DDoS Attack on Infinite Campus Limits Parent Access

A distributed denial-of-service (DDoS) attack on Infinite Campus, an educational software provider that houses the parent portal for Oklahoma City Public Schools, created access issues for those parents trying to connect to the district’s student information system.

While this was not the first attack on Infinite Campus, district spokeswoman Beth Harrison told NewsOK that the most recent attacks were greater than any it had previously experienced in both volume and duration. “The latest series of attacks began Monday, September 17, and included multiple customers and data centers. Homeland Security is now involved and Infinite Campus has hired additional security experts to assure all data is safe and to track down the attack perpetrators.”

In an announcement to parents explaining the cause of the access issues, the Oklahoma City Public Schools wrote, “Please note that NO student data was stolen or breached. This attack just causes the service to be very slow or unresponsive. Many districts across the country are impacted and authorities are investigating. We’ll provide updates as soon as we have them. Thanks for your patience!”

The attack comes at the beginning of a new school year, and while the motive is unclear at this point, attackers often have myriad objectives when orchestrating these types of attacks.

According to recent research from Corero Network Security, during the first half of 2018 DDoS attacks increased 40% from Q2 2017 to Q2 2018. “This highlights the increasing need for organizations that rely on high levels of online availability to ensure they include the latest always-on, real-time, automatic DDoS protection in their defenses,” said Sean Newman, director product management, Corero Network Security.

“The key point is that such a critical service is able to be taken down by what is now a relatively cheap-and-simple-to-launch attack vector. It’s good to see that a strong emphasis is being placed on the privacy of any data being held, but that doesn’t help with the disruption and inconvenience caused when such a vital service is down for an extended period of time.”

Many online services are delivered by third parties such as Infinite Campus, and when these service providers are targeted with DDoS or other attacks, their customers feel the impact. “The attack on Oklahoma City’s student information system is just another example of just how many services, which are increasingly provided online for reasons of cost, efficiency and scalability, are delivered without adequate resiliency to distributed denial-of-service attacks,”

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-infinite-campus/

  • 0

3 Drivers Behind the Increasing Frequency of DDoS Attacks

What’s causing the uptick? Motivation, opportunity, and new capabilities.

According to IDC Research’s recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic.

What’s behind the uptick? It boils down to three factors: motivation of the attackers; the opportunity presented by inexpensive, easy-to-use attack services; and the new capabilities that Internet of Things (IoT) botnets have.

Political and Criminal Motivations
In an increasingly politically and economically volatile landscape, DDoS attacks have become the new geopolitical tool for nation-states and political activists. Attacks on political websites and critical national infrastructure services are becoming more frequent, largely because of the desire and capabilities of attackers to affect real-world events, such as election processes, while staying undiscovered.

In June, a DDoS attack was launched against the website opposing a Mexican presidential candidate during a debate. This attack demonstrated how a nation-state could affect events far beyond the boundaries of the digital realm. It threatened the stability of the election process by knocking a candidate’s website offline while the debate was ongoing. Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call “cyber reflection,” when an incident in the digital realm is mirrored in the physical world.

DDoS attacks carried out by criminal organizations for financial gain also demonstrate cyber reflection, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors, disaffected activists, or cybercriminals. While extortion on the threat of DDoS continues to be a major threat to enterprises across all vertical sectors, cybercriminals also use DDoS as a smokescreen to draw attention away from other nefarious acts, such as data exfiltration and illegal transfers of money.

Attacks Made Easy
This past April, Webstresser.org — one of the largest DDoS-as-a-service (DaaS) providers in existence, which allowed criminals to buy the ability to launch attacks on businesses and responsible for millions of DDoS attacks around the globe — was taken down in a major international investigation. The site was used by a British suspect to attack a number of large retail banks last year, causing hundreds of thousands of pounds of damage. Six suspected members of the gang behind the site were arrested, with computers seized in the UK, Holland, and elsewhere. Unfortunately, as soon as Webstresser was shut down, various other similar services immediately popped up to take its place.

DaaS services like Webstresser run rampant in the underground marketplace, and their services are often available at extremely low prices. This allows anyone with access to digital currency or other online payment processing service to launch a DDoS attack at a target of their choosing. The low cost and availability of these services provide a means of carrying out attacks both in the heat of the moment and after careful planning.

