FCC Admits It Lied About the DDoS Attack During Net Neutrality Comment Process – Ajit Pai Blames Obama

During the time the Federal Communications Commission (FCC) was taking public comments ahead of the rollback of net neutrality rules, the agency had claimed its comments system was knocked offline by distributed denial-of-service (DDoS) attacks.

These alleged attacks were used to question the credibility of the comment process, in which millions of Americans had voiced opposition to the net neutrality rollback. The Commission then chose to ignore the public comments altogether.

FCC now admits it’s been lying about these attacks all this time

No one bought the FCC’s claims that its comment system was targeted by hackers during the net neutrality comment process. Investigators have today validated those suspicions, revealing that there is no evidence to support the claims of DDoS attacks in 2017. Following the investigation, which was carried out after lawmakers and journalists pushed the agency to share evidence of these attacks, FCC Chairman Ajit Pai has today released a statement admitting that there was no DDoS attack.

This statement would have been surprising coming from Pai – an ex-Verizon employee who has continued to disregard public comments, stonewall journalists’ requests for data, and ignore lawmakers’ questions – if he hadn’t thrown the CIO under the bus, taking no responsibility whatsoever for the lies. In his statement, Pai blamed the former CIO and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.”

He went on to say that the CIO’s subordinates were afraid to disagree with him and never approached Pai. If all of that is indeed true, the Chairman hasn’t explained why he didn’t demand to see the evidence, despite everyone outside the agency already believing that the DDoS claim was nothing but a lie to invalidate the comment process.

“It has become clear that in addition to a flawed comment system, we inherited from the prior Administration a culture in which many members of the Commission’s career IT staff were hesitant to express disagreement with the Commission’s former CIO in front of FCC management. Thankfully, I believe that this situation has improved over the course of the last year. But in the wake of this report, we will make it clear that those working on information technology at the Commission are encouraged to speak up if they believe that inaccurate information is being provided to the Commission’s leadership.”

The statement comes as the result of an independent investigation by the Government Accountability Office that is to be published soon. However, looking at Pai’s statement it is clear what this report is going to say.

As a reminder, the current FCC leadership didn’t only concoct this story of the DDoS attack. It also tried to bolster its false claims by suggesting that this wasn’t the first such incident, as the FCC had supposedly suffered a similar attack in 2014 under the former chairman Tom Wheeler. It also tried to claim that Wheeler had lied about the true nature of the attack back in 2014 to save the agency from embarrassment. The former Chairman then went on record to call out Pai’s FCC for lying to the public, as there had been no cyberattack under his leadership.

Pai throws CIO under the bus; takes no responsibility

And now it appears the FCC was also lying about the true nature of the comment system’s failure in 2017. In his statement released today, Pai is once again blaming [PDF] the Obama administration for feeding him inaccurate information.

I am deeply disappointed that the FCC’s former [CIO], who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.

It remains unclear why the new team that replaced Bray nearly a year ago didn’t debunk what is being called a “conspiracy theory” and come clean about it.

Some redacted emails obtained by American Oversight through the Freedom of Information Act (FOIA) had previously revealed that the false theory about a 2014 cyberattack, used to justify the 2017 claim, also appeared in a draft of a blog post written on behalf of Pai. That draft was never published online, keeping Pai’s hands clean since there was no evidence to support the FCC’s claims of a malicious attack. These details were instead sent out to the media, through which the narrative was publicized.

“The Inspector General Report tells us what we knew all along: the FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus,” FCC Commissioner Jessica Rosenworcel wrote. “What happened instead is obvious – millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.”

Source: https://wccftech.com/fcc-admits-lied-ddos-ajit-pai-obama/

10 Big Security Concerns About IoT For Business (And How To Protect Yourself)

In recent years, the Internet of Things (IoT) has vastly changed the way we view, use and interact with smart devices, especially in the business world. Internet-connected virtual assistants, appliances, security systems and more can all communicate and coordinate with each other, allowing business owners to automate and streamline mundane, time-consuming activities.

But for all the conveniences IoT devices afford us, there’s still one major concern that users need to consider: security. Anything that’s connected to the internet has the potential to be hacked and misused. This is especially unsettling considering the amount of personal data IoT devices collect and use.

Members of Young Entrepreneur Council discussed their top security concerns related to IoT, as well as how they’re protecting their businesses and customers.

1. Default ‘Raw Data’ Storage

Many developers default to saving data in raw form, provided they have the storage capacity to do so. But in an age when federal law enforcement officers choose to follow unconstitutional orders, storing data can be life-threatening. Whether a company sells a product to law enforcement officers or merely retains data that could be subpoenaed, evaluating how IoT devices and the data they collect can be used to endanger people is a part of modern risk assessment. Setting clear policies on anonymizing user data, as well as data retention, can help limit potential problems. But if you work with a homogeneous team, you won’t be equipped to see how some data may be used. While consultants can help on this point, hiring diversely is more effective and less expensive. – Thursday Bram, The Responsible Communication Style Guide

2. Insecure Devices

Software security is a fundamental problem for the Internet of Things. Before the IoT, businesses had to worry about updating their servers, content management systems, and desktop computers. Today, they have to worry about updating everything from connected coffee machines to security cameras. Businesses are bringing insecure devices into their networks, and then failing to update the software. Failing to apply security patches is not a new phenomenon, but insecure IoT devices with a connection to the open internet are a disaster waiting to happen. Criminals can hack insecure security cameras, for example, and use them as beachheads to access the rest of the company’s network or combine thousands together into botnets to launch devastating DDoS attacks. – Vik Patel, Future Hosting

3. Trolls And Bad Players

One of the most notorious examples of IoT and security involves a troll who managed to send white supremacist literature to online printers all over the world simultaneously. This action showed both the overwhelming reach that this new technology holds and its vast potential for corruption. This single action terrified me more than any other exploit, leak, or hack since it showed me how vulnerable we are to those who may want to use this technology for evil purposes. To prevent this, I have adopted IoT technology sparingly and only after an exhaustive vetting process. Despite all of the amazing possibilities this phenomenon can provide, I just can’t trust its security and the intentions of those around me. I’ve passed this paranoia on to my clients, and they seem to appreciate my concern. – Bryce Welker, Crush The LSAT

4. Surveillance

With devices all around us, all collecting data, all accessible remotely, there is a new ability to measure and monitor individuals’ and groups’ behavior. Organizations have to have a new level of protective measures to ensure this data is not able to be hacked into from the outside. Two key aspects are network security and the encryption of the data. You can go to providers such as Cisco, Bayshore Networks, or Senrio to get new levels of network security. For encryption, look to providers such as Cisco, Entrust Datacard, Gemalto, HPE, Lynx Software Technologies and Symantec. There are many limitations to securing IoT devices so you’ll need to find solutions that work best for your organization and specific device types. – Baruch Labunski, Rank Secure

5. Lack Of Updates

Without a verified update cycle, most IoT devices will eventually get hacked. It may not be in one year, but it could happen as devices get several years old. It is not uncommon to see devices five to seven years old in use in offices and at home. After many years, the original manufacturer could be out of business. Even if in business, their teams could have moved on to other projects and lack support of the product. Thus, the reliability of future updates is at stake. When purchasing IoT devices, we try to pinpoint manufacturers who we believe will be around for years to come and have proven to update older products when there is an issue. – Peter Boyd, PaperStreet Web Design

6. Data Breaches

As we have learned from the recent Facebook debacle and the millions of personal data records that they have shared with their partners, the IoT faces a similar threat as more and more devices join the network and share data. Millions of data points will be collected as devices track our every behavior (for example from when we wake up to how many times we open our refrigerator door) and this data can potentially be shared among a number of different network participants. Unlike Facebook, which is a single entity that controls most of the data, the IoT will see various major players. Managing (and protecting) users’ private data will be a challenge new to this industry. – Diego Orjuela, Cables & Sensors

7. Compliant Data Storage

The Internet of Things is generating a huge amount of data that must be processed and stored. Millions of devices will generate petabytes of data, some of which will be linked to identifiable individuals. Canada (PIPEDA) and Europe (GDPR) — and the U.S. to a more limited degree — have regulatory regimes around the privacy of personal data and the penalties can be devastating. As businesses collect more data via the IoT, they must take care not to suck up personal data without storing it securely and in accordance with international privacy standards. As a server hosting provider with data centers in Canada, Europe, and the US, we are compliant with the GDPR and implement a huge range of server, network, and physical security measures to ensure that data is kept safe. – Justin Blanchard, ServerMania Inc.

8. DDoS Attacks

The rise of IoT has meant there’s a huge amount of internet-connected computing power that simply didn’t exist before. If hackers can gain access to insecure devices, they can take down huge portions of the internet by simply hammering servers with relentless requests from thousands or millions of connected devices (DDoS, or distributed denial-of-service). Even if you’re not an IoT company, you probably rely on the services that will be the targets — Amazon AWS, Google Cloud, Github, or Facebook, all of which have a big target on their back and all of which are now providing critical infrastructure to businesses. You should always have a Plan B, or at the very least, elegant fallback for if and when you lose access to key technological components of your software setup. – Tim Chaves, ZipBooks Accounting Software

9. Sensitive Data Storage

To be honest, I’m not sure if there is anything anyone can do to stop the world’s best hackers. Many of them are even capable of hacking into government systems. I take a different approach of not storing super sensitive data in our own database. For example, my e-commerce company does not store credit card information in our database. Even when you offer a recurring billing service, you can always store that sensitive info in a payment gateway’s server (Braintree, PayPal Pro, Authorize.net, etc.). This will allow you to manage recurring billing services without needing to save credit card data on your server, further protecting this information in the event of a data breach. – Shu Saito, All Filters LLC

10. Smartphone Security

While my business is about SMS marketing rather than IoT, the common denominator is the widespread use of smartphones. I always urge my clients and employees to be vigilant about safeguarding their phones and apps as this is the entry point hackers often use to gain access to private data. Be sure to use secure passwords and be careful about who you share them with. Be cautious about downloading apps connected to smart devices. Make sure the vendor is trustworthy and be careful about the permissions you set on your apps. When it comes to IoT, you might also want to think about how much automation you really need. Sometimes it just makes your life more complicated, as well as less secure, to have everything connected and automated. – Kalin Kassabov, ProTexting

Source: https://www.forbes.com/sites/theyec/2018/07/31/10-big-security-concerns-about-iot-for-business-and-how-to-protect-yourself/#4bd33ebe7416

Researchers Uncover Massive Malvertising Operation

While analyzing recent drive-by download attacks, security researchers have uncovered a large malvertising operation that infiltrated the legitimate online ad ecosystem and abused more than 10,000 compromised websites.

Malicious advertising, or malvertising, is the practice of displaying rogue ads on legitimate websites without their owners’ consent or knowledge. This has been a very popular attack vector for many years and even led to an investigation by the U.S. Senate in 2014.

In response, ad networks, which are responsible for delivering ads to content publishers, have strengthened their defenses against fraud and abuse, but as researchers from Check Point recently found, cybercriminals still find ways to bypass those checks on a large scale.

In addition to scam and scareware, malicious ads are frequently used to direct unsuspecting users to exploit kits, web-based attack tools that attempt to exploit vulnerabilities in browsers or their plug-ins. Flash Player, Java and Silverlight have been common targets over the years.

Exploit kits are not as popular with cybercriminals as they used to be, because the targeted applications have incorporated sandboxing and other mechanisms that make exploitation more difficult. However, they’re still around and new ones are being created.

“Check Point Research has uncovered a large Malvertising campaign that starts with thousands of compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content, via multiple Exploit Kits,” researchers from the security company said in a new report.

The researchers uncovered that a single threat actor, whom they dubbed Master134, is in control of more than 10,000 compromised websites. The sites all run an older version of WordPress that is vulnerable to remote code execution.

The threat actor appears to be posing as a publisher and sells ad space on these compromised websites through a large advertising network called AdsTerra. In turn, that ad space is bid on and bought through AdsTerra by several other reseller companies, which then sell it to advertisers who turn out to be almost exclusively cybercriminal groups that operate exploit kits.

This seems to be a full abuse of the advertising supply chain and it’s not clear if the advertising companies involved are having their security checks bypassed or are intentionally turning a blind eye to the malicious activity.

“Indeed, threat actors never cease to look for new techniques to spread their attack campaigns, and do not hesitate to utilize legitimate means to do so,” the researchers said. “However, when legitimate online advertising companies are found at the heart of a scheme, connecting threat actors and enabling the distribution of malicious content worldwide, we can’t help but wonder – is the online advertising industry responsible for the public’s safety? Indeed, how can we be certain that the advertisement we encounter while visiting legitimate websites are not meant to harm us?”

Unfortunately, malvertising is likely to remain a common attack vector for years to come, if not to direct users to exploit kits, then to trick them into downloading potentially unwanted applications. Malicious and annoying advertisements are frequently cited as the primary reasons for users installing ad blockers in their browsers, which hurts the entire online ecosystem and content creators in particular.

Source: https://securityboulevard.com/2018/07/researchers-uncover-massive-malvertising-operation/

Linux bots account for 95 percent of DDoS attacks as attackers turn to the past

Cybercriminals are delving into the past to launch attacks based on some very old vulnerabilities, according to the latest report from Kaspersky Lab, and they’re using Linux to do it.

In the second quarter of 2018, experts reported DDoS attacks involving a vulnerability in the Universal Plug-and-Play protocol that has been known since 2001. The Kaspersky DDoS Protection team also observed an attack organized using a vulnerability in the CHARGEN protocol, which was described as far back as 1983.

Despite the protocol’s age and limited scope, many open CHARGEN servers, on devices such as printers and copiers, can still be found on the internet.

Activity by Windows-based DDoS botnets decreased almost sevenfold over the quarter, while the activity of Linux-based botnets grew by 25 percent. This resulted in Linux bots accounting for 95 percent of all DDoS attacks in Q2, which also caused a sharp increase in the share of SYN flood attacks — up from 57 percent to 80 percent.
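The two traffic patterns this report singles out, reflection off old UDP services (CHARGEN on 19/udp, UPnP discovery on 1900/udp) and SYN floods, are straightforward to flag in flow telemetry. The detector below is an added example, not code from Kaspersky Lab or the article; the one-line flow format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed assumptions.

```python
"""Flag CHARGEN/SSDP reflection and SYN-flood patterns in flow records.

Added example, not code from Kaspersky Lab or the article. The one-line
flow format, the addresses (RFC 5737 documentation ranges) and the
thresholds are constructed assumptions; tune them to real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass

# Reflection services named in the report: CHARGEN (RFC 864, 1983) answers
# from 19/udp; UPnP discovery (SSDP, issues known since 2001) from 1900/udp.
REFLECTOR_PORTS = {19: "chargen", 1900: "ssdp"}


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int
    flags: str = ""   # cumulative TCP flags seen in the flow, e.g. "S", "SPA"


def parse_flow(line: str) -> Flow:
    """Parse the constructed format: proto src:sport dst:dport pkts bytes [flags]."""
    parts = line.split()
    s_ip, s_port = parts[1].rsplit(":", 1)
    d_ip, d_port = parts[2].rsplit(":", 1)
    flags = parts[5] if len(parts) > 5 else ""
    return Flow(parts[0], s_ip, int(s_port), d_ip, int(d_port),
                int(parts[3]), int(parts[4]), flags)


def detect_reflection(flows, min_bytes_per_pkt=200, min_reflectors=3):
    """Reflection/amplification: UDP arriving *from* a reflector service port,
    with large payloads, from several distinct reflectors aimed at one host."""
    per_victim = defaultdict(lambda: defaultdict(set))  # dst -> svc -> reflector IPs
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        if f.nbytes / max(f.packets, 1) < min_bytes_per_pkt:
            continue  # small replies are ordinary chatter, not amplification
        per_victim[f.dst][REFLECTOR_PORTS[f.sport]].add(f.src)
    alerts = []
    for dst, services in per_victim.items():
        for svc, reflectors in services.items():
            if len(reflectors) >= min_reflectors:
                alerts.append((dst, svc, len(reflectors)))
    return sorted(alerts)


def detect_syn_flood(flows, min_syn_only=50, min_ratio=0.9):
    """SYN flood: most TCP flows toward a dst:port never progress past SYN
    (spoofed sources never complete the handshake, so no ACK/PSH flags appear)."""
    syn_only, total = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        key = (f.dst, f.dport)
        total[key] += 1
        if f.flags == "S":
            syn_only[key] += 1
    return sorted((dst, port, syn_only[(dst, port)])
                  for (dst, port) in total
                  if syn_only[(dst, port)] >= min_syn_only
                  and syn_only[(dst, port)] / total[(dst, port)] >= min_ratio)


def build_sample():
    """Constructed traffic toward victim 203.0.113.10: four CHARGEN reflectors,
    one SSDP reflector (below threshold), a small benign CHARGEN reply, a DNS
    answer, 60 SYN-only flows from spoofed sources and 3 normal HTTPS sessions."""
    lines = [f"udp 198.51.100.{n}:19 203.0.113.10:53211 40 38000" for n in (5, 6, 7, 8)]
    lines.append("udp 198.51.100.9:1900 203.0.113.10:53211 30 12000")
    lines.append("udp 198.51.100.20:19 203.0.113.10:53212 2 120")
    lines.append("udp 198.51.100.53:53 203.0.113.10:40000 1 512")
    lines += [f"tcp 192.0.2.{i + 1}:{40000 + i} 203.0.113.10:443 1 60 S" for i in range(60)]
    lines += [f"tcp 198.51.100.{50 + i}:{50000 + i} 203.0.113.10:443 12 4200 SPA"
              for i in range(3)]
    return [parse_flow(line) for line in lines]


def run_detections(flows=None):
    flows = build_sample() if flows is None else flows
    return {"reflection": detect_reflection(flows),
            "syn_flood": detect_syn_flood(flows)}


if __name__ == "__main__":
    for kind, alerts in run_detections().items():
        for alert in alerts:
            print(kind, alert)
```

On the constructed sample the reflection check reports only the CHARGEN group (the lone SSDP reflector stays under the threshold), and the SYN check reports the 60 half-open flows against 443.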

Among the other findings of the Q2 2018 DDoS Intelligence Report: Hong Kong found itself among the top three most attacked countries, coming in second — its share increased fivefold and accounted for 17 percent of all botnet-assisted DDoS attacks. The most attacked resources in Hong Kong were hosting services and cloud computing platforms. China and the US remained first and third respectively, while South Korea dropped down to fourth.

In the top 10 of countries hosting the most active command and control (C&C) servers, the US leads, accounting for almost half (45 percent) of all active botnet C&C servers in Q2. Meanwhile, Vietnam joined the list while Hong Kong dropped out of the top 10.

“There can be different motives for DDoS attacks — political or social protest, personal revenge, competition,” says Alexey Kiselev, project manager on the Kaspersky DDoS Protection team. “However, in most cases, they are used to make money, which is why cybercriminals usually attack those companies and services where big money is made. DDoS attacks can be used as a smokescreen to steal money or to demand a ransom for calling off an attack. The sums of money gained as a result of extortion or theft can amount to tens or hundreds of thousands and even millions of dollars. In that context, protection against DDoS attacks looks like a very good investment.”

One of the most popular methods of monetizing DDoS attacks remains the targeting of cryptocurrencies and currency exchanges. In Q2, the Verge cryptocurrency suffered an attack on some of its mining pools over the course of several hours, resulting in $35 million worth of XVG being stolen in the ensuing confusion.

Gaming platforms continue to be a target as well, particularly during eSports tournaments. According to Kaspersky Lab, DDoS attacks affect not only game servers (which is often done to extort a ransom in return for not disrupting the competition) but also the gamers themselves who connect from their own platforms. An organized DDoS attack on a team’s key players can easily result in that team losing and being eliminated from a tournament. Cybercriminals use similar tactics to monetize attacks on channels streaming broadcasts of video games. Competition in this segment is intense, and by using DDoS attacks, cybercriminals can interfere with online broadcasts and, consequently, a streamer’s earnings.

Source: https://betanews.com/2018/07/24/linux-ddos-attacks/

Your IoT Is Probably Not A-OK

A few weeks ago, major retailers stopped selling toys from the company CloudPets after more than 2 million recorded messages were leaked in a major security breach. Internet of things (IoT) security breaches are as prevalent as they are varied. From medical devices and traffic lights to automobiles and toys, each hitherto unconnected device that now joins the big bad world wide web brings additional security mysteries to the fore. And with over 20 billion connected devices projected to be in use by 2020, these are mysteries we must unravel.

There are plenty of reasons for the current gaps in IoT security including a lack of regulation, market failures and stakeholder indifference, although none of these are insurmountable. Even considering these challenges, there are concrete steps that we can take to avoid future IoT mishaps and eventual attacks by an animatronic locust swarm.

IoT Security Challenges

Square Pegs In Round Holes

It’s difficult for organizations to achieve competence in multiple fields. Whenever product companies make an IoT-enabled device, they struggle to reconcile their expertise in their original industry with their unfamiliarity with internet connectivity and security. The result is manufacturers shipping products with outdated (or absent) operating system and patching features, being lax about password protection and password changes, and having no regular software update mechanism to communicate with their customers.

Moreover, many physical products have complex supply chains with outsourced production, cost-saving exercises and clearly defined team structures. It’s an expensive and — from the companies’ point of view — unnecessary undertaking to weave device security into the process when there’s no requirement for it.

And there’s no requirement because of…

Lack Of Regulation

There have been welcome strides in IoT security regulation in recent years. While the IoT Cybersecurity Improvement Act of 2017 is a good start, the industry still lacks a unifying, robust piece of legislation that puts the onus on vendors to comply with requirements or face consequences. And it’s understandable why that’s the case: with IoT still an evolving field, most innovation is carried out by startups that would be hamstrung by having to comply with labyrinthine regulations from the get-go.

Additionally, since IoT sits at the intersection of technology and a bevy of other industries, it’s a challenge to enact legislation that intersects across these industries and doesn’t impose unfair restrictions but also doesn’t leave requirements too lax to make any difference.

Attack By Proxy

In 2016, major websites experienced outages because of a large DDoS (Distributed Denial of Service) attack. This happened because their DNS provider, Dyn, was forced offline by a botnet that included traditional computing devices as well as IoT devices like webcams and digital video recorders. This incident set a dangerous precedent for how innocuous devices could be “recruited” by attackers and used for malicious purposes without the device owners ever knowing about it.

The range of dangers posed by IoT hacks is so great because of their interconnected and dual nature. Because the devices serve an “offline” purpose (like a TV or fridge) but are also connected to the internet, they can be compromised without affecting their original purpose, making the compromise harder to spot. And because they’re interconnected, one loose stone can quickly lead to an avalanche.

What Can We Do?

Network Segmentation

It’s vital to protect and secure the networks connecting IoT devices to the wilderness of the internet. Because IoT network security is a greater challenge owing to the multitude of protocols, standards and device capabilities at play, its implementation is often incomplete and thus draws the eyes of attackers. A combination of traditional endpoint security features like antivirus software as well as firewalls/IPS features will go a long way toward deterring the use of IoT devices as attack entry points.

Stakeholder Proactivity

Consumers have been trained (relatively speaking) to care about the security of their computing devices, but it’s easy for them to forget to update the OS on their toaster, to everyone’s detriment. IoT device users should be proactive in changing passwords from their defaults (and changing them afterward as well), checking that patches and updates are regularly installed, and reporting unusual activity to the relevant authorities immediately.

For their part, IoT device manufacturers should comply with the IoT Cybersecurity Improvement Act by regularly patching software on their devices, providing users the option to change default passwords and communicating with their users about other security best practices as and when they come to light.

Authentication And Encryption

IoT communication often doesn’t have a human in the loop, with machine-to-machine “conversations” taking place in the back-end. In this scenario, it becomes vital for the data to be strongly encrypted while in transit between devices, with full key life-cycle management. Even if the devices themselves are secure, a credential or key that strays into the public domain can be sniffed out by attackers and become the keyhole they need to jimmy the door.

Automate For Fast Response

Following the “hope for the best, prepare for the worst” adage, enterprises need to be prepared for an IoT breach to occur. Key tools needed here would be a SIEM/detection platform that identifies any anomalies that occur with IoT device behavior, and a security orchestration platform that weaves together data and actions from multiple products to automate incident response.

Platforms that can connect to on-premise security tools, as well as IoT devices through APIs, can make it easier for security teams to recognize the root cause of the attack and execute actions on the IoT devices directly.

Source: https://www.forbes.com/sites/forbestechcouncil/2018/07/16/your-iot-is-probably-not-a-ok/#3268d52d763d

Critical infrastructure remains insecure

Organisations can no longer afford to leave their systems unprotected from increasingly advanced cyber threats.

The threat to our critical national infrastructure (CNI) system is at an unprecedented high with reported cyber-attacks from a number of factions, suspected infiltrations from nation states, and the NCSC warning that these systems remain a high-profile target and exceptionally vulnerable.

Earlier this month, researchers found that just four lines of code implanted in a device on a factory floor could identify and list networks, trigger controllers and stop processes and production lines. In fact, responding to Corero’s Freedom of Information requests, 70% of critical infrastructure institutions – ranging from police forces to NHS trusts, energy suppliers and water authorities – confirmed they’d experienced service outages in their IT systems within the last two years.

Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life, disruption by preventing access to essential services such as power, transport and the emergency services. Recognizing the damaging impact they can inflict, malicious actors have started crafting malware specifically to target these systems and many believe the next attack is just around the corner.

With the heightened threat, and possibility of significant fines under the new Networks and Information Systems (NIS) directive which came into effect in early May, it’s crucial that organizations implement security measures before damage is done.

Industrial control systems at risk

In recent months, we have seen a greater number of sophisticated cyber threats against all parts of critical infrastructure. Indeed, last October a DDoS attack on the Swedish Railway took out its train ordering system for two days, causing travel chaos. Similarly, last May’s WannaCry ransomware attack made many NHS systems unavailable (e.g. access to patients’ medical records), causing operations to be cancelled. There is no doubt that a successful attack on the more vulnerable management systems can cause widespread disruption. Moreover, such attacks can result in network downtime, which in turn can have a serious economic impact, as it can affect production, impact output, cause physical damage and even put people’s lives in danger.

In a separate Corero study last year, we found that most UK critical infrastructure organizations (51%) are potentially vulnerable, because they fail to detect or mitigate short-duration, surgical DDoS attacks on their networks and have not deployed technology that can do so. Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators, because even a short amount of downtime or latency can significantly impact the delivery of essential services. Indeed, DDoS attacks can disrupt the availability of critical services we use as part of our everyday life, while potentially allowing attackers to plant weaponized malware. Critical infrastructure operators, including energy, transport, communications and emergency services, should not be leaving DDoS attack protection to chance.

Attackers are taking advantage of the escalating number of industrial IoT devices, which underscores the growing risk of very large botnet-based DDoS attacks. These devices are transforming industrial sectors by reducing costs and providing better visibility of networks, processes and security. However, despite their benefits, these devices suffer from basic security vulnerabilities, and it is precisely this lack of security that makes them such an attractive target for hackers.

NIS Directive introduces changes to critical infrastructure security

Protecting critical infrastructure from cyber-attacks has become a top government priority. The EU’s NIS Directive, adopted into UK law as the NIS Regulation, aims to raise levels of security and resilience of network and information systems. Indeed, now that the legislation is implemented into UK law, critical infrastructure outages will have to be reported to regulators, who have the power to impose financial penalties of up to £17 million to providers of infrastructure services that fail to protect against cyber-attacks on their networks. Consequently, operators of essential services and industrial control systems need to up their game to be resilient to today’s cyber-threats. However, rather than being seen as just more red-tape, or a financial telling off for non-compliance, the regulation should be seen as a golden opportunity to improve the UK’s cyber-security posture.

Best practices

Despite the huge fines and multiple warnings, 11% of the critical infrastructure organizations that responded to Corero’s 2018 study admitted that they do not always ensure that patches for critical vulnerabilities are routinely implemented within 14 days, as recommended in the Government’s 10 Steps to Cyber Security guidance. Paradoxically, almost all of the organizations that responded (98%) are following government advice about network security, by adhering to the Network Security section of the 2012 guidance.

To reduce the risk of a catastrophic outcome that risks public safety, organizations need to ensure their industrial control systems are secure.

Organizations need to take a serious look at their own operating model and ensure that robust protection against cyberthreats is in place. It is not acceptable that service and data loss should be excused, under any circumstances, when the technology and services to provide proper protection are available today.

One of the biggest challenges that organisations running critical infrastructure systems now have is that they are increasingly connecting those networks to the broader IT infrastructure, for reasons of operational efficiency and effectiveness. The potential for hackers to access these devices from the outside and change settings, or to launch DDoS attacks that block local changes from taking effect, could be very damaging indeed, depending on the systems being targeted. Organisations vulnerable to such attacks need to ensure they are putting the right protection in place, including real-time automatic DDoS protection, as even small attacks getting through, for even a short period of time, could have serious implications.

In addition, to avoid smart devices being enslaved into DDoS botnets, organizations need to pay close attention to the network settings for those devices and, where possible, restrict their access to the Internet and to other devices.

Organizations can include IoT devices alongside regular IT asset inventories and adopt basic security measures like changing default credentials and rotating strong Wi-Fi network passwords regularly.

Businesses can certainly protect their networks from DDoS attacks fueled by IoT-driven botnets by deploying an always-on, automated solution at the network edge, which can detect unusual network activity and block threats from entering the network, in real time.

Source: https://www.itproportal.com/features/critical-infrastructure-remains-insecure/

Cloud Security For The Healthcare Industry: A No-Brainer

The healthcare industry has become one of the likeliest to suffer cyber-attacks, and there’s little wonder why. Having the financial and personal information of scores of patients makes it a very appetizing target for attackers.

Just over a year ago, the WannaCry ransomware attack wreaked havoc on the UK National Health Service (NHS), ultimately disrupting a third of its facilities and causing a rash of canceled appointments and operations.

As healthcare organizations face the prospect of increasing attack, their security teams look to cybersecurity experts with comprehensive, tested products to protect the sensitive information they hold. ALYN Woldenberg Family Hospital, Israel’s only pediatric rehabilitation facility, is no exception.

With a database of more than 70,000 patients and a website hosted in four languages and across three different domains, ALYN Hospital’s IT team was concerned that their content management system (CMS) could be vulnerable. The team didn’t feel their cybersecurity vendor was updating the security on their CMS as often as it should, leading them to go looking for a new vendor.

Initially checking out on-premise WAF systems, ALYN’s team kept coming up against the cost of securing their sites, and, because of strict government regulations, they were initially hesitant to move to a cloud-based system. Ultimately, however, they decided that the Imperva Incapsula cloud-based WAF was just the thing.

“We looked at community reviews and talked with colleagues at other hospitals and got the impression that Incapsula is one of the best in terms of cost-benefit ratio, which is important to us, in addition to robustness, ease-of-use, and integration, which was very smooth. It all proved to be correct, for which I am very glad,” said Uri Inbar, Director of IT for ALYN Hospital.

Setting up the system took less than a day, and ALYN Hospital still manages its servers in-house, with a staff member who is now dedicated to security. Imperva Incapsula has been low maintenance from the start, so, while customer support was with them every step of the way at the beginning, they haven’t needed any for the last few years because the system has been running smoothly on its own.

“It gives us peace of mind to know that someone has dedicated themselves to the subject and keeps us updated. It’s one less worry to take care of.”

Since making the switch, ALYN Hospital has seen some significant improvements:

  • Increased visibility for monitoring security threats: The Imperva Incapsula dashboard is easy to use and provides information that helps ALYN Hospital keep its systems secure. And for their special projects, they can even see which countries are generating the most traffic.
  • Good cost-benefit ratio: One of the most important aspects of any new security system for ALYN, the costs were reasonable, especially given the security benefits they received from the Incapsula system.
  • Faster content delivery: While no formal studies were done, the IT staff has heard from some users that their CDN is delivering content faster than before.

Source: https://securityboulevard.com/2018/07/cloud-security-for-the-healthcare-industry-a-no-brainer/

Concern Mounts for SS7, Diameter Vulnerability

The same security flaws that cursed the older SS7 standard and were used with 3G, 2G and earlier are prevalent in the Diameter protocol used with today’s 4G (LTE) telephony and data transfer standard, according to researchers at Positive Technologies and the European Union Agency For Network and Information Security (ENISA).

Network security is built on trust between operators and IPX providers, and the Diameter protocol that replaced SS7 was supposed to be an improved network signaling protocol. But when 4G operators misconfigure the Diameter protocol, the same types of vulnerabilities still exist.

“As society continues to leverage mobile data capabilities more and more heavily, from individual users performing more tasks directly on their smartphones, to IoT devices which use it when regular network connections are not available (or not possible), service providers need to take the security of this important communications channel more seriously,” said Sean Newman, director of product management for Corero Network Security.

Given that the Diameter protocols are slated to be used in 5G, reports of critical security capabilities not being enabled in the Diameter protocol used for 4G mobile networks are worrisome. Of particular concern is the potential that misconfigurations that lead to the vulnerability could result in distributed denial of service (DDoS) attacks for critical infrastructure relying on mobile access. An attacker would not need to harness any large-scale distributed attack capabilities.

“The latest generation of denial of service protection solutions are critical for any organization that relies on always-on internet availability, but this can only be effective if service providers are ensuring the connectivity itself is always-on,” Newman said.

Concerns over the threats from smartphones have even been presented to Congress with pleas that they should act immediately to protect the nation from cybersecurity threats in SS7 and Diameter.

“SS7 and Diameter were designed without adequate authentication safeguards. As a result, attackers can mimic legitimate roaming activity to intercept calls and text messages, and can imitate requests from a carrier to locate a mobile device. Unlike cell-site simulator attacks, SS7 and Diameter attacks do not require any physical proximity to a victim,” wrote Jonathan Mayer, assistant professor of computer science and public affairs, Princeton University, in his testimony before the Committee on Science, Space, and Technology of 27 June.

Source: https://www.infosecurity-magazine.com/news/concern-mounts-for-ss7-diameter/

Bigger, Faster, Stronger: 2 Reports Detail the Evolving State of DDoS

DDoS attacks continue to plague the Internet, getting bigger and more dangerous. And now, the kids are involved.

DDoS attacks don’t arrive on little cat feet; they announce their presence with the subtlety of a shovel to the face. Two just-released reports show that these loud DDoS attacks are getting louder, larger, and more numerous with the passage of time.

Verisign released its Q1 2018 DDoS Trends Report and Akamai published its State of the Internet/Security Summer 2018 report and neither was filled with good news if your job is defending a company or network against DDoS attacks. Together, the two reports paint a detailed and disturbing picture of the way DDoS attacks are evolving to be both more common and more dangerous.

Both reports noted the largest DDoS attack in the period, a 170 Gbps, 65 Mpps (million packets per second) operation notable for two things: its target and its originator.

The target was not a single organization or individual. It was, instead, an entire /24 subnet on the Internet. The size of the attack and the broad target meant that scores of websites and services around the world felt the effects.

Akamai’s report notes that the threat actor was also notable, given that it was a 12-year-old who originated the attack mechanism on YouTube and coordinated the attack through Steam (an online game-playing platform) and IRC.

When adolescents can use YouTube to launch a globe-spanning attack, it marks the dawn of a new definition of “script kiddies.”

“I believe [kids are] growing up faster because they’re exposed to it,” says Lisa Beegle, senior manager of information security at Akamai, when asked about the age of this attack developer. “They also have a greater amount of time they can commit to it.” She continues, “Was this kid as smart as an adult threat actor? No, but there was still a level of sophistication as to the target.”

That target was hit with a reflection and massive amplification attack using memcached — an attack that saw a returned payload directed at the victim subnet that was 51,000 times the size of the spoofed request sent by the attacker.

While memcached has been in existence for 15 years, this attack seems to be the first major assault abusing the service in a malicious manner. Because it is a distributed memory object caching system that returns far more data than it is asked for, memcached becomes a very effective tool in the DDoS attacker’s arsenal.
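The reflection and amplification pattern described above can be spotted from flow records on the defender's side by comparing the size of UDP responses leaving a memcached port with the size of the requests that apparently triggered them, and by aggregating the hits per victim /24, since the reports note the target was a whole subnet. The following is an added example for this digest, not code from the Dark Reading article or from either vendor report; the flow records are constructed, the port 11211 is memcached's conventional default, and the threshold of 100x is an assumed cut-off, well below the 51,000x the article cites.

```python
"""Flag memcached-style reflection/amplification in constructed flow records.

Added illustration for this digest (not from the article or either report).
Flow records are tuples modelled loosely on NetFlow fields:
    (proto, src_ip, src_port, dst_ip, dst_port, bytes, packets)
"""
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211          # conventional memcached port (assumption: default config)
AMPLIFICATION_THRESHOLD = 100.0 # assumed cut-off; the reported attack hit ~51,000x

# Constructed sample: two small spoofed "requests" that appear to come from the
# victim, two huge replies from the reflectors back to the victim, plus benign
# HTTPS traffic that must not be flagged. All addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", 40000, "198.51.100.10", 11211, 15, 1),
    ("udp", "203.0.113.7", 40000, "198.51.100.11", 11211, 15, 1),
    ("udp", "198.51.100.10", 11211, "203.0.113.7", 40000, 750000, 520),
    ("udp", "198.51.100.11", 11211, "203.0.113.7", 40000, 900000, 610),
    ("tcp", "203.0.113.9", 51000, "192.0.2.80", 443, 4200, 12),
    ("tcp", "192.0.2.80", 443, "203.0.113.9", 51000, 150000, 110),
]


def find_amplified_responses(flows, port=MEMCACHED_PORT,
                             threshold=AMPLIFICATION_THRESHOLD):
    """Return (reflector_ip, victim_ip, response_bytes, ratio) for each UDP
    response from `port` whose size is at least `threshold` times the bytes of
    the matching request flows. A response with no observed request at all is
    reported with ratio inf: unsolicited traffic from a cache port toward a host
    is itself a reflection indicator."""
    # bytes of UDP requests keyed by (reflector, apparent requester)
    request_bytes = defaultdict(int)
    for proto, sip, _sport, dip, dport, nbytes, _pkts in flows:
        if proto == "udp" and dport == port:
            request_bytes[(dip, sip)] += nbytes

    findings = []
    for proto, sip, sport, dip, _dport, nbytes, _pkts in flows:
        if proto != "udp" or sport != port:
            continue
        req = request_bytes.get((sip, dip), 0)
        ratio = nbytes / req if req else float("inf")
        if ratio >= threshold:
            findings.append((sip, dip, nbytes, ratio))
    return findings


def summarize_by_prefix(findings, prefixlen=24):
    """Total amplified bytes per victim prefix, so a subnet-wide target (as in
    the /24 case the reports describe) shows up as one line, not many."""
    totals = defaultdict(int)
    for _reflector, victim, nbytes, _ratio in findings:
        net = ipaddress.ip_network(f"{victim}/{prefixlen}", strict=False)
        totals[str(net)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    hits = find_amplified_responses(SAMPLE_FLOWS)
    for reflector, victim, nbytes, ratio in hits:
        print(f"reflector {reflector} -> victim {victim}: {nbytes} B, x{ratio:.0f}")
    print("per-/24 totals:", summarize_by_prefix(hits))
```

On the server side, the corresponding hardening is to stop the cache from answering UDP at all: memcached's `-U 0` option disables its UDP listener, and the cache should never be reachable from the Internet in the first place.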

While new attacks are available, the Verisign report notes that UDP floods remain the favorite DDoS mechanism, accounting for roughly half of all attacks seen in the quarter. TCP attacks were the next most common, involved in approximately one-quarter of the attacks. In many cases, though, both types (and others) could be involved, since 58% of attacks involved multiple attack types in a single event.

The nature of attacks continues to evolve through the industry. “Last year, we were seeing smaller attacks that were coming in under the radar — they were causing an impact in 30 seconds, before we could see it and respond,” Beegle says. Now, “I’ve seen attacks that were a week long, where [the attacker] changed the dynamics during the attack,” she says. Moving forward, Beegle expects both types of attacks to continue. “I think there will always be the mix, depending on who the target is and who the attacker is,” she says. “We’ve seen some nation-state action and that will always be different than the script kiddies.”

Source: https://www.darkreading.com/attacks-breaches/bigger-faster-stronger-2-reports-detail-the-evolving-state-of-ddos/d/d-id/1332213

GDPR: A tool for your enemies?

Every employee at your organisation should be prepared to deal with right to be forgotten requests.

It’s estimated that 75% of employees will exercise their right to erasure now that GDPR (General Data Protection Regulation) has come into effect. However, less than half of organisations believe that they would be able to handle a ‘right to be forgotten’ (RTBF) request without any impact on day-to-day business.

These findings highlight the underlying issues we’re seeing in the post-GDPR era and how the new regulations put businesses at risk of being non-compliant. What is also worrying is that there are wider repercussions for organisations that are not prepared to handle RTBF requests.

No matter how well business is conducted, there is always the possibility of someone who holds a grudge against the company and wants to cause disruption to daily operations. One way to do this, without resorting to a standard cyber-attack, is to inundate an organisation with RTBF requests. If the company already struggles to complete a single request, a flood of them can drain its resources and grind the business to a halt. In addition, failing to comply with the requests in a timely manner can result in a non-compliance issue – a double whammy.

An unfortunate consequence of the new GDPR regulations is that a right-to-erasure request is free to submit, meaning customers, or those with a grudge, are more likely to request that their data be removed. There are two ways this can be requested. The first is a simple opt-out, removing the name – usually an email address – from marketing campaigns. The other is a more time-consuming, complex discovery and removal of all applicable data. It is this second type of request that gives hacktivists, disgruntled customers, or other cyber-attackers the potential to weaponise the regulation.

One RTBF request is relatively easy to handle – as long as the company knows where its data is stored, of course – and the organisation actually has a month from the day it was received to complete the request. However, if a company is inundated with requests coming in on the same or consecutive days, it becomes difficult to manage and has the potential to heavily impact daily operations. This kind of attack is comparable to Distributed Denial of Service (DDoS) attacks – for example the attack on the UK National Lottery last year, which saw its entire online and mobile capabilities knocked out for hours because cyber criminals flooded the site with traffic – with companies becoming so overloaded with requests that they have to stop their services entirely.

When preparing for a flood of RTBF requests, it is essential that all organisations have a plan in place that streamlines processes for discovery and deletion of customer data, making it as easy as possible to complete multiple requests simultaneously.

Don’t let your weakest link be your downfall

The first thing to consider is whether or not the workforce is actually aware of what to do should an RTBF request come in (let alone hundreds). Educating all employees on what to do should a request be made – including who in the company to notify and how to respond to the request – is essential in guaranteeing an organisation is prepared. It will mean that any RTBF request is dealt with both correctly and in a timely manner. The process must also have clearly defined responsibilities and auditable actions. For companies with a DPO (Data Protection Officer) or someone who fulfils that role, this is the place to begin this process.

Discovering data is the best defence

The key to efficiency in responding to RTBF requests is discovering the data. This means the team responsible for the completion of requests is fully aware of where all the data for the organisation is stored. Therefore, a complete list of where the data can be found – and how to find it – is crucial. While data in structured storage such as a database or email is relatively simple to locate and act on, it is the unstructured data, such as reports and files, which is difficult to find and is the biggest culprit in draining time and resources.

Running a ‘data discovery’ exercise is invaluable in helping organisations achieve an awareness of where data is located, as it finds data on every system and device from laptops and workstations to servers and cloud drives. Only when you know where all critical data is located, can a team assess its ability to delete it and, where applicable, remove all traces of a customer. Repeating the exercise will highlight any gaps and help indicate where additional tools may be required to address the request. Data-At-Rest scanning is frequently found as one part of a Data Loss Prevention (DLP) solution.
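The data-at-rest scan described in the two paragraphs above, reduced to its core, is a walk over every file a team can reach, looking for the identifier in the RTBF request and recording exactly where it turns up so that deletion can be planned and audited. The following is an added example for this digest, not code from the article or from any DLP product; it builds a small constructed file tree (a CSV standing in for structured storage, text reports standing in for unstructured data, and a binary blob that must not break the scan) and returns the locations of a subject's email address, normalising case and surrounding whitespace so that "JANE@EXAMPLE.ORG" in a report is not missed.

```python
"""Minimal data-at-rest discovery for an RTBF request.

Added illustration for this digest (not from the article or any product).
The sample file tree is constructed in a temporary directory.
"""
import tempfile
from pathlib import Path


def build_sample_tree():
    """Create a constructed directory tree standing in for a small file share."""
    root = Path(tempfile.mkdtemp(prefix="rtbf_demo_"))
    (root / "crm").mkdir()
    (root / "reports").mkdir()
    # structured data: a CRM export
    (root / "crm" / "customers.csv").write_text(
        "id,name,email\n"
        "1,Jane Example,jane@example.org\n"
        "2,Sam Sample,sam@example.net\n", encoding="utf-8")
    # unstructured data: a report that mentions the subject in a different case
    (root / "reports" / "q2_churn.txt").write_text(
        "Q2 churn review\n"
        "Contacted JANE@EXAMPLE.ORG about renewal; no reply.\n", encoding="utf-8")
    (root / "reports" / "notes.txt").write_text("Nothing personal here.\n",
                                                encoding="utf-8")
    # a binary file the scanner must skip over without crashing
    (root / "reports" / "blob.bin").write_bytes(b"\x00\xff\x00 binary payload")
    return root


def discover_subject(root, identifier):
    """Return a sorted list of (relative_path, line_number) for every line in
    every readable file under `root` that contains `identifier`, matched
    case-insensitively after trimming whitespace. Unreadable files are skipped,
    undecodable bytes are ignored, so one odd file cannot abort the exercise."""
    needle = identifier.strip().lower()
    if not needle:
        raise ValueError("identifier must not be empty")
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # permission problems etc.: note and move on
        for lineno, line in enumerate(text.splitlines(), start=1):
            if needle in line.lower():
                findings.append((path.relative_to(root).as_posix(), lineno))
    return findings


if __name__ == "__main__":
    share = build_sample_tree()
    for rel_path, lineno in discover_subject(share, " Jane@Example.org "):
        print(f"{rel_path}:{lineno}")
```

In a real exercise the walk would cover every system listed in the data inventory (laptops, workstations, servers and cloud drives, as the article says), and the findings list is what the team uses both to carry out the deletion and to evidence it afterwards.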

Stray data – a ticking time bomb

Knowing where data is stored within the organisation isn’t the end of the journey, however. The constant sharing of information with partners and suppliers also has to be taken into account – and for this, understanding the data flow into and out of the company is important. Shared responsibility clauses within GDPR rules mean that all partners involved with critical data are liable should a breach happen or an RTBF request cannot be completed. If critical data sitting with a partner is not tracked by the company that received the RTBF request, it becomes impossible to truly complete it, and the organisation could face fines of up to 20 million EUR (or 4% of its global turnover). Therefore, it’s even more important to know how and where critical data is moving at all times, minimising the sharing of information to only those who really need to know.

While there is no silver bullet to prevent stray data, there are a number of technologies which can help to control the data which is sent both in and out of a company. Implementing automated solutions, such as Adaptive Redaction and document sanitisation, will ensure that no recipient receives unauthorised critical data. This will build a level of confidence around the security of critical data for both the organisation and the customer.

With the proper processes and technologies in place, dealing with RTBF requests is a straightforward process, whether it is a legitimate request or an attempt by hacktivists or disgruntled customers to wreak havoc on an organisation. Streamlining data discovery processes and controlling the data flowing in and out of the company will be integral in allowing a business to complete an RTBF request and ultimately defend the organisation against a malicious use of GDPR.

Source: https://www.itproportal.com/features/gdpr-a-tool-for-your-enemies/