Anonymous hacker charged with #opJustina DDoS attacks on hospital

The Anonymous-affiliated hacker who admitted to cyberattacks on two hospitals in the #opJustinaoperation and fled the country while being investigated was indicted last week.

Martin Gottesfeld, 32, a biotechnology information technology professional from Somerville, Massachusetts, is being charged with conspiracy to launch cyberattacks against two local hospitals: Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network, a mental health facility.

Those two hospitals were at the center of a case that attracted masses of media attention: that of Justina Pelletier, the then-15-year-old who was caught in a 16-month custody battle as her parents tried to have her treated for mitochondrial disease at one hospital, while Boston Children’s Hospital treated her in a psychiatric unit as a ward of the state.

Gottesfeld’s indictment, handed down on Wednesday, also charges him with intentional damage to a protected computer.

Both are felony hacking charges.

Gottesfeld admitted to the attacks last month, explaining how he did it and why in an editorial published by the Huffington Post.

I had heard many, too many, such horror stories of institutionalized children who were killed or took their own lives in the so-called “troubled teen industry”. I never imagined a renowned hospital would be capable of such brutality and no amount of other good work could justify torturing Justina.

The distributed denial of service (DDoS) attack against BCH was planned for maximum financial damage, Gottesfeld said: he knew that the hospital was planning a big fundraising drive and that most donors gave online.

In his editorial, he went on to scoff at BCH for making it easy for him to attack it, since the hospital kept its donation page on the same public network as the rest of its systems:

Rookie mistake. To take it down, I’d have to knock the whole hospital off the internet.

He also claimed that no patients would be harmed:

There’s no such thing as an outage-proof network, so hospitals have to be able to function without the internet. It’s required by federal law, and for accreditation. The only effects would be financial and on BCH’s reputation.

That’s not how the hospital, or the prosecution, sees it. The indictment states that BCH had to shut down its access to the internet and email servers to protect patient medical records.

That meant that physicians outside the hospital couldn’t get at patients’ records. Nor could patients communicate with their doctors.

BCH claims that responding to, and mitigating, the damage of the attack cost $300,000, while the disruption in fundraising meant another $300,000 hit, for a total loss of $600,000.

Gottesfeld claims that the attack against BCH was a justifiable reaction to the actions of the hospital, which was described as  a “parentectomy”.

Gottesfeld’s defence, to blame the hospital for the attack, is all too commonly heard. The blame-the-victim reasoning is often voiced by other cyberattackers, be it from people who guess at weak passwords and use them to waltz into accounts without authorization, or those who launch crippling attacks such as those that Gottesfeld admits to.

But just because it’s easy to do doesn’t make those or other cybercrimes OK. They’re illegal, and they can result in jail time, fines or both.

Each of the charges Gottesfeld’s facing carry a maximum sentence of five years in jail, along with fines.

Gottesfeld has been detained in Rhode Island since he and his wife were plucked off their boat near the coast of Cuba and arrested in Florida.

When the indictment was handed down last Wednesday, Gottesfeld was reportedly on day 16 of a hunger strike over the appointment of the office of Carmen Ortiz as his prosecutor. Ortiz was the prosecutor in the cases against both Aaron Swartz and Jonathan James, who both later took their own lives. She has faced sharp criticism over her approach to those cases.

In spite of his admission to the DDoS attacks, Gottesfeld is likely to plead not guilty at his arraignment this week before US Magistrate Judge Marianne B. Bowler, his wife told the Washington Times.


How Hackers Make Money from DDoS Attacks

Attacks like Friday’s are often financially motivated.

Yesterday’s attack on the internet domain directory Dyn, which took major sites like Twitter and Paypal offline, was historic in scale. But the motivation for the attack may seem opaque, since no valuable information seems to have been stolen. A group called New World Hackers is claiming credit, but giving conflicting accounts of their motives—and security experts have called them “impostors.”

So why else might someone have done it? This class of hack, known as a distributed denial of service (DDoS) attack, has been around for a while. And while many DDoS attacks are indeed motivated by politics, revenge, or petty trolling, there’s frequently money involved.

For instance, DDoS attacks are often used as leverage for blackmail. Once a hacking group has a reputation for being able to field a large and dangerous botnet to knock servers offline, they can demand huge ‘protection’ payments from businesses afraid of facing their wrath. In fact, they don’t even have to do the hacking in the first place—in one recent case, someone posing as a notorious cabal merely emailed blackmail messages and managed to pocket tens of thousands of dollars before they were exposed.

In the current case, there are rumors that Dyn was a target of extortion attempts before the attack. And the hackers behind what may be the biggest DDoS attack in history could demand a pretty penny to leave other companies alone. A wave of impostors will likely give it a shot, too.

