When 911 Goes Down: Why Voice Network Security Must Be a Priority

When there’s a DDoS attack against your voice network, are you ready to fight against it?

An estimated 240 million calls are made to 911 in the US each year. With the US population estimated at more than 328 million people as of November 2018, this means each US resident makes, on average, more than one 911 call per year. 911 is a critical communications service that ensures the safety and individual welfare of our nation’s people.

So, what happens when the system goes down?

Unfortunately, answers can include delays in emergency responses, reputational damage to your brand or enterprise by being associated with an outage, and even loss of life or property. We have seen very recent examples of how disruption in 911 services can impact municipalities. For example, days after Atlanta was struck by a widespread ransomware attack, news broke of a hacking attack on Baltimore’s computer-assisted dispatch system, which is used to support and direct 911 and other emergency calls. For three days, dispatchers were forced to track emergency calls manually as the system was rebuilt — severely crippling their ability to handle life-and-death situations.

In 2017, cybersecurity firm SecuLore Solutions reported that there had been 184 cyberattacks on public safety agencies and local governments within the previous two years. 911 centers had been directly or indirectly attacked in almost a quarter of those cases, most of which involved distributed denial-of-service (DDoS) attacks.

Unfortunately, these kinds of DDoS attacks will continue unless we make it a priority to improve the security of voice systems, which remain dangerously vulnerable. This is true not just for America’s emergency response networks, but also for voice networks across a variety of organizations and industries.

The Evolving DDoS Landscape
In today’s business world, every industry sector now relies on Internet connectivity and 24/7 access to online services to successfully conduct sales, stay productive, and communicate with customers. With each DDoS incident costing $981,000 on average, no organization can afford to have its systems offline.

This is a far cry from the early days of DDoS, when a 13-year-old studentdiscovered he could force all 31 users of the University of Illinois Urbana-Champaign’s CERL instruction system to power off at once. DDoS was primarily used as a pranking tool until 2007, when Estonian banks, media outlets, and government bodies were taken down by unprecedented levels of Internet traffic, which sparked nationwide riots.

Today, DDoS techniques have evolved to use Internet of Things devices, botnets, self-learning algorithms, and multivector techniques to amplify attacks that can take down critical infrastructure or shut down an organization’s entire operations. Last year, GitHub experienced the largest-ever DDoS attack, which relied on UDP-based memcached traffic to boost its power. And just last month, GitHub experienced a DDoS attack that was four times larger.

As these attacks become bigger, more sophisticated, and more frequent, security measures have also evolved. Organizations have made dramatic improvements in implementing IP data-focused security strategies; however, IP voice and video haven’t received the same attention, despite being equally vulnerable. Regulated industries like financial services, insurance, education, and healthcare are particularly susceptible — in 2012, a string of DDoS attacksseverely disrupted the online and mobile banking services of several major US banks for extended periods of time. Similarly, consider financial trading — since some transactions are still done over the phone, those jobs would effectively grind to a halt if a DDoS attack successfully took down their voice network.

As more voice travels over IP networks and as more voice-activated technologies are adopted, the more DDoS poses a significant threat to critical infrastructure, businesses, and entire industries. According to a recent IDC survey, more than 50% of IT security decision-makers say their organization has been the victim of a DDoS attack as many as 10 times in the past year.

Say Goodbye to DDoS Attacks
For the best protection from DDoS attacks, organizations should consider implementing a comprehensive security strategy that includes multiple layers and technologies. Like any security strategy, there is no panacea, but by combining the following solutions with other security best practices, organizations will be able to better mitigate the damages of DDoS attacks:

  • Traditional firewalls: While traditional firewalls likely won’t protect against a large-scale DDoS attack, they are foundational in helping organizations protect data across enterprise networks and for protection against moderate DDoS attacks.
  • Session border controllers (SBCs): What traditional firewalls do for data, SBCs do for voice and video data, which is increasingly shared over IP networks and provided by online services. SBCs can also act as session managers, providing policy enforcement, load balancing and network/traffic analysis. (Note: Ribbon Communications is one of a number of companies that provide SBCs.)
  • Web application firewalls: As we’ve seen with many DDoS attacks, the target is often a particular website or online service. And for many companies these days, website uptime is mission-critical. Web application firewalls extend the power of traditional firewalls to corporate websites.

Further, when these technologies are paired with big data analytics and machine learning, organizations can better predict normative endpoint and network behavior. In turn, they can more easily identify suspicious and anomalous actions, like the repetitive calling patterns representative of telephony DoS attacks or toll fraud.

