In the DNI reported on DDoS-attack on the site of the national police

The website of the people’s militia department of the self-proclaimed Donetsk people’s republic was subjected to DDoS attacks, said the head of the people’s militia press service, Daniel Bezsonov.

According to him, this happened after the agency announced that Kiev was preparing a large-scale offensive in the Donbass.

“It has been established that the attack was carried out from the Ukrainian and Baltic IP addresses,” Betsonov quoted the Donetsk News Agency.

In October 2016, the DPR announced that hackers from Ukraine had hacked and blocked the database of the self-proclaimed Donetsk People’s Republic pension fund, as a result of which payments to DPR residents were suspended.

Source: http://www.tellerreport.com/news/–in-the-dni-reported-on-ddos-attack-on-the-site-of-the-national-police-.BkyHtk6JE.html

Council on Foreign Relations encourages global initiative to combat botnets

A global initiative of public and private organizations is needed to eliminate computer-effecting botnets, according to a new paper from the Council on Foreign Relations (CFR).

The report was written by Robert Knake, senior fellow for cyber policy at CFR and senior research scientist at Northeastern University’s Global Resilience Institute, and Jason Healey, senior research scholar in the Faculty of International and Public Affairs at Columbia University.

Criminals use botnets, or groups of computers infected with malicious software, to propagate spam, send phishing emails, guess passwords, impersonate users, and break the encryption, the report stated. Botnets are also used to carry out distributed denial of service (DDoS) attacks. DDoS attacks result in individual computers that make up the botnet to send internet traffic to a target, thereby blocking legitimate traffic.

As much as 30 percent of all internet traffic may be attributable to botnets, the report said. Many DDoS attacks are used by companies to take down their competitors’ websites or servers. China, Russia, and Iran, however, have all harnessed botnets for geopolitical purposes, according to the report.

Knake and Healey contend that government must partner with the private sector to fight this threat. As Knake explained in a recent blog post, a public-private partnership to combat botnets doesn’t have to be initiated by government agencies. Private companies may be better suited to place pressure on the actors that enable botnets to persist, he wrote.

Knake noted that most botnet takedowns had been led by private companies, such as Microsoft, which has pursued more than a dozen. Financial services firms are particularly vulnerable to them, getting hit on a daily basis with botnet-enabled fraud, Knake wrote.

A relatively small effort would help significantly reduce botnet infections, according to Knake’s post. The formation of a new organization to coordinate takedown activities would be a good place to start. A new anti-botnet organization could be used to pressure device makers, website registrars, cloud computing providers, and internet service providers (ISPs) to improve cyber hygiene.

“I can guarantee that it would only take the slightest amount of pressure from its largest customers to get Amazon to figure out a way to keep its on-demand computing platform from being botmasters’ preferred platform,” Knake wrote in his blog post on the CFR website.

The organization could also pressure device makers to prevent initial infections and make cleanup of infected devices easier.

Source: https://homelandprepnews.com/stories/31499-council-on-foreign-relations-encourages-global-initiative-to-combat-botnets/

IoT & Cybersecurity: Where we are and what needs to change

Threats are now emerging beyond home and medical devices towards IoT control systems connected to national infrastructures. It is no exaggeration to say that IoT vulnerabilities are a threat to our national and personal security – dangers brought into sharp relief by the growing weaponisation of cybersecurity on the world stage

Cybersecurity agenda

Over the last decade, the scale of cyber attacks have increased dramatically and there has been a huge increase in the scale of cyber attacks against global IT infrastructures. The increase in the number of attack vectors enabled by the internet, the level of sophistication of the attacks, the ‘staying power’ of the cyber gangs, are all markers of how cybersecurity has become the subject of major international conflict.

The rewards of cyber crime over the last decade have been lavish and can be measured in trillions of dollars. And the size of this cyber treasure chest will only increase exponentially over the next decade.

The cyber war is an asymmetric battle. According to Carbon Black, cyber criminals are spending an estimated $1 trillion each year on finding weaknesses in the cyber defences of organisations and businesses, while the same organisations and businesses are spending a mere $96 billion per year to defend themselves against these attacks.

But it’s not always the case that these threats are created by what people in the West would call ‘rogue’ states or actors.

Militarisation of cyber attacks

The biggest single factor that has emerged in the cybersecurity landscape over the last decade is the brazen and overt participation of nation states in the battle. The size of a state’s cyber capability has now become the biggest statement of its national power and global influence.

So loud are the noises around cybersecurity that cyber-aggression appears to have bumped the threat of nuclear and biowarfare down the security agenda.

In the mid-noughties there appears to have been a joint US/Israeli project to attack Iran’s nuclear programme. A virus was created which attacked the SCADA infrastructure around this programme and thus the centrifuges which were being used to enrich uranium.

Stuxnet surfaced once activated in 2010 when it preyed upon Siemens PLCs to the extent that around a third of Iran’s centrifuges were taken out of action. This might be termed a ‘successful’ attack upon the process control layer of a large utility project.

To say that cyber warfare is preferable to weapons of mass destruction might appear an understatement. However one should at the same time be mindful of the huge impacts cyber attacks could have on energy and utility companies, upon hospitals, and upon the military apparatus and democratic institutions we take for granted. Lives can be placed at risk.