The rage-fueled, irrational DDoS-based responses of gamers against other gamers is a good example of a spur-of-the-moment, emotional attack enabled by the availability of DaaS. In other cases, the DaaS platforms may be used in hacktivist operations to send a message or take down a website in opposition to someone’s viewpoint. The ease of accessibility to DaaS services enables virtually anyone to launch a cyberattack with relative anonymity.

IoT Botnets
IoT devices are quickly brought to market at the lowest cost possible, and securing them is often an afterthought for manufacturers. The result? Most consumer IoT devices are shipped with the most basic types of vulnerabilities, including hard code/default credentials, and susceptibility to buffer overflows and command injection. Moreover, when patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, expected to rise to 125 billion by 2030 according to analysis from IHS Markit, they make extremely attractive targest for malware authors.

In the latter half of 2016, a high-visibility DDoS attack against a DNS host/provider was observed, which affected a number of major online properties. The malware responsible for this attack, and many others, was Mirai. Once the source code for Mirai was published on September 30, 2016, it sparked the creation of a slew of other IoT-based botnets, which have continued to evolve significantly. Combined with the proliferation of IoT devices, and their inherent lack of security, we have witnessed a dramatic growth in both the number and size of botnets. These new botnets provide the opportunity for attackers and DaaS services to create new, more powerful, and more sophisticated attacks.

Conclusion
Today’s DDoS attacks are increasingly multivector and multilayered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer. This is just the latest trend in an ever-changing landscape where attackers adapt their solutions and make use of new tools and capabilities in an attempt to evade and overcome existing defenses. Businesses need to maintain a constant vigilance on the techniques used to target them and continually evolve their defenses to industry best practices.

Source: https://www.darkreading.com/attacks-breaches/3-drivers-behind-the-increasing-frequency-of-ddos-attacks/a/d-id/1332824

  • 0

California Dem hit with DDoS attacks during failed primary bid: report

The campaign website of a Democratic congressional candidate in California was taken down by cyberattacks several times during the primary election season, according to cybersecurity experts.

Rolling Stone reported on Thursday that cybersecurity experts who reviewed forensic server data and emails concluded that the website for Bryan Caforio, who finished third in the June primary, was hit with distributed denial of service (DDoS) attacks while he was campaigning.

The attacks, which amount to artificially heavy website traffic that forces hosting companies to shut down or slow website services, were not advanced enough to access any data on the campaign site, but they succeeded in blocking access to bryancaforio.com four times before the primary, including during a crucial debate and in the week before the election.

Caforio’s campaign didn’t blame his loss on the attacks, but noted that he failed to advance to a runoff against Rep. Steve Knight (R-Calif.) by coming up 1,497 votes short in his loss against fellow Democrat Katie Hill.

Caforio’s campaign tried several tactics to deter malicious actors, including upgrading the website’s hosting service and adding specific DDoS protections, which in the end failed to deter the attacks.

“As I saw firsthand, dealing with cyberattacks is the new normal when running for office, forcing candidates to spend time fending off those attacks when they should be out talking to voters,” Caforio told the magazine.

A spokeswoman for the Department of Homeland Security (DHS) told Rolling Stone that it offered to help Caforio’s campaign investigate the four attacks but received no response.

A DHS spokesperson did not immediately respond to a request for comment from The Hill.

An aide to the Democratic Congressional Campaign Committee, the campaign arm for House Democrats, told Rolling Stone that it takes attacks such as the ones Caforio faced “very seriously.”

“While we don’t have control over the operations of individual campaigns, we continue to work with and encourage candidates and their staffs to utilize the resources we have offered and adopt best security practices,” the aide said.

Source: https://thehill.com/policy/cybersecurity/407608-california-democrat-hit-with-ddos-attacks-during-failed-primary-bid

  • 0

Hackers behind Mirai botnet could be sentenced to working for the FBI

This comes after more than 18 months of already helping the FBI stop cyberattacks

Three young hackers went from believing they were “untouchable” to helping the FBI stop future cyberattacks.

The trio of hackers behind the Mirai botnet — one of the most powerful tools used for cyberattacks — has been working with the FBI for more than a year, according to court documents filed last week.

Now the government is recommending they be sentenced to continue assisting the FBI, instead of a maximum five years in prison and a $250,000 fine.

“By working with the FBI, the defendants assisted in thwarting potentially devastating cyberattacks and developed concrete strategies for mitigating new attack methods,” US attorneys said in a motion filed Sept. 11. “The information provided by the defendants has been used by members of the cybersecurity community to safeguard US systems and the Internet as a whole.”
Originally, a probation officer on the case recommended that all three defendants be sentenced to five years’ probation and 200 hours of community service.

