance between each invocation.

Most attacks against serverless applications succeed through a combination of the aforementioned limitations (which are still significant improvements over typical containerized instances), app-level exploits, and taking advantage of services in the cloud infrastructure, such as poorly configured AWS IAM. (The talk “Gone in 60 Milliseconds,” by Rich Jones, outlines chaining examples.) It’s highly instructive to understand the anatomy of such attacks. My main takeaway: The road to hell is paved with default settings.

Greater dependency on infrastructure also mutates some of the threats. In the case of DDoS attacks, the infrastructure can scale to meet the demands; hence, DDoS effectiveness is diminished. However, it’s not the sky that’s the limit but your wallet. Major cloud providers simply do not put utilization caps in place for many reasons. One reason? They don’t want to be held responsible for an involuntary shutdown of service based on a monetary threshold. The most you can do is set up billing alerts – and thus was born the “denial of wallet” attack.

The Threat of Serverless Sprawl
Fundamentally, the above concerns present few unique risks not shared by customers with apps running on plain EC2 instances. However, managing sprawl does present a novel challenge for serverless. The reason: Serverless functions are like tribbles. They start out small and cute, but then they proliferate, and you end up neck-deep in them. Suddenly, what was meant to be simple is simple no longer.

As the number of functions multiply without a means of easily managing the access controls of serverless functions, the application security posture is greatly threatened. For instance, the principle of least privilege is easy with few functions, but as functions proliferate, often with ill-defined requirements, maintaining secure settings rapidly becomes harder.

Fighting Fire with Fire
Serverless provides a way to scale, so why not use it to scale serverless security? When it comes to the “three R’s of security” (rotate, repave, repair), serverless functions provide an excellent mechanism to build security into deployment. For instance, AWS already provides a means to rotate keys using Lambda functions. Moreover, serverless functions are basically in continuously repaved containers, and practitioners have been writing lambdas to automatically fix security mistakes. In fact, there’s a lot of untapped potential in No. 10 on the OWASP Top Ten: Insufficient Logging and Monitoring. Lambda functions that operate on CloudTrail logs to identify threats and perform automatic remediation have intriguing potential.

Serverless is neither the end-all and be-all, nor does it make irrelevant lessons learned from AppSec. It nonetheless provides an exciting opportunity to build more secure apps in the cloud (serverless or otherwise), with some pitfalls to beware of along the way.

The Future 
Vendors, tools, and processes will need to evolve to fit naturally into the structure of serverless application construction. Some solutions, such as host/container security tools, may become less relevant in some respects due to the shift in responsibility. But those that can manage security concerns on the functional level (both build and run times) and manage infrastructure at scale will enable serverless to fulfill its goal of providing a more secure means of delivering cloud applications.

Source: https://www.darkreading.com/cloud/appsec-in-the-world-of-serverless/a/d-id/1332078

  • 0

Mylobot is sophisticated malware on the hunt for PCs to enslave

The botnet-making malware employs a suite of anti-detection techniques

A HIGHLY SPOHISTICATED BOTNET is on the hunt for PCs to enslave and use as malware-spreading machines.

The botnet-recruiting malware has been dubbed Mylobot by Deep Instinct security researcher Tom Nipravsky, who discovered the malicious code after it was detected and prevented from causing chaos in one of the company’s client’s live IT environments.

Not only can the malware add an infected machine into a botnet suitable for spreading more malware, launching DDoS attacks, and powering ransomware campaigns, it’s also pretty good at evading detection.

Mylobot has one particularly interesting trait in that it hunts down and terminates instances of other malware and deletes the folders associated with other botnets, such as DorkBot.

“We estimate this rare and unique behaviour is because of money purposes within the Dark web. Attackers compete against each other to have as many ‘zombie computers’ as possible in order to increase their value when proposing services to other attackers, especially when it comes to spreading infrastructures,” explained Nipravsky.

“The more computers – the more money an attacker can make. This is something we’re seeing here as well.”

The sophistication of the malware and the botnet it creates is likely due to it being designed to generate money for hackers and people who lurk on the Dark Web.

Mylobot is also a dab hand at shutting down Windows Defender and Windows Update while locking additional ports on an infected machine’s firewall. It also deletes the ‘%APPDATA% folder, which can trigger a data loss.