There’s another, even darker money-driven application of DDoS attacks—industrial sabotage. Companies seeking to undermine their competition can hire hackers to take the other guys offline. DDoS services are often contracted through so-called “booter” portals where anyone can hire a hacker’s botnet in increments as small as 15 minutes. Researchers found last year that three of the most prominent booter services at the time had over 6,000 subscribers in total, and had launched over 600,000 attacks. (And despite the criminal reputation of Bitcoin, by far the largest method used to pay for DDoS-for-hire was Paypal.)

But it’s unlikely that this was some sort of hit called in by a competitor of Dyn—that tactic seems to primarily appeal to already-shady dealers, including online gambling operations.

Finally, DDoS attacks can serve as a kind of smokescreen for more directly lucrative crimes. While a security team is struggling to deal with an army of zombie DVRs pummeling their system, attackers can grab passwords, credit card numbers, or identity information.

In weighing possible explanations for Friday’s attack, it’s important to note the massive scale of the thing. Even if their claims of responsibility aren’t credible, New World Hackers’ description of about 1.2 terabits of data per second thrown at Dyn’s servers is both vaguely plausible and utterly mind-boggling. That’s around a thousand times as powerful as the huge 620 gigabit per second attack that knocked out a single website, Krebs on Security, last month. Dyn has also described the attack as sophisticated, arriving in three separate waves that targeted different parts of their systems.

That kind of operation could have been pulled off by a gang of kids doing it for kicks—and maybe that’s the scarier scenario. But such a massive undertaking suggests bigger, and possibly more lucrative, motivations.


How massive DDoS attacks are undermining the Internet

On Friday morning, I awoke to find that our company-wide single sign-on and cloud storage was disrupted due to the massive distributed denial of service (DDoS) attack against domain host Dyn.

This attack was big, disrupting consumer services like Spotify and Netflix, all the way to enterprise-grade providers like Heroku and Zendesk. Once the dust has settled, it’s likely that this attack will have impacted more people, in more ways, than any other in memory.

A DoS attack is an attempt to make something on the network unavailable to users, for example, a website. A distributed denial-of-service (DDoS) is when the attack is launched by many unique IP addresses—or, as in this case, devices—all aiming traffic at one or multiple targets. The target simply crumbles under the pressure of so much traffic.

In the past few weeks, hackers have upped the DDoS stakes in a big way. Starting with the attack on and increasing in severity from there, hundreds of thousands of devices have been used to perpetrate these actions. A number that dwarfs previous attacks by orders of magnitude.

While it isn’t yet confirmed, evidence points to the attack that we saw on Friday morning following this same playbook, but being perpetrated on a much larger scale, relying on Internet of Things (IoT) devices rather than computers and servers to carry out an attack.

In fact, in all likelihood an army of surveillance cameras attacked Dyn. Why surveillance cameras?  Because many of the security cameras used in homes and business around the world typically run the same or similar firmware produced by just a few companies.

This firmware is now known to contain a vulnerability that can easily be exploited, allowing the devices to have their sights trained on targets like Dyn. What’s more, many still operate with default credentials — making them a simple, but powerful target for hackers.

Why is this significant? The ability to enslave these video cameras has made it easier and far cheaper to create botnets at a scale that the world has never seen before. If someone wants to launch a DDoS attack, they no longer have to purchase a botnet—they can create their own using a program that was dumped on the internet just a few weeks ago.

Moreover, DDoS attacks aren’t the only problem with vulnerable IoT devices: these devices can also be a pathway for hackers to get behind a company’s firewall.

The other reason why this is so significant is that, by most accounts, we are extremely unprepared to secure our devices from being taken over. Early government and commercial efforts have focused on how manufacturers can build better security into devices. But this is problematic for a couple reasons, not the least of which is that IoT devices cannot run traditional

But this is problematic for a couple reasons, not the least of which is that IoT devices cannot run traditional cyber security software.

As a result, there are fewer “tools in the shed” to protect the IoT than there are for computers that run traditional operating systems. Some IoT devices can be patched, others can’t. For the device that can be patched, this is a very manual process and not something that is routinely done.

What’s the answer here?  As with everything with cybersecurity, there is no silver bullet. Even when it comes to IoT, we have to remember one of the fundamental tenets of this field: defense in depth. Moving beyond the acknowledged need to be better at patching devices, we must then ask if devices are protected by a robust perimeter security solution and are continuously monitored for suspicious behavior.

We can debate the merits of the different approaches but the point is that all of the necessary levels and approaches are being considered and that we do not have device tunnel vision.