Because of the hackers’ help, prosecutors have asked that the community service requirement be bumped up to 2,500 hours, which would include “continued work with the FBI on cybercrime and cybersecurity matters.”

The three defendants are set to be sentenced by a federal judge in Alaska. The sentencing plea Tuesday was earlier reported by Wired.

Hacker rehab

Governments have taken a new approach with young, first-offender hackers, in the hopes of rehabilitating them and recruiting them to help defend against future attacks. The UK offers an alternative called the “cybercrime intervention workshop,” essentially a boot camp for young hackers who have technical talent but poor judgment.

The three defendants — Josiah White, Paras Jha and Dalton Norman — were between the ages of 18 and 20 when they created Mirai, originally to take down rival Minecraft servers with distributed denial-of-service attacks.

DDoS attacks send massive amounts of traffic to websites that can’t handle the load, with the intention of shutting them down. Mirai took over hundreds of thousands of computers and connected devices like security cameras and DVRs, and directed them for cyberattacks and traffic scams.

In one conversation, Jha told White that he was “an untouchable hacker god” while talking about Mirai, according to court documents.

The botnet was capable of carrying out some of the largest DDoS attacks ever recorded, including one in 2016 that caused web outages across the internet. The three defendants weren’t behind the massive outage, but instead were selling access to Mirai and making thousands of dollars, according to court documents.

Helping the FBI

The three hackers pleaded guilty in December, but had been helping the government with cybersecurity for 18 months, even before they were charged. Prosecutors estimated they’ve worked more than 1,000 hours with the FBI — about 25 weeks in a typical workplace.

That includes working with FBI agents in Anchorage, Alaska, to find botnets and free hacker-controlled computers, and building tools for the FBI like a cryptocurrency analysis program.

In March, the three hackers helped stop the Memcached DDoS attack, a tool that was capable of blasting servers with over a terabyte of traffic to shut them down.

“The impact on the stability and resiliency of the broader Internet could have been profound,” US attorneys said in a court document. “Due to the rapid work of the defendants, the size and frequency of Memcache DDoS attacks were quickly reduced such that within a matter of weeks, attacks utilizing Memcache were functionally useless.”

According to US officials, the three hackers also last year helped significantly reduce the number of DDoS attacks during Christmas, when activity usually spikes. Along with helping the FBI, the three defendants have also worked with cybersecurity companies to identify nation-state hackers and assisted on international investigations.

Jha now works for a cybersecurity company in California while also attending school. Dalton has been continuing his work with FBI agents while attending school at the University of New Orleans, and White is working at his family’s business.

Prosecutors heavily factored their “immaturity” and “technological sophistication” as part of the decision.

“All three have significant employment and educational prospects should they choose to take advantage of them rather than continuing to engage in criminal activity,” the court documents said.

Source: https://www.cnet.com/news/hackers-behind-mirai-botnet-could-be-sentenced-to-working-for-the-fbi/

  • 0

What Feds Can Do to Guard Against DDoS Attacks and the Botnet Threat

In October 2016, the Mirai botnet took down domain name system provider Dyn, waking much of the world up to the fact that Internet of Things devices could be weaponized in a massive distributed denial of service (DDoS) attack. Although DDoS attacks have been around since the early days of the modern internet, IT communities around the globe came to realize that IoT devices could be leveraged in botnet attacks to go after all kinds of targets.

In the case of Dyn, the cyberattack took huge chunks of the web offline, since Dyn served as a hub and routing service for internet traffic. The attack temporarily shut off access to Twitter, Netflix, Spotify, Box, GitHub, Airbnb, reddit, Etsy, SoundCloud and other sites.

The rising prominence of botnets in DDoS attacks also prompted the federal government to take a stronger interest. President Donald Trump’s May 2017 executive order on cybersecurity directed the secretaries of Commerce and Homeland Security to lead “an open and transparent process to identify and promote action by appropriate stakeholders” that would improve the resilience of the internet and encourage collaboration around the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”

In late May, the departments of Commerce and Homeland Security issued a final report on the topic, which included numerous recommendations for agencies to take to mitigate DDoS attacks and botnet threats.

The government, the report says, “should leverage industry-developed capability baselines, where appropriate, in establishing capability baselines for IoT devices in U.S. government environments to meet federal security requirements, promote adoption of industry-led baselines, and accelerate international standardization.”

Among numerous other measures, the report says that agencies should put in place basic DDoS prevention and mitigation measures for all federal networks, and ensure they are not used to amplify DDoS attacks.