But a lot of the damage the malware can cause depends on the payload it has been equipped with. It’s main aim, though, appears to be the complete takeover of a victim’s computer and then its enslavement into a botnet – and depending on what the affected machine is used for, the damage to it can become pretty nasty.

“This can result in loss of tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in enterprises,” said Nipravsky.

“The fact that the botnet behaves as a gate for additional payloads, puts the enterprise in risk for leak of sensitive data as well, following the risk of keyloggers / banking trojans installations.”

Such sophisticated malware is rare and, despite its smart design, it was still detected by Deep Instinct’s security tech, though it’s worth noting the firm uses deep learning techniques to dig out cyber nasties, something run-of-the-mill anti-virus software doesn’t offer.

 So best be extra vigilant for the time being to what your downloading or what’s lurking behind the processes of your PC.
Source: https://www.theinquirer.net/inquirer/news/3034597/mylobot-is-sophisticated-malware-on-the-hut-for-pcs-to-enslave
  • 0

Website of a Mexican political opposition party hit by cyber attack

The website of a Mexican political opposition party was hit by a cyber attack during Tuesday’s final television debate between presidential candidates ahead of the July 1 vote, after the site had published documents critical of the leading candidate.

The National Action Party (PAN) said that its website, targeting front-runner Andres Manuel Lopez Obrador, likely suffered a distributed denial of service (DDoS) cyber attack with the bulk of traffic to the site nominally coming from Russia and China.

Lopez Obrador’s Morena party said it had nothing to do with the outage. The Chinese and Russian embassies in Mexico did not immediately respond to requests for comment. Reuters could not confirm the PAN’s account of the attack.

 Although there have been no clear signs of foreign meddling in Mexican campaigns, a U.S. probe into possible Russian interference in the 2016 U.S. election has made Mexicans watchful for possible foreign virtual attacks that could muddy the country’s biggest-ever election.
However, the countries where the traffic to the PAN site were generated could be entirely unrelated to the true source and the attack could be intended to create confusion, cyber security experts said.
Cyber experts said they did not know who was behind the attack, but pointed out that it could have been done by hackers for hire working on behalf of somebody looking to prevent people from accessing the PAN website.
“These could be third-parties offering services-for-hire, proxies or a politically motivated group,” said Carles Lopez-Penalver, an analyst at cyber security firm Flashpoint.
 Barrett Lyon, a security solutions executive at U.S. telecommunications firm Neustar, agreed, saying the computers in Russia and China that apparently generated the visits could have been hacked.

The site crashed during Tuesday’s televised presidential debate, the PAN said, shortly after its candidate Ricardo Anaya brandished a black-and-white placard with the site address. It remained down for hours.

The coalition leader, second in most polls, said the site would offer evidence that Lopez Obrador had awarded contracts without public tenders when he was Mexico City mayor. Lopez Obrador denied any wrongdoing.

“On this website, 185,000 visits were registered within 15 minutes, with the attacks coming mainly from Russia and China,” PAN said in a statement, citing information from web security firm Cloudflare and Google Analytics.

Cloudflare said in a statement that its clients can typically access data showing the locations of site visitors, but declined to comment on Tuesday’s incident.

The PAN’s secretary, Damian Zepeda, suggested Lopez Obrador, known as AMLO, was behind the attack using fake “robot” accounts.

“The AMLO bots have been activated to try to crash the page debate2018.mx where there are proofs of contracts worth millions given to AMLO’s friend,” Zepeda wrote on Twitter.

Juan Pablo Espinosa de los Monteros, coordinator for the promotional arm of Lopez Obrador’s campaign, dismissed suggestions the leftist had backed a bot operation.

“We don’t use them,” Espinosa de los Monteros told Reuters on Wednesday, saying the campaign instead focuses on reaching undecided voters.

Lopez Obrador has laughed off suggestions of Russian ties, jokingly calling himself “Andres Manuelovich.”

Like a virtual flash mob, cyber attackers can flood a particular site with thousands of information requests at once, overwhelming capacity and forcing a site to crash.

Source: https://www.deccanchronicle.com/technology/in-other-news/140618/we

  • 0

Frequency & Costs of DNS-Based Attacks Soar

The average cost of a DNS attack in the US has climbed 57% over the last year to $654,000 in 2018, a survey from EfficientIP shows.