We do not need to reinvent the wheel when it comes to protecting networks from IoT.  But we need to recognize that massive DDoS attacks utilizing IoT devices have the potential to undermine the reliability and availability of the internet. With the backbone of our economy relying on it, it’s time to get serious about fighting these hackers. The first thing we need is to prevent our devices from being used as ammunition.


Twitter, Amazon, other top websites shut in cyber attack

Major internet services including Twitter, Spotify and Amazon suffered service interruptions and outages on Friday as a US internet provider came under a cyber attack.

The internet service company Dyn, which routes and manages internet traffic, said that it had suffered a distributed denial of service (DDoS) attack on its domain name service shortly after 1100 GMT.

The service was restored in about two hours, Dyn said.

The attack meant that millions of internet users could not access the websites of major online companies such as Netflix and Reddit as well as the crafts marketplace Etsy and the software developer site Github, according to media reports.

The website Gizmodo said it had received reports of difficulty at sites for media outlets including CNN, The Guardian, Wired, HBO and People as well as the money transfer service PayPal.

Dyn, which is headquartered in New Hampshire, said the attack went after its domain name service, causing interruptions and slowdowns for internet users.

“This morning, October 21, Dyn received a global DDoS attack on our Managed DNS infrastructure in the east coast of the United States,” Scott Hilton, executive vice president for products at Dyn, said in a statement.

“We have been aggressively mitigating the DDoS attack against our infrastructure.”

The company said it was continuing to investigate.

A map published by the website showed service interruptions for Level3 Communications, a so-called “backbone” internet service provider, across much of the US east coast and in Texas.

Amazon Web Services, which hosts some of the most popular sites on the internet, including Netflix and the homestay network Airbnb, said on its website that users experienced errors including “hostname unknown” when attempting to access hosted sites but that the problem had been resolved by 1310 GMT.

Domain name servers are a crucial element of internet infrastructure, converting numbered Internet Protocol addresses into the domain names that allow users to connect to internet sites.

Distributed denial of service or DDoS attacks involve flooding websites with traffic, making them difficult to access or taking them offline entirely. Attackers can use them for a range of purposes, including censorship, protest and extortion.

The loose-knit hacktivist network Anonymous in 2010 targeted the DNS provider EveryDNS among others in 2010 as retribution for denying service to the anti-secrecy organization WikiLeaks.

“The internet continues to rely on protocols and infrastructure designed before cyber security was an issue,” said Ben Johnson, a former engineer at the National Security Agency and founder of the cybersecurity company Carbon Black.

He said that growing interconnection of ordinary devices to the internet, the so-called “internet of things,” increased the risks to networks.

“DDoS, especially with the rise of insecure IOT devices, will continue to plague our organizations. Sadly, what we are seeing is only the beginning in terms of large scale botnets and disproportionate damage done.”


Martin Gottesfeld, Anonymous hacktivist, charged over hospital DDoS attacks

Felony hacking charges were handed down Wednesday to a Massachusetts man accused of disrupting the computer networks of Boston-area hospitals with a 2014 digital protest waged under the name of hacktivist group Anonymous.

Martin Gottesfeld, 32, was indicted by a grand jury Wednesday on one count each of computer hacking and conspiracy related to distributed denial-of-service (DDoS) attacks suffered by Boston Children’s Hospital and the Wayside Youth and Family Support Network, a residential treatment facility in nearby Framingham.

Mr. Gottesfeld was arrested in February, and has been held at a detention center in Rhode Island for the last eight months while investigators assembled their case. He’ll likely plead not guilty when formally arraigned next week before U.S. Magistrate Judge Marianne B. Bowler, his wife, Dana Gottesfeld, told The Washington Times on Thursday. The charges each carry a maximum prison sentence of five years apiece.

Prosecutors say Mr. Gottesfeld plotted and participated in a cyber campaign against facilities he perceived to be part of “the troubled teen industry,” or institutions involved in the the treatment of adolescents with serious emotional, psychological and medical problems.

By overloading their computer networks with illegitimate internet traffic, authorities say the self-described human rights activist caused the facilities’ systems to suffer from setbacks that disrupted operations and resulted in hundreds of thousands of dollars in losses and damages.

Investigators say Mr. Gottesfeld led DDoS attacks in March 2014 that “lasted for more than a week, crippled Wayside’s website during that time and caused it to spend more than $18,000 on response and mitigation efforts.”

A subsequent campaign launched against Children’s is described in charging documents as “particularly disruptive,” and reportedly caused the hospital to lose upwards of $600,000.

The hospital said it spent around $300,000 responding to the DDoS attack, but also lost approximately $300,000 because its systems were knocked offline in the midst of a fundraiser.