Before federal IT leaders and professionals put mitigation and prevention measures in place, it’s worth taking time to understand the nature of the threat. Here is a primer on DDOs attacks, botnets, the damage they can do and how agencies can guard against them.

What Is a DDoS Attack?

A DDoS attack is a cyberattack in which multiple compromised systems attack a given target, such as a server or website, to deny users access to that target.

Attackers often use compromised devices — desktops, laptops, smartphones or IoT devices — to command them to generate traffic to a website in order to disable it, in ways that the user does not even detect.

“The smart cybercriminal imposes limits on the malware code to avoid detection by not utilizing too much of the user’s bandwidth or system resources,” Carl Danowski, a CDW service delivery architect in managed services, writes in a blog post. “The user would have to know where to look to detect this, and probably won’t be motivated to as long as the software doesn’t cause any problems for them. The attack does not use just a single system but millions of such compromised systems, nearly simultaneously.”

The malware then visits or sends special network packets (OSI Layer 7 and Layer 3, respectively) to the website or DNS provider. The attack then generates what looks like, to most cybersecurity tools, normal traffic or unsuccessful connection attempts.

“However, the website soon becomes unavailable as some part of the infrastructure can no longer handle the sheer number of simultaneous requests,” Danowski notes. “It could be the router, the firewall, the web servers, the database servers behind the web servers — any number of points can become overwhelmed, leading to the unavailability of the service they are providing. As a result, legitimate users of the website are denied service.”

As the DHS/Commerce report notes, DDoS attacks have been a concern since the early days of the internet and were a regular occurrence by the early 2000s. They can “overwhelm networked resources, sending massive quantities of spam, disseminating keylogger and other malware.”

What Is a Botnet Attack?

Botnet attacks are related to DDoS attacks. Not all botnets are malicious; a botnet is a simply a group of connected computers working together to execute repetitive tasks, and can keep websites up and running. However, malicious botnets use malware to take control of internet-connected devices and then use them as a group to attack.

“More often than not, what botnets are looking to do is to add your computer to their web,” a blog post from anti-virus firm Norton notes. “That usually happens through a drive-by download or fooling you into installing a Trojan horse on your computer. Once the software is downloaded, the botnet will now contact its master computer and let it know that everything is ready to go. Now your computer, phone or tablet is entirely under the control of the person who created the botnet.”

Malicious botnets are often used to amplify DDoS attacks, as well as sending out spam, generating traffic for financial gain and scamming victims.

The rise of the IoT makes botnets more dangerous and potentially virulent. The IoT means there are simply many more (usually unsecured) connected devices for attackers to target. As a result, the DHS/Commerce report notes, “DDoS attacks have grown in size to more than one terabit per second, far outstripping expected size and excess capacity. As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved.”

Further, the report adds, traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, “were not designed to remedy other classes of malicious activities facilitated by botnets, such as ransomware or computational propaganda.”

Botnet Detection and Removal Tools

Botnet detection can be difficult, since infected bots are designed to operate without users knowing about them. A blog post from CA Technologies suggests several symptoms of botnet infection that administrators should look for. These Include:

  • Internet Relay Chat traffic (botnets and bot masters use IRC for communications)
  • Connection attempts with known command-and-control servers
  • Multiple machines on a network making identical DNS requests
  • High outgoing Simple Message Transfer Protocol traffic (as a result of sending spam)
  • Unexpected pop-ups (as a result of clickfraud activity)
  • Slow computing/high CPU usage spikes in traffic, especially on Port 6667 (used for IRC), Port 25 (used in email spamming) and Port 1080 (used by proxy servers)
  • Outbound messages (email, social media, instant messages, etc.) that weren’t sent by the user

Some tools, such as CDW’s Threat Check tool, perform passive inspection of all inbound and outbound network traffic and look for evidence of malicious activity. “It will not block any traffic but simply monitor and report on what it sees. This includes connections to botnets, connections to command and control servers, remote access tools, visits to sites hosting malicious code, or any other evidence of an infection,” Aaron Colwell, manager of strategic software sales for the analytics practice at CDW, writes on CDW’s solutions blog.

“Botnet detection is useless without having botnet removal capabilities,” the CA blog notes. “Once a bot has been detected on a computer, it should be removed as quickly as possible using security software with botnet removal functionality.”

Microsoft offers tools to remove malicious software, as do many other security software companies.