The frequency of Domain Name System (DNS) attacks and the costs associated with addressing them are both increasing sharply, a new survey by EfficientIP shows.

The DNS management vendor recently had research firm Coleman Parkes poll about 1,000 IT managers in North America, Asia, and Europe on the causes and responses to DNS-based threats.

The results showed that the global average costs of DNS attacks have surged 57% over 2017 to $715,000 in 2018. In the past 12 months, organizations faced an average of seven DNS attacks. Some of the victims ended up paying more than $5 million in associated costs. One in five (22%) organizations suffered business losses to DNS attacks.

The costs per DNS attack associated with remediation, recovery, and business disruption tended to vary by region. In North America, organizations in the US had the highest average costs, at around $654,000. Companies in the region also experienced the steepest year-over-year increase in costs at 82%. Overall, though, organizations in France had higher costs associated with DNS attacks than anywhere else, with victims spending an average of $974,000 on one.

“DNS attacks cost so much because consequences are instantaneous, broad, and very difficult to mitigate without the appropriate technology,” says Ronan David, senior vice president of strategy for EfficientIP. “In modern networks, DNS is routing access to almost all applications.”

Contributing to the high attack costs and overall complexity is the fact that DNS is both an attack vector and a target, he says. Attackers can use the DNS infrastructure as a vector for stealing data, for communicating with command and control servers, for setting up malicious phishing and spam domains, and for enabling other kinds of malicious activity. Other attacks, though, are targeted at disrupting DNS services directly, such as DNS distributed denial-of-service (DDoS) attacks.

DDoS attacks against DNS infrastructure in particular can be very costly to remediate, chiefly because such attacks are asymmetric, says Cricket Liu, chief DNS architect at Infoblox. “An attacker just needs to hire a botnet for a few hours to launch the attack, but the organization targeted needs to build excess capacity and maintain it year-round,” in addition to possibly using a DDoS mitigation service, Liu says.

The five most common DNS-based attacks in EfficientIP’s survey included those in which DNS is used as an attack vector and those in which an organization’s DNS infrastructure is the target. Topping the list for 2018 is DNS-based malware followed by phishing, DNS tunneling, domain lock-up, and DNS-based DDoS attacks.

“With 33% of people having suffered data theft, DNS is certainly one of the most powerful attack vectors,” says EfficientIP’s David from. At the same time, the survey also showed that 40% of cloud-based application downtime is caused by attacks aimed at DNS servers and service.

Hackers are developing sophisticated new multivector, multistage, and distributed DNS attacks. The exponential rise of connected devices, Web-based applications, and interconnected networks is giving them a broader surface to attack as well, David says. “DNS is, therefore, a primary vector and target leading to higher damage costs.”

Merike Kaeo, CTO at Farsight Security, says DNS is a more fundamental and complex protocol than most people realize. “It is critical to not only name and address resolution but can also be utilized to define email servers associated with a domain name, identify service locations, specify type of OS or CPU on a host, and other Internet-related activities.”

As attacks against DNS increase and become more sophisticated, it’s no surprise that remediation costs are increasing as well, Kaeo says. What surveys like those by EfficientIP show is that organizations need to start paying attention to their DNS infrastructure, she says.

“Know which domains you use and what can potentially be abused,” Kaeo notes. Pay attention to the security practices of registries and registrars and implement controls for determining changes in DNS traffic patterns and for blocking unknown domains, she says.

Review your existing mechanisms for dealing with DNS threats as well, says David. Most are simply workarounds that are not designed specifically for dealing with DNS threats. As an example, he points to data exfiltration attacks via DNS. The appropriate detection capacity requires real-time and context-aware DNS traffic analysis for behavioral threat detection, he says.

“DNS is by design an open service on the network which is not correctly monitored, and for which a traditional security solution cannot protect efficiently,” he notes. “DNS is mission-critical. When it goes down, the business is down.”

Source: https://www.darkreading.com/attacks-breaches/frequency-and-costs-of-dns-based-attacks-soar/d/d-id/1331828

  • 0

The end of DDoS? Future promises and current problems with blockchain technology

Blockchain technology is currently being hailed as, well, many things. In any given day you might see it called a disruptor or the future of financial transactions or the answer to data storage and digital identity issues or the technology that will finally put an end to DDoS attacks.