The FBI had already interviewed Mr. Gottesfeld about the DDoS attacks and made it clear he was under investigation when he and his wife suddenly went missing earlier this year. The couple was eventually rescued in the the Bahamas by a Disney cruise ship in February, and law enforcement filed a criminal complaint charging Mr. Gottesfeld with conspiracy to commit computer hacking while the two were being brought back to land.

Writing while in custody last month, Mr. Gottesfeldadmitted waging DDoS attacks in response to the alleged mistreatment suffered by a 15-year-old patient, Justina Pelletier. Now 17, her parents have since sued Boston Children’s Hospital and four of its doctors for claims including gross negligence and civil rights violations.

“I had heard many, too many, such horror stories of institutionalized children who were killed or took their own lives in the so-called ‘troubled teen industry.’ I never imagined a renowned hospital would be capable of such brutality and no amount of other good work could justify torturing Justina,” he wrote for Huffington Post last month.

“Justina wasn’t defenseless. Under the banner of Anonymous, she and other institutionalized children could and would be protected,” he wrote in an op-ed titled “Why I Knocked Boston Children’s Hospital Off The Internet.”

In addition to his admission in the press, investigators said they found hundreds of private Twitter messages on Mr. Gottesfeld’s computer in which he allegedly plotted DDoS attacks with an unindicted co-conspirator, as well as other digital evidence linking him to the disruptions.

Evidence aside, Mr. Gottesfeld has been protesting his prosecution while in detention, and was on the sixteenth day of a hunger strike when Wednesday’s indictment was handed down.

Facing the same federal prosecutor’s office responsible for pursuing a pair of particularly notable hacking cases, Mr. Gottesfeld has been forgoing food in an effort to raise awareness about both the “troubled teen industry” as well as U.S. Attorney Carmen Otiz’s handling of alleged computer crimes.

“The fact that Ortiz’s office indicted on debate day, and without a press release, shows they are aware of the unconscionable human rights violations they are attempting to sweep under the rug and the precedence of impunity that would be even more firmly established,” Mr. Gottesfeld said Thursday in an email shared by his wife with The Washington Times. “They have no compassion for the suffering of Justina Pelletier, a mentally and physically challenged child, ripped from her family, left in agony without her painkillers, and locked in an abusive psych ward. Nor are they concerned with any real semblance of true justice.”

“This indictment, and the manner in which it was unsealed, were cowardly acts,” he said.

Internet activist Aaron Swartz was facing charges related to multiple alleged violations of the federal Computer Fraud and Abuse Act brought by Ms. Ortiz’s office when he committed suicide in 2013. Five years earlier, hacker Jonathan James took his own life while being investigated by the same prosecutor’s office in the District of Massachusetts.

The Department of Justice did not immediately respond to requests for comment on Thursday.


Bitter feud between partners as IBM deflects eCensus blame

NextGen, Vocus refute claims of error.

A bitter feud has broken out between IBM and its internet service provider partners for the 2016 eCensus as the main contractor tried to deflect blame for the site’s meltdown on August 9

In its first detailed response to the failure, IBM said it had plans in place for the risk of DDoS attacks, but its efforts were to no avail thanks to a failure at an upstream provider.

The ABS at the time said it had been forced to take the site offline on Census night following a series of DDoS attacks combined with the failure of the network geoblocking function and the collapse of a router.

The statistics body has publicly criticised IBM for failing to properly implement a geoblocking service, which would have halted the international DDoS attack targeted at the Census site.

But IBM is now laying blame squarely at the feet of its internet service provider partner NextGen and NextGen’s upstream supplier Vocus for the geoblocking bungle.

It claimed NextGen had provided “repeated” assurances – including after the day’s third DDoS attack – that a geoblocking strategy that IBM codenamed ‘Island Australia’ had been correctly put in place.

However, when the fourth and biggest DDoS attack of the day hit at around 7:30pm, IBM said it became clear that a Singapore link operated by Vocus had not been closed off, allowing the attack traffic to pass through to the Census site.

“Vocus admitted the error in a teleconference with IBM, NextGen and Telstra around 11.00 pm on 9 August 2016,” IBM said.

“Had NextGen (and through it Vocus) properly implemented Island Australia, it would have been effective to prevent this DDoS attack and the effects it had on the eCensus site. As a result, the eCensus site would not have become unavailable to the public during the peak period on 9 August 2016.”

IBM said while it accepted its responsibility as the head contractor for the eCensus, it could not have avoided using ISPs to provide links for the website.

“It is not possible for an IT services company such as IBM to implement the 2016 eCensus without engaging ISPs. It was necessary for IBM to involve the ISPs in the implementation of the geoblocking solution as they have control over their respective data networks and are in a position to block internet traffic originating from particular domains or IP addresses.”