DDoS attacks will continue to be a threat for organizations to contend with. Cybercriminals will always look toward new attack vectors, such as voice networks, to find the one weak spot in even the most stalwart of defenses. If organizations don’t take the steps necessary to make voice systems more secure, critical infrastructure, contact centers, healthcare providers, financial services and educational institutions will certainly fall victim. After all, it only takes one overlooked vulnerability to let attackers in.

Source: https://www.darkreading.com/attacks-breaches/when-911-goes-down-why-voice-network-security-must-be-a-priority-/a/d-id/1333782

Hacktivist Gets 10-Year Prison Sentence for DDoS Attack on Hospitals

A 34-year-old man from Somerville, Massachusetts, has been sentenced to 10 years in prison for launching distributed denial-of-service (DDoS) attacks against two healthcare organizations in the United States.

Martin Gottesfeld, who identified himself as a member of the Anonymous movement, was accused of launching DDoS attacks against the Boston Children’s Hospital and the Wayside Youth and Family Support Network back in 2014.

The attacks on these organizations were part of a campaign related to Justina Pelletier, a teen who had been the subject of a high-profile custody battle between her parents and the state of Massachusetts.

Boston Children’s Hospital and Pelletier’s parents entered a dispute over a diagnosis and a judge awarded custody of the teen to the state. Pelletier was later moved to Wayside Youth and Family Support Network, a residential treatment facility.

Gottesfeld posted a video on YouTube in the name of Anonymous urging others to launch DDoS attacks on the Boston Children’s Hospital until Pelletier was released.

According to authorities, the DDoS attack aimed at the hospital was powered by tens of thousands of bots. The attack caused disruptions not only to the Boston Children’s Hospital, but also several other medical facilities in the Longwood Medical Area.

The Boston hospital claimed that the attack had cost it over $300,000 and led to the organization losing roughly $300,000 in donations due to the attack disabling its fundraising portal.

Gottesfeld became a suspect a few months after the attacks were launched. His home was searched and his devices were seized, but he was not charged at the time. In February 2016, he and his wife attempted to flee the country on a small boat, but they returned to the US on a Disney Cruise Ship that had rescued them off the coast of Cuba.

Gottesfeld was arrested upon his return. He was convicted by a jury on August 1, 2018, of one count of conspiracy to damage protected computers and one count of damaging protected computers.

He has now been sentenced to 121 months in prison and ordered to pay nearly $443,000 in restitution.

According to Reuters, Gottesfeld plans on appealing the sentence, but says he has no regrets.

Source: https://www.securityweek.com/hacktivist-gets-10-year-prison-sentence-ddos-attack-hospitals

Blockchain Technology can be Critical to IoT Infrastructure Security

Over 45 billion IoT devices are expected to be connected by 2021, while the cumulative cost of data breaches between 2017 and 2022 is expected to touch $8 trillion

The era of Internet of things (IoT) is upon us and it is impacting our lives. Today, technology has pervaded into nearly all walks of life, and constant innovation has made it almost impossible to stay disconnected. However, with all the convenience that connected devices offer, there is also a growing risk of cyber threats that can cripple the IoT networks and infrastructure, and cause considerable economic and personal harm to users.

According to a report by Juniper Research, as much as 46 billion IoT devices are expected to be connected by 2021, while the cumulative cost of data breaches between 2017 and 2022 is expected to touch $8 trillion. Securing IoT would require adopting a future-ready, flexible and highly scalable cybersecurity strategy – a significant shift from current reactive approaches used by businesses that involve patching discovered vulnerabilities and adding new solutions without performing a comprehensive assessment.

IoT makes it possible to connect previously closed devices and appliances to the Internet and allow users to control their operations remotely. However, as more closed systems are made accessible online, they also become increasingly vulnerable to cyberattacks and hacks. From smart homes and offices to connected cars, unmanned aerial vehicles, autonomous trucks and even to critical infrastructure like industrial control systems as part of industrial Internet of things (IIoT) – all existing and emerging IoT networks face a very high risk of cyber threats.

Blockchain-powered cybersecurity  

An emerging technology alongside IoT which offers much promise in helping secure connected devices is blockchain technology. While blockchain technology gained prominence originally in the world of fintech by ushering in the revolution of digital payments, this underlying technology behind the success and rise of cryptocurrencies could play an important role in cybersecurity, especially in the IoT space.

A blockchain-based cybersecurity platform can secure connected devices using digital signatures to identify and authenticate them, adding them as authorized participants in the blockchain network and ring-fencing critical infrastructure by rendering them invisible to unauthorized access attempts. Each authenticated device joining the blockchain-based secure IoT network is treated as a participating entity, just like in a conventional blockchain network. All communication among these verified participants (IoT devices) are cryptographically secure and are stored in tamper-proof logs.