A Brief History of DDoS Attacks: Reaper, Zeus and Mirai Botnets

In recent years, there have been several high-profile botnet attacks that have rocketed around the internet, causing varying levels of devastation to IT environments.

According to CSO Online, the Mirai botnet was actually created by Paras Jha, then an undergraduate at Rutgers University, who became interested in how DDoS attacks could be used for profit, especially by using DDoS attacks to disable rival servers that might be used to host the online game Minecraft.

The major Mirai botnet attack took down the security blog KrebsOnSecurity in September 2016, and its source code was published online a few weeks later. Then came the major attack on Dyn. “The FBI believes that this attack was ultimately targeting Microsoft game servers,” which can be hosted and used to generate money from Minecraft players, CSO reports. The attack spread to vulnerable devices “by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords,” Krebs reports.

Although Mirai is still causing problems across the web, the Justice Department in December 2017 secured guilty pleas from Jha and Josiah White for their roles in developing and using Mirai.

Another recent botnet that made waves is Reaper, which is built on parts of Mirai’s code. However, as Wired details, it is different in dangerous ways. “Instead of merely guessing the passwords of the devices it infects, it uses known security flaws in the code of those insecure machines, hacking in with an array of compromise tools and then spreading itself further,” the publication reports, meaning that it could “become even larger — and more dangerous — than Mirai ever was.” The botnet surfaced in January when it was used to target financial services firms in the Netherlands, Security Week reports.

In 2014, the GameOver Zeus botnet rose to prominence, and was “responsible for the theft of millions of dollars from businesses and consumers in the U.S. and around the world,” according to the FBI.

“GameOver Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects,” the FBI noted. “It’s predominantly spread through spam e-mail or phishing messages.”

In February 2015, the FBI announced a $3 million bounty for information leading to the arrest and conviction of Evgeniy Mikhailovich Bogachev, a Russian national the government believes is responsible for building and distributing the Zeus banking Trojan.

How Feds Can Respond to the Botnet Threat

The DHS/Commerce report offers agencies guidance on how they can combat DDoS and botnet attacks.

First, the report says that stakeholders and subject matter experts, in consultation with the National Institute of Standards and Technology, should lead the development of a Framework for Improving Critical Infrastructure Cybersecurity Profile for enterprise DDoS prevention and mitigation.

“The profile would help enterprises identify opportunities to improve DDoS threat mitigation and aid in cybersecurity prioritization by comparing their current state with the desired target state,” the report says. “The profile would likely include multiple levels to support industry sectors with different resilience requirements.”

After that is created, the report says agencies “should implement basic DDoS prevention and mitigation measures for all federal networks to enhance the resilience of the ecosystem and demonstrate the practicality and efficacy of the profile.”

In the past, the report notes, “hackers have leveraged federal networks in DDoS attacks using open resolvers and other agency resources to amplify their attacks.” DNS primarily translates hostnames to IP addresses or IP addresses to hostnames. As TechTarget notes, DNS resolvers are “servers that client systems use to resolve domain names.”

The report says that “poorly administered enterprise resources, such as open DNS resolvers, are often leveraged to amplify attacks.” Many network vendors, including Cisco Systems, offer agencies and other organizations best practices for guarding against DNS attacks.

“The federal government should lead by example, ensuring that federal resources are not unwitting participants and that federal networks are prepared to detect, mitigate, and respond as necessary,” the DHS/Commerce report states.

The administration should mandate implementation of the federal cybersecurity framework profile for DDoS prevention and mitigation by all government agencies within a fixed period after completion and publication of the profile, the report advises.

“The federal government should evaluate and implement effective ways to incentivize the use of software development tools and processes that significantly reduce the incidence of security vulnerabilities in all federal software procurements, such as through attestation or certification requirements,” the report adds.

To establish market incentives for secure software development, the government should “establish procurement regulations that favor or require commercial off-the-shelf software that is developed using such processes, when available,” and “should also ensure that government-funded software development projects use the best available tools to obtain insight into the impact of these regulations.”

Source: https://fedtechmagazine.com/article/2018/09/what-feds-can-do-guard-against-ddos-attacks-and-botnet-threat-perfcon

  • 0

Who’s hacking into UK unis? Spies, research-nickers… or rival gamers living in res hall?

Report fingers students and staff for academic cyber-attacks

Who’s hacking into university systems? Here’s a clue from the UK higher education tech crew at Jisc: the attacks drop dramatically during summer break.