Internet of Things

The massive increase in the number of devices connected to the internet continues unabated. This year there will be in the region of 23bn connected devices. This number is projected by IHS to rise to 75bn by 2025. This huge growth presents an ever increasing ‘attack surface’ for the cyber gangs to attack.

The traditional target area for IoT cyber attacks has its origins very much in the home device front. A prime example would be the 2016 Mirai botnet attack which infected around 600,000 IoT devices. The devices affected in the main were internet routers, but connected cameras were also compromised.

Mirai wreaked havoc by launching a distributed denial of service (DDoS) attack and overwhelming the devices’ networks.

By 2018 the hackers had switched their focus to the wireless protocols which exist for smart home devices, specifically the Z-Wave wireless protocol. This year, a vulnerability was discovered which affected up to 100 million smart home devices. Burglar alarms, security cameras, and door locks could be disabled, for example, allowing thieves to enter unchecked.

Another major area of vulnerability is that of accessing an individual’s home banking systems via the ‘voice hacking’ of smart speakers.

The recent news about FreeRTOS – a real-time operating system ported to around 35 microcontroller platforms – being an easy target for hackers has further eroded confidence in the security of IoT home devices.

As well as connected domestic appliances there is growing concern about the threats to healthcare devices. There are around 100m such devices installed worldwide. From insulin pumps, to diagnostic equipment, to remote patient monitoring, the areas for potential attack are huge and life-threatening.

Industrial IoT

Cybersecurity firm Carbon Black issued its Quarterly Incident Response Threat Report in November. The report represents an analysis of the latest attack trends seen by the world’s top incident response (IR) firms.

The report found that a growing number of attacks are now taking advantage of IoT vulnerabilities. An alarming 38 percent of IR professionals saw attacks on enterprise IoT devices, which can become a point of entry to organisations’ primary networks, allowing island hopping (whereby attackers target organisations with the intention of accessing an affiliate’s network).

This latter point underscores the continuing trend of exploiting IoT devices in the enterprise domain to attack business and to move from there into other ‘supply chain’ networks in order to disrupt additional enterprise operations.

The threats emerging away from these home and medical devices towards IoT control systems connected to national infrastructures are increasing in number and truly terrifying.

Process control devices in the industrial world present vulnerabilities in our oil and gas industries, and in our water purification and power plants. A nation’s vital utility infrastructure could potentially be brought to its knees by cyber attacks against the IoT device layer.

This threat isn’t new, although comparatively rare in the past. The Industroyer (Crashoverride) malware framework took out approximately one fifth of Kiev’s power for one hour in December 2015. A number of other different malware attacks targeted against industrial control systems in energy plants have also been discovered in the last few years.

It is now well understood that nation states such as Russia, China and North Korea have been probing other nations’ power generation facilities with a view to potential future hacks. The dangers are well understood by many governments but as of yet these vital infrastructure areas are still massively vulnerable to attack.

Understanding the risks

Only recently, Ciaran Martin, head of the UK’s National Cyber Security Centre (the NCSC) gave an apocalyptic warning about cyber threats to the UK. Martin said that Britain will be hit by a life-threatening ‘category 1’ cyber emergency in the near future.

Similar warnings have been coming out of the US recently, and President Trump’s National Cyber Strategy outlined the same types of threats against US infrastructure. Trump has constantly talked about the threats to US Power Grids – primarily again via the IoT layer – and it’s an area of deep concern for the Federal Government.

In the last month, Trump has been offering to share cyber attack and defence capabilities with NATO allies at the same time as UN calls for an ‘amnesty’ in the use of cyber attacks against critical infrastructures.

But at the business level the understanding of cyber risks is patchy. British business is predominantly uneducated and complacent when it comes to the risks posed by cyber threats and the vulnerability of IoT devices wherever they might be on their network.

Who is responsible?

In the IoT domain for both home and enterprise devices we need secure device design and manufacture, secure deployment, and secure onward protection.

It is the device manufacturer’s responsibility that IoT devices are delivered uninfected with malware, or rogue components. They have a responsibility to ensure that default passwords cannot be implemented in a live environment and to ensure that system software is able to be patched and updated going forward as new threats are understood.

But there is a dual responsibility between device supplier and the end user. Users of these devices in public sector organisations and business enterprises also have a responsibility to ensure that this layer of their IT infrastructure is of itself secure and that it cannot be compromised by weaknesses in other layers of their own cyber defence, or by malware which might be passed on through their supply chain, i.e. ‘island hopping.’

The role of businesses

Starting with the boardroom, businesses must enact a top-down approach to avoid backlash from the market. All companies should be aware that their cybersecurity will be subject to considerable public scrutiny when things go wrong. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

News published in early November told us that Facebook had lost 1m users in Europe in the last couple of months after its highly publicised breaches, and we can expect them to lose more user share going forward.

In the home IoT market, consumer confidence is key. If any particular brand of fridge, TV, baby alarm, speaker, or burglar alarm was exposed as being the source of attacks, consumers will vote with their wallets.

A recent survey conducted by Opinium in the UK showed that businesses which were breached or caused other businesses to be breached would experience repercussions from other businesses.

One in five businesses would take legal action to recover financial losses incurred from a breach as a result of a supplier’s negligence, and a similar number would use the incident to negotiate a further discount. Just three percent of businesses said they would take no action.