Every new device added to the network is registered by assigning a unique digital ID on the blockchain network, and the platform provides secure channels for inter-device communication and offers all connected devices secure access to core systems or infrastructure as well. A blockchain-based cybersecurity solution can additionally leverage Software-Defined Perimeter (SDP) architecture and utilize a Zero-Trust model to render all authenticated devices invisible to attackers. This means that only verified devices can “see” or know of the existence of other connected devices, adding an extra layer of security to the IoT infrastructure.

Benefits and the way forward

A blockchain powered platform uses a decentralized set-up, further denying cyber attackers a single point of failure to target to bring down such a network. Consensus-based control distributes the responsibility of security across nodes within a blockchain network, making it impossible for hackers to spoof their way into such a network, and also protecting IoT networks from being brought down via DDoS attacks. Decentralization also makes such a solution highly scalable – one of the biggest concerns of implementing cybersecurity on an ever-growing network such as in the case of connected devices. With every new device that gets added/removed, the change is immediately notified to all participants, letting the system be adaptable and flexible to expand and evolve over time without significant upgrades to the platform in entirety.

Such a system can be used to secure smart homes, connected autonomous vehicles, critical IIoT infrastructure and even entire smart cities. A cybersecurity solution based on blockchain technology enhanced using SDP architecture offers a next-generation, future-proof way to secure IoT devices, networks and communication, not just from present-day vulnerabilities and cyber risks, but remain just as robust in anticipating emerging vulnerabilities and offering protection against them.

Both blockchain and IoT are emerging technologies, with most innovations in these domains being at nascent, proof-of-concept stages. However, blending the strengths of blockchain technology with the potential of IoT can quickly and effectively propel entire industries, cities and nations into the “smart” space, by easing the burden of securing an ever-expanding perimeter of unconventional devices and critical infrastructure without impeding the rate of innovation.

Source: https://www.entrepreneur.com/article/325855

Ad Fraud 101: How Cybercriminals Profit from Clicks

Fraud is and always will be a cornerstone of the cybercrime community. The associated economic gains provide substantial motivation for today’s malicious actors, which is reflected in the rampant use of identity and financial theft, and ad fraud. Fraud is, without question, big business. You don’t have to look far to find websites, on both the clear and the darknet, that profit from the sale of your personal information.

Fraud-related cyber criminals are employing an evolving arsenal of tactics and malware designed to engage in these types of activities. What follows is an overview.

Digital Fraud

Digital fraud—the use of a computer for criminal deception or abuse of web enabled assets that results in financial gain—can be categorized and explained in three groups for the purpose of this blog: basic identity theft with the goal of collecting and selling identifiable information, targeted campaigns focused exclusively on obtaining financial credentials, and fraud that generates artificial traffic for profit.

Digital fraud is its own sub-community consistent with typical hacker profiles. You have consumers dependent on purchasing stolen information to commit additional fraudulent crime, such as making fake credit cards and cashing out accounts, and/or utilizing stolen data to obtain real world documents like identification cards and medical insurance. There are also general hackers, motivated by profit or disruption, who publicly post personally identifiable information that can be easily scraped and used by other criminals. And finally, there are pure vendors who are motivated solely by profit and have the skills to maintain, evade and disrupt at large scales.

  • Identity fraud harvests complete or partial user credentials and personal information for profit. This group mainly consists of cybercriminals who target databases with numerous attack vectors for the purposes of selling the obtained data for profit. Once the credentials reach their final destination, other criminals will use the data for additional fraudulent purposes, such as digital account takeover for financial gains.
  • Banking fraud harvests banking credentials, digital wallets and credit cards from targeted users. This group consists of highly talented and focused criminals who only care about obtaining financial information, access to cryptocurrency wallets or digitally skimming credit cards. These criminals’ tactics, techniques and procedures (TTP) are considered advanced, as they often involve the threat actor’s own created malware, which is updated consistently.
  • Ad fraud generates artificial impressions or clicks on a targeted website for profit. This is a highly skilled group of cybercriminals that is capable of building and maintaining a massive infrastructure of infected devices in a botnet. Different devices are leveraged for different types of ad fraud but generally, PC-based ad fraud campaigns are capable of silently opening an internet browser on the victim’s computer and clicking on an advertisement

Ad Fraud & Botnets

Typically, botnets—the collection of compromised devices that are often referred to as a bot and controlled by a malicious actor, a.k.a. a “bot herder—are associated with flooding networks and applications with large volumes of traffic. But they also send large volumes of malicious spam, which is leveraged to steal banking credentials or used to conduct ad fraud.