A new study from Jisc (formerly the Joint Information Systems Committee) has suggested that rather than state-backed baddies or common criminals looking to siphon off academic research and personal information, staff or students are often the culprits in attacks against UK higher education institutions.

The non-profit body, which provides among other things internet connectivity to universities, analysed 850 attacks in the 2017-18 academic year and found a consistent pattern that occurred during term time and the UK working day.

Holidays brought with them a sharp reduction in attacks, from a peak 60-plus incidents a week during periods of the autumn term to a low of just one a week at times in the summer. It acknowledged that part of the virtual halt in summer may be down to cops and Feds cracking down on black hat distributed denial-of-service tools in the months prior, however.

Jisc is perhaps better known among Reg readers for providing the Janet network to UK education and research institutions.

Its data covered cyber-attacks against almost 190 universities and colleges and focused on denial-of-service and other large-scale infosec hits rather than phishing frauds and malware.

Staff and students with a grudge or out to cause mischief are more credible suspects in much of this rather than external hackers or spies. More sophisticated hackers might be inclined to use DDoS as some sort of smokescreen.

In a blog post, Jisc security operations centre head John Chapman admitted some of the evidence suggesting staff and students might be behind DDoS attacks is circumstantial. However, he pointed out evidence from law enforcement and detected cyber assaults supported this theory. For example, a four-day DDoS attack the unit was mitigating against was traced back to a university hall of residence – and turned out to be the result of a feud between two rival gamers.

Whoever might be behind them, the number of incidents is growing. Attacks are up 42 per cent to reach this year’s 850; the previous academic year (2016-17) witnessed less than 600 attacks against fewer than 140 institutions.

Matt Lock, director of solutions engineers at Varonis, said: “This report is another reminder that some of the biggest threats facing organisations today do not involve some hoodie-wearing, elusive computer genius.”

Education is targeted more often than even the finance and retail sectors, according to McAfee research (PDF).

Nigel Hawthorn, data privacy expert at McAfee, commented in March:

“The kind of data held by universities (student records/intellectual property) is a valuable commodity for cyber criminals, so it is crucial that the security and education sectors work together to protect it.

Source: https://www.theregister.co.uk/2018/09/17/cyber_attack_uk_universities/

  • 0

DDoS attacks: Students blamed for many university cyber attacks

DDoS attacks against university campuses are more likely in term time.

Nation-states and criminal gangs often get the blame for cyber attacks against universities, but a new analysis of campaigns against the education sector suggests that students — or even staff — could be perpetrators of many of these attacks.

Attributing cyber attacks is often a difficult task but Jisc, a not-for-profit digital support service for higher education, examined hundreds of DDoS attacks against universities and has come to the conclusion that “clear patterns” show these incidents take place during term-time and during the working day — and dramatically drop when students are on holiday.

“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector,” said John Chapman, head of security operations at Jisc.

While the research paper notes that in many cases the reasons behind these DDoS campaigns can only be speculated about, just for fun, for the kudos and to settle grudges are cited as potential reasons.

In one case, a DDoS attack against a university network which took place across four nights in a row was found to be specifically targeting halls of residence. In this instance, the attacker was launching an attack in order to disadvantage a rival in online games.

The research notes that attacks against universities usually drop off during the summer — when students and staff are away — but that the dip for 2018 started earlier than it did in 2017.

“The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity — Operation Power Off took down a ‘stresser’ website at the end of April,” said Chapman.

The joint operation by law enforcement agencies around the world took down ‘Webstresser’, a DDoS for hire service which illegally sold kits for overwhelming networks and was, at the time, the world’s largest player in this space. This seemingly led to a downturn in DDoS attacks against universities.

But universities ignore more advanced threats “at their peril” said Chapman. “It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.”

Despite this, a recent survey by Jisc found that educational establishments weren’t taking cyber attacks seriously, as they weren’t considered a priority issue by many.

“When it comes to cyber security, complacency is dangerous. We do everything we can to help keep our members’ safe, but there’s no such thing as a 100% secure network,” said Chapman.

Source: https://www.zdnet.com/article/ddos-attacks-students-blamed-for-many-university-cyber-attacks/

  • 0

How to train your network: the role of artificial intelligence in network operations

With the help of machine learning and AI, software-defined networks could soon aid businesses with network management.

A network that can fix and optimize itself without human intervention could become a reality soon – but not without some training. With the help of machine learning and artificial intelligence, software-defined networks can learn to help with network management by using operational data.  Initial application of AI to WAN operations includes security functions such as DDoS attack mitigation as well as near real-time, automated path selection, and eventually AI-defined network topologies and basic operations essentially running on ‘auto-pilot’.