The survey also showed that victims of cybercrime could find it more difficult to attract new customers, with 35 percent of the business leaders questioned saying they would not work with a supplier they thought would make them more vulnerable to cybercrime. Just over a quarter said they would avoid using a company that had been publicly associated with a major cybersecurity breach.

Shareholders tend to react when market share is impacted, when the brand of a company is trashed in the market, or when a CEO’s position is undermined by high profile incidents.

CEOs and senior executives have been put on notice that the buck stops with the boardroom. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

Regulatory headwinds

Although only guidelines, the UK has made an admirable headstart towards IoT regulation with its recently released ‘secure by design’ guidelines.

The code – which the government claims is a ‘world first’ – has 13 guidelines, to ensure connected items are ‘secure by design’. It is long overdue and needs to be replicated by other countries.

The guidelines include: no default passwords; a vulnerability disclosure policy; pushed software updates; the secure storage of credentials and security-sensitive data; encrypted in transit communications and secure key management; resilience to outages; monitoring of telemetry data; and making it easy for users to delete personal data from any device.

The code of practice is designed with the home device market in mind. However, the guidelines can have a strong influence on the move towards industrial IoT regulatory requirements too.

In this latter scenario, primary responsibility would pass more towards the implementer or the end user of the industrial control technology.

It’s remarkable that these guidelines took so long to surface given the UK’s long history of consumer protection.

Similarly, the EU has a history of tackling technology giants who impinge on the privacy of individuals (GDPR being the latest culmination), so it’s surprising that a similar code of practice hasn’t emerged from Brussels yet. We can only assume that regulations are ‘in the pipeline.’

As for the IoT layer in the enterprise domain, the IIoT, expect a lot of focus to be driven by governments anxious to protect core businesses and infrastructure. Oil, gas, power generation, aviation and water industries are all highly dependent on IoT to run their businesses effectively.

These are obviously all vulnerable right now. It’s clear that notice has been given by aggressor states that these infrastructures are eminently hackable. It seems to me that the only thing stopping significant disruption is fear of reprisals.

Take The Sunday Times report in October that claimed British military forces had practised a cyber attack that would ‘plunge Moscow into darkness.’ This attack would be an immediate response if Putin’s forces were to move against the West.

Britain no longer possesses small battlefield nuclear weapons – in the eyes of the UK government and many others, cyberweapons have become the most effective military deterrent.

Source: https://thestack.com/iot/2018/11/22/iot-cybersecurity-where-we-are-and-what-needs-to-change/

Bots on a plane? Bad bots cause unique cybersecurity issues for airlines

While bots are a common tool of cybercriminals for carrying out DDoS attacks and mining cryptocurrencies, a recent report found they may also be indirectly increasing the price of your airline tickets.

Distil Research Lab’s Threat report, “How Bots Affect Airlines,” found the airline industry has unique cybersecurity challenges when dealing with bad bots, which comprise 43.9 percent of traffic on airlines websites, mobile apps, and APIs, which is more than double the average bad bot traffic across all industries in which only make up an average of 21.8 percent.

One European airline saw a whopping 94.58 percent of its traffic from bad bots, according to the report which analyzed 7.4 billion requests from 180 domains from 100 airlines internationally.

Cybercriminals launch bots to compromise loyalty rewards programs, steal credentials, steal payment information, steal personal information, carry out credit card fraud, and to launch credential stuffing attacks.

When threat actors infiltrates loyalty programs they can potentially shake customer confidence to the point where they no longer use the airlines.

“Once a customer has been locked out of their account by a criminal changing their password, the airline has a customer service problem to solve,” the report said. “The forensics to investigate what happened inside the account is time consuming and costly.”

Researchers added that the costs of reimbursements for the damages are also a negative impact of these bad bots.

The only industry which had a worse bot problem was the gambling industry with an average of 53.08 percent of its traffic coming from bad bots.

These malicious bots are working around the clock in the airline industry as their activity appears consistent every day throughout the week except Friday when there is a peak in traffic. The majority of the traffic comes from the USA as it’s responsible for 25.58 percent of bad bot traffic worldwide, followed by Singapore in second place with 15.21 percent, and China in third with 11.51 percent.

Researchers also learned that of the nearly 30 percent of the domains they reviewed, bad bots encompassed more than half of all traffic with 48.87 of bad bots reportedly using Chrome as their users’ agent.

Not all bots are evil however, some of the bots are used by travel aggregators such as Kayak and other online travel agencies to scrape prices and flight information or even competitive Airlines looking to gather up-to-the-minute market intelligence but even these can hassles.

Some of these unauthorized (OTAs) however may use bots to scrape prices and flight information seeking to gather ‘free’ information from the airline rather than pay for any associated fees by entering into any commercial arrangement requiring a service level agreement, researchers said in the report.

To combat the bad bots, researchers recommend airlines block or CAPTCHA outdated user agents/browsers, block known hosting providers and proxy servers which host malicious activity, block all access points, investigate traffic spikes, monitor failed login attempts, and pay attention to public data breaches.

Source: https://www.scmagazine.com/home/security-news/bots-on-a-plane-bad-bots-cause-unique-cybersecurity-issues-for-airlines/

How to secure your online business from cyber threats?