New technologies are never a stranger to massive hype, and the digital landscape is littered with technologies that failed to reach their lofty expectations, and yet, blockchain is looking like it could very well be the real deal and might just become all of the above. Before it can become the answer to the widespread and devastating DDoS attack problem, however, there are a few blockchain cybersecurity issues that need to be addressed.

Blockchain basics

At its core, blockchain is an ever-growing ledger that records transactions. Each transaction’s data is housed in a so-called block and secured via cryptography. Each block also contains a timestamp as well as a cryptographic hash of the content of the block that came before it. This cryptographic hash is what connects each block to the previous block, creating a chain. Ergo, blockchain.

This technology offers a few important benefits over standard transaction technology. Firstly, it eliminates the middleman. If Alexis in Idaho wants to transfer ten Bitcoins to Ashik in Bangladesh, she doesn’t have to go to Western Union or call her bank or consult a lawyer. She simply creates a record in the blockchain. No fees spent, no time wasted. All a transaction needs is data, and that data is securely stored in the blockchain.

Secondly, there is no way to alter a block in the blockchain without altering every block that came after it, as the cryptographic hash in each block depends on the content of the blocks that came before it. Essentially, then, there is no way to alter a block in the blockchain as it would simply require too much collusion.

Thirdly, the very nature of blockchain technology decentralizes data by storing copies of the blockchain across nodes in a peer to peer network instead of in a centralized location, such as a database. There is therefore no one point hackers could crack into in order to access a trove of valuable data. Even if it were possible to get past blockchain’s cryptography, hackers would have to do so one block at a time – a process too burdensome for even the most dedicated cybercriminals.

At this point, you probably have to admit blockchain technology sounds pretty good, but you might be wondering how exactly it’s supposed to become the next big development in DDoS protection.

Denying denial of service?

Blockchain technology in and of itself is impervious to distributed denial of service attacks because of that decentralized nature. Attackers can’t take down a blockchain because it’s spread too widely across the internet.

If financial institutions and other organizations get on board with blockchain technology for transactions, then services related to those transactions are theoretically protected from the threat of DDoS-caused downtime. However, as has been evidenced by the myriad successful DDoS attacks on cryptocurrency exchanges – all of which use blockchain technology for transactions – it isn’t enough for the transaction process to be impervious to these attacks.

This is because even companies or services that have their core business processes taking place on blockchain still require web servers, even if it isn’t for a public-facing website. These servers – which are centralized – represent a single point of failure to DDoS attackers. Take down the server, take down a swath of applications and functions, deny services. This is how margin traders end up losing their minds unable to buy and sell cryptocurrency during DDoS attacks on exchanges, and it’s how businesses of all types will end up being let down if they think blockchain technology on its own right now spells the end of DDoS woes.

Looking to the future

In addition to blockchain technology helping to make DDoS attacks harder to accomplish, it may also be put to work as a direct DDoS mitigation measure in the near future as the idea of making it possible for the average person to make their excess bandwidth available for a per-use fee is currently being explored. This would make bandwidth available in a decentralized blockchain-style manner, as opposed to the centralized bank of bandwidth some DDoS mitigation solutions use, a solution that can be both finite and expensive if the mitigation solution lacks the scalability of the cloud. The idea of the poolable, blockchain-style bandwidth is to increase the resources readily available to absorb DDoS traffic, thereby making attacks cheaper to mitigate and less likely to be successful with attempts and therefore less damaging to the target.

However, while blockchain technology gets to work living up to its heady expectations, businesses who have already hopped on the blockchain bandwagon should get to work protecting that technological investment with scalable cloud-based DDoS protection and/or a leading web application firewall that can shore up vulnerable or weak points while improving availability. A content delivery network may also be an optimal solution depending on how a service’s user base is geographically dispersed, how much content is cacheable, and whether or not any page load time or performance issues are being experienced. With a helping hand from trusted, established technology, the new kid on the disruptor technology block might just become everything it’s supposed to.

Source: https://www.forexcrunch.com/the-end-of-ddos-future-promises-and-current-problems-with-blockchain-technology/

  • 0

Critical infrastructure needs shoring up after U.S., U.K. blame Russia for attacks

The U.S. is prepared to take aggressive action against Russia for a recent, extended campaign of cyberattacks on infrastructure assets around the world by compromising devices such as routers and firewalls, the White House cybersecurity coordinator, who has since left his position, said Monday.