IBM did, however, admit what many security experts speculated had occured – that following the fourth DDoS a system monitoring dashboard showed an apparent spike in outbound traffic, causing its staff to wrongly assume data was being exfiltrated from the website, prompting IBM to shut down the website.

The contractor also revealed that a configuration error meant a manual reboot of one of its routers – which was needed after the eCensus firewall became overloaded with traffic – took much longer to rectify than it should have, keeping the site offline for a further hour and a half.

NextGen, Vocus fight back

But Vocus said NextGen was well aware that Vocus would not provide geoblocking services, and had instead recommended its own DDoS protection.

IBM declined the offer, Vocus said. NextGen and Vocus instead agreed on remote triggered black hole (RTBH) route advertisements with international carriers.

“If Vocus DDoS protection product was left in place the eCensus website would have been appropriately shielded from DDoS attacks,” Vocus said in its submission to the inquiry.

Vocus refuted IBM’s claim that it had failed to implement geoblocking, revealing that it had not been made aware of IBM’s DDoS mitigation strategy – including ‘Island Australia’ – until after the fourth attack on August 9.

“As a result, any assumption that Vocus was required to, or had implemented Island Australia or geo-blocking including, without limitation … are inaccurate,” Vocus said.

“Once Vocus was made aware of the fourth DDoS attack, it implemented a static null route to block additional DDoS traffic at its international border routers within 15 minutes.”

Vocus also argued that the fourth DDoS was not as large as IBM claimed, comprising of attack traffic that peaked at 563Mbps and lasting only 14 minutes – which it said was “not considered significant in the industry”.

“Such attacks would not usually bring down the Census website which should have had relevant preparations in place to enable it to cater for the expected traffic from users as well as high likelihood of DDoS attacks.”

NextGen, in its own submission, claimed it had “strongly recommended” to IBM that it take up a DDoS protection product like that on offer by Vocus, but the contractor declined.

The ISP said it was not made aware of details of IBM’s ‘Island Australia’ strategy until six days before the eCensus went live in late July.

At that point it told IBM that an IP address range it had provided was part of a larger aggregate network and therefore would not respond to “specific international routing restrictions” if ‘Island Australia’ was implemented.

“Nextgen recommended using an alternative IP address range, which would give IBM better control, but this was rejected by IBM,” the ISP said.

IBM instead chose to request NextGen’s upstream suppliers apply IP address blocking filters and international remote black holes for 20 host routes.

“Nextgen believes that the individual host routes picked by IBM may not be exhaustive, and DDoS attacks could come from other routes in the IP address range (which they did in the third DDoS attack on Census day),” NextGen said.

“There were a number of routes without geoblocking during the fourth DDoS attack, and which were not identified during testing, along with the [Vocus] Singapore link.”

NextGen said it again offered to implement DDoS protection, this time at its own cost, which IBM agreed to four days after the events of August 9.


Media vulnerable to Election Night cyber attack

A hack on the AP and its results tally could have chaos-inducing consequences.

Despite spending hundreds of millions of dollars on security upgrades, U.S. media organizations have failed to properly protect their newsrooms from cyberattacks on their websites, communications systems and even editing platforms — opening themselves up to the possibility of a chaos-creating hack around Election Day.

In just the past month, BuzzFeed has been vandalized, and both Newsweek and a leading cybersecurity blog were knocked offline after publishing articles that hackers apparently didn’t appreciate. Federal law enforcement is investigating multiple attacks on news organizations, and journalists moderating the presidential debates say they’ve even gotten briefings from the FBI on proper cyber hygiene, prompting them to go back to paper and pens for prep work.

“We do a lot of printing out,” said Michele Remillard, an executive producer at C-SPAN, the network home to the backup moderator for all the debates.

Journalists are seen as especially vulnerable soft targets for hackers. Their computers contain the kinds of notes, story ideas and high-powered contact lists coveted by foreign intelligence services. They also work in an environment that makes them ripe for attack, thanks to professional demands like the need for a constant online presence and inboxes that pop with emails from sources whom they don’t always know and which frequently contain the kinds of suspicious links and attachments that can expose their wider newsroom networks.

Senior U.S. officials, current and former lawmakers and cybersecurity pros told POLITICO the threat against the media is real — and they fret the consequences. Specifically, the security community is worried The Associated Press’ army of reporters could get hacked and the wire service — the newsroom that produces the results data on which the entire media world relies — inadvertently starts releasing manipulated election tallies or that cybercriminals penetrate CNN’s internal networks and change Wolf Blitzer’s teleprompter.

“It’s the art of possible is what really scares me,” said Tony Cole, chief technology officer of FireEye, a Silicon Valley-based cybersecurity firm that works with some of the country’s major television and newspaper companies. “Everything is hackable.”

