Eight-Hour DDoS Attack Struck AWS Customers

Google Cloud Platform suffered issues around the same time as Amazon Web Services but claims they were not caused by DDoS.

A significant distributed denial-of-service (DDoS) attack lasting approximately eight hours affected Amazon Web Services yesterday, knocking its S3 service and other services offline between 10:30 a.m. and 6:30 p.m. PDT.

The attack struck AWS’s Route 53 DNS web service, which led to outages for other services that require public DNS resolution: Elastic Load Balancing, Relational Database Service, and Elastic Compute Cloud. AWS alerted customers while the attack was ongoing to inform them of “intermittent errors with resolution of some AWS DNS names.” Starting at 5:16 p.m., a small number of specific DNS names experienced a higher error rate. The issues have been resolved.

Amazon says its Shield Advanced DDoS mitigation tool helped in managing the attack; however, some users were unable to connect because it categorized legitimate customer queries as malicious.

Around the same time as the AWS attack, Google Cloud Platform also experienced a range of problems. It’s believed the incidents are separate; GCP claims its issue was unrelated to DDoS.

Source: https://www.darkreading.com/cloud/eight-hour-ddos-attack-struck-aws-customers/d/d-id/1336165

Do network layer and application layer DDoS attacks differ?

Network layer and application layer DDoS attacks are significant threats. Learn about the differences between them and what you can do to reduce their effects.

A distributed denial of service, or DDoS, attack is a method to bring down a service by sending a flood of legitimate or illegitimate requests from multiple source devices. The goal is to overwhelm the target device so that it can no longer operate normally. Let’s examine two: network layer and application layer DDoS attacks.

Network DDoS attacks attempt to overwhelm the target by overtaxing available bandwidth. Network DDoS protections formerly were implemented at the network edge — typically, using next-gen firewalls and intrusion prevention systems. But, even with DDoS protections in place, a large-scale bot network can quickly overwhelm the edge.

Today, it’s more common for enterprises to tap into the resources of a cloud security service engineered with a high-capacity network expansive enough to handle massive amounts of data in the event a DDoS attack occurs. Because the service can handle the bandwidth capacity without the threat of its resources succumbing to overutilization, it can successfully identify and scrub DDoS traffic while passing on legitimate traffic to your servers. This architecture moves the threat of a bottleneck closer to the source of the attack where it can be better handled without interruption.

How application layer attacks work

Application layer DDoS attacks, on the other hand, don’t target network bandwidth. Instead, they strike the application (Layer 7 of the OSI model) running the service end users are trying to access. To that end, the server, server application and back-end resources are the main target. The goal of these attacks is to consume the resources of a specific service, thus slowing it or stopping it altogether.

Application layer DDoS attacks are trickier to identify and mitigate than network layer DDoS attacks. Common mitigation methods include CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenges to distinguish bots from humans. Additionally, a web application firewall (WAF) is a strong defense against more sophisticated application DDoS attacks. A WAF uses various signatures to discern between normal human requests and those sent by bots. It can be deployed either on premises or through a third-party cloud security service provider.

Source: https://searchsecurity.techtarget.com/answer/Do-network-layer-and-application-layer-DDoS-attacks-differ

The correlation between DDoS attacks and cryptomining

There is a direct correlation between cryptocurrency and DDoS attacks. As the price of cryptocurrency dropped in 2018, leading to decreased profits from cryptomining, hackers on the black market began to divert prime botnet resources to DDoS attack activities, which increased month by month.


DDoS attacks in 2018

In NSFOCUS’ 2018 DDoS Attack Landscape report, NSFOCUS analyzed the threat landscape after a landmark year of technological growth related to cloud computing, big data, artificial intelligence (AI), Internet of Things (IoT), and Industry 4.0.

Key findings include:

  • Attackers were more inclined to launch DDoS attacks when the short-term benefits from cryptomining activities declined in 2018.
  • In 2018, DDoS attacks kept expanding in size as DDoS-as-a-Service experienced a fast growth.
  • Of all internet attack types, 25% of attackers were recidivists responsible for 40% of all attack events. The proportion of recidivists in DDoS attacks decreased in 2018, making up about 7% of DDoS attackers that launched 12% of attack events.
  • Cloud services/IDCs, gaming, and e-commerce were the top three industries targeted by attackers.
  • The total number of DDoS attacks in 2018 reached 148,000, down 28.4% from 2017, driven by effective protections against reflection attacks, which decreased considerably.
  • In 2018, the most frequently seen attacks were SYN flood, UDP flood, ACK flood, HTTP flood, and HTTPS flood attacks, which all together accounted for 96% of all DDoS attacks.
  • Of all DDoS attacks, 13% used a combination of multiple attack methods. The other 87% were single-vector attacks.


“The fluctuation of Bitcoin prices has a direct bearing on DDoS attack traffic,” said Richard Zhao, COO at NSFOCUS.

“This, along with other report findings, can help us better predict and prepare for DDoS attacks. Attackers are after profits and as we watch bitcoin fluctuate, we will continue to see this correlation pop up. DDoS attacks have never stopped since making their debut – analyzing trends in this report helps companies keep up with the fluid attack and threat landscape.”

Source: https://www.helpnetsecurity.com/2019/04/15/correlation-ddos-attacks-cryptomining/

Blockchain Technology can be Critical to IoT Infrastructure Security

Over 45 billion IoT devices are expected to be connected by 2021, while the cumulative cost of data breaches between 2017 and 2022 is expected to touch $8 trillion

The era of Internet of things (IoT) is upon us and it is impacting our lives. Today, technology has pervaded into nearly all walks of life, and constant innovation has made it almost impossible to stay disconnected. However, with all the convenience that connected devices offer, there is also a growing risk of cyber threats that can cripple the IoT networks and infrastructure, and cause considerable economic and personal harm to users.

According to a report by Juniper Research, as much as 46 billion IoT devices are expected to be connected by 2021, while the cumulative cost of data breaches between 2017 and 2022 is expected to touch $8 trillion. Securing IoT would require adopting a future-ready, flexible and highly scalable cybersecurity strategy – a significant shift from current reactive approaches used by businesses that involve patching discovered vulnerabilities and adding new solutions without performing a comprehensive assessment.

IoT makes it possible to connect previously closed devices and appliances to the Internet and allow users to control their operations remotely. However, as more closed systems are made accessible online, they also become increasingly vulnerable to cyberattacks and hacks. From smart homes and offices to connected cars, unmanned aerial vehicles, autonomous trucks and even to critical infrastructure like industrial control systems as part of industrial Internet of things (IIoT) – all existing and emerging IoT networks face a very high risk of cyber threats.

Blockchain-powered cybersecurity

An emerging technology alongside IoT which offers much promise in helping secure connected devices is blockchain technology. While blockchain technology gained prominence originally in the world of fintech by ushering in the revolution of digital payments, this underlying technology behind the success and rise of cryptocurrencies could play an important role in cybersecurity, especially in the IoT space.

A blockchain-based cybersecurity platform can secure connected devices using digital signatures to identify and authenticate them, adding them as authorized participants in the blockchain network and ring-fencing critical infrastructure by rendering it invisible to unauthorized access attempts. Each authenticated device joining the blockchain-based secure IoT network is treated as a participating entity, just like in a conventional blockchain network. All communication among these verified participants (IoT devices) is cryptographically secured and stored in tamper-proof logs.

Every new device added to the network is registered by assigning a unique digital ID on the blockchain network, and the platform provides secure channels for inter-device communication and offers all connected devices secure access to core systems or infrastructure as well. A blockchain-based cybersecurity solution can additionally leverage Software-Defined Perimeter (SDP) architecture and utilize a Zero-Trust model to render all authenticated devices invisible to attackers. This means that only verified devices can “see” or know of the existence of other connected devices, adding an extra layer of security to the IoT infrastructure.

Benefits and the way forward

A blockchain powered platform uses a decentralized set-up, further denying cyber attackers a single point of failure to target to bring down such a network. Consensus-based control distributes the responsibility of security across nodes within a blockchain network, making it impossible for hackers to spoof their way into such a network, and also protecting IoT networks from being brought down via DDoS attacks. Decentralization also makes such a solution highly scalable – one of the biggest concerns of implementing cybersecurity on an ever-growing network such as in the case of connected devices. With every new device that gets added/removed, the change is immediately notified to all participants, letting the system be adaptable and flexible to expand and evolve over time without significant upgrades to the platform in entirety.

Such a system can be used to secure smart homes, connected autonomous vehicles, critical IIoT infrastructure and even entire smart cities. A cybersecurity solution based on blockchain technology enhanced using SDP architecture offers a next-generation, future-proof way to secure IoT devices, networks and communication, not just from present-day vulnerabilities and cyber risks, but remain just as robust in anticipating emerging vulnerabilities and offering protection against them.

Both blockchain and IoT are emerging technologies, with most innovations in these domains being at nascent, proof-of-concept stages. However, blending the strengths of blockchain technology with the potential of IoT can quickly and effectively propel entire industries, cities and nations into the “smart” space, by easing the burden of securing an ever-expanding perimeter of unconventional devices and critical infrastructure without impeding the rate of innovation.

Source: https://www.entrepreneur.com/article/325855

Ad Fraud 101: How Cybercriminals Profit from Clicks

Fraud is and always will be a cornerstone of the cybercrime community. The associated economic gains provide substantial motivation for today’s malicious actors, which is reflected in the rampant use of identity and financial theft, and ad fraud. Fraud is, without question, big business. You don’t have to look far to find websites, on both the clear and the darknet, that profit from the sale of your personal information.

Fraud-related cyber criminals are employing an evolving arsenal of tactics and malware designed to engage in these types of activities. What follows is an overview.

Digital Fraud

Digital fraud—the use of a computer for criminal deception or abuse of web-enabled assets that results in financial gain—can be categorized and explained in three groups for the purpose of this blog: basic identity theft with the goal of collecting and selling identifiable information, targeted campaigns focused exclusively on obtaining financial credentials, and fraud that generates artificial traffic for profit.

Digital fraud is its own sub-community consistent with typical hacker profiles. You have consumers dependent on purchasing stolen information to commit additional fraudulent crime, such as making fake credit cards and cashing out accounts, and/or utilizing stolen data to obtain real world documents like identification cards and medical insurance. There are also general hackers, motivated by profit or disruption, who publicly post personally identifiable information that can be easily scraped and used by other criminals. And finally, there are pure vendors who are motivated solely by profit and have the skills to maintain, evade and disrupt at large scales.

  • Identity fraud harvests complete or partial user credentials and personal information for profit. This group mainly consists of cybercriminals who target databases with numerous attack vectors for the purposes of selling the obtained data for profit. Once the credentials reach their final destination, other criminals will use the data for additional fraudulent purposes, such as digital account takeover for financial gains.
  • Banking fraud harvests banking credentials, digital wallets and credit cards from targeted users. This group consists of highly talented and focused criminals who only care about obtaining financial information, access to cryptocurrency wallets or digitally skimming credit cards. These criminals’ tactics, techniques and procedures (TTP) are considered advanced, as they often involve the threat actor’s own created malware, which is updated consistently.
  • Ad fraud generates artificial impressions or clicks on a targeted website for profit. This is a highly skilled group of cybercriminals that is capable of building and maintaining a massive infrastructure of infected devices in a botnet. Different devices are leveraged for different types of ad fraud, but generally, PC-based ad fraud campaigns are capable of silently opening an internet browser on the victim’s computer and clicking on an advertisement.

Ad Fraud & Botnets

Typically, botnets—collections of compromised devices, each often referred to as a bot, controlled by a malicious actor, a.k.a. a “bot herder”—are associated with flooding networks and applications with large volumes of traffic. But they also send large volumes of malicious spam, which is leveraged to steal banking credentials or used to conduct ad fraud.

However, operating a botnet is not cheap and operators must weigh the risks and expense of operating and maintaining a profitable botnet. Generally, a bot herder has four campaign options (DDoS attacks, spam, banking and ad fraud) with variables consisting of research and vulnerability discovery, infection rate, reinfection rate, maintenance, and consumer demand.

With regards to ad fraud, botnets can produce millions of artificially generated clicks and impressions a day, resulting in a financial profit for the operators. Two recent ad fraud campaigns highlight the effectiveness of botnets:

  • 3ve, pronounced eve, was recently taken down by White Ops, Google and the FBI. This PC-based botnet infected over a million computers and utilized tens of thousands of websites for the purpose of click fraud activities. The infected users would never see the activity conducted by the bot, as it would open a hidden browser outside the view of the user’s screen to click on specific ads for profit.
  • Mirai, an IoT-based botnet, was used to launch some of the largest recorded DDoS attacks in history. When the co-creators of Mirai were arrested, their indictments indicated that they also engaged in ad fraud with this botnet. The actors were able to conduct what is known as impression fraud by generating artificial traffic and directing it at targeted sites for profit.

The Future of Ad Fraud

Ad fraud is a major threat to advertisers, costing them millions of dollars each year. And the threat is not going away, as cyber criminals look for more profitable vectors through various chaining attacks and alteration of the current TTPs at their disposal.

As more IoT devices continue to be connected to the Internet with weak security standards and vulnerable protocols, criminals will find ways to maximize the profit of each infected device. Currently, it appears that criminals are looking to maximize their new efforts and infection rate by targeting insecure or unmaintained IoT devices with a wide variety of payloads, including those designed to mine cryptocurrencies, redirect users’ sessions to phishing pages or conduct ad fraud.

Source: https://securityboulevard.com/2019/01/ad-fraud-101-how-cybercriminals-profit-from-clicks/

FragmentSmack: How is this denial-of-service exploited?

FragmentSmack, a DDoS vulnerability first discovered in Linux, affects Windows as well as nearly 90 Cisco products. Discover how it can be exploited with Judith Myerson.

A distributed denial-of-service vulnerability called FragmentSmack enables an unauthenticated remote attacker to disable servers with a stream of fragmented IP packets that activate the vulnerability on affected systems. First discovered in Linux, and now also found in Windows, FragmentSmack affects many products, including nearly 90 from Cisco. How can this vulnerability be exploited, and how big is the threat?

FragmentSmack is a vulnerability in the IP stack that can be used to execute a distributed denial-of-service attack. The vulnerability affects Linux kernel version 3.9 or later, and it was discovered in some Cisco products by the Vulnerability Coordination team of the National Cyber Security Centre of Finland and the CERT Coordination Center. The flaw is caused by inefficient algorithms used in IP implementations to reassemble fragmented IPv4 and IPv6 packets.

An attacker using the FragmentSmack vulnerability could exploit it remotely by continuously sending crafted packets — that appear to be fragments of larger packets that need to be reassembled — to cause the system to become unresponsive, as 100% of the CPU cores will be in use.

In one scenario, an attacker could send a stream of 8-byte sized IP fragments, each starting with randomly chosen offset values, to a server. The queue of malformed IP fragments waiting for reassembly — which will never happen because the fragments are not part of any legitimate packets — increases in size until all the CPU core resources are consumed, leaving no room for other tasks the system needs to perform.

The attacker doesn’t specify what core the malformed packets are sent to and the Linux kernel automatically distributes the reassembly to different cores. While such an attack could take a server down, once the flow of malicious fragments stops, the targeted server can resume its normal function.
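To make the reassembly-queue behaviour described above concrete from the defender's side, here is an added detection example (not code from the article or from any affected vendor). It models per-datagram reassembly state the way a host's IP stack does, then flags sources whose queued, never-completed datagrams consist of tiny fragments. The fragment records, field names, thresholds and sample traffic are all constructed for this example.

```python
"""Heuristic detector for FragmentSmack-style IP fragment floods.

Tracks reassembly state per (src, dst, ip_id) datagram and flags sources
whose incomplete datagrams are made of tiny fragments that never complete,
which is the pattern the article describes (8-byte pieces, random offsets).
The Fragment record is a simplified, constructed view of a packet capture.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import random

# IP fragment offsets are expressed in 8-byte units, so every non-final
# fragment payload is a multiple of 8 bytes.
FRAG_UNIT = 8


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int           # byte offset inside the original datagram
    length: int           # payload bytes carried by this fragment
    more_fragments: bool  # IP "MF" flag; False marks the final fragment


@dataclass
class ReassemblyQueue:
    """Reassembly state for one (src, dst, ip_id) datagram."""
    fragments: list = field(default_factory=list)
    total_len: int = -1   # known only once the final fragment (MF=0) is seen

    def add(self, frag):
        self.fragments.append(frag)
        if not frag.more_fragments:
            self.total_len = frag.offset + frag.length

    def is_complete(self):
        """True when the final fragment is known and [0, total_len) is covered."""
        if self.total_len < 0:
            return False
        covered = 0
        for f in sorted(self.fragments, key=lambda f: f.offset):
            if f.offset > covered:
                return False  # gap: a piece is still missing
            covered = max(covered, f.offset + f.length)
        return covered >= self.total_len


def analyse(fragments, min_incomplete=16, tiny_payload=FRAG_UNIT):
    """Return {src: stats} for sources that look like a fragment flood."""
    queues = defaultdict(ReassemblyQueue)
    for f in fragments:
        queues[(f.src, f.dst, f.ip_id)].add(f)

    per_src = defaultdict(lambda: {"incomplete": 0, "queued_frags": 0, "queued_bytes": 0})
    for (src, _dst, _ip_id), q in queues.items():
        if q.is_complete():
            continue  # delivered to the upper layer; nothing left queued
        s = per_src[src]
        s["incomplete"] += 1
        s["queued_frags"] += len(q.fragments)
        s["queued_bytes"] += sum(f.length for f in q.fragments)

    flagged = {}
    for src, s in per_src.items():
        mean_len = s["queued_bytes"] / s["queued_frags"]
        # Many stuck datagrams built from minimum-size pieces is the signature.
        if s["incomplete"] >= min_incomplete and mean_len <= tiny_payload:
            flagged[src] = {**s, "mean_fragment_len": mean_len}
    return flagged


def sample_fragments():
    """Constructed sample: one ordinary fragmented datagram plus a flood."""
    rng = random.Random(1)
    frags = []
    # Legitimate host: a 3000-byte datagram split into MTU-sized pieces.
    for i, off in enumerate((0, 1480, 2960)):
        last = i == 2
        frags.append(Fragment("10.0.0.5", "10.0.0.1", 4242, off,
                              40 if last else 1480, not last))
    # Flood pattern from the article: 8-byte fragments at random offsets,
    # and no final fragment ever arrives, so nothing can be reassembled.
    for ip_id in range(40):
        for _ in range(10):
            off = rng.randrange(1, 8000) * FRAG_UNIT
            frags.append(Fragment("198.51.100.7", "10.0.0.1", ip_id, off, FRAG_UNIT, True))
    return frags


if __name__ == "__main__":
    for src, stats in analyse(sample_fragments()).items():
        print(src, stats)
```

In a real deployment the same per-source statistics would be computed over a sliding time window from a capture or flow feed, since a host that stops sending lets the kernel's queues drain again, as the article notes.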

Cisco’s listed vulnerable products include network and content security devices, voice and unified communications devices, and telepresence and transcoding devices.

Likewise, this threat extends to Microsoft and Red Hat. The affected Microsoft Windows systems include versions 7, 8.1 and 10, as well as all Windows Server versions. Windows 10 — 64 bit — in particular, features an optional Windows Subsystem for Linux that is vulnerable. Turning off this option doesn’t prevent the attacker from exploiting the vulnerability, however.

Vulnerable Red Hat products include Virtualization 4, Enterprise MRG, Enterprise Linux Atomic Host and Enterprise Linux versions 6, 7, Real Time 7, 7 for ARM64 and 7 for Power.

Source: https://searchsecurity.techtarget.com/answer/FragmentSmack-How-is-this-denial-of-service-exploited

DPR reports DDoS attack on the website of the national police

The website of the people’s militia department of the self-proclaimed Donetsk people’s republic was subjected to DDoS attacks, said the head of the people’s militia press service, Daniel Bezsonov.

According to him, this happened after the agency announced that Kiev was preparing a large-scale offensive in the Donbass.

“It has been established that the attack was carried out from Ukrainian and Baltic IP addresses,” the Donetsk News Agency quoted Bezsonov as saying.

In October 2016, the DPR announced that hackers from Ukraine had hacked and blocked the database of the self-proclaimed Donetsk People’s Republic pension fund, as a result of which payments to DPR residents were suspended.

Source: http://www.tellerreport.com/news/–in-the-dni-reported-on-ddos-attack-on-the-site-of-the-national-police-.BkyHtk6JE.html

Council on Foreign Relations encourages global initiative to combat botnets

A global initiative of public and private organizations is needed to eliminate botnets, according to a new paper from the Council on Foreign Relations (CFR).

The report was written by Robert Knake, senior fellow for cyber policy at CFR and senior research scientist at Northeastern University’s Global Resilience Institute, and Jason Healey, senior research scholar in the Faculty of International and Public Affairs at Columbia University.

Criminals use botnets, or groups of computers infected with malicious software, to propagate spam, send phishing emails, guess passwords, impersonate users, and break encryption, the report stated. Botnets are also used to carry out distributed denial of service (DDoS) attacks, in which the individual computers that make up the botnet send internet traffic to a target, thereby crowding out legitimate traffic.

As much as 30 percent of all internet traffic may be attributable to botnets, the report said. Many DDoS attacks are used by companies to take down their competitors’ websites or servers. China, Russia, and Iran, however, have all harnessed botnets for geopolitical purposes, according to the report.

Knake and Healey contend that government must partner with the private sector to fight this threat. As Knake explained in a recent blog post, a public-private partnership to combat botnets doesn’t have to be initiated by government agencies. Private companies may be better suited to place pressure on the actors that enable botnets to persist, he wrote.

Knake noted that most botnet takedowns had been led by private companies, such as Microsoft, which has pursued more than a dozen. Financial services firms are particularly vulnerable to them, getting hit on a daily basis with botnet-enabled fraud, Knake wrote.

A relatively small effort would help significantly reduce botnet infections, according to Knake’s post. The formation of a new organization to coordinate takedown activities would be a good place to start. A new anti-botnet organization could be used to pressure device makers, website registrars, cloud computing providers, and internet service providers (ISPs) to improve cyber hygiene.

“I can guarantee that it would only take the slightest amount of pressure from its largest customers to get Amazon to figure out a way to keep its on-demand computing platform from being botmasters’ preferred platform,” Knake wrote in his blog post on the CFR website.

The organization could also pressure device makers to prevent initial infections and make cleanup of infected devices easier.

Source: https://homelandprepnews.com/stories/31499-council-on-foreign-relations-encourages-global-initiative-to-combat-botnets/

IoT & Cybersecurity: Where we are and what needs to change

Threats are now emerging beyond home and medical devices towards IoT control systems connected to national infrastructures. It is no exaggeration to say that IoT vulnerabilities are a threat to our national and personal security – dangers brought into sharp relief by the growing weaponisation of cybersecurity on the world stage.

Cybersecurity agenda

Over the last decade, the scale of cyber attacks against global IT infrastructures has increased dramatically. The growing number of attack vectors enabled by the internet, the sophistication of the attacks, and the ‘staying power’ of the cyber gangs are all markers of how cybersecurity has become the subject of major international conflict.

The rewards of cyber crime over the last decade have been lavish and can be measured in trillions of dollars. And the size of this cyber treasure chest will only increase exponentially over the next decade.

The cyber war is an asymmetric battle. According to Carbon Black, cyber criminals are spending an estimated $1 trillion each year on finding weaknesses in the cyber defences of organisations and businesses, while the same organisations and businesses are spending a mere $96 billion per year to defend themselves against these attacks.

But it’s not always the case that these threats are created by what people in the West would call ‘rogue’ states or actors.

Militarisation of cyber attacks

The biggest single factor that has emerged in the cybersecurity landscape over the last decade is the brazen and overt participation of nation states in the battle. The size of a state’s cyber capability has now become the biggest statement of its national power and global influence.

So loud are the noises around cybersecurity that cyber-aggression appears to have bumped the threat of nuclear and biowarfare down the security agenda.

In the mid-noughties there appears to have been a joint US/Israeli project to attack Iran’s nuclear programme. A virus was created which attacked the SCADA infrastructure around this programme and thus the centrifuges which were being used to enrich uranium.

Stuxnet surfaced once activated in 2010 when it preyed upon Siemens PLCs to the extent that around a third of Iran’s centrifuges were taken out of action. This might be termed a ‘successful’ attack upon the process control layer of a large utility project.

To say that cyber warfare is preferable to weapons of mass destruction might appear an understatement. However one should at the same time be mindful of the huge impacts cyber attacks could have on energy and utility companies, upon hospitals, and upon the military apparatus and democratic institutions we take for granted. Lives can be placed at risk.

Internet of Things

The massive increase in the number of devices connected to the internet continues unabated. This year there will be in the region of 23bn connected devices. This number is projected by IHS to rise to 75bn by 2025. This huge growth presents an ever increasing ‘attack surface’ for the cyber gangs to attack.

The traditional target area for IoT cyber attacks has its origins very much in the home device front. A prime example would be the 2016 Mirai botnet attack which infected around 600,000 IoT devices. The devices affected in the main were internet routers, but connected cameras were also compromised.

Mirai wreaked havoc by launching a distributed denial of service (DDoS) attack and overwhelming the devices’ networks.

By 2018 the hackers had switched their focus to the wireless protocols which exist for smart home devices, specifically the Z-Wave wireless protocol. This year, a vulnerability was discovered which affected up to 100 million smart home devices. Burglar alarms, security cameras, and door locks could be disabled, for example, allowing thieves to enter unchecked.

Another major area of vulnerability is that of accessing an individual’s home banking systems via the ‘voice hacking’ of smart speakers.

The recent news about FreeRTOS – a real-time operating system ported to around 35 microcontroller platforms – being an easy target for hackers has further eroded confidence in the security of IoT home devices.

As well as connected domestic appliances there is growing concern about the threats to healthcare devices. There are around 100m such devices installed worldwide. From insulin pumps, to diagnostic equipment, to remote patient monitoring, the areas for potential attack are huge and life-threatening.

Industrial IoT

Cybersecurity firm Carbon Black issued its Quarterly Incident Response Threat Report in November. The report represents an analysis of the latest attack trends seen by the world’s top incident response (IR) firms.

The report found that a growing number of attacks are now taking advantage of IoT vulnerabilities. An alarming 38 percent of IR professionals saw attacks on enterprise IoT devices, which can become a point of entry to organisations’ primary networks, allowing island hopping (whereby attackers target organisations with the intention of accessing an affiliate’s network).

This latter point underscores the continuing trend of exploiting IoT devices in the enterprise domain to attack business and to move from there into other ‘supply chain’ networks in order to disrupt additional enterprise operations.

The threats emerging away from these home and medical devices towards IoT control systems connected to national infrastructures are increasing in number and truly terrifying.

Process control devices in the industrial world present vulnerabilities in our oil and gas industries, and in our water purification and power plants. A nation’s vital utility infrastructure could potentially be brought to its knees by cyber attacks against the IoT device layer.

This threat isn’t new, although comparatively rare in the past. The Industroyer (Crashoverride) malware framework took out approximately one fifth of Kiev’s power for one hour in December 2015. A number of other different malware attacks targeted against industrial control systems in energy plants have also been discovered in the last few years.

It is now well understood that nation states such as Russia, China and North Korea have been probing other nations’ power generation facilities with a view to potential future hacks. The dangers are well understood by many governments but as of yet these vital infrastructure areas are still massively vulnerable to attack.

Understanding the risks

Only recently, Ciaran Martin, head of the UK’s National Cyber Security Centre (the NCSC) gave an apocalyptic warning about cyber threats to the UK. Martin said that Britain will be hit by a life-threatening ‘category 1’ cyber emergency in the near future.

Similar warnings have been coming out of the US recently, and President Trump’s National Cyber Strategy outlined the same types of threats against US infrastructure. Trump has constantly talked about the threats to US Power Grids – primarily again via the IoT layer – and it’s an area of deep concern for the Federal Government.

In the last month, Trump has been offering to share cyber attack and defence capabilities with NATO allies at the same time as UN calls for an ‘amnesty’ in the use of cyber attacks against critical infrastructures.

But at the business level the understanding of cyber risks is patchy. British business is predominantly uneducated and complacent when it comes to the risks posed by cyber threats and the vulnerability of IoT devices wherever they might be on their network.

Who is responsible?

In the IoT domain for both home and enterprise devices we need secure device design and manufacture, secure deployment, and secure onward protection.

It is the device manufacturer’s responsibility to ensure that IoT devices are delivered free of malware or rogue components. They also have a responsibility to ensure that default passwords cannot be used in a live environment and that system software can be patched and updated going forward as new threats are understood.

But there is a dual responsibility between device supplier and the end user. Users of these devices in public sector organisations and business enterprises also have a responsibility to ensure that this layer of their IT infrastructure is of itself secure and that it cannot be compromised by weaknesses in other layers of their own cyber defence, or by malware which might be passed on through their supply chain, i.e. ‘island hopping.’

The role of businesses

Starting with the boardroom, businesses must enact a top-down approach to avoid backlash from the market. All companies should be aware that their cybersecurity will be subject to considerable public scrutiny when things go wrong. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

News published in early November told us that Facebook had lost 1m users in Europe in the last couple of months after its highly publicised breaches, and we can expect them to lose more user share going forward.

In the home IoT market, consumer confidence is key. If any particular brand of fridge, TV, baby alarm, speaker, or burglar alarm were exposed as the source of attacks, consumers would vote with their wallets.

A recent survey conducted by Opinium in the UK showed that businesses which were breached or caused other businesses to be breached would experience repercussions from other businesses.

One in five businesses would take legal action to recover financial losses incurred from a breach as a result of a supplier’s negligence, and a similar number would use the incident to negotiate a further discount. Just three percent of businesses said they would take no action.

The survey also showed that victims of cybercrime could find it more difficult to attract new customers, with 35 percent of the business leaders questioned saying they would not work with a supplier they thought would make them more vulnerable to cybercrime. Just over a quarter said they would avoid using a company that had been publicly associated with a major cybersecurity breach.

Shareholders tend to react when market share is impacted, when the brand of a company is trashed in the market, or when a CEO’s position is undermined by high profile incidents.

CEOs and senior executives have been put on notice that the buck stops with the boardroom. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

Regulatory headwinds

Although only guidelines, the UK has made an admirable headstart towards IoT regulation with its recently released ‘secure by design’ guidelines.

The code – which the government claims is a ‘world first’ – has 13 guidelines, to ensure connected items are ‘secure by design’. It is long overdue and needs to be replicated by other countries.

The guidelines include: no default passwords; a vulnerability disclosure policy; pushed software updates; the secure storage of credentials and security-sensitive data; encrypted in transit communications and secure key management; resilience to outages; monitoring of telemetry data; and making it easy for users to delete personal data from any device.

The code of practice is designed with the home device market in mind. However, the guidelines can have a strong influence on the move towards industrial IoT regulatory requirements too.

In this latter scenario, primary responsibility would pass more towards the implementer or the end user of the industrial control technology.

It’s remarkable that these guidelines took so long to surface given the UK’s long history of consumer protection.

Similarly, the EU has a history of tackling technology giants who impinge on the privacy of individuals (GDPR being the latest culmination), so it’s surprising that a similar code of practice hasn’t emerged from Brussels yet. We can only assume that regulations are ‘in the pipeline.’

As for the IoT layer in the enterprise domain, the IIoT, expect a lot of focus to be driven by governments anxious to protect core businesses and infrastructure. Oil, gas, power generation, aviation and water industries are all highly dependent on IoT to run their businesses effectively.

These are obviously all vulnerable right now. It’s clear that notice has been given by aggressor states that these infrastructures are eminently hackable. It seems to me that the only thing stopping significant disruption is fear of reprisals.

Take The Sunday Times report in October that claimed British military forces had practised a cyber attack that would ‘plunge Moscow into darkness.’ This attack would be an immediate response if Putin’s forces were to move against the West.

Britain no longer possesses small battlefield nuclear weapons – in the eyes of the UK government and many others, cyberweapons have become the most effective military deterrent.

Source: https://thestack.com/iot/2018/11/22/iot-cybersecurity-where-we-are-and-what-needs-to-change/

Bots on a plane? Bad bots cause unique cybersecurity issues for airlines

While bots are a common tool of cybercriminals for carrying out DDoS attacks and mining cryptocurrencies, a recent report found they may also be indirectly increasing the price of your airline tickets.

Distil Research Lab’s threat report, “How Bots Affect Airlines,” found the airline industry has unique cybersecurity challenges when dealing with bad bots, which make up 43.9 percent of traffic on airline websites, mobile apps, and APIs. That is more than double the average across all industries, where bad bots account for only 21.8 percent of traffic.

One European airline saw a whopping 94.58 percent of its traffic from bad bots, according to the report which analyzed 7.4 billion requests from 180 domains from 100 airlines internationally.

Cybercriminals launch bots to compromise loyalty rewards programs, steal credentials, steal payment information, steal personal information, carry out credit card fraud, and to launch credential stuffing attacks.

When threat actors infiltrate loyalty programs, they can shake customer confidence to the point where customers no longer use the airline.

“Once a customer has been locked out of their account by a criminal changing their password, the airline has a customer service problem to solve,” the report said. “The forensics to investigate what happened inside the account is time consuming and costly.”

Researchers added that the costs of reimbursements for the damages are also a negative impact of these bad bots.

The only industry which had a worse bot problem was the gambling industry with an average of 53.08 percent of its traffic coming from bad bots.

These malicious bots are working around the clock in the airline industry as their activity appears consistent every day throughout the week except Friday when there is a peak in traffic. The majority of the traffic comes from the USA as it’s responsible for 25.58 percent of bad bot traffic worldwide, followed by Singapore in second place with 15.21 percent, and China in third with 11.51 percent.

Researchers also learned that on nearly 30 percent of the domains they reviewed, bad bots accounted for more than half of all traffic, and that 48.87 percent of bad bots reportedly used Chrome as their user agent.

Not all bots are evil, however. Some are used by travel aggregators such as Kayak and other online travel agencies to scrape prices and flight information, or even by competing airlines looking to gather up-to-the-minute market intelligence, but even these can cause hassles.

Some unauthorized online travel agencies (OTAs), however, may use bots to scrape prices and flight information, seeking to gather ‘free’ information from the airline rather than paying the associated fees under a commercial arrangement that would require a service level agreement, researchers said in the report.

To combat bad bots, researchers recommend that airlines block or CAPTCHA outdated user agents and browsers, block known hosting providers and proxy servers that host malicious activity, block all access points, investigate traffic spikes, monitor failed login attempts, and pay attention to public data breaches.
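As an added illustration of two of these recommendations (flagging outdated or non-browser user agents and monitoring failed login attempts), the following triage script runs over a handful of constructed web-server log lines in combined log format. It is example code written for this digest, not from Distil or any airline; the Chrome version cut-off and the failed-login threshold are assumed policy values, and the IP addresses and requests are made up.

```python
import re
from collections import Counter

# Constructed sample requests in combined log format; not real airline traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2018:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
203.0.113.5 - - [01/Nov/2018:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
203.0.113.5 - - [01/Nov/2018:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
198.51.100.9 - - [01/Nov/2018:10:00:05 +0000] "GET /flights?from=LHR&to=JFK HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
198.51.100.9 - - [01/Nov/2018:10:00:09 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
192.0.2.77 - - [01/Nov/2018:10:00:10 +0000] "GET /flights?from=SIN&to=SFO HTTP/1.1" 200 8192 "-" "python-requests/2.19.1"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Assumed policy values: Chrome majors below this count as outdated, and this
# many 401s on /login from one IP within the sample window is suspicious.
MIN_CHROME_MAJOR = 60
FAILED_LOGIN_THRESHOLD = 3

def parse(log_text):
    """Yield (ip, method, path, status, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status, ua = m.groups()
            yield ip, method, path, int(status), ua

def is_outdated_browser(ua):
    """True for a Chrome user agent whose major version is below the policy minimum."""
    m = re.search(r"Chrome/(\d+)\.", ua)
    return bool(m) and int(m.group(1)) < MIN_CHROME_MAJOR

def is_non_browser(ua):
    """True when the user agent does not even claim to be a browser (scripted client)."""
    return not ua.startswith("Mozilla/")

def triage(log_text):
    """Group source IPs by the reason they were flagged; returns a dict of sets."""
    outdated, scripted, failed = set(), set(), Counter()
    for ip, method, path, status, ua in parse(log_text):
        if is_outdated_browser(ua):
            outdated.add(ip)
        if is_non_browser(ua):
            scripted.add(ip)
        if method == "POST" and path == "/login" and status == 401:
            failed[ip] += 1
    bursts = {ip for ip, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD}
    return {"outdated_ua": outdated, "non_browser_ua": scripted, "login_bursts": bursts}
```

Calling `triage(SAMPLE_LOG)` flags 203.0.113.5 for both the outdated Chrome 41 user agent and the burst of failed logins, and 192.0.2.77 for the scripted client, while the legitimate Chrome 70 session is left alone; in production the flagged sets would feed a CAPTCHA or rate-limit decision rather than an outright block.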

Source: https://www.scmagazine.com/home/security-news/bots-on-a-plane-bad-bots-cause-unique-cybersecurity-issues-for-airlines/