“When we see malicious cyberactivity, whether it be from the Kremlin or other nation-state actors, we are going to push back,” Rob Joyce told reporters after the U.S. and the U.K. laid the blame for the attacks squarely on Russia’s shoulders.

Devices like routers are particularly enticing to hackers. “These devices actually make ideal targets,” said Jeanette Manfra, the top Homeland Security cybersecurity official. “When a malicious actor has access to this, they can monitor, modify, or deny traffic to an organization or from an organization externally.”

Joyce abruptly left his position just hours after speaking with reporters. His departure followed the resignation of White House Homeland Security Adviser Tom Bossert as well as others to who have resigned or been pushed out as John Bolton settles into the role of national security adviser.

David Ginsburg, vice president of Marketing at Cavirin, said the routers that were compromised “are only part of the attack and eventual impact.”

Envisioning what a future attack could look like, he pointed to “Mirai and Reaper, where the ultimate goal was a DDoS attack against other assets, most notably the Dyn attack that took down many internet properties in the U.S. and Europe,” noting that attacks “against servers or the internet infrastructure itself is the most probable scenario, with the routers managed as a botnet against corporate or government assets.”

Marina Kidron, who heads up cyber vulnerabilities research for Skybox Security, said there has “been a 120 percent increase in the vulnerabilities affecting what is known as operational technology in the last 12 months.”

Troubling to cybersecurity pros is that hackers are not relying on cutting edge techniques or “using a stockpile of zero-day vulnerabilities that no one has previously discovered” to do their dirty work, said Nathan Wenzler, chief security strategist at AsTech. Instead, they are plying security holes such as unpatched, misconfigured or neglected devices. “There’s no great skill or trick in this, but they are simply taking advantage of the poor effort we all make to ensure that devices we attach to the internet are configured well and secured.”

Users are unlikely “to know for certain if their router has been compromised or not,” he said. “Since there’s no real exploit being taken advantage of here, it’s likely that everything will look normal from the outside.”

Noting that “the rise in frequency and scope of cyberattacks on governments and critical infrastructure points to a modern form of stealth warfare that can disrupt the availability of basic goods and services across the world,” Eddie Habibi, founder and CEO of PAS Global, said countries must come together to recognize the seriousness of bad actors’ cyber capabilities” to combat what he sees as a global phenomenon.

“During this time of severe political tension, it’s imperative that countries such as the U.S. and U.K. present a united front to establish global treaties on rules of cybersecurity engagement, as well as create alliances to foster information sharing,” he said. “This, combined with greater collaboration between governments and their local infrastructure companies, is the best way to ensure proactive movement towards greater critical infrastructure security.”

“These are computer-connected control systems for running critical processes in power generation and supply as well as similar functions in other utilities like water,” said Kidron, noting that unless the vulnerabilities are addressed, they “can be exploited by adversaries, as we discovered with the NotPetya and other incidents last year.”

Since attackers will continue to up the level of sophistication in their attacks against infrastructure, “defenders must be equally resourceful,” said Nozomi Networks founder and Chief Product Officer Andrea Carcano. “Organizations need to ensure critical infrastructure resilience so that risks from wherever and in whatever format can be identified and remediated.”

Matt Walmsley, head of EMEA marketing at Vectra, said “enterprises should take another look at how they’re securing their network infrastructure.”

He advised organizations not to “leave the door wide open,” noting that they should be current with network infrastructure software updates and patches. “Then make sure you’re not exposing your equipment’s management interfaces and ensure you have changed the default admin credentials,” said Walmsley. “For perimeter devices with internet connectivity this is doubly important.”

While that may seem like the stuff of “cybersecurity 101,” Walmsley pointed out that “only last month, default settings in some Cisco switches allowed over 168,000 devices exposed to the internet to be identified as vulnerable to illicit remote command execution via an admin protocol.”

Walmsley also contended that “firmware may not be that firm,” leaving it open to compromise by advanced attackers. But “with recent advances in AI-based behavior threat detection, we can now spot in real-time the very subtle signals attackers use to perform command and control orchestration to devices that have compromised firmware by looking for the attacker’s “knocking” signals hidden within legitimate communications,” he said. “With that actionable insight, platforms can be completely reset and their firmware, OS images, and configs reloaded from known good sources.”