However, operating a botnet is not cheap and operators must weigh the risks and expense of operating and maintaining a profitable botnet. Generally, a bot herder has four campaign options (DDoS attacks, spam, banking and ad fraud) with variables consisting of research and vulnerability discovery, infection rate, reinfection rate, maintenance, and consumer demand.

With regards to ad fraud, botnets can produce millions of artificially generated clicks and impressions a day, resulting in a financial profit for the operators. Two recent ad fraud campaigns highlight the effectiveness of botnets:

  • 3ve, pronounced eve, was recently taken down by White Owl, Google and the FBI. This PC-based botnet infected over a million computers and utilized tens of thousands of websites for the purpose of click fraud activities. The infected users would never see the activity conducted by the bot, as it would open a hidden browser outside the view of the user’s screen to click on specific ads for profit.
  • Mirai, an IoT-based botnet, was used to launch some of the largest recorded DDoS attacks in history. When the co-creators of Mirai were arrested, their indictments indicated that they also engaged in ad fraud with this botnet. The actors were able to conduct what is known as an impression fraud by generating artificial traffic and directing it at targeted sites for profit. 

The Future of Ad Fraud

Ad fraud is a major threat to advertisers, costing them millions of dollars each year. And the threat is not going away, as cyber criminals look for more profitable vectors through various chaining attacks and alteration of the current TTPs at their disposal.

As more IoT devices continue to be connected to the Internet with weak security standards and vulnerable protocols, criminals will find ways to maximize the profit of each infected device. Currently, it appears that criminals are looking to maximize their new efforts and infection rate by targeting insecure or unmaintained IoT devices with a wide variety of payloads, including those designed to mine cryptocurrencies, redirect users’ sessions to phishing pages or conduct ad fraud.

Source: https://securityboulevard.com/2019/01/ad-fraud-101-how-cybercriminals-profit-from-clicks/

FragmentSmack: How is this denial-of-service exploited?

FragmentSmack, a DDoS vulnerability first discovered in Linux, affects Windows as well as nearly 90 Cisco products. Discover how it can be exploited with Judith Myerson.

A distributed denial-of-service vulnerability called FragmentSmack enables an unauthenticated remote attacker to disable servers with a stream of fragmented IP packets that activate the vulnerability on affected systems. First discovered in Linux, and now also found in Windows, FragmentSmack affects many products, including nearly 90 from Cisco. How can this vulnerability be exploited, and how big is the threat?
FragmentSmack is a vulnerability in the IP stack that can be used to execute a distributed denial-of-service attack. The vulnerability affects Linux kernel version 3.9 or later, and it was discovered in some Cisco products by the Vulnerability Coordination team of the National Cyber Security Centre of Finland and the CERT Coordination Center. The flaw is caused by inefficient algorithms used in IP implementations to reassemble fragmented IPv4 and IPv6 packets.

An attacker using the FragmentSmack vulnerability could exploit it remotely by continuously sending crafted packets — that appear to be fragments of larger packets that need to be reassembled — to cause the system to become unresponsive, as 100% of the CPU cores will be in use.

In one scenario, an attacker could send a stream of 8-byte sized IP fragments, each starting with randomly chosen offset values, to a server. The queue of malformed IP fragments waiting for reassembly — which will never happen because the fragments are not part of any legitimate packets — increases in size until all the CPU core resources are consumed, leaving no room for other tasks the system needs to perform.

The attacker doesn’t specify what core the malformed packets are sent to and the Linux kernel automatically distributes the reassembly to different cores. While such an attack could take a server down, once the flow of malicious fragments stops, the targeted server can resume its normal function.

Cisco’s vulnerable listed products include network and content security devices, voice and unified communications devices, and telepresence and transcending devices.

Likewise, this threat has extended to Microsoft and Red Hat, and the affected Microsoft’s Window systems include versions 7, 8.1 and 10, as well as all the Windows Server versions. Windows 10 — 64 bit — in particular, features an option for Windows Subsystem for Linux that is vulnerable. Turning off this option doesn’t prevent the attacker from exploiting the vulnerability, however.

Vulnerable Red Hat products include Virtualization 4, Enterprise MRG, Enterprise Linux Atomic Host and Enterprise Linux versions 6, 7, Real Time 7, 7 for ARM64 and 7 for Power.

Source: https://searchsecurity.techtarget.com/answer/FragmentSmack-How-is-this-denial-of-service-exploited

In the DNI reported on DDoS-attack on the site of the national police

The website of the people’s militia department of the self-proclaimed Donetsk people’s republic was subjected to DDoS attacks, said the head of the people’s militia press service, Daniel Bezsonov.