“No site is safe,” added Tucker Carlson, editor-in-chief of The Daily Caller. “If the federal government can be hacked, and the intelligence agencies have been hacked, as they’ve been then, can any news site say we have better cybersecurity than the FBI or Google?”

The media have long been a spy’s best friend. Intelligence community sources say that foreign and U.S. agents use local newspapers to look for clues about their targets, and that strategy has only grown more sophisticated in an all-online era in which foreign intelligence is reportedly known to hover over a media company’s servers searching for any kind of heads-up on relevant stories inching closer to publication. Reporters on the campaign trail and back in their home bureaus said in interviews that they’ve become increasingly aware of their status as potential hacking victims. The spate of recent attacks — involving their sites and their competitors’ — are more than ample warning of what’s possible. Several journalists said they now use email and other communication with the expectation they’re being watched, and under the assumption that their messages can and will be hacked and shared publicly with the wider world.

“We’re a bigger target than the 7-Eleven down the street,” said Mark Leibovich, chief national correspondent for The New York Times Magazine. “Presumably, we have really good, smart IT people who know what they’re doing, who are taking all kinds of precautions, who are acutely in tune with what the risks are and what the threats are.”

There is perhaps no greater target in election journalism than the AP, the venerable wire service that will have more than 5,000 reporters, editors and researchers working across the country, tabulating results, calling races and feeding a much wider network of subscribers. Often other news outlets refer to the AP before making calls on races, and AP projections on the East Coast can have effects on West Coast voting, which closes hours later thanks to the time differences. Multiple sources in media, government and the security industry fretted about the effect if the AP were to get hit, and what that would do to their ability to get the news out.

The AP will deploy reporters across the country to send up vote tallies, usually by phone, the wire service explained to The Washington Post in May. It also has multiple checks and balances in place to monitor for errors. But as with many other news organizations contacted by POLITICO, AP spokesman Paul Colford said the wire service’s policy is to refrain from making public comments about its security measures.

“Given the extraordinary interest in the presidential election and thousands of other state and local contests, we would add that AP has been working diligently to ensure that vote counts will be gathered, vetted and delivered to our many customers on Nov. 8,” he said.

Federal and state officials stress that even a successful hack on a major news outlet around Election Day would not affect the final results, which typically take weeks to certify. The vote tallies, after all, will be available on official sites and in many instances on special social media feeds. And if a news site did get defaced with incorrect information, the results would be more like a modern-day version of the famous ‘Dewey Defeats Truman’ headline that President Harry Truman triumphantly held aloft the day after his 1948 reelection.

Still, there is a widespread recognition — from the White House down to the local precinct level — that a hack on the media could be damaging given the role it plays in getting election news out to satisfy the country’s insatiable information appetite. Misinformation circulated in the early hours of Nov. 8 about the race’s trajectory, for example, could factor into a voter’s decision to even show up during the election’s final hours, especially in Western states. There’s also concern that false media reports spread via a hacked news account could be a potential spark for violence in an already exceptionally charged atmosphere. On the flip side, there’s a recognition that the media can help build public confidence in the final results, especially following a campaign that’s been engulfed in its closing weeks by Russian-sponsored hacking of the Democratic National Committee, the hacking of Hillary Clinton’s campaign chairman’s personal emails, and Donald Trump’s unfounded charges of vote rigging.

“To the degree that foreign hackers could prevent the dissemination of good information around the election, that can be a problem,” said Rep. Adam Schiff, the top Democrat on the House Intelligence Committee. The California congressman said he frets that media outlets, like many other industries, face “massive costs” in protecting themselves against cyberattacks with “no end in sight” to the potential risks. Schiff added that he is especially concerned about smaller news organizations without major IT budgets or the backing of larger parent companies. “They’re much more vulnerable,” he said.

Cybersecurity experts say media spending to protect news organizations against cyberattack has grown substantially in the past three years, especially in the wake of North Korea’s attack on Sony Pictures in late 2014. The price tag for vulnerability audits and other techniques varies by the size of the newsroom and the surface area for potential attacks, but multiple sources said quarterly audits can easily cost $50,000 or more.

Cyber experts and media officials from newsrooms across the country said they’re prepped to deal with a range of threats to their sites, including the kinds of malware that can infect a computer network and give hackers an entry point to manipulate a home site. They’re also building backup capacity in the event of a DDoS attack, or distributed denial of service, that tries to overwhelm a website or server with fake traffic. News sites, they note, are already prepping for monster traffic around the election, which can surge as much as 30 times compared with other big events this cycle, such as a debate or primary.