Ecommerce revenue worldwide amounts to more than 1.7 trillion US dollars, in the year 2018 alone. And the growth is expected to increase furthermore.

However, with growth comes new challenges. One such problem is cybersecurity. In 2017, there were more than 88 million attacks on eCommerce businesses. And a significant portion includes small businesses.

Moreover, online businesses take a lot of days to recover from the attacks. Some businesses completely shut down due to the aftermath of the security breaches.

So, if you are a small business, it is essential to ensure the safety and security of your eCommerce site. Else, the risks pose a potential threat to your online business.

Here we discuss some basics to ensure proper security to your eCommerce site.

Add an SSL certificate

An SSL Certificate ensures that the browser displays a green padlock or in a way shows to the site visitors that they are safe; and that their data is protected with encryption during the transmission.

To enable or enforce an SSL certificate on your site, you should enable HTTPS—secured version of HyperText Transfer Protocol (HTTP)—across your website.

In general, HTTP is the protocol web browsers use to display web pages.

So, HTTPS and SSL certificates work hand in hand. Moreover, one is useless without the other.

However, you have to buy an SSL certificate that suits your needs. Buying a wrong SSL certificate would do no good for you.

Several types of SSL certificates are available based on the functionality, validation type, and features.

Some common SSL certificates based on the type of verification required are:

  1. Domain Validation SSL Certificate: This SSL certificate is issued after validating the ownership of the domain name.
  2. Organization Validation SSL Certificate: This SSL certificate additionally requires you to verify your business organization. The added benefit is it gives the site visitors or users some more confidence. Moreover, small online businesses should ideally opt for this type of SSL certificate.
  3. Extended Validation SSL Certificate: Well, this type of SSL certificate requires you to undergo more rigorous checks. But when someone visits your website, the address bar in the browser displays your brand name. It indicates users that you’re thoroughly vetted and highly trustworthy.

Here are some SSL certificate types based on the features and functionality.

  1. Single Domain SSL Certificate: This SSL certificate can be used with one and only one domain name.
  2. Wildcard SSL Certificate: This SSL certificate covers the primary and all the associated subdomains.
    Every subdomain along with the primary domain example.com will be covered under a single wildcard SSL certificate.
  3. Multi-Domain SSL Certificate: One single SSL certificate can cover multiple primary domains. The maximum number of domains covered depends on the SSL certificate vendor your purchase the certificate from. Typically, a Multi-Domain SSL Certificate can support up to 200 domain names.

Nowadays, making your business site secure with SSL certificate is a must. Otherwise, Google will punish you. Yes, Google ranks sites with HTTPS better than sites using no security.

However, if you are processing online payments on your site, then SSL security is essential. Otherwise, bad actors will misuse your customer information such as credit card details, eventually leading to identity theft and fraudulent activities.

Use a firewall

In general, a firewall monitors incoming and outgoing traffic on your servers, and it helps you to block certain types of traffic—which may pose a threat—from interacting or compromising your website servers.

Firewalls are available in both virtual and physical variants. And it depends on the type of environment you have in order to go with a specific firewall type.

Many eCommerce sites use something called a Web Application Firewall (WAF).

On top of a typical network firewall, a WAF gives more security to a business site. And it can safeguard your website from various types of known security attacks.

So, putting up a basic firewall is essential. Moreover, using a Web Application Firewall (WAF) is really up to the complexity of the website or application you have put up.

Protect your site from DDoS attacks

A type of attack used to bring your site down by sending huge amounts of traffic is nothing but denial-of-service-attack. In this attack, your site will be bombarded with spam requests in a volume that your website can’t handle. And the site eventually goes down, putting a service disruption to the normal/legitimate users.

However, it is easy to identify a denial-of-service-request, because too many requests come from only one source. And by blocking that source using a Firewall, you can defend your business site.

However, hackers have become smart and highly intelligent. They usually compromise various servers or user computers across the globe. And using those compromised sources, hackers will send massive amounts of requests. This type of advanced denial-of-service attack is known as distributed-denial-of-service-attack. Or simply put a DDoS attack.

When your site is attacked using DDoS, a common Firewall is not enough; because a firewall can only defend you from bad or malicious requests. But in DDoS, all requests can be good by the definition of the Firewall, but they overwhelm your website servers.

Some advanced Web Application Firewalls (WAF) can help you mitigate the risks of DDoS attacks.

Also, Internet Service Providers (ISPs) can detect them and stop the attacks from hitting your website servers. So, contact your ISP and get help from them on how they can protect your site from DDoS attacks.

If you need a fast and straightforward way to secure your website from distributed-denial-of-service attacks, services like Cloud Secure from Webscale Networks is a great option.

In the end, it is better to have strategies in place to mitigate DDoS attacks. Otherwise, your business site may go down and can damage your reputation—which is quite crucial in the eCommerce world.

Get malware protection

A Malware is a computer program that can infect your website and can do malicious activities on your servers.

If your site is affected by Malware, there are a number of dangers your site can run into. Or, the user data stored on your servers might get compromised.

So, scanning your website regularly for malware detection is essential. Symantec Corporation provides malware scanning and removal tools. These tools can help your site stay safe from various kinds of malware.

Encrypt data

If you are storing any user or business related data, it is best to store the data in encrypted form, on your servers.