According to him, this happened after the agency announced that Kiev was preparing a large-scale offensive in the Donbass.

“It has been established that the attack was carried out from the Ukrainian and Baltic IP addresses,” Betsonov quoted the Donetsk News Agency.

In October 2016, the DPR announced that hackers from Ukraine had hacked and blocked the database of the self-proclaimed Donetsk People’s Republic pension fund, as a result of which payments to DPR residents were suspended.

Source: http://www.tellerreport.com/news/–in-the-dni-reported-on-ddos-attack-on-the-site-of-the-national-police-.BkyHtk6JE.html

Small Businesses Lose $80K on Average to Cybercrime Annually, Better Business Bureau Says

The growth of cybercrime will cost the global economy more than $2 trillion by 2019, according to the Better Business Bureau’s 2017 State of Cybersecurity Among Small Businesses in North America report.

Cost of a Cyber Attack

When it comes to small businesses, the report said the overall annual loss was estimated at almost $80K or $79,841 on average. And as more small businesses become equal parts digital and brick-and-mortar, securing both aspects of their company is more important than ever.

The risks small business owners face in the digital world has increased their awareness of the dangers of this ecosystem. A survey conducted by GetApp in 2017 revealed security concerns ranked second as the challenges small businesses were facing.

In its report GetApp says, small businesses have to implement a multipronged approach with defense mechanism designed to “Ward off attacks from different fronts.”

However, the company doesn’t forget to address the challenges small business owners face when it comes to tackling cybersecurity with limited budgets and IT expertise while at the same time running their business.

Adopting a Small Business Cybersecurity Strategy

Why is adopting a cybersecurity strategy important for small businesses? Because according to eMarketer, in 2017 retail e-commerce sales globally reached $2.304 trillion, which was a 24.8% increase over the previous year.





Of this total, mCommerce accounted for 58.9% of digital sales and overall eCommerce made up 10.2% of total retail sales worldwide in 2017, an increase of 8.6% for the year.

What this means for small businesses is they can’t afford not to be part of this growing trend in digital commerce. They have to ensure the digital platform they have protects their organization and customers whether they are on a desktop, laptop or mobile device.

Have Clear Goals and Objectives

When it comes to cybersecurity, having clear goals and objectives will greatly determine the success of the tools, processes, and governance you put in place to combat cybercriminals.

According to GetApp, with the right cybersecurity solution in place, your small business will be able to detect and prevent a cyber-attack before it takes place.

It is important to note, there is no such thing as 100% security, whether it is in the digital or physical world. Given enough time and resources, bad actors may be able to find a vulnerability in any system. The data breaches at some of the largest organizations in the world are proof of this fact.

As a small business, your goal is to make it as difficult as possible for these bad actors to penetrate the security protocols you have in place.

Don’t Rely on a Single Solution

The GetApp report says small businesses have to fortify their organization against different threats emerging from multiple fronts.

The company says there is no single cybersecurity solution which offers complete defense against all the different types of threats that are out there. At any given time a small business can be under attack from a distributed denial of service or DDoS attack, ransomware attacks, cryptojacking, and others.

To address these challenges, GetApp recommends small businesses to implement a cybersecurity strategy with investments which include a combination of antivirus, firewall, spam filter, data encryption, data backup, and password management applications.

Last but not least, even if you have the best system in place, you have to stay vigilant at all times. Cybercriminals rely on complacency.

Source: https://smallbiztrends.com/2018/12/cost-of-a-cyber-attack-small-business.html

Council on Foreign Relations encourages global initiative to combat botnets

A global initiative of public and private organizations is needed to eliminate computer-effecting botnets, according to a new paper from the Council on Foreign Relations (CFR).

The report was written by Robert Knake, senior fellow for cyber policy at CFR and senior research scientist at Northeastern University’s Global Resilience Institute, and Jason Healey, senior research scholar in the Faculty of International and Public Affairs at Columbia University.

Criminals use botnets, or groups of computers infected with malicious software, to propagate spam, send phishing emails, guess passwords, impersonate users, and break the encryption, the report stated. Botnets are also used to carry out distributed denial of service (DDoS) attacks. DDoS attacks result in individual computers that make up the botnet to send internet traffic to a target, thereby blocking legitimate traffic.

As much as 30 percent of all internet traffic may be attributable to botnets, the report said. Many DDoS attacks are used by companies to take down their competitors’ websites or servers. China, Russia, and Iran, however, have all harnessed botnets for geopolitical purposes, according to the report.