At the staffing level, newsrooms have also been pushing for better cyber habits by hosting training seminars, requiring employees to take must-pass exams and requiring double-authentication before granting access to a newsroom’s internal filing system and social media accounts.

But cyber experts warn that all the preparatory work in the world can matter little for a news organization if it’s facing an attack from a more sophisticated actor.

“If all of a sudden your adversary becomes a nation-state, like Sony or the DNC with Russia, you see those kind of procedures aren’t worth a darn,” said Robert Anderson, a former senior FBI cyber official and a managing director at the Navigant consulting firm.

The press has indeed been a familiar target for hackers. In 2013, hackers hit the AP’s Twitter account and posted a false report about a bombing at the White House, sending the stock market into a five-minute spiral. In more recent incidents, a USA Today columnist wrote an article in February admitting he was hacked midair while using his commercial flight’s WiFi, and the New York Times reported in August that its Moscow bureau was targeted by what were believed to be Russian hackers.

Newsweek blamed hackers for a DDoS attack that took down its site last month soon after it published an article about Trump’s company allegedly violating the U.S. embargo against Cuba through secret business dealings in the 1990s. And BuzzFeed had several articles on its site altered earlier this month after it ran a story identifying a person allegedly involved in the hacking of tech CEOs and celebrities.

“I’m sure that lots of newsrooms are having this conversation right now, particularly as we get closer to the election and people have a lot more to lose when things don’t go their way,” said Brian Krebs, the cybersecurity blogger and former Washington Post reporter whose site went down last month after a major DDoS attack that he says was spawned by his reporting about the arrest of two Israeli hackers.

With the threat of hackings against the media reaching such a heightened pace, many election observers urged both reporters and the reading public to take a deep breath as the results start coming in.

“If Twitter is reporting that Jill Stein wins South Carolina, that should probably give you pause,” said David Becker, executive director of the Center for Election Innovation and Research.


Ubisoft’s Servers Have Been Down For Several Hours, Could Be DDoS

Since early this morning gamers have reported server issues when playing Ubisoft games across all platforms. Ubisoft Support has confirmed the problem, sharing that it is affecting all its services, including its digital shop and official website.

Ubisoft has provided the following updates regarding the issue:

[12:44PM EDT] We are still looking into this issue. We appreciate your understanding in the meantime.​

[1:12PM EDT] Our shop and websites are also affected by this issue. We are still investigating further. Thank you for your patience thus far.

Although for some of Ubisoft’s games this is a mere inconvenience, multiplayer-oriented games are currently unplayable. This has resulted in thousands of posts on Twitter directed at Ubisoft, requesting when the problem will be fixed. There is currently no ETA.

It is unclear what the root cause of the issue is, although this type of problem usually happens due to DDoS.


Internet service providers face DDoS attack second time in the last three months

The service providers have also alleged that their complaints about the DDoS attacks have gone ignored.

Internet service providers (ISPs), mainly from Mumbai and Pune, claimed they are being targeted in a distributed denial of service (DDoS) attack for the second time in the last three months, and said they will raise the issue of cyber terrorism with IGP (Cyber) Brijesh Singh. They also claimed that their complaint was not taken seriously by the Pune Police.

“We have been facing DDoS attacks since September 15 and have been running from pillar to post to lodge a complaint, but no officer from the Pune Police has taken a serious stand on our complaint. We are now going to lodge our complaint with IGP (Cyber) Brijesh Singh,” Kishore Desarda, director, Gazon Communication, said.

A DDoS attack typically bombards websites with requests, overloading the portal until its server crashes, thus denying access to legitimate users. “Such attacks, which reduce (Internet) speed to almost zero, have posed a serious threat to businesses of all ISPs, not only in Mumbai and Pune but across Maharashtra, and they need to be curbed immediately,” Mr. Desarda said. In July, ISPs had filed an FIR with the IG’s office about DDoS attacks. The case is being investigated by the Mumbai Police’s cyber cell.

Another leading ISP said, “DDoS attackers are back in business and it has hit services adversely in cities like Mumbai, Thane, Navi Mumbai and Pune. This unprecedented attack on ISPs is akin to cyber terrorism and has assumed extreme significance against the backdrop of the hacking of more than 35 Central and State government websites in the last few days.”

In July, ISP representatives had met IGP Singh and had apprised him of the gravity of this sort of ‘cyber terrorism’. Following their request, the cyber cell had registered an FIR and launched a probe.

