Loss of Customer Trust and Confidence Biggest Consequence of DDoS Attacks

A new study from Corero Network Security has revealed that the most damaging consequence of a distributed denial-of-service (DDoS) attack for a business is the erosion of customer trust and confidence.

The firm surveyed IT security professionals at this year’s Infosecurity Europe, with almost half (42%) of respondents stating loss of customer trust and confidence as the worst effect of suffering DDoS, with just 26% citing data theft as the most damaging.

Third most popular among those polled was potential revenue loss (13%), followed by the threat of intellectual property theft (10%).

“Network and web services availability are crucial to ensuring customer satisfaction and sustaining customer trust and confidence in a brand,” said Ashley Stephenson, CEO at Corero Network Security. “These indicators are vital to both the retention and acquisition of customers in highly competitive markets. When an end user is denied access to internet-facing applications or network outages degrade their experience, it immediately impacts brand reputation.”

Corero’s findings come at a time when DDoS attacks continue to cause havoc for organizations around the world.

Link11’s Distributed Denial of Service Report for Europe revealed that DDoS attacks remained at a high level during Q2 2018, with attackers focusing on European targets 9,325 times during the period of April-June. That equated to an average of 102 attacks per day.

“The cyber-threat landscape has become increasingly sophisticated and companies remain vulnerable to DDoS because many traditional security infrastructure products, such as firewalls and IPS, are not sufficient to mitigate modern attacks,” added Corero’s Stephenson. “Proactive DDoS protection is a critical element in proper cybersecurity protection against loss of service and the potential for advanced, multi-modal attack strategies.”

“With our digital economy utterly dependent upon access to the internet, organizations should think carefully about taking steps to proactively protect business continuity, particularly including DDoS mitigation.”

Source: https://www.infosecurity-magazine.com/news/loss-trust-confidence-ddos/


DDoS attackers increasingly strike outside of normal business hours

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors.

DDoS attacks outside business hours

While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks per day.

While the number of attacks decreased overall – possibly as a result of DDoS-as-a-service website Webstresser being closed down following an international police operation – both the scale and complexity of the attacks increased. The LSOC registered a 50% increase in hyper-scale attacks (80 Gbps+). The most complex attacks seen used 13 vectors in total.

Link11’s Q2 DDoS Report revealed that threat actors targeted organisations most frequently between 4pm CET and midnight Saturday through to Monday, with businesses in the e-commerce, gaming, IT hosting, finance, and entertainment/media sectors being the most affected.

The report reveals that high volume attacks were ramped up via Memcached reflection, SSDP reflection and CLDAP, with the peak attack bandwidth recorded at 156 Gbps. Other key findings from the Q2 report include:

  • The total duration of attacks during the quarter was 1,221 hours
  • 17% of attacks used two vectors, while 16% used three
  • The most frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%)
  • Memcached was the most used reflection amplification technique, with 773 attacks observed using this technique, highlighting that Memcached is still an issue. The SSDP reflection technique generated the greatest proportion of DDoS packets.


“Attacks in Q2 2018 continued to grow in scale and complexity. Nearly half of attacks were multi-vector, making them harder to defend against, and with the rapid growth in ‘hyper attacks’ with volumes of over 80 Gbps, we must now consider these large, complex attacks to be the new normal,” said Aatish Pattni, Regional Director UK & Ireland for Link11.

“It’s only a matter of time until a new DDoS-for-hire service emerges to replace Webstresser, so attacks will inevitably increase over the coming months. Given the scale of the threat that organizations are facing, and the fact that the attacks are deliberately aimed at causing maximum disruption, it’s clear that businesses need to deploy advanced techniques to protect themselves against DDoS exploits,” added Pattni.

Source: https://www.helpnetsecurity.com/2018/08/15/ddos-attacks-outside-business-hours/


Report Looks at Future Trends in Cyber Security

The Future Today Institute, an organization that provides forecasts about how emerging technology will disrupt business and transform the workforce, has once again looked into its crystal ball—and cyber security executives might not be thrilled with the predictions.

In its 2018 Tech Trends Report, the institute said organizations and individuals can expect to see more sophisticated data breaches, advanced hacker tactics, and targeted ransomware against devices in offices and homes.

Here are some of the key security-related prognostications:

  • The historical tension between security and privacy domains will unleash new challenges this year, report said. Individuals are providing more data each day, and as more connected devices enter the marketplace the volume of available data will continue to rise. But the companies making devices and managing consumer data are not planning for future scenarios, and off-the-shelf compliance checklists will not be sufficient. Managers will need to develop and constantly update their security policies and make the details transparent. Today, most organizations aren’t devoting enough budget to securing their data and devices, the report said.
  • Distributed denial of service attacks (DDoS) will increase. In the past few years the number of DDoS attacks has spiked, the report said. The U.S. was hit with 122 million DDoS attacks between April and June 2017 alone. One of the more notable DDoS incidents was a massive attack that shut down many leading Internet sites, caused by the Mirai botnet and infecting Dyn, a company that controls a large portion of the Internet domain name system infrastructure. Cyber criminals are leveraging more sophisticated tools, and that means future attacks will be larger in scope and could have greater impact.
  • Ransomware will continue to be a threat with the growth of cryptocurrencies. There was a spread of ransomware attacks, including WannaCry, Petya, and NotPetya, during 2017. In England, WannaCry shut down systems in dozens of medical centers, which resulted in hospitals diverting ambulances and 20,000 cancelled appointments. Because cash and online bank transfers are easy to track, the currency of choice for ransomware attacks is bitcoin, which moves through an encrypted system and can’t be traced. The rise of blockchain and cryptocurrencies has transformed ransomware into a lucrative business, according to the report. Just backing up data will probably not be enough of a measure against these attacks.
  • Russia will remain a big source of hacker attacks. The country is home to the world’s most gifted and prolific hackers, who are motivated both by a lack of economic opportunity and weak law enforcement, according to the report. In the past two years it has become clear that Russia’s military and government intelligence agencies are eager to put home-grown hackers to work, infiltrating the Democratic National Committee, Olympic organizations and European election commissions, it said.
  • Zero-day exploits will be on the rise. These attacks are dangerous, and finding vulnerabilities is a favorite activity of malicious hackers, the report noted. A number of zero-day exploits have been lying dormant for years—and two emerged late in 2017. A flaw found on chips made by Intel and ARM led to the realization that virtually every Intel processor shipped since 1995 was vulnerable to two new attacks called Spectre and Meltdown.
  • There will be more targeted attacks on digital assistants. Now that digital assistants such as Alexa, Siri, and Cortana have moved from the fringe to the mainstream, expect to see targeted attacks, the report said. Whether they target the assistants or their hardware (Amazon Echo, Apple HomePod, Google Home), it’s clear that the next frontier in hacking is these platforms.
  • In the wake of several hacking attacks during elections around the world, several government agencies are now making public their plans to hack offensively, according to the report. The U.K.’s National Health Service has started hiring white hat hackers to safeguard it against a ransomware attack such as WannaCry, which took the nation’s health care system offline. Singapore’s Ministry of Defense is hiring white hat hackers and security experts to look for critical vulnerabilities in its government and infrastructure systems. And in the U.S., two agencies responsible for cyberwarfare—the U.S. Cyber Command and the National Security Agency—are looking to leverage artificial intelligence (AI) as a focus for the U.S. cyber strategy.
  • Also thanks to advancements in AI, one of the big trends in security is automated hacking—software designed to out-hack human hackers. The report said the Pentagon’s research agency DARPA launched a Cyber Grand Challenge project in 2016, with a mission to design computer systems capable of beating hackers at their own game. The agency wanted to show that smarter automated systems can reduce the response time—and develop fixes in system flaws—to just a few seconds. Spotting and fixing critical vulnerabilities is a process that can take human hackers months or even years to complete, the report said.

Source: https://securityboulevard.com/2018/08/report-looks-at-future-trends-in-cyber-security/


‘SCRAPER’ BOTS AND THE SECRET INTERNET ARMS RACE

Companies are waging an invisible data war online. And your phone might be an unwitting soldier.

Retailers from Amazon and Walmart to tiny startups want to know what their competitors charge. Brick and mortar retailers can send people, sometimes called “mystery shoppers,” to their competitors’ stores to make notes on prices.

Online, there’s no need to send people anywhere. But big retailers can sell millions of products, so it’s not feasible to have workers browse each item and manually adjust prices. Instead, the companies employ software to scan rival websites and collect prices, a process called “scraping.” From there, the companies can adjust their own prices.

Companies like Amazon and Walmart have internal teams dedicated to scraping, says Alexandr Galkin, CEO of the retail price optimization company Competera. Others turn to companies like his. Competera scrapes pricing data from across the web, for companies ranging from footwear retailer Nine West to industrial outfitter Deelat, and uses machine-learning algorithms to help its customers decide how much to charge for different products.

Walmart didn’t respond to a request for comment. Amazon didn’t answer questions about whether it scrapes other sites. But the founders of Diapers.com, which Amazon acquired in 2010, accused Amazon of using such bots to automatically adjust its prices, according to Brad Stone’s book The Everything Store.

Scraping might sound sinister, but it’s part of how the web works. Google and Bing scrape web pages to index them for their search engines. Academics and journalists use scraping software to gather data. Some of Competera’s customers, including Acer Europe and Panasonic, use the company’s “brand intelligence” service to see what retailers are charging for their products, to ensure that they are complying with pricing agreements.

For retailers, scraping can be a two-way street, and that’s where things get interesting. Retailers want to see what their rivals are doing, but they want to prevent rivals from snooping on them; retailers also want to protect intellectual property like product photos and descriptions, which can be scraped and reused without permission by others. So many deploy defenses to subvert scraping, says Josh Shaul, vice president of web security at Akamai Technologies. One technique: showing different prices to real people than to bots. A site may show the price as astronomically high or zero to throw off bots collecting data.

Such defenses create opportunities for new offenses. A company called Luminati helps customers, including Competera, mask bots to avoid detection. One service makes the bots appear to be coming from smartphones.

Luminati’s service can resemble a botnet, a network of computers running malware that hackers use to launch attacks. Rather than covertly take over a device, however, Luminati entices device owners to accept its software alongside another app. Users who download MP3 Cutter from Beka for Android, for example, are given a choice: View ads or allow the app to use “some of your device’s resources (WiFi and very limited cellular data).” If you agree to let the app use your resources, Luminati will use your phone for a few seconds a day when it’s idle to route requests from its customers’ bots, and pay the app maker a fee. Beka didn’t respond to a request for comment.

The ongoing battle of bot and mouse raises a question: How do you detect a bot? That’s tricky. Sometimes bots actually tell the sites they’re visiting that they’re bots. When a piece of software accesses a web server, it sends a little information along with its request for the page. Conventional browsers announce themselves as Google Chrome, Microsoft Edge, or another browser. Bots can use this process to tell the server that they’re bots. But they can also lie. One technique for detecting bots is the frequency with which a visitor hits a site. If a visitor makes hundreds of requests per minute, there’s a good chance it’s a bot. Another common practice is to look at a visitor’s internet protocol address. If it comes from a cloud computing service, for example, that’s a hint that it might be a bot and not a regular internet user.
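The three signals the paragraph above describes (a self-declared bot user agent, request frequency, and a source address in a hosting range) can be applied to ordinary web server logs. The following is an added example, not code from the article or from Akamai; the log lines, the IP addresses and the 198.51.100.0/24 "hosting range" are constructed for illustration.

```python
"""Classify visitors in an access log as bot or likely-human using three heuristics.

Added example (not from the article or any vendor). Log lines, IPs and the hosting
range are constructed; the rate threshold of 100 requests/minute is an assumption.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Tokens that honest crawlers put in their User-Agent (constructed, not exhaustive).
SELF_DECLARED = ("bot", "crawler", "spider", "python-requests", "curl/")
# Constructed stand-in for "addresses belonging to a cloud/hosting provider".
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "ua": m["ua"]})
    return entries


def declared_bot(ua):
    return any(tok in ua.lower() for tok in SELF_DECLARED)


def in_hosting_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def peak_requests_per_minute(timestamps, window=60):
    """Largest number of requests that fall inside any 60-second sliding window."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(ts):
        while (t - ts[lo]).total_seconds() > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify_visitors(entries, rate_threshold=100):
    by_ip, uas = defaultdict(list), defaultdict(set)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
        uas[e["ip"]].add(e["ua"])
    result = {}
    for ip, stamps in by_ip.items():
        peak = peak_requests_per_minute(stamps)
        reasons = []
        if any(declared_bot(u) for u in uas[ip]):
            reasons.append("self-declared bot user agent")
        if peak >= rate_threshold:
            reasons.append(f"{peak} requests in one minute")
        if in_hosting_range(ip):
            reasons.append("source address in a hosting/cloud range")
        result[ip] = {"peak_per_minute": peak, "reasons": reasons,
                      "verdict": "bot" if reasons else "likely human"}
    return result


def build_sample_log():
    """Constructed traffic: a slow human, a declared crawler, and a fast bot with a spoofed UA."""
    base = datetime(2018, 8, 15, 10, 0, 0, tzinfo=timezone.utc)
    human_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/68.0 Safari/537.36"
    crawler_ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    def line(ip, ts, path, ua):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = [line("203.0.113.10", base + timedelta(seconds=s), f"/product/{i}", human_ua)
             for i, s in enumerate((1, 133, 280, 425, 598))]
    lines += [line("192.0.2.5", base + timedelta(minutes=m), "/", crawler_ua) for m in (1, 3, 6)]
    # 150 requests from one hosting-range address inside a single minute, lying about its UA.
    lines += [line("198.51.100.7", base + timedelta(minutes=5, seconds=i * 60 // 150),
                   f"/product/{i}", human_ua) for i in range(150)]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, info in classify_visitors(parse_log(build_sample_log())).items():
        print(ip, info["verdict"], info["reasons"])
```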

Shaul says that techniques like disguising bot traffic have made it “almost useless” to rely on an internet address. Captchas can help, but they create an inconvenience for legitimate users. So Akamai is trying something different. Instead of simply looking for the common behaviors of bots, it’s looking for the common behaviors of humans and lets those users through.

When you tap a button on your phone, you move the phone ever so slightly. That movement can be detected by the phone’s accelerometer and gyroscope, and sent to Akamai’s servers. The presence of minute movement data is a clue that the user is human, and its absence is a clue that the user might be a bot.

Luminati CEO Ofer Vilenski says the company doesn’t offer a way around this yet, because it’s a relatively uncommon practice. But Shaul thinks it’s only a matter of time before bot makers catch on. Then it will be time for another round of innovations. So goes the internet bot arms race.

Good Bots and Bad Bots

One big challenge for Akamai and others trying to manage bot-related traffic is the need to allow some, but not all, bots to scrape a site. If websites blocked bots entirely, they wouldn’t show up in search results. Retailers also generally want their pricing and items to appear on shopping comparison sites like Google Shopping, Price Grabber, and Shopify.

“There’s really a lot of different scenarios where scraping is used on the internet for good, bad, or somewhere in the middle,” Shaul says. “We have a ton of customers at Akamai who have come to us to help us manage the overall problem of robots, rather than humans, visiting their site.”

Some companies scrape their own sites. Andrew Fogg is the co-founder of a company called Import.io, which offers web-based tools to scrape data. Fogg says one of Import.io’s customers is a large retailer that has two inventory systems, one for its warehouse operations and one for its e-commerce site. But the two systems are frequently out of sync. So the company scrapes its own website to look for discrepancies. The company could integrate its databases more closely, but scraping the data is more cost effective, at least in the short term.

Other scrapers live in a gray area. Shaul points to the airline industry as an example. Travel price-comparison sites can send business to airlines, and airlines want their flights to show up in the search results for those sites. But many airlines rely on outside companies like Amadeus IT and Sabre to manage their booking systems. When you look up flight information through those airlines, the airline sometimes must pay a fee to the booking system. Those fees can add up if a large number of bots are constantly checking an airline’s seat and pricing information.

Shaul says Akamai helps solve this problem for some airline customers by showing bots cached pricing information, so that the airlines aren’t querying outside companies every time a bot checks prices and availability. The bots won’t get the most up-to-date information, but they’ll get reasonably fresh data without costing the airlines much.

Other traffic, however, is clearly problematic, such as distributed denial-of-service, or DDoS, attacks, which aim to overwhelm a site by flooding it with traffic. Amazon, for example, doesn’t block bots outright, including price scrapers, a spokesperson says. But the company does “prioritize humans over bots when needed to ensure we are providing the shopping experience our customers expect from Amazon.”

Fogg says Import.io doesn’t get blocked much. The company tries to be a “good citizen” by keeping its software from hitting servers too often or otherwise using a lot of resources.

Vilenski says Luminati’s clients have good reasons to pretend not to be bots. Some publishers, for example, want to make sure advertisers are showing a site’s viewers the same ads that they show to the publishers.

Still, the company’s business model raised eyebrows in 2015 when a similar service from its sister company, Hola VPN, was used to launch a DDoS attack on the website 8chan. Earlier this month, Hola VPN’s Chrome extension was accused of being used to steal passwords of users of the cryptocurrency service MyEtherWallet. In a blog post, Hola VPN said its Google Chrome Store account was compromised, allowing attackers to add malware to its extension. Vilenski says the company carefully vets its customers, including a video call and steps to verify the potential customer’s identity. He declined to comment on alleged malicious uses of Luminati’s service. Controversial or not, Vilenski says the company’s business has tripled in the past year.

Source: https://www.wired.com/story/scraper-bots-and-the-secret-internet-arms-race/


Check Point: Time for a Fifth Generation of Cybersecurity

Cybersecurity is entering a new phase that requires IT organizations to put processes in place that are capable of continuously identifying potential threats before they impact operations and detecting them once a breach occurs.

Don Meyer, head of marketing for data center at Check Point Software Technologies, said that shift represents a new fifth era of cybersecurity that requires a mechanism through which cybersecurity intelligence is shared across a layered defense in real time.

Today, most organizations unfortunately still rely mainly on firewalls and anti-virus software that are not integrated in any meaningful way, said Meyer. That’s become problematic, because cybercriminals are becoming more adept at launching polymorphic attacks targeting multiple potential exploits. For example, a distributed denial of service (DDoS) attack may be intended to serve as a distraction as endpoints are being targeted. In some cases, the only purpose of these attacks is to implant malware that hijacks IT infrastructure to mine cryptocurrencies.

To effectively respond to those threats, an IT organization needs a central control plane through which companies can coordinate their response to threats to applications and infrastructure running in the cloud and on-premises. Given the increased volume of attacks and the ever-expanding size of the attack surface that needs to be defended, Meyer said it’s only a matter of time before organizations find themselves relying more on big data along with machine learning algorithms and other forms of artificial intelligence (AI) to defend the extended enterprise.

In fact, Meyer noted that cybercriminals already have access to advanced hacking tools developed by the Central Intelligence Agency (CIA), for example. Cybercriminals are leveraging those tools alongside machine learning algorithms to more precisely identify and target vulnerabilities. Today, cybercrime is a trillion-dollar industry, and much of the profits generated are plowed right back into the development of more sophisticated means of launching attacks. Despite this, cooperation remains limited among organizations trying to defend against these attacks. Unless organizations find some way to share and act on threat intelligence data in real time, the odds will continue to be stacked against them, Meyer said.

Therefore, IT organizations need to move beyond deploying a series of uncoordinated point products to defend against one type of potential threat or another, he said. Rather, a modern approach to cybersecurity requires a much more coordinated response across multiple organizations that have committed to each other’s mutual defense.

It’s unclear where the center of gravity for cybersecurity intelligence will ultimately reside. Check Point and other providers of firewalls say their platforms are the most logical place to coordinate security across thousands of endpoints as well as any number of external cloud platforms. It’s obvious, however, that something must be done. The current status quo for cybersecurity is ineffective—not only will the volume of attacks continue to increase, the ability of IT organizations to discover and then remediate breaches is increasingly being taxed beyond any ability to keep pace.

Source: https://securityboulevard.com/2018/05/check-point-time-for-a-fifth-generation-of-cybersecurity/


Malware with bricking capabilities poses major threat after infecting 500,000+ networking devices

A potentially highly destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world.

Researchers from Cisco Systems’ Talos threat intelligence unit warn that the newly discovered malware, dubbed VPNFilter, has overlapping code with BlackEnergy, an APT trojan capable of DDoS attacks, information wiping, and cyber espionage that Russia allegedly used in past cyberattacks to disable the Ukrainian power grid.

The campaign’s connection to BlackEnergy, combined with its heavy emphasis on infecting Ukrainian hosts using a command-and-control infrastructure specifically dedicated to that country, leads Talos experts to believe Ukraine may again be the primary target of an imminent cyber assault.

Talos observed markedly heavy infection activity in Ukraine on May 8 and again on May 17. Meanwhile, Symantec posted its own take on the threat, informing SC Media in emailed comments that while VPNFilter has spread widely, honeypot and sensor data seem to indicate that it is not scanning and infecting indiscriminately.

The malware compromises devices so that attackers can potentially spy on and collect their network traffic (including website credentials) and monitor Modbus supervisory control and data acquisition (SCADA) protocols used with industrial control systems.

It can even “brick” devices – individually or, far worse, en masse – rendering them unusable by overwriting a portion of the firmware and forcing a reboot. “In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” the Talos blog post explains.

“This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware,” the post continues. “If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.”

Affected products include Linksys, MikroTik, NETGEAR and TP-Link small and home office networking equipment, and QNAP NAS devices.

“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” Talos warns in its blog post. “We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”

The modular malware is comprised of three stages. The first stage, which establishes persistence, is unique among IoT malware programs in that it can survive a reboot. It also uses multiple redundant command-and-control mechanisms to discover the current stage-two deployment server’s IP address.

Stage two is in charge of file collection, command execution, data exfiltration and device management, and also possesses the “kill” function that can brick devices. Stage three acts as a plug-in that provides the remaining known capabilities. “The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways,” Talos reports.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend,” warns Talos, which does suggest several mitigation techniques in its report. “Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks.”

In a security advisory, NETGEAR has advised running the latest firmware on routers, changing default admin passwords and ensuring that remote management is turned off.

“Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, in emailed comments. “This will remove any second- and third-stage malware from their devices, since the malware does not have persistence capabilities. It will leave the first stage in place, which will try to download the second stage again, but with law enforcement’s efforts to take down the known command-and-control infrastructure and the efforts by security vendors who provide equipment to internet service providers, the threat should be partially mitigated.”

Derek Manky, global security strategist at Fortinet, said in emailed comments that VPNFilter reminds him of a BrickerBot, a wormable IoT malware capable of knocking unsecured IoT devices offline.

“Last year we talked about how, while BrickerBot was not a worm with mass adoption yet, it was a precursor of things to come,” said Manky. “Forward to today, VPNFilter is the real deal, in the wild, and in full force, which makes it a much larger threat and quite concerning. This is a true brick, overwriting the first 5,000 bytes of memory,” resulting in a “dead state.”

Source: https://www.scmagazine.com/malware-with-bricking-capabilities-poses-major-threat-after-infecting-500000-networking-devices/article/768231/


This new type of DDoS attack takes advantage of an old vulnerability

The new technique has “the potential to put any company with an online presence at risk of attack”, warn researchers.

A newly-uncovered form of DDoS attack takes advantage of a well-known, yet still exploitable, security vulnerability in the Universal Plug and Play (UPnP) networking protocol to allow attackers to bypass common methods for detecting their actions.

Attacks are launched from irregular source ports, making it difficult to determine their origin and blacklist the ports in order to protect against future incidents.

The new form of distributed denial-of-service attack has been uncovered and detailed by researchers at security company Imperva, who say it has been used by unknown attackers twice.

The UPnP protocol is commonly used for device discovery, especially so by Internet of Things devices, which use it to find each other and communicate over a local network.

The protocol is still used, despite known issues around poor default settings, lack of authentication, and UPnP-specific remote code execution vulnerabilities, which make the devices vulnerable to attack.

“Just like the much-discussed case of easily exploitable IoT devices, most UPnP device vendors prefer focusing on compliance with the protocol and easy delivery, rather than security,” Avishay Zawoznik, security research team leader at Imperva, told ZDNet.

“Many vendors reuse open UPnP server implementations for their devices, not bothering to modify them for a better security performance.”

Examples of problems with the protocol go all the way back to 2001, but the simplicity of using it means it is still widely deployed. However, Imperva researchers claim the discovery of how it can be used to make DDoS attacks more difficult to detect could mean widespread problems.

“We have discovered a new DDoS attack technique, which uses known vulnerabilities, and has the potential to put any company with an online presence at risk of attack,” said Zawoznik.

Researchers first noticed something was new during a Simple Service Discovery Protocol (SSDP) attack in April. This type of botnet tends to be small and spoofs their victim’s IP addresses in order to query common internet connected devices such as routers, printers and access points.

While most of the attacks were arriving from the usual SSDP port number of 1900, around 12 percent of payloads were arriving from randomised source ports. Imperva investigated and found that a UPnP-integrated attack method could be used to hide source port information.

Attackers could easily find devices to take advantage of by using the Shodan IoT search engine — researchers found over 1.3 million devices which could be exploitable, especially if the attacker used scripts to automate discovery.

In order to not fall victim to this, businesses “should come up with a DDoS protection that is based on the packet payloads, rather than source ports only,” said Zawoznik.

However, researchers note that there is a relatively simple way to protect systems from this and other UPnP exploits: just block the device from being remotely accessible, because in the vast majority of cases, they note, “it serves no useful function or has any benefit for device users”.
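The observation that a share of the reflected SSDP traffic arrived from randomised source ports, and Zawoznik’s advice to filter on packet payloads rather than source ports, can be shown side by side. Below is an added example, not code from Imperva or the article: it classifies constructed UDP datagrams as SSDP discovery responses from their payload (an `HTTP/1.1 200 OK` header block carrying the mandatory `ST` and `USN` headers) and compares that against a port-1900-only filter. The datagrams, addresses and ports are constructed.

```python
"""Payload-based versus source-port-based identification of reflected SSDP responses.

Added example (not from Imperva or the article). All datagrams below are constructed.
A server that never sent an M-SEARCH should never receive SSDP 200 OK responses, so
inbound datagrams matching is_ssdp_response() on any port are reflection traffic.
"""
from dataclasses import dataclass


@dataclass
class Datagram:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def is_ssdp_response(payload: bytes) -> bool:
    """True if the payload is an SSDP M-SEARCH response (HTTP/1.1 200 OK with ST and USN)."""
    try:
        text = payload.decode("ascii")          # SSDP is plain ASCII; binary payloads fail here
    except UnicodeDecodeError:
        return False
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200 OK"):
        return False
    headers = {}
    for ln in lines[1:]:
        if ln == "":                            # blank line ends the header block
            break
        if ":" not in ln:                       # not a header line: not well-formed SSDP
            return False
        name, value = ln.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    # ST and USN are mandatory in an SSDP discovery response (UPnP Device Architecture 1.0).
    return "ST" in headers and "USN" in headers


def classify(dgram: Datagram):
    """Return (verdict by source port, verdict by payload) for one datagram."""
    by_port = "ssdp" if dgram.src_port == 1900 else "other"
    by_payload = "ssdp" if is_ssdp_response(dgram.payload) else "other"
    return by_port, by_payload


def summarize(dgrams):
    """Count how many datagrams each method would flag as SSDP reflection traffic."""
    port_hits = sum(1 for d in dgrams if classify(d)[0] == "ssdp")
    payload_hits = sum(1 for d in dgrams if classify(d)[1] == "ssdp")
    return {"port_1900_only": port_hits, "payload_based": payload_hits}


SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.44:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.4 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)


def sample_datagrams():
    """Constructed inbound traffic at a victim that never issued an M-SEARCH."""
    return [
        Datagram("192.0.2.44", 1900, 53321, SSDP_REPLY),            # classic reflection, port 1900
        Datagram("192.0.2.45", 41233, 53321, SSDP_REPLY),           # same reply, randomised source port
        Datagram("198.51.100.9", 53, 53321, b"\x12\x34\x81\x80\x00\x01"),  # binary, not SSDP
        Datagram("198.51.100.10", 51234, 53321,
                 b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),  # HTTP-looking but no ST/USN
    ]


if __name__ == "__main__":
    for d in sample_datagrams():
        print(d.src_ip, d.src_port, classify(d))
    print(summarize(sample_datagrams()))
```

The port-only filter sees one reflected response while the payload check sees both, which is the gap the randomised-source-port variant exploits.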

Source: https://www.zdnet.com/article/this-new-type-of-ddos-attacks-takes-advantage-of-an-old-vulnerability/


Why the game industry is still vulnerable to distributed-denial-of-service attacks

The game industry has been under attack for a long time. Security professionals have often had to deal with distributed-denial-of-service (DDoS) attacks going back years.

It seemed like the problem was solved not so long ago, but then, the vector for attacks changed. With the rise of the Internet of Things (IoT), hackers were able to get their hands on many more compromised machines, and in turn, they were able to marshal those machines in much larger DDoS attacks. And so, the game companies are finding that they are getting flooded with attacks once again.

Nokia Deepfield helps companies defend themselves against such attacks. I spoke with Craig Labovitz, general manager of Nokia Deepfield, about the game industry’s ongoing vulnerability to DDoS attacks. That may not sound like the specialty you’d expect Nokia to have, but Nokia acquired Deepfield back in 2016 to ensure real-time network security and performance.

Here’s an edited transcript of our interview. GamesBeat and Akamai will hold a breakfast at the Electronic Entertainment Expo (E3) on June 14 to talk about games and security. Contact us through deantak on Twitter if you’d like to attend.

GamesBeat: Tell us about your interest in security and game companies.

Craig Labovitz: I’ve been doing DDoS for about 20 years now. I was a founder and chief architect at Arbor Networks, one of the first commercially successful DDoS companies. I was with Arbor for 12 years. After we left Arbor, we started Deepfield about five years ago, but our history goes back 25 years doing security, doing DDoS, particularly focused on unusual traffic blocking, traffic floods, things like that.

Deepfield had its start trying to do the next generation of security for both the large cloud guys, the large game guys, and the large carriers. Deepfield was an independent company for about five years. We grew pretty quickly, to cover about 90 percent of North America. We’d just started to enter Europe and Latin America and other parts of the world when we joined Nokia, about a year ago. Since then, we’ve been able to — Nokia provided additional investment. We’ve grown our technology, grown the base. Now, we’re deployed all over the world, doing both engineering and DDoS security.

GamesBeat: Why has this problem persisted for so many years? It sounds like an almost unsolvable issue in some ways, the fact that people can still do DDoS attacks.

Labovitz: Well, I’d actually say the opposite. When we left our last company, one of the reasons I left is I thought we were done. If you go back to 2011, all the carriers deployed appliances. It’s always an arms race between attackers and defenders, whether it’s war or security. In 2011, the defenders had the upper hand. Everyone had deployed the tech they bought from Arbor Networks. Generally, while DDoS was a nuisance, it wasn’t on the front page.

Back in 2000, when we started Arbor, DDoS was on the evening news. All the major brand names were under attack. 2011, there were still attacks, but most of them were easily mitigated. Technology had advanced to a point where we thought it was basically over. We saw the market declining. There wasn’t a lot of growth. It wasn’t in the news. Everyone who was going to buy had already bought: 80 or 90 percent of the large cloud and game companies. Then, things started to change, and you get to where we are today, which of course is a very different market.

GamesBeat: 2011 was a big deal in gaming security, because it was the year of the PlayStation Network hack.

Labovitz: Right. That was when things began to change, in that time frame. I left Arbor in 2011, and in the last five or six years, we’ve seen the resurgence. As far as why things changed, a couple of things have really changed the marketplace to where you’re seeing DDoS be such a pain point for our customers and for games, as well as other verticals.

What changed is, number one, the platforms changed, in the sense of we went from compromising PCs in consumer homes to millions of mobile devices. On a regular basis, we’re seeing cloud DVRs and other home devices participating in attacks. The number of compromised devices participating in botnets has tilted the balance of DDoS back to favor the attackers.

The second thing is just the bandwidth available. In 2010, I had a megabit, a couple of megabits at home? Now, I have hundreds. Other people have gigabits. You see significant last-mile advances in bandwidth and not just to consumers. We’ve seen the explosion of cloud servers and VMs, all of which we see being used as part of DDoS today. The firepower in terms of bandwidth has grown dramatically.

Now, we’ve gone from one device in a home you can compromise to as many as 30 or 40. We’re seeing some of these IoT devices participate in DDoS — like webcams. It’s gotten much easier for criminals to hijack devices all around the world. These devices aren’t connected to just a megabit anymore. Some of them have gigabit bandwidth to the rest of the Internet.

GamesBeat: And that sends a much higher volume of junk requests?

Labovitz: Correct. The number of devices to compromise has grown by a factor of 10 or, in some cases, 100, and the bandwidth to those devices has grown in the same way. All this has really happened since 2010, 2011, where we’ve seen the balance of DDoS tilt back to the attackers.

GamesBeat: What’s been the reaction on the defensive side?

Labovitz: Well, concern. It puts you in a tough position when your attackers grow by 10 or 100 times. It’s hard to counter that. That’s why DDoS, particularly in the last few years, is making headlines again and becoming more of a challenge.

It’s a pretty fundamental shift in the way people are thinking about security. When attacks are occasional, when attacks are small, whether you’re a game company or a provider you respond by adding stuff to the network, by adding servers or different security devices. When you get to this scale of attacks, when the attackers are 10 times bigger than any capacity you have, it’s no longer a matter of just adding more devices to the network. You have to fundamentally shift how you think about security, particularly with an eye toward things like DDoS.

GamesBeat: What has that shift been like?

Labovitz: Back in the day, I used to have a Palm Pilot. I had an MP3 player. I had five different devices that I carried with me that were all sort of adjunct. Similarly, in networking, you used to have a separate device for every possible function. You had a firewall, a DDoS box, an analysis box, a router, a management box. You tried to scale by scaling up all five or six of these things, and that worked for a good 15 [to] 20 years.

The problem, of course, is your attackers are now so much bigger than you are. It’s hard to scale each of those things separately by 10 or 100 times. What you’re seeing now across the market is a shift to move away from that Palm Pilot view of the universe and look to have this embedded in the network, embedded in the infrastructure. You can’t just add it on as an afterthought.

For years, security was an afterthought. You build your network, your game, or your data center, and then, you added security to it. The real shift today is it needs to be part of how you build it from day one. It needs to be everywhere, ubiquitous, embedded. It needs to scale at the same rate you scale your game servers and your network. That’s what we’re seeing in the market today.

GamesBeat: If you had to tick off, say, five things game companies have to worry about, where would you put DDoS in that spectrum of security problems?

Labovitz: It’s kind of like asking a homeowner how they consider security. If they’ve never been burglarized, that’s the last thing on their list. Someone who’s just been broken into or someone who’s made the front page of the Wall Street Journal because they just lost five percent off their stock value, they might have a different opinion. Having done DDoS for 20 years, our best sales were the day after. We used to call them the day-after sales. The day after someone made the front page of the Financial Times, those were the easiest sales we ever had. You hear similar stories about home alarm systems.

When we started doing DDoS 20 years ago, we had to convince people they needed DDoS protection. I think the market has largely matured, and people believe they need it. The question is how much. Clearly losing all your game infrastructure for a period of hours or days is catastrophic to the business. In terms of things you worry about, that would probably be near the top of the list. Things that pose an existential threat to a company are good things to worry about.

GamesBeat: As far as where the online game operators are at, are they effectively all outsourcing this function to the likes of Akamai or Amazon? Do they say to the providers, “Hey, if I get attacked, just give me some more compute resources and get me through it?” Or, is there a different mix of infrastructure?

Labovitz: If you look at the game companies, what’s been interesting over the last three or four years is they’ve come to look a lot like network providers. They’re starting to not only do DDoS themselves, but they’re building their own data centers, laying their own dark fiber, handling more and more as performance becomes a competitive element in games. We see the top five game companies take over more and more of their own infrastructure, down to dark fiber. They’re building out their own global networks.

We did see a period of outsourcing, but now, the opposite is happening, as performance and latency and jitter become more important. As scale has grown, the major game operators — certainly in the U.S. and also in other parts of the world — have made big investments in infrastructure.

GamesBeat: We haven’t talked much about platforms yet, but are we talking about consoles or PC or even mobile? I know that on mobile now, the fast interaction has been very important for games like Clash Royale or Arena of Glory. These are multiplayer team games. They seem to be very sensitive to latency problems. If they’re getting attacked, is that another layer to the problem?

Labovitz: There are definitely attacks there. I think most of the issues we see and hear about from our game customers and carrier customers are more the first-person shooters. We see a ton of — it’s just constant. At any given time for some networks, as much as five or 10 percent of traffic is just people with Xboxes or other console games trying to block someone else.

When we talk about DDoS with respect to gaming, there are two types of attacks. One is you’re specifically targeting another consumer, trying to knock them off, knock their IP address off. The other is you might have monetary incentives. You might go after one of the main game companies and attack their servers. We see both of those. Less frequent, though they happen on a regular basis, are the attacks against servers. But we do see a constant, never stopping wave of gamers attacking each other for whatever motives.

GamesBeat: In that case, they’re going to the trouble of finding a farm to use to attack someone?

Labovitz: I don’t know if it’s a farm exactly. There are just sites that you can go to, pay $10 or whatever, and get a link. I don’t think it’s that much trouble. If you have a credit card or Bitcoin, you too can launch a DDoS.

GamesBeat: Now, we’re getting to another part of the problem, then, that something like this isn’t getting shut down.

Labovitz: No, they’re not. It used to be a big deal, to find a machine that [had] a gigabit of bandwidth. Today, you can rent one. We’ve seen an explosion of bandwidth, an explosion of devices out there, servers and others. Stuff on the edge has grown by 10 or 100 times. You’re left with the guys in the middle of the Internet facing — I remember I had a pool growing up, and sometimes, the algae in it would just explode overnight. I think that’s how a lot of game companies and carriers feel, facing 10 times the devices with 10 times the bandwidth. You can buy any of it for a few bucks.

GamesBeat: How do you mitigate this?

Labovitz: As I say, we have pretty broad coverage. Our customer base includes a large cross section of the major game companies, as well as providers, in North America. The game companies do two things. We work with them on traffic engineering and visibility. We can detect unusual spikes, unusual shifts in traffic. We also work with devices on the network, particularly — a lot of our focus is not on third-party devices, that Palm Pilot world, but we’re working with a lot of the router vendors. Nokia, of course, is a big focus there, but we’re also working with other providers that do the plumbing of the Ethernet.

Deepfield’s big idea, instead of what we used to do when security was something you added to the network, we’ve been working with all of these providers to make sure it’s built in. Every bit of networking device has the capability to block and to filter. We’re working with them to build these blocking capabilities, to build this intelligence in the network, so we can accommodate this huge explosion of devices and bandwidth over the last few years.

GamesBeat: I’ve written a lot about semiconductor companies like ARM that are trying to build trust networks and physical hardware security for IoT chips. Is any of that helping yet? Or do we have too many unprotected devices already out there?

Labovitz: I’ve never won my battles against the moles in the backyard, and that’s never going to happen on the Internet. We’re never going back. Pandora’s box is open. Just as an example, do you know what’s the most popular domain name on the Internet as far as DNS queries?

GamesBeat: Maybe some kind of movie pirating site?

Labovitz: Nope. It’s not Google or Facebook either. The single most popular thing queried on the Internet is time.netgear.com because eight years ago, a bug was introduced into the firmware of routers, where devices would make regular queries well beyond anything they really needed to do to set their time. That bug was fixed long ago, but what’s fascinating is that it’s still by far the most popular thing queried on the Internet. That speaks to how hard it is, once firmware gets out there — the chances of that getting permanently fixed, it’s like a radioactive half-life. We’re stuck with it forever.

GamesBeat: As far as game companies go, are they collectively addressing this in some way? Do they have their own security conferences or other signs they’re approaching this as a group?

Labovitz: Certainly, there’s a very tight security community. It’s not very big. All of us know each other and travel in the same circles. There’s a lot of collaboration. It’s not just the game companies, of course. Whether you’re a game company, a financial company, or one of the ISPs, security crosses all of those. There’s a lot of interaction as we push on initiatives and share information about the threats we’re seeing, as well as working with vendors like Nokia as we work on solutions and try to implement them.

We spend a lot of time talking to different groups and working with different parties. I’m not aware of a specific security organization just for gaming, but certainly, there are a lot of discussions, a lot of engineering meetings. It’s a fairly small community, and it works together.

GamesBeat: As far as other problems besides DDoS, what do you see in security that relates to games?

Labovitz: I can only tell you about what we deal with. I read articles about other things, like loot box fraud, but the problems we deal with in the market, what I personally interact with — it’s just keeping everything running as this stuff continues to scale. Keeping it running, keeping the latency and performance up. Part of that is blocking DDoS, but it’s also just managing the complexity of traffic.

It used to be that whenever you went to Netscape.com, you went to a single server. Today, if you play a game or watch a video, a lot of infrastructure needs to work together from different game servers, different telemetry servers, and content distribution. Power has come at the cost of complexity. Traffic comes from a lot of places. Lots of things go into playing a game. Managing that traffic as it makes its way across the Internet, having the real-time visibility into quality so that as things shift, you can adjust, and, of course, having real-time visibility into DDoS and security. We really help with all of that: just managing stuff, keeping it up and running, and maintaining basic levels of quality in the experience.

GamesBeat: When you do that, are you interacting directly with game companies, or do you work through intermediaries like Amazon or other games-as-a-service vendors?

Labovitz: We do a little bit of both. We do have direct companies we interact with that are game companies.

GamesBeat: Do you have some predictions on this front? It seems like it can only get to be a bigger and bigger problem.

Labovitz: I’m lousy at predicting the future. Like I said, in 2010, I predicted that DDoS was over. I left my previous DDoS company thinking we were done. But I can give you some predictions with that in mind.

I think we’re in the early days of IoT. I’m one of those guys who vowed to never have an IoT device at home, and now — well, I don’t want to talk about what I have in my home. But if you take my mother, she has a Nest doorbell. She has connected speakers. We’re still in the early days of things in the home that have IP addresses. We’re also in the early days of bandwidth. The bandwidth predictions we’re seeing these days are wild. If you look at 5G, suddenly, we’re talking about every phone having huge amounts of bandwidth available in addition to IoT devices.

I don’t think we’ve made the advances we need to in terms of figuring out how to secure servers, how to secure IoT. I don’t think we’ll win that. There’s no magic bullet. We’ve been trying to win as far as protecting PCs and protecting servers for 30 or 35 years. It hasn’t happened yet. It’s not likely to happen any time soon. We’re seeing new threats even at low levels. The threat will continue to grow.

My main prediction is we need to be able to build this stuff into the network itself. You mentioned ARM and others. We’re seeing significant advances in the basic chipsets. Nokia makes our own hardware, so we like to think we’re ahead of the curve, but we’re seeing even some of what’s called merchant silicon, the commodity chips market. They’re a little bit behind, but we’re seeing a lot of advances in merchant silicon as well.

I have high hopes that if we can build this into the network, if we can make sure the hardware advances continue, and if security isn’t an afterthought but really starts to become a part of how we build everything, we can have a chance of improving or at least maintaining the status quo. I don’t know if we’ll ever win.

GamesBeat: I had a couple of questions about streamers. A few years ago, there was a streamer who became very popular broadcasting on Twitch, and he was followed by a bunch of DDoS attack groups. They had a sort of sparring conversation. He would go play a game, and then, the attackers would take down that game while he was trying to stream and repeat the process every time he started a new game. People would watch this, and the audience got bigger and bigger as the day went on. Every game he tried to play, the attackers took down. Some of these streamers have enormous audiences now, with hundreds of thousands of concurrent viewers. I wonder if there’s a way they have of protecting themselves now.

Labovitz: That’s another big thing. Like I say, there are two types of attacks we see. You have attacks against servers and then attacks against players or even streamers. Previously, I think most of the focus was on the servers, higher up on the network. But we’re seeing the volume of malicious traffic — and a lot of that is DDoS — becoming so large that it’s a performance win if your provider can automatically block this traffic when it first enters the network. We’re starting to see carriers — including probably your provider because we’re working with a lot of the U.S. providers — who are trying to add these capabilities for blocking traffic before it ever enters the network.

Going back 5 [to] 10 years, DDoS protection was so expensive that it was just the big banks and a handful of other companies that were purchasing it. Of course, those numbers have come down. You can protect web pages. But the cost of protecting your business traffic or your traffic at home is still prohibitive. Sometimes, that’s not even technically available.

What we are seeing, though, is DDoS protection going from something you add to the network to something that is available, that’s already in place for every customer. It’s just part of the network. We’re starting to see the buildout of infrastructure and capability to block DDoS everywhere in the network, and that capability could be available, whether automatically or for a fee, to every home user and every business. We’re seeing DDoS go from something available to dozens or hundreds of companies to something that’s available to everyone as the problem has become more significant [and] more ubiquitous.

As I say, this has taken a while, but we’re finally seeing a convergence of technology and incentives. This stuff is cyclical. Back in 2010, I thought we had won. Then, the world changed on us. In hindsight, the ways it changed are obvious, but hindsight is always obvious. We’re starting to see more capabilities built into the network, and that’s quite encouraging.

Source: https://venturebeat.com/2018/05/13/why-the-game-industry-is-still-vulnerable-to-distributed-denial-of-service-attacks/view-all/


Incident Of The Week: 15K Accounts Breached At U.K. Credit Union

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a data breach that affected 15,000 members of a U.K.-based credit union.

Threat actors targeted the Sheffield Credit Union (SCU), and officials have warned against the potential compromise of personally identifiable information (PII). SCU said information including names, addresses, national insurance numbers and bank details were accessed, according to a report from the BBC.

The same report notes that the attack happened on Feb. 14, 2018, but only emerged recently after hackers attempted to demand a ransom on the heisted data.

South Yorkshire Police reportedly worked with the SCU and Action Fraud to ameliorate the situation. The BBC notes that the Information Commissioner’s Office (ICO) was also made aware of the occurrence. The SCU also said its security has heightened since. Nevertheless, the credit union is being cautious in warning that the incident could find hackers looking to defraud customers.

The SCU pointed out in a letter to its members that the breach “may expose you to text messaging, cold calling and attempts to defraud.”

Chairwoman of Trustees, Fiona Greaves, reportedly said that hackers likely accessed the data in a “brute-force” attack, in which they overpower systems with password combinations to crack the proverbial code.

She said that members do not need to assume that the data loss will result in “wholesale fraud,” but that “people need to be aware.” The credit union also suggests that members monitor accounts for anomalous activity.

In a news release on the SCU site, the credit union wrote that in the wake of the attack, “and numerous other similar attacks on businesses large and small,” its aim is to keep members “safe from scammers.”

It offers helpful tips for effective cyber hygiene, some of which include:

  • Use caution in giving out bank details; make sure you are 100% sure it’s the right organization
  • Do not change bank details without thorough vetting/verification
  • Only access a company’s official website; enter by typing the address in the browser
  • Log out of systems after you’ve finished
  • Add virus and malware protection to any device that uses the Internet (including IoT devices)
  • Carry out regular software updates (allow for automatic ones if possible)
  • In downloading software, ensure it’s from a reputable/verifiable source
  • Count on updating your passwords regularly (and making them complex)

While these tips are aimed at the SCU member base, they are largely applicable for the enterprise – as security teams oversee awareness campaigns to educate staffers about proactive cyber behavior/hygiene.

Both health and financial data (highly sensitive) will continue to fall within the crosshairs of hackers. Password offensives such as the “brute-force” attack can become a true thorn in the side of IT security practitioners.

In a recent article for the Cyber Security Hub, Integral Partners’ Director of Information Security Services, Kayne McGladrey, said, “Multi-factor authentication (MFA) that incorporates User Behavior Analytics (UBA) is the lowest-cost and easiest solution for organizations to prevent both credential stuffing and password spraying attacks. These attacks both work because the user account is typically protected with a password which may be stolen or guessed, and which may be reused at multiple websites and cloud services.

“MFA requires that the user provide a second form of authentication to access a cloud service… Modern MFA solutions incorporate UBA, which can require MFA only when the user is doing something unusual… This simple and elegant solution can protect both non-privileged business and privileged users.”

Source: https://www.cshub.com/news/incident-of-the-week-15k-accounts-breached-at-uk


Hide and Seek Brings Persistence to IoT Botnets

The rapidly evolving Hide and Seek botnet is now persistent on a wide range of infected IoT devices.

IoT devices tend to be simple. So simple, in fact, that turning them off and back on again has historically been a reliable way to eliminate malware. Now, though, a new variant of the Hide and Seek bot can remain persistent on IoT devices that use a variety of different hardware and Linux platforms.

A research team at Bitdefender described the new variant of a botnet they had first discovered in January with notes of two important developments, one novel and one in keeping with a broader trend in malware.

Persistence in IoT devices is novel and disturbing since it removes a common defense mechanism from the security team’s toolbox. In order to achieve persistence, Hide and Seek must gain access to the device via Telnet, using the protocol to achieve root access to the device. With root access, a file is placed in the /etc/init.d/ directory where it executes each time the device is rebooted. According to the Bitdefender researchers, there are at least 10 different versions of the executables that can run on 10 different system variants.
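A defender-side integrity check for the start-script directory the article names, added here as an example (it is not code from Bitdefender and not the botnet’s code): it hashes the files in an init.d directory against a known-good baseline and reports anything added or altered since. The directory, the two benign scripts and the planted entry are all constructed in a temporary folder, so it runs offline.

```python
"""Baseline check for init scripts (added example; not code from Bitdefender
or from the botnet). A reboot-persistent implant needs an entry under
/etc/init.d/, so comparing that directory against a known-good image surfaces
it. The directory, its scripts and the planted entry below are constructed in
a temporary folder."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(init_dir):
    """Map every regular file in init_dir to its SHA-256. Symlinks are
    followed, so a link pointing at a payload elsewhere on disk is hashed."""
    result = {}
    for path in sorted(Path(init_dir).iterdir()):
        if path.is_file():
            result[path.name] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; anything added or modified since the baseline
    is a candidate for review, removals are reported for completeness."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in common if baseline[n] != current[n]),
    }


def demo():
    """Build a constructed init.d tree, take a baseline, then simulate what an
    audit sees after an unexpected start script appears and an existing one
    is altered. Returns the diff so it can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        init_dir = Path(tmp) / "init.d"
        init_dir.mkdir()
        (init_dir / "S10network").write_text("#!/bin/sh\n/sbin/ifup -a\n")
        (init_dir / "S50httpd").write_text("#!/bin/sh\n/usr/sbin/httpd\n")
        baseline = snapshot(init_dir)  # normally taken from the vendor image

        # Constructed post-incident state: one new entry plus a line appended
        # to an existing script. Contents are placeholders, not a payload.
        (init_dir / "S99unexpected").write_text(
            "#!/bin/sh\n# constructed: not present in the known-good image\n")
        with (init_dir / "S50httpd").open("a") as f:
            f.write("# constructed: appended after the baseline was taken\n")
        return diff_snapshots(baseline, snapshot(init_dir))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

On a real device the baseline would be recorded from a freshly flashed image and the comparison run after each boot; a non-empty `added` or `modified` list is what warrants a look.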

“Once this new botnet has been armed, it isn’t going to do anything but increase the availability of the already prevalent DDoS tools for those looking to launch such attacks,” says Sean Newman, director of product management at Corero Network Security. He points out that this is disturbing for technology advancement reasons, but it might not immediately make a huge impact on the DDoS environment. “With most IoT devices rarely rebooted and easily re-infected if they are, it feels like this may not make as much impact as you might think to the already burgeoning supply of botnets,” he says, “particularly those being used to launch damaging DDoS attacks.”

As part of a broader trend in malware, Hide and Seek shows considerable development and evolution in the code being deployed. Since its initial discovery in January of this year, “The botnet seems to undergo massive development as new samples compiled for a variety of architectures have been added as payloads,” according to the Bitdefender Labs blog post on the malware.

“This showcases the continued evolution of malware and how the internet continues to democratize access to information, malicious or otherwise,” says Dan Mathews, director at Lastline. He lists some of the ways in which the industry has seen botnet malware evolve since the days of Mirai, including, “…default & expanded password guessing and cross-compiled code to run on multiple CPU architectures added, as well as exploits added to leverage IoT vulnerabilities, exploits added for peer to peer communications, and now exploits added for persistence.”

Hide and Seek’s original version was notable for using a proprietary peer-to-peer network for both C&C and new infection communication. Now that persistence has been added to the feature mix, the botnet has become a more pressing concern for the owners of the 32,000+ already infected and those IoT devices that are vulnerable and still unprotected.

Source: https://www.darkreading.com/iot/hide-and-seek-brings-persistence-to-iot-botnets/d/d-id/1331783