Knake and Healey contend that government must partner with the private sector to fight this threat. As Knake explained in a recent blog post, a public-private partnership to combat botnets doesn’t have to be initiated by government agencies. Private companies may be better suited to place pressure on the actors that enable botnets to persist, he wrote.

Knake noted that most botnet takedowns had been led by private companies, such as Microsoft, which has pursued more than a dozen. Financial services firms are particularly vulnerable to them, getting hit on a daily basis with botnet-enabled fraud, Knake wrote.

A relatively small effort would help significantly reduce botnet infections, according to Knake’s post. The formation of a new organization to coordinate takedown activities would be a good place to start. A new anti-botnet organization could be used to pressure device makers, website registrars, cloud computing providers, and internet service providers (ISPs) to improve cyber hygiene.

“I can guarantee that it would only take the slightest amount of pressure from its largest customers to get Amazon to figure out a way to keep its on-demand computing platform from being botmasters’ preferred platform,” Knake wrote in his blog post on the CFR website.

The organization could also pressure device makers to prevent initial infections and make cleanup of infected devices easier.

Source: https://homelandprepnews.com/stories/31499-council-on-foreign-relations-encourages-global-initiative-to-combat-botnets/

IoT & Cybersecurity: Where we are and what needs to change

Threats are now emerging beyond home and medical devices towards IoT control systems connected to national infrastructures. It is no exaggeration to say that IoT vulnerabilities are a threat to our national and personal security – dangers brought into sharp relief by the growing weaponisation of cybersecurity on the world stage

Cybersecurity agenda

Over the last decade, the scale of cyber attacks have increased dramatically and there has been a huge increase in the scale of cyber attacks against global IT infrastructures. The increase in the number of attack vectors enabled by the internet, the level of sophistication of the attacks, the ‘staying power’ of the cyber gangs, are all markers of how cybersecurity has become the subject of major international conflict.

The rewards of cyber crime over the last decade have been lavish and can be measured in trillions of dollars. And the size of this cyber treasure chest will only increase exponentially over the next decade.

The cyber war is an asymmetric battle. According to Carbon Black, cyber criminals are spending an estimated $1 trillion each year on finding weaknesses in the cyber defences of organisations and businesses, while the same organisations and businesses are spending a mere $96 billion per year to defend themselves against these attacks.

But it’s not always the case that these threats are created by what people in the West would call ‘rogue’ states or actors.

Militarisation of cyber attacks

The biggest single factor that has emerged in the cybersecurity landscape over the last decade is the brazen and overt participation of nation states in the battle. The size of a state’s cyber capability has now become the biggest statement of its national power and global influence.

So loud are the noises around cybersecurity that cyber-aggression appears to have bumped the threat of nuclear and biowarfare down the security agenda.

In the mid-noughties there appears to have been a joint US/Israeli project to attack Iran’s nuclear programme. A virus was created which attacked the SCADA infrastructure around this programme and thus the centrifuges which were being used to enrich uranium.

Stuxnet surfaced once activated in 2010 when it preyed upon Siemens PLCs to the extent that around a third of Iran’s centrifuges were taken out of action. This might be termed a ‘successful’ attack upon the process control layer of a large utility project.

To say that cyber warfare is preferable to weapons of mass destruction might appear an understatement. However one should at the same time be mindful of the huge impacts cyber attacks could have on energy and utility companies, upon hospitals, and upon the military apparatus and democratic institutions we take for granted. Lives can be placed at risk.

Internet of Things

The massive increase in the number of devices connected to the internet continues unabated. This year there will be in the region of 23bn connected devices. This number is projected by IHS to rise to 75bn by 2025. This huge growth presents an ever increasing ‘attack surface’ for the cyber gangs to attack.

The traditional target area for IoT cyber attacks has its origins very much in the home device front. A prime example would be the 2016 Mirai botnet attack which infected around 600,000 IoT devices. The devices affected in the main were internet routers, but connected cameras were also compromised.

Mirai wreaked havoc by launching a distributed denial of service (DDoS) attack and overwhelming the devices’ networks.

By 2018 the hackers had switched their focus to the wireless protocols which exist for smart home devices, specifically the Z-Wave wireless protocol. This year, a vulnerability was discovered which affected up to 100 million smart home devices. Burglar alarms, security cameras, and door locks could be disabled, for example, allowing thieves to enter unchecked.

Another major area of vulnerability is that of accessing an individual’s home banking systems via the ‘voice hacking’ of smart speakers.

The recent news about FreeRTOS – a real-time operating system ported to around 35 microcontroller platforms – being an easy target for hackers has further eroded confidence in the security of IoT home devices.