Enhancing IT operations with artificial intelligence (AI), including configuration management, patching, and debugging and root cause analysis (RCA) is an area of significant promise – enough so that Gartner has defined the emerging market as “AIOps”. These platforms use big data and machine learning to enhance a broad range of IT operations processes, including availability and performance monitoring, event correlation and analysis, IT service management, and automation (Gartner “Market Guide for AIOps platforms,” August 2017).

Gartner estimates that by 2022, 40 percent of all large enterprises will combine big data and machine learning functionality to support and partially replace monitoring, service desk and automation processes and tasks, up from five percent today.

Limits of automation and policy for NetOps

Given the traditional split between APM (application performance management) and NPM (network performance management), even the best network management tools aren’t always going to help trace the root cause of every application and service interruption. There can be interactions between network and application that give rise to an issue, or a router configuration and issue with a service provider that’s impacting application performance.

Network operations personnel might respond to an incident by setting policies in the APM or NPM systems that will alert us when an unwanted event is going to happen again. The issue with policy-based management is that it is backwards looking. That’s because historical data is used to create into policies that should prevent something from happening again. Yet, policy is prescriptive; it doesn’t deal with unanticipated conditions. Furthermore, changes in business goals again more human intervention if there isn’t a matching rule or pre-defined action.

On the whole, SD-WAN services represent an improvement over management of MPLS networks. Still, the use of an SD-WAN isn’t without its own challenges. Depending on the number of locations that have to be linked, there can be some complexity in managing virtual network overlays. The use of on-demand cloud services adds another layer of complexity. Without sufficient monitoring tools, problems can escalate and result in downtime. At the same time, adding people means adding cost, and potentially losing some of the cost efficiencies of SD-WAN services.

AI is way forward for SD-WAN management

What would AIOps bring to SD-WAN management?

Starting with a programmable SD-WAN architecture is an important first step towards a vision of autonomous networking.  Programmable in this case means API-driven, but the system also needs to leverage data from the application performance and security stack as well as the network infrastructure as inputs into the system so that we can move from simple alerting to intelligence that enables self-healing, managing and optimization with minimal human intervention.

Monitoring all elements in the system in real time (or at least near real time) will require storing and analyzing huge amounts of data. On the hardware side, cloud IaaS services have made that possible. Acting on the information will require artificial intelligence in the form of machine learning.

Use Cases for AI in SD-WAN

There are a variety of ways to apply machine learning algorithms to large datasets from supervised to unsupervised (and points in between) with the result being applications in areas such as:

  • Security, where unexpected network traffic patterns and patterns of requests against an application can be detected to prevent DDoS attacks.
  • Enhancing performance of applications over the internet network with optimized route selection.

Looking more closely at security as a use case, how would AI and ML be able to augment security of SD-WANs? While the majority of enterprises are still trying to secure their networks with on-premise firewalls and DDoS mitigation appliances, they are also facing attacks that are bigger and more sophisticated. According to statistics gathered by Verisign last year:

  • DDoS attacks peaked at over 5Gbps approximately 25% of the time
  • During Q3 2017, 29% of attacks combined five or more different attack types.

Challenge: A multi-vector attack on an enterprise network has affected service availability in Europe.

Response: Application of AIOps to the SD-WAN underlay can automate the response to the attack. Instead of manually re-configuring systems, the network can automatically direct traffic to different traffic scrubbing centers based on real-time telemetry around network and peering point congestion, mitigation capacity, and attack type/source. Because the system can process data from outside sources at speeds far beyond human ability to manage the network, the system can adjust traffic flows back to normal transit routes as soon as the attack subsides, saving money on the cost of attack mitigation. AI and ML in conjunction with a programmable SD-WAN are capable of responding more quickly and in more granular fashion than is possible with standard policy-based “automatic detection” and mitigation techniques.

Where does AI in network go next?

Although the industry is still in the early days of applying machine learning to networking, there are a number of efforts underway to keep an eye on. One is the Telecom Infra Project (TIP), founded by Facebook and telecom first firms such as Deutsche Telecom and SK Telecom, which now counts several hundred other companies as members. The TIP recently started collaborating on AI with an eye towards predictive maintenance and dynamic allocation of resources. Important groundwork for the project will include defining common dataset formats that are used to train systems. That work could lead to further sharing of data between network providers and web companies, offering the prospect of significant improvements to security and threat detection for enterprises and consumers.