If the data is not encrypted, and when there is a data breach, a hacker can easily use the data—which may include confidential information like credit card details, social security number, etc. But when the data is encrypted, it is much hard to misuse as the hacker needs to gain access to the decryption key.

However, you can use a tokenization system. In which, the sensitive information is replaced with a non-sensitive data called token.

When tokenization implemented, it renders the stolen data useless. Because the hacker cannot access the Tokenization system, which is the only component that can give access to sensitive information. Anyhow, your tokenization system should be implemented and isolated properly.

Use strong passwords

Use strong passwords that are at least 15 character length for your sites’ admin logins. And when you are remotely accessing your servers, use SSH key-based logins wherever possible. SSH key-based logins are proven to be more secure than password-based logins.

Not only you, urge your site users and customers to use strong password combinations. Moreover, remind them to change their password frequently. Plus, notify them about any phishing scams happening on your online business name.

For example, bad actors might send emails to your customers giving lucrative offers. And when a user clicks on the email, he will be redirected to a site that looks like yours, but it is a phishing site. And when payment details are entered, the bad actor takes advantage and commits fraudulent activities with the stolen payment info.

So, it is important to notify your user base about phishing scams and make your customers knowledgeable about cybersecurity.

Avoid public Wi-Fi networks

When you are working on your business site or logging into your servers, avoid public wifi networks. Often, these networks are poorly maintained on the security front. And they can become potential holes for password leaks.

However, public wifi networks can be speedy. So, when you cannot avoid using a public wifi network, use VPN services like ProtonVPN, CyberGhost VPN, TunnelBear VPN, etc, to mitigate the potential risks.

Keep your software update

To run an online business, you have to use various software components, from server OS to application middleware and frameworks.

Ensure that all these components are kept up to date timely and apply the patches as soon as they are available. Often these patches include performance improvements and security updates.

Some business owners might feel that this is a tedious process. But remember, one successful cyber attack has the potential to push you out of business for several days, if not entirely.

Conclusion

In this 21st century, web technology is growing and changing rapidly. So do the hackers from the IT underworld.

The steps mentioned above are necessary. But we cannot guarantee that they are sufficient. Moreover, each business case is different. You always have to keep yourself up to date. And it would help if you took care of your online business security from time to time. Failing which can make your business site a victim of cyber attacks.

Source: https://londonlovesbusiness.com/how-to-secure-your-online-business-from-cyber-threats/

Over third of large Dutch firms hit by cyberattack in 2016 – CBS

Large companies are hit by cyberattacks at an above average rate, according to the Cybersecurity Monitor of Dutch statistics bureau CBS for 2018. Among companies of 250+ employees, 39 percent were hit at least once by a cyberattack in 2016, such as a hack or DDoS attack. By contrast, around 9 percent of small companies (2-10 employees) were confronted with such an ICT incident.

Of the larger companies, 23 percent suffered from failure of business processes due to the outside cyberattacks. This compares to 6 percent for the smaller companies. Of all ICT incidents, failures were most common, for all sizes, though again, the larger companies were more affected (55%) than the smaller ones (21%). The incidents led to costs for both groups of companies.

Chance of incident bigger at large company

CBS noted that ICT incidents can arise from both from an outside attack and from an internal cause, such as incorrectly installed software or hardware or from the unintentional disclosure of data by an employee. The fact that larger companies suffer more from ICT incidents can be related to the fact that more people work with computers; this increases the chance of incidents. In addition, larger companies often have a more complex ICT infrastructure, which can cause more problems.

The number of ICT incidents also varies per industry. For example, small businesses in the ICT sector (12%) and industry (10%) often suffer from ICT incidents due to external attacks. Small companies in the hospitality sector (6%) and health and welfare care (5%) were less often confronted with cyberattacks.

Internal cause more common at smaller companies

Compared to larger companies, ICT incidents at small companies more often have an internal cause: 2 out 3, compared to 2 out of 5 for larger companies. ICT incidents at small companies in health and welfare care most often had an internal cause (84%). In the ICT sector, this share was 60 percent.

About 7 percent of companies with an ICT incident report them to one or more authorities, including police, the Dutch Data Protection Authority AP, a security team or their bank. The largest companies report ICT incidents much more often (41%) than the smallest companies (6%). Large companies report these ICT incidents most frequently to the AP, complying with law. After that, most reports are made to the police. The smallest companies report incidents most often to their bank.

Smaller: less safe

Small businesses are less often confronted with ICT incidents and, in comparison with large companies, take fewer security measures. Around 60 percent of small companies take three or more measures. This goes to 98 percent for larger companies.

Source: https://www.telecompaper.com/news/over-third-39-of-large-dutch-firms-hit-by-cyberattack-in-2016-cbs–1265851

The FBI Is Investigating More Cyberattacks in a California Congressional Race

The hacks — first reported by Rolling Stone — targeted a Democratic candidate in one of the country’s most competitive primary races

WASHINGTON — The FBI has opened an investigation into cyberattacks that targeted a Democratic candidate in a highly competitive congressional primary in southern California.