As well as connected domestic appliances there is growing concern about the threats to healthcare devices. There are around 100m such devices installed worldwide. From insulin pumps, to diagnostic equipment, to remote patient monitoring, the areas for potential attack are huge and life-threatening.

Industrial IoT

Cybersecurity firm Carbon Black issued its Quarterly Incident Response Threat Report in November. The report represents an analysis of the latest attack trends seen by the world’s top incident response (IR) firms.

The report found that a growing number of attacks are now taking advantage of IoT vulnerabilities. An alarming 38 percent of IR professionals saw attacks on enterprise IoT devices, which can become a point of entry to organisations’ primary networks, allowing island hopping (whereby attackers target organisations with the intention of accessing an affiliate’s network).

This latter point underscores the continuing trend of exploiting IoT devices in the enterprise domain to attack business and to move from there into other ‘supply chain’ networks in order to disrupt additional enterprise operations.

The threats emerging away from these home and medical devices towards IoT control systems connected to national infrastructures are increasing in number and truly terrifying.

Process control devices in the industrial world present vulnerabilities in our oil and gas industries, and in our water purification and power plants. A nation’s vital utility infrastructure could potentially be brought to its knees by cyber attacks against the IoT device layer.

This threat isn’t new, although comparatively rare in the past. The Industroyer (Crashoverride) malware framework took out approximately one fifth of Kiev’s power for one hour in December 2015. A number of other different malware attacks targeted against industrial control systems in energy plants have also been discovered in the last few years.

It is now well understood that nation states such as Russia, China and North Korea have been probing other nations’ power generation facilities with a view to potential future hacks. The dangers are well understood by many governments but as of yet these vital infrastructure areas are still massively vulnerable to attack.

Understanding the risks

Only recently, Ciaran Martin, head of the UK’s National Cyber Security Centre (the NCSC) gave an apocalyptic warning about cyber threats to the UK. Martin said that Britain will be hit by a life-threatening ‘category 1’ cyber emergency in the near future.

Similar warnings have been coming out of the US recently, and President Trump’s National Cyber Strategy outlined the same types of threats against US infrastructure. Trump has constantly talked about the threats to US Power Grids – primarily again via the IoT layer – and it’s an area of deep concern for the Federal Government.

In the last month, Trump has been offering to share cyber attack and defence capabilities with NATO allies at the same time as UN calls for an ‘amnesty’ in the use of cyber attacks against critical infrastructures.

But at the business level the understanding of cyber risks is patchy. British business is predominantly uneducated and complacent when it comes to the risks posed by cyber threats and the vulnerability of IoT devices wherever they might be on their network.

Who is responsible?

In the IoT domain for both home and enterprise devices we need secure device design and manufacture, secure deployment, and secure onward protection.

It is the device manufacturer’s responsibility that IoT devices are delivered uninfected with malware, or rogue components. They have a responsibility to ensure that default passwords cannot be implemented in a live environment and to ensure that system software is able to be patched and updated going forward as new threats are understood.

But there is a dual responsibility between device supplier and the end user. Users of these devices in public sector organisations and business enterprises also have a responsibility to ensure that this layer of their IT infrastructure is of itself secure and that it cannot be compromised by weaknesses in other layers of their own cyber defence, or by malware which might be passed on through their supply chain, i.e. ‘island hopping.’

The role of businesses

Starting with the boardroom, businesses must enact a top-down approach to avoid backlash from the market. All companies should be aware that their cybersecurity will be subject to considerable public scrutiny when things go wrong. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

News published in early November told us that Facebook had lost 1m users in Europe in the last couple of months after its highly publicised breaches, and we can expect them to lose more user share going forward.

In the home IoT market, consumer confidence is key. If any particular brand of fridge, TV, baby alarm, speaker, or burglar alarm was exposed as being the source of attacks, consumers will vote with their wallets.

A recent survey conducted by Opinium in the UK showed that businesses which were breached or caused other businesses to be breached would experience repercussions from other businesses.

One in five businesses would take legal action to recover financial losses incurred from a breach as a result of a supplier’s negligence, and a similar number would use the incident to negotiate a further discount. Just three percent of businesses said they would take no action.

The survey also showed that victims of cybercrime could find it more difficult to attract new customers, with 35 percent of the business leaders questioned saying they would not work with a supplier they thought would make them more vulnerable to cybercrime. Just over a quarter said they would avoid using a company that had been publicly associated with a major cybersecurity breach.

Shareholders tend to react when market share is impacted, when the brand of a company is trashed in the market, or when a CEO’s position is undermined by high profile incidents.

CEOs and senior executives have been put on notice that the buck stops with the boardroom. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

Regulatory headwinds

Although only guidelines, the UK has made an admirable headstart towards IoT regulation with its recently released ‘secure by design’ guidelines.