Further in the future, we might expect to see an AI designed network topology, combined with SDN control over resources. Networking will have moved from a paradigm of self-contained networks to a network ‘awareness’ overlay which enables coordinated, intelligent actions based on operator intention. Network engineers can put the system on ‘auto-pilot’ during everyday computing, and instead spend time orchestrating resources based on the goals of the business.

Source: https://www.itproportal.com/features/how-to-train-your-network-the-role-of-artificial-intelligence-in-network-operations/

  • 0

DDoS Attacks Increase in Size by 500%

According to the Q2 2018 Threat ReportNexusguard’s quarterly report, the average distributed denial-of-service (DDoS) attack grew to more than 26Gbps, increasing in size by 500%.

The research looked at the same period last year and found that the maximum attack size quadrupled to 359Gbps. Evaluating thousands of worldwide DDoS attacks, researchers reportedly gathered real-time attack data from botnet scanning, honeypots, ISPs and traffic moving between attackers and their targets. Data analysis led researchers to attribute the stark surge to IoT botnets and Satori malware exploits, one of many variants of the Mirai malware.

“Due to the increase in IoT-related malware exploits and the rampant growth of large-scale DDoS attacks, research conclusions point to the continued use of IoT botnets. Cyber-attacks hit the 2018 FIFA World Cup, as well as cryptocurrency-related businesses, maximizing revenue loss,” Nexusguard wrote in a press release. Additionally, attacks on the Verge Network (XVG) resulted in a significant loss of 35 million XVG tokens.

“The biggest zero-day risks can stem from various types of home routers, which attackers can exploit to create expansive DDoS attacks against networks and mission-critical services, resulting in jumbo-sized attacks intended to cripple targets during peak revenue-generating hours,” said Juniman Kasman, chief technology officer for Nexusguard.

“Telcos and other communications service providers will need to take extra precautions to guard bandwidth against these super-sized attacks to ensure customer service and operations continue uninterrupted.”

Nexusguard analysts advise communications service providers (CSPs) and other potentially vulnerable operations to augment their preparedness so that they are able to maintain their bandwidth, especially if they lack full redundancy and failover plans in their infrastructures. CSPs and vulnerable organizations that enhance bandwidth protection will be better positioned to stay ahead of the surging attack sizes.

“In the quarter, increasingly large attacks (a YoY average-size increase of 543.17%) had a severe impact on Communication Service Providers (CSP),” the report said. “Serving as a link between attack sources and victim servers and infrastructures, CSPs bear the burden of the increasing size of traffic, irrespective of its source or destination. As such, Internet service is degraded.”

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-increase-in-size-by/

  • 0

Edinburgh Uni Hit by Major Cyber-Attack

The website of Edinburgh University was still down at the time of writing after the institution suffered a major cyber-attack during its Freshers’ Week.

A university spokesman told the Edinburgh Evening News that it has “rigid measures in place” to protect IT systems and data.

“Our defenses reacted quickly and no data has been compromised,” he added. “We will continue to work with our internet service provider, [national cybercrime investigators] and with other universities to prevent these network attacks in future.”

The main ed.ac.uk site was still down on Thursday morning, nearly 24 hours after the first reports of an attack went online. That would indicate a serious DDoS attack.

Jisc, the UK non-profit which runs the super-fast Janet network for research and educational institutions, released a statement claiming that a “number of universities” have been targeted this week and adding that the number of DDoS attacks on them “typically increases at this time of year, when students are enrolling at, or returning to university.”

“While Jisc is responsible for protecting connections to the Janet Network for its members (colleges, universities and research centres), members are responsible for protecting their own cyberspace,” it added. “However, Jisc also provides DDoS threat intelligence to its community and provides advice to members affected by cyber-attacks on how to deal with the problem and minimize the impact.”

Ironically, Edinburgh University was praised by the government this year for carrying out cutting-edge cybersecurity research. It is one of 14 Academic Centres of Excellence in Cyber Security Research, backed by the £1.9bn National Cyber Security Strategy.

DDoS attacks grew by 40% year-on-year in the first six months of 2018, according to new figures from Corero Networks.

The security firm claimed that attacks are becoming shorter — with 82% lasting less than 10 minutes — and smaller, with 94% under 5Gbps. However, one in five victims are hit with another attack within 24 hours, the report revealed.

Source: https://www.infosecurity-magazine.com/news/edinburgh-uni-hit-by-major-cyber/

  • 0