As Rolling Stone first reported in September, Democrat Bryan Caforio was the victim of what cybersecurity experts believe were distributed denial of service, or DDoS, attacks. The hacks crashed his campaign website on four separate occasions over a five-week span, including several hours before the biggest debate of the primary race and a week before the election itself, according to emails and other forensic data reviewed by Rolling Stone. They were the first reported instances of DDoS attacks on a congressional candidate in 2018.
Caforio was running in the 25th congressional district represented by Republican Rep. Steve Knight, a vulnerable incumbent and a top target of the Democratic Party. Caforio ultimately finished third in the June primary, failing to move on to the general election by several thousand votes.

“I’m glad the FBI has now launched an investigation into the hack,” Caforio tells Rolling Stone in a statement. “These attacks put our democracy at risk, and they’ll keep happening until we take them seriously and start to punish those responsible.”

It was unclear from the campaign’s data who launched the attacks. But in early October, a few weeks after Rolling Stone’s report, Caforio says an FBI special agent based in southern California contacted one of his former campaign staffers about the DDoS attacks. The FBI has since spoken with several people who worked on the campaign, requested forensic data in connection with the attacks and tasked several specialists with investigating what happened, according to a source close to the campaign.

According to the source, the FBI has expressed interest in several details of the DDoS attacks. The bureau asked about data showing that servers run by Amazon Web Services, the tech arm of the online retail giant, appear to have been used to carry out the attacks. The FBI employees also seemed to focus on the last of the four attacks on Caforio’s website, the one that came a week before the primary election.

An FBI spokeswoman declined to comment for this story.

A DDoS attack occurs when a flood of online traffic coming from multiple sources intentionally overwhelms a website and cripples it. The cybersecurity company Cloudflare compares DDoS to “a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.” Such attacks are becoming more common in American elections and civic life, according to experts who monitor and study cyberattacks. “DDoS attacks are being used to silence political speech and voters’ access to the information they need,” George Conard, a product manager at Jigsaw, a Google spin-off organization, wrote in May. “Political parties, campaigns and organizations are a growing target.”

Matthew Prince, the CEO of Cloudflare, told Rolling Stone last month that his company had noticed an increase in such attacks after 2016 and the successful Russian operations on U.S. soil.

“Our thesis is that, prior to 2016, U.S.-style democracy was seen as the shining city on the hill. The same things you could do to undermine a developing democracy wouldn’t work here,” Prince says. “But after 2016, the bloom’s off the rose.”

The FBI has since created a foreign influence task force to combat future efforts to interfere and disrupt U.S. elections.

Southern California, in particular, has seen multiple cyberattacks on Democratic congressional candidates during the 2018 midterms. Rolling Stone reported that Hans Keirstead, a Democratic candidate who had challenged Rep. Dana Rohrabacher (R-CA), widely seen as the most pro-Russia and pro-Putin member of Congress, had been the victim of multiple hacking efforts, including a successful spear-phishing attempt on his private email account that resembled the 2016 hack of John Podesta, Hillary Clinton’s campaign chairman. Hackers also reportedly broke into the campaign computer of Dave Min, another Democratic challenger in a different southern California district, prompting the FBI to open an investigation.

On Friday, the nation’s four top law enforcement and national security agencies — the FBI, Justice Department, Department of Homeland Security and the Office of the Director of National Intelligence — released a joint statement saying there were “ongoing campaigns by Russia, China and other foreign actors, including Iran” that include interference in the 2018 and 2020 elections. Cybersecurity experts and political consultants say there are many reports of hacking attempts on 2018 campaigns that have not been publicized. But the proximity of the attacks is significant because Democrats have a greater chance of taking back the House of Representatives if they can flip multiple seats in Southern California.

Source: https://www.rollingstone.com/politics/politics-news/california-congressional-race-hack-745519/

Cybercrime-as-a-Service: No End in Sight

Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere.

Over the past 20 years, cybercrime has become a mature industry estimated to produce more than $1 trillion in annual revenues. From products like exploit kits and custom malware to services like botnet rentals and ransomware distribution, the breadth of cybercrime offerings has never been greater. The result: more, and more serious, forms of cybercrime. New tools and platforms are more accessible than ever before to those who lack advanced technical skills, enabling scores of new actors to hop aboard the cybercrime bandwagon. Meanwhile, more experienced criminals can develop more specialized skills in the knowledge that they can locate others on the darknet who can complement their services and work together with them to come up with new and better criminal tools and techniques.

Line Between Illicit and Legitimate E-Commerce Is Blurring
The cybercrime ecosystem has evolved to welcome both new actors and new scrutiny. The threat of prosecution has pushed most cybercrime activities onto the darknet, where the anonymity of Tor and Bitcoin protects the bad guys from being easily identified. Trust is rare in these communities, so some markets are implementing escrow payments to make high-risk transactions easier; some sellers even offer support services and money-back guarantees on their work and products.

The markets have also become fractured, as the pro criminals restrict themselves to highly selective discussion boards to limit the threat from police and fraudsters. Nevertheless, a burgeoning cybercrime market has sprung from these hidden places to offer everything from product development to technical support, distribution, quality assurance, and even help desks.

Many cybercriminals rely on the Tor network to stay hidden. Tor — The Onion Router — allows users to cruise the Internet anonymously by encrypting their activities and then routing it through multiple random relays on its way to its destination. This circuitous process renders it nearly impossible for law enforcement to track users or determine the identities of visitors to certain black-market sites.