Source: https://www.scmagazine.com/critical-infrastructure-needs-shoring-up-after-us-uk-blame-russia-for-attacks/article/759849/

  • 0

33% of businesses hit by DDoS attack in 2017, double that of 2016

Distributed Denial of Service attacks are on the rise this year, and used to gain access to corporate data and harm a victim’s services, according to a Kaspersky Lab report.

Cybercriminals are increasingly turning to Distributed Denial of Service (DDoS) this year, as 33% of organizations faced such an attack in 2017—up from just 17% in 2016, according to a new report from Kaspersky Lab.

These cyber attacks are hitting businesses of all sizes: Of those affected, 20% were very small businesses, 33% were SMBs, and 41% were enterprises.

Half of all businesses reported that the frequency and complexity of DDoS attacks targeting organizations like theirs is growing every year, highlighting the need for more awareness and protection against them, according to Kaspersky Lab.

Of the companies that were hit in 2016, 82% said that they faced more than one DDoS attack. At this point in 2017, 76% of those hit said they had faced at least one attack.

Cybercriminals use DDoS attacks to gain access to valuable corporate data, as well as to cripple a victim’s services, Kaspersky Lab noted. These attacks often result in serious disruption of business: Of the organizations hit by DDoS attacks this year, 26% reported a significant decrease in performance of services, and 14% reported a failure of transactions and processes in affected services.

Additionally, some 53% of companies reported that DDoS attacks against them were used as a smokescreen to cover up other types of cybercrime. Half (50%) of these respondents said that the attack hid a malware infection, 49% said that it masked a data leak or theft, 42% said that it was used to cover up a network intrusion or hacking, and 26% said that it was hiding financial theft, Kaspersky Lab found.

These results are part of Kaspersky Lab’s annual IT Security Risks survey, which included responses from more than 5,200 representatives of small, medium, and large businesses from 29 countries.

“The threat of being hit by a DDoS attack – either standalone or as part of a greater attack arsenal – is showing no signs of diminishing,” said Kirill Ilganaev, head of Kaspersky DDoS protection at Kaspersky Lab, in a press release. “It’s not a case of if an organization will be hit, but when. With the problem growing and affecting every type and size of company, it is important for organizations to protect their IT infrastructure from being infiltrated and keep their data safe from attack.”

Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.

  • 33% of organizations experienced a DDoS attack in 2017, compared to 17% in 2016. -Kaspersky Lab, 2017
  • Of organizations hit by DDoS attacks, 20% were very small businesses, 33% were SMBs, and 41% were enterprises. -Kaspersky Lab, 2017
  • 53% of companies reported that DDoS attacks against them were used as a smokescreen to cover up other types of cybercrime, including malware, data leaks, and financial theft. -Kaspersky Lab, 2017

Source: http://www.techrepublic.com/article/33-of-businesses-hit-by-ddos-attack-in-2017-double-that-of-2016/

  • 0

Apache Struts Vulnerabilities and The Equifax Hack, What Happened?

In the wake of the Equifax breach, a lot of people are wondering how the theft of personal information occurred and how it could have been prevented.

Equifax initially reported that a vulnerability in Apache Struts was used to infiltrate their public-facing web server. Apache Struts has faced its fair share of vulnerabilities with 21 having been discovered since the start of 2016.

Which Apache Struts vulnerability was used in the Equifax hack?

At DOSarrest we researched current and past Apache Strut vulnerabilities and determined that they likely were not hacked using the new CVE-2017-9805 but likely CVE-2017-5638.

Equifax released additional details on Sept 13th 2017 confirming that the vulnerability involved was CVE-2017-5638. The CVE-2017-5638 vulnerability dates back to March 2017, which is why people in the security industry are now questioning how they could be so far behind in patching this well-known exploit.

The two vulnerabilities, CVE-2017-5638 and the recently revealed CVE-2017-9805 are very similar in nature and are both considered Remote Code Execution (RCE) vulnerabilities .

How does a RCE vulnerability work and how can they be prevented?

A RCE vulnerability is exploited when an attacker crafts a packet or request containing arbitrary code or commands. The attacker uses a method to bypass security that causes a vulnerable server to execute the code with either user or elevated privileges.