The code – which the government claims is a ‘world first’ – has 13 guidelines, to ensure connected items are ‘secure by design’. It is long overdue and needs to be replicated by other countries.

The guidelines include: no default passwords; a vulnerability disclosure policy; pushed software updates; the secure storage of credentials and security-sensitive data; encrypted in transit communications and secure key management; resilience to outages; monitoring of telemetry data; and making it easy for users to delete personal data from any device.

The code of practice is designed with the home device market in mind. However, the guidelines can have a strong influence on the move towards industrial IoT regulatory requirements too.

In this latter scenario, primary responsibility would pass more towards the implementer or the end user of the industrial control technology.

It’s remarkable that these guidelines took so long to surface given the UK’s long history of consumer protection.

Similarly, the EU has a history of tackling technology giants who impinge on the privacy of individuals (GDPR being the latest culmination), so it’s surprising that a similar code of practice hasn’t emerged from Brussels yet. We can only assume that regulations are ‘in the pipeline.’

As for the IoT layer in the enterprise domain, the IIoT, expect a lot of focus to be driven by governments anxious to protect core businesses and infrastructure. Oil, gas, power generation, aviation and water industries are all highly dependent on IoT to run their businesses effectively.

These are obviously all vulnerable right now. It’s clear that notice has been given by aggressor states that these infrastructures are eminently hackable. It seems to me that the only thing stopping significant disruption is fear of reprisals.

Take The Sunday Times report in October that claimed British military forces had practised a cyber attack that would ‘plunge Moscow into darkness.’ This attack would be an immediate response if Putin’s forces were to move against the West.

Britain no longer possesses small battlefield nuclear weapons – in the eyes of the UK government and many others, cyberweapons have become the most effective military deterrent.

Source: https://thestack.com/iot/2018/11/22/iot-cybersecurity-where-we-are-and-what-needs-to-change/

Bots on a plane? Bad bots cause unique cybersecurity issues for airlines

While bots are a common tool of cybercriminals for carrying out DDoS attacks and mining cryptocurrencies, a recent report found they may also be indirectly increasing the price of your airline tickets.

Distil Research Lab’s Threat report, “How Bots Affect Airlines,” found the airline industry has unique cybersecurity challenges when dealing with bad bots, which comprise 43.9 percent of traffic on airlines websites, mobile apps, and APIs, which is more than double the average bad bot traffic across all industries in which only make up an average of 21.8 percent.

One European airline saw a whopping 94.58 percent of its traffic from bad bots, according to the report which analyzed 7.4 billion requests from 180 domains from 100 airlines internationally.

Cybercriminals launch bots to compromise loyalty rewards programs, steal credentials, steal payment information, steal personal information, carry out credit card fraud, and to launch credential stuffing attacks.

When threat actors infiltrates loyalty programs they can potentially shake customer confidence to the point where they no longer use the airlines.

“Once a customer has been locked out of their account by a criminal changing their password, the airline has a customer service problem to solve,” the report said. “The forensics to investigate what happened inside the account is time consuming and costly.”

Researchers added that the costs of reimbursements for the damages are also a negative impact of these bad bots.

The only industry which had a worse bot problem was the gambling industry with an average of 53.08 percent of its traffic coming from bad bots.

These malicious bots are working around the clock in the airline industry as their activity appears consistent every day throughout the week except Friday when there is a peak in traffic. The majority of the traffic comes from the USA as it’s responsible for 25.58 percent of bad bot traffic worldwide, followed by Singapore in second place with 15.21 percent, and China in third with 11.51 percent.

Researchers also learned that of the nearly 30 percent of the domains they reviewed, bad bots encompassed more than half of all traffic with 48.87 of bad bots reportedly using Chrome as their users’ agent.

Not all bots are evil however, some of the bots are used by travel aggregators such as Kayak and other online travel agencies to scrape prices and flight information or even competitive Airlines looking to gather up-to-the-minute market intelligence but even these can hassles.

Some of these unauthorized (OTAs) however may use bots to scrape prices and flight information seeking to gather ‘free’ information from the airline rather than pay for any associated fees by entering into any commercial arrangement requiring a service level agreement, researchers said in the report.

To combat the bad bots, researchers recommend airlines block or CAPTCHA outdated user agents/browsers, block known hosting providers and proxy servers which host malicious activity, block all access points, investigate traffic spikes, monitor failed login attempts, and pay attention to public data breaches.

Source: https://www.scmagazine.com/home/security-news/bots-on-a-plane-bad-bots-cause-unique-cybersecurity-issues-for-airlines/