From Niche to Mass Market
In 2015, the UK National Cyber Crime Unit’s deputy director stated during a panel discussion that investigators believed that the bulk of the cybercrime-as-a-service economy was based on the efforts of only 100 to 200 people who profit handsomely from their involvement. Carbon Black’s research discovered that the darknet’s marketplace for ransomware is growing at a staggering 2,500% per annum, and that some of the criminals can generate over $100,000 a year selling ransomware kits alone. That’s more than twice the annual salary of a software developer in Eastern Europe, where many of these criminals operate.

There are plenty of ways for a cybercriminal to rake in the cash without ever perpetrating “traditional” cybercrime like financial fraud or identity theft. The first way is something called research-as-a-service, where individuals work to provide the “raw materials” — such as selling knowledge of system vulnerabilities to malware developers — for future criminal activities. The sale of software exploits has captured much attention recently, as the ShadowBrokers and other groups have introduced controversial subscription programs that give clients access to unpatched system vulnerabilities.

Zero-Day Exploits, Ransomware, and DDoS Extortion Are Bestsellers
The number of discovered zero-day exploits — weaknesses in code that had been previously undetected by the product’s vendor — has dropped steadily since 2014, according to Symantec’s 2018 Internet Security Threat Report, thanks in part to an increase in “bug bounty” programs that encourage and incentivize the legal disclosure of vulnerabilities. In turn, this has led to an increase in price for the vulnerabilities that do get discovered, with some of the most valuable being sold for more than $100,000 in one of the many darknet marketplaces catering to exploit sales, as highlighted in related a blog post on TechRepublic. Other cybercrime actors sell email databases to simplify future cybercrime campaigns, as was the case in 2016 when 3 billion Yahoo accounts were sold to a handful of spammers for $300,000 each.

Exploit kits are another popular product on the darknet. They provide inexperienced cybercriminals with the tools they need to break into a wide range of systems. However, Europol suggests that the popularity of exploit kits has fallen over the past 12 months as the top products have been eliminated and their replacements have failed to offer a comparable sophistication or popularity. Europol also notes that theft through malware was generally becoming less of a threat; instead, today’s cybercriminals prefer ransomware and distributed denial-of-service (DDoS) extortion, which are easier to monetize.

Cybercrime Infrastructure-as-a-Service
The third way hackers can profit from more sophisticated cybercrime is by providing cybercrime infrastructure-as-a-service. Those in this field are provide the services and infrastructure — including bulletproof hosting and botnet rentals — on which other bad actors rely to do their dirty work. The former helps cybercriminals to put web pages and servers on the Internet without having to worry about takedowns by law enforcement. And cybercriminals can pay for botnet rentals that give them temporary access to a network of infected computers they can use for spam distribution or DDoS attacks, for example.

Researchers estimate that a $60-a-day botnet can cause up to $720,000 in damages on victim organizations. The numbers for hackers who control the botnets are also big: the bad guys can produce significant profit margins when they rent their services out to other criminals, as highlighted in a related post.

The New Reality
Digital services are often the backbone of small and large organizations alike. Whether it’s a small online shop or a behemoth operating a global digital platform, if services are slow or down for hours, the company’s revenue and reputation may be on the line. In the old days, word of mouth circulated slowly, but today bad news can reach millions of people instantly. Using botnets for DDoS attacks is a moneymaker for cybercriminals who extort money from website proprietors by threatening an attack that would destroy their services.

The danger posed by Internet of Things (IoT) botnets was shown in 2016 when the massive Mirai IoT botnet attacked the domain name provider Dyn and took down websites like Twitter, Netflix, and CNN in the largest such attack ever seen. Botnet use will probably expand in the coming years as cybercriminals continue to exploit vulnerabilities in IoT devices to create even larger networks. Get used to it: Cybercrime is here to stay.

Source: https://www.darkreading.com/endpoint/cybercrime-as-a-service-no-end-in-sight/a/d-id/1333033

Has a BOT Network Compromised Your Systems?