Such vulnerabilities can be prevented with a two-fold approach to web application security:

1) New vulnerabilities will continually be discovered in any web application framework, and it is the duty of IT teams to keep the software patched. This requires regular audits and patches to vulnerable software. Even the most proactive IT teams will not be able to prevent a so-called zero-day attack by patching alone so more must be done to protect the web server from zero-day vulnerabilities.

2) Since there is always a delay between the time a vulnerability is discovered and when a patch is developed by the maintainer of that product, a means to protect your website from undiscovered zero-day vulnerabilities is needed. Web Application Firewall’s (WAF) that typically rely on signatures are unfortunately at a disadvantage because signatures for existing vulnerabilities in most cases do not match newer zero-day vulnerabilities.

If I cannot rely on signature-based WAF options, what can I rely on to protect my business?

At DOSarrest our WAF is different. The problem with relying on signatures is that it requires constant updates as new vulnerabilities become known. Instead our WAF looks for sets of characters (such as /}/,/“/, and /;/) or phrases (like “/bin/bash” or “cmd.exe”) that are known to be problematic for some web applications.

What makes DOSarrest’s WAF even more appealing is that it is fast. Much faster than signature-based solutions that require high CPU use to match signatures–such matching could result in a measurable impact on latency. With DOSarrest’s WAF there is no increase in latency, and vulnerabilities not yet discovered will still be mitigated.

Examples of how the Apache Strut vulnerabilities are performed:

For the benefit of more technical users, some sample requests will be analyzed below. The first example represents a normal non-malicious request sent by millions of people everyday and the following two exploit RCE vulnerabilities in Apache Struts:

We can note the following characteristics in the exploit of CVE-2017-5638:

1. The Content-Type Header starts with %{(, an incorrect format.

2. The payload contains a java function call, java.lang.ProcessBuilder, that is normally regarded as dangerous.

3. The payload contains both windows and Linux command line interpreters: “cmd.exe” (Windows Command Prompt) and “/bin/bash” (Linux Bash shell/terminal).

The RCE vulnerability used to infiltrate Equifax, CVE-2017-5638 exploits a bug in the way Apache Struts processes the “Content-Type” HTTP header. This allows attackers to run an XML script with elevated user access, containing the java.lang.ProcessBuilder is required to execute the commands the attacker has placed within the XML request.

CVE 2017-9805, announced September 2017, is very similar to the previous RCE vulnerability.

With CVE-2017-9805, we can note the following characteristics:

1. The Content-Type is application/xml with the actual content in the request body matching that of the Content-Type.

2) The payload also contains the java function call java.lang.ProcessBuilder.

3) The payload in this case is Linux specific and calls “/bin/bash -c touch ./CVE-2017-9805.txt” to confirm that the exploit works by creating a file, “CVE-2017-9805.txt”.

Are the payloads shown the exact ones used by attackers to obtain data from Equifax?

Although some of the commands may have been used together as part of the information gathering process, the actual commands used to obtain the data from Equifax may only be known by the attackers and possibly Equifax or an auditing security team directly involved in the case. The examples show how the vulnerability could be exploited in the wild and what methods might be used, e.g., setting Content-Type and sending an XML file with a payload. These examples do not represent the actual payload used to obtain the data from Equifax.

Since the payload itself can be completely arbitrary, an attacker can run any commands desired on the victim’s server. Any action the web server software is capable of could be performed by an attacker, which could allow for theft of information or intellectual property if it is accessible from the hacked server.

In the case of Equifax, there was likely an initial vulnerability scan that the attackers used to expose Equifax’s vulnerability to this particular attack. This would have been followed by an effort to determine what files were available or what actions could be performed from the Equifax public-facing web server.At some point the attackers came across a method for accessing personal credit details on millions of Americans and citizens from other countries who had credit checks performed on their identities within the United States.

If Equifax had been using the DOSarrest WAF, they could have avoided a costly mistake. Don’t let your business suffer a damaging security breach that could result in you being out of business for good. Talk to us about our services.

For more information on our services including our Web Application Firewall, see DOSarrest for more information on Security solutions.

Source: https://www.dosarrest.com/ddos-blog/apache-struts-vulnerabilities-and-the-equifax-hack-what-happened/

  • 0