“Some unknown people are involved in crashing the networks of ISPs by making lakhs of requests at a particular terminal at a particular time at an unprecedented level, thus slowing down the whole internet experience, which we call DDOS. The Cyber Crime department is taking all possible measures to nab the perpetrators,” Mr. Singh had said earlier


Leaked Mirai source code already being tested in wild, analysis suggests

Since the source code to the Mirai Internet of Things botnet was publicly leaked on Sept. 30, researchers at Imperva have uncovered evidence of several low-level distributed denial of serviceattacks likely perpetrated by new users testing out this suddenly accessible DDoS tool.

With its unusual ability to bombard targets with traffic in the form of generic routing encapsulation (GRE) data packets, Mirai was leveraged last month to launch a massive DDoS attack against Internet security researcher Brian Krebs’ blog site KrebsonSecurity. Soon after, a Hackforums user with the nickname Anna-senpai publicly posted the botnet’s source code – quite possibly a move by the malware’s original author to impede investigators from closing in on him.

In a blog post this week, Imperva reported several low-level DDoS attacks taking place in the days following the leak. Consisting of low-volume application layer HTTP floods leveraging small numbers of source IPs, these attacks “looked like the experimental first steps of new Mirai users who were testing the water after the malware became widely available,” the blog post read.

But Imperva also found evidence of much stronger Mirai attacks on its network prior to the leak. On Aug. 17, Imperva mitigated numerous GRE traffic surges that peaked at 280 Gbps and 130 million packets per second. Traffic from this attack originated from nearly 50,000 unique IPs in 164 countries, many of which were linked to Internet-enabled CCTV cameras, DVRs and routers – all infected by Mirai, which continuously scans the web for vulnerable devices that use default or hard-coded usernames and passwords.

An Imperva analysis of the source code revealed several unique traits, including a hardcoded blacklist of IPs that the adversary did not want to attack, perhaps in order to keep a low profile. Some of these IPs belonged to the Department of Defense, the U.S. Postal Service and General Electric.

Ben Herzberg, security group research manager with Imperva Incapsula, told in a phone interview that the Marai’s author may have truncated the complete blacklist before publishing it – possibly because such information could offer a clue as to the attacker’s identity.

Imperva also found Mirai to be territorial in nature, using killer scripts to eliminate other worms, trojans and botnet programs that may have infiltrated the same IoT devices. Moreover, the company noted traces of Russian-language strings, which could offer a clue to the malware’s origin.

Herzberg said it’s only a matter of time before Mirai’s newest users make their own modifications. “People will start playing with the code and say, ‘Hey, let’s modify this, change this,” said Herzberg. “They have a nice base to start with.”

Web performance and security company Cloudflare also strongly suspects it has encountered multiple Mirai DDoS attacks, including one HTTP-based attack that peaked at 1.75 million requests per second. According to a company blog post, the assault leveraged a botnet composed of over 52,000 unique IP addresses, which bombarded the Cloudflare network – primarily its Hong Kong and Prague data centers – with a flurry of short HTTP requests designed to use up server resources and take down web applications.

A second HTTP-based attack launched from close to 129,000 unique IP addresses generated fewer requests per second, but consumed up to 360Gbps of inbound HTTP traffic – an unusually high number for this brand of attack. In this instance, much of the malicious traffic was concentrated in Frankfurt.

Cloudflare concluded that the attacks were launched from compromised IoT devices, including a high concentration of connected CCTV cameras running on Vietnamese networks and multiple unidentified devices operating in Ukraine.

“Although the most recent attacks have mostly involved Internet-connected cameras, there’s no reason to think that they are likely the only source of future DDoS attacks,” the Imperva report warns. “As more and more devices (fridges, fitness trackers, sleep monitors…) are added to the Internet they’ll likely be unwilling participants in future attacks.”

Of course, compromised IoT devices can be used for more than just DDoS attacks. Today, Akamai Technologies released a white paper warning of a new in-the-wild exploit called SSHowDowN that capitalizes on a 12-year-old IoT vulnerability.

According to Akamai, cybercriminals are remotely converting millions of IoT devices into proxies that route malicious traffic to targeted websites in order to check stolen log-in credentials against them and determine where they can be used. Bad actors can also use the same exploit to check websites for SQL injection vulnerabilities, and can even launch attacks against the internal network hosting the Internet-connected device.

The vulnerability, officially designated as CVE-2004-1653, affects poorly configured devices that use default passwords, including video surveillance equipment, satellite antenna equipment, networking devices and Network Attached Storage devices. It allows a remote user to create an authorized Socket Shell (SSH) tunnel and use it as a SOCKS proxy, even if the device is supposedly hardened against SSH connections.

“What we’re trying to do is raise awareness,” especially among IoT vendors said Ryan Barnett, principal security research at Akamai, in an interview with Barnett noted that when the CVE first came out, an exploit on it was “more theoretical,” but now “we want to show it is actively being used in a massive attack campaign.”