BOT networks have surprisingly penetrated many corporate networks around the world. Yet many of the information technology and security operations teams often have difficulty identifying their activity and eliminating them from the network. The term botnet is derived from the combination of the words robot and network. A cybercriminal creates a network of these robots connected together for the purposes of coordinating some large-scale activity, most often to function as a cyberattack tool for cybercriminals. These activities often include the propagation of attacker malware tools, economic gain, or perhaps targeting a debilitating attack upon one or more websites on the internet, effectively harming revenue and reputation for enterprise organizations and online e-tailers. The larger the botnet, the more effective it can be in achieving the desired goal. Botnets spread via malware, often distributed through malicious email, and may also be self-propagating so that they move laterally from your laptop to other workstations and network devices within the network. Alternately, they can infect your laptop when you visit a compromised website, setting in motion a series of malicious events that result in a compromised system (drive-by download) and automatically installing the botnet software unbeknownst to the owner of that system. Very typically, due to a lack of effective cyber defense for both detection and remediation, cybercriminals find undefended internet of things (IoT) devices to be ideal hosts to harbor and hide their botnet malware. These IoT hosts can include the new generation of IoT enabled devices such as smart refrigerators, security cameras, digital video records, network connected access management systems, thermostats, and much more. Enterprise security departments are often surprised to find that their access management systems and security cameras are completely compromised by such botnets. The most common indicator is users complaining that computer programs are running much more slowly. This is an often key warning sign that hidden botnets or other malware are using your computing resources. More subtly, you may notice that your cooling fans are running when you are not actively using your computers or servers. This may be symptomatic of the considerable computational overhead created by botnets heating up the processor boards. Finally, on your Windows endpoint platforms, failure to shut down properly, or at all, or failure to download updates are other key indicators, any of which by themselves may not confirm the presence of a botnet, but together raise the suspicions to a high level. Some of your employees might also see unknown posts placed on their Facebook accounts. This might also be directly related to botnet activity. Cybercriminals can use social media accounts to easily disseminate malicious content. Conceptually, this social media botnet attack is very different than infecting your computer. By infecting your social media account, the botnet can propagate more rapidly across your entire social media account and never has to physically sit on your laptop or other home computers. Botnets usually work through automation set up, of course, by cybercriminals you don’t know. Key symptoms are almost always technology related – not related to insider activity or insider malicious threats. Beyond the symptoms already mentioned above, there are also technical indicators, such as strange processes running under windows, but these are very hard to detect. As quickly as cyber defense automation and tools evolve, so do the tactics, techniques, and procedures of the botnet cyberthieves. Most botnets don’t damage the host computers – most of what they do is degrade your performance and effectively “steal” your computer resources. More dangerous is the damage the cyberattackers can cause by using the botnet to maliciously target other websites. For example, when they launch a denial of service (DDOS) attack. Several best practices can help cut down or eliminate botnet infections and the secondary attacks that may be launched once an attacker has access to your networks through a botnet. These include: Utilize software that filters or cuts down on suspicious email attachments and don’t click on any links which are suspicious; Make sure your operating systems have all patches and updates installed; Keep your antivirus protection up to date – these often have the signatures of known and recent botnet malware components; and Encrypt your data end-to-end (at rest, in use, and in transit) so that an attacker in your network will be unable to make use of it.

Source: https://securityboulevard.com/2018/10/has-a-bot-network-compromised-your-systems/

‘Torii’ Breaks New Ground For IoT Malware

Stealth, persistence mechanism and ability to infect a wide swath of devices make malware dangerous and very different from the usual Mirai knockoffs, Avast says.

A dangerous and potentially destructive new IoT malware sample has recently surfaced that for the first time this year is not just another cheap Mirai knockoff.

Researchers from security vendor Avast recently analyzed the malware and have named it Torii because the telnet attacks through which it is being propagated have been coming from Tor exit nodes.

Besides bearing little resemblance to Mirai in code, Torii is also stealthier and more persistent on compromised devices. It is designed to infect what Avast says is one of the largest sets of devices and architectures for an IoT malware strain. Devices on which Torii works include those based on x86, x64, PowerPC, MIPS, ARM, and several other architectures.

Interestingly, so far at least Torii is not being used to assemble DDoS botnets like Mirai was, or to drop cryptomining tools like some more recent variants have been doing. Instead it appears optimized for stealing data from IoT devices. And, like a slew of other recent malware, Torii has a modular design, meaning it is capable of relatively easily fetching and executing other commands.

Martin Hron, a security researcher at Avast says, if anything, Torii is more like the destructive VPNFilter malware that infected some 500,000 network attached storage devices and home-office routers this May. VPNFilter attacked network products from at least 12 major vendors and was capable of attacking not just routers and network attached storage devices but the systems behind them as well.

Torii is different from other IoT malware on several other fronts. For one thing, “it uses six or more ways to achieve persistence ensuring it doesn’t get kicked out of the device easily on a reboot or by another piece of malware,” Hron notes.

Torii’s modular, multistage architecture is different too. “It drops a payload to connect with [command-and-control (CnC)] and then lays in wait to receive commands or files from the CnC,” the security researcher says. The command-and-control server with which the observed samples of Torii have been communicating is located in Arizona.

Torii’s support for a large number of common architectures gives it the ability to infect anything with open telnet, which includes millions of IoT devices. Worryingly, it is likely the malware authors have other attack vectors as well, but telnet is the only vector that has been used so far, Hron notes.

While Torii hasn’t been used for DDoS attacks yet, it has been sending a lot of information back to its command-and-control server about the devices it has infected. The data being exfiltrated includes Hostname, Process ID, and other machine-specific information that would let the malware operator fingerprint and catalog devices more easily. Hron says Avast researchers aren’t really sure why Torii is collecting all the data.

Significantly, Avast researchers discovered a hitherto unused binary on the server that is distributing the malware, which could let the attackers execute any command on an infected device. The app is written in GO, which means it can be easily recompiled to run on virtually any machine.

Hron says Avast is unsure what the malware authors plan to do with the functionality. But based on its versatility and presence on the malware distribution server, he thinks it could be a backdoor or a service that would let the attacker orchestrate multiple devices at once.

The log data that Avast was able to analyze showed that slightly less than 600 unique client devices had downloaded Torii. But it is likely that the number is just a snapshot of new machines that were recruited into the botnet for the period for which Avast has the log files, the security vendor said.

Source: https://www.darkreading.com/attacks-breaches/-torii-breaks-new-ground-for-iot-malware/d/d-id/1332930