The evolution of DDoS attacks – and defences

Aatish Pattni, regional director, UK & Ireland, Link11, explores in Information Age how DDoS attacks have grown in size and sophistication over the last two decades.

What is the biggest cyber-threat to your company? In April 2018, the UK’s National Crime Agency answered that question by naming DDoS attacks as the joint leading threat facing businesses, alongside ransomware. The NCA noted the sharp increase in DDoS attacks on a range of organisations during 2017 and into 2018, and advised organisations to take immediate steps to protect themselves against the potential attacks.

It’s no surprise that DDoS is seen as such a significant business risk. Every industry sector is now reliant on web connectivity and online services. No organisation can afford to have its systems offline or inaccessible for more than a few minutes: business partners and consumers expect seamless, 24/7 access to services, and being forced offline costs a company dearly. A Ponemon Institute study found that each DDoS incident costs $981,000 on average, including factors such as lost sales and productivity, the effect on customers and suppliers, the cost of restoring IT systems, and brand damage.

So how have DDoS attacks evolved from their early iterations as stunts used by attention-seeking teens, to one of the biggest threats to business? What techniques are attackers now using, and how can organisations defend themselves?

Early days of DDoS

The first major DDoS attack to gain international attention was early in 2000, launched by a 15-year-old from Canada who called himself Mafiaboy. His campaign effectively broke the internet, restricting access to the web’s most popular sites for a full week, including Yahoo!, Fifa.com, Amazon.com, eBay, CNN, Dell, and more.

DDoS continued to be primarily a tool for pranks and small-scale digital vandalism until 2007, when a range of Estonian banking, news, and national government websites were attacked. The attack sparked nationwide riots and is widely regarded as one of the world’s first nation-state acts of cyberwar.

The technique is also successful as a diversion tactic, to draw the attention of IT and security teams while a second attack is launched: another security incident accompanies up to 75% of DDoS attacks.

Denial of service has also been used as a method of protest by activist groups including Anonymous and others, to conduct targeted take-downs of websites and online services. Anonymous has even made its attack tools freely available for anyone to use. Recent years have also seen the rise of DDoS-on-demand services such as Webstresser.org. Before being shut down by international police, Webstresser offered attack services for as little as £11, with no user expertise required – yet the attacks were powerful enough to disrupt operations at seven of the UK’s biggest banks.

Amplified and multi-vector attacks

In October 2016, a new method for distributing DoS attacks emerged: using a network of Internet of Things (IoT) devices to amplify attacks. The first of these, the Mirai botnet, infected thousands of insecure IoT devices to power the largest DDoS attack witnessed at the time, with volumes over a Terabyte. By attacking Internet infrastructure company Dyn, Mirai brought down Reddit, Etsy, Spotify, CNN and the New York Times.

This was just a signpost showing how big attacks could become. In late February 2018, developer platform Github was hit with a 1.35 Tbps attack, and days later a new record was set with an attack volume exceeding 1.7 Tbps. These massive attacks were powered by artificial intelligence (AI) and self-learning algorithms which amplified their scale, giving them the ability to disrupt the operations of any organisation, of any size.

Attacks are not only getting bigger but are increasingly multi-vector. In Q4 2017, Link11 researchers noted that attackers are increasingly combining multiple DDoS attack techniques. Over 45% of attacks used 2 or more different techniques, and for the first time, researchers saw attacks which feature up to 12 vectors. These sophisticated attacks are difficult to defend against, and even low-volume attacks can cause problems, as happened in early 2018 when online services from several Dutch banks, financial and government services were brought to a standstill.

Staying ahead of next-generation AI-based attacks

As DDoS attacks now have such massive scale and complexity, traditional DDoS defences can no longer withstand them. Firewalls, special hardware appliances and intrusion detection systems are the main pillars of protection against DDoS, but these all have major limitations. Current attack volume levels can easily overload even high-capacity firewalls or appliances, consuming so many resources that reliable operation is no longer possible.

Extortion by DDoS

The next iteration of attackers set out to use DDoS as an extortion tool, threatening organisations with an overwhelming attack unless they meet the attacker’s demand for cryptocurrency. Notable extortionists included the original Armada Collective, which targeted banks, web hosting providers, data centre operators as well as e-commerce and online marketing agencies in Greece and Central Europe.

Between January and March 2018, Link11’s Security Operation Centre recorded 14,736 DDoS attacks, an average of 160 attacks per day, with multiple attacks exceeding 100 Gbps. Malicious traffic at these high volumes can simply flood a company’s internet bandwidth, rendering on-premise network security solutions useless.

What’s needed is a cloud-native solution that uses AI to filter, analyse and, if necessary, block web traffic before it even reaches a company’s IT systems. This can be done by routing the company’s Internet traffic via an external, cloud-based protection service. With this approach, incoming traffic is subject to granular analysis, with the various traffic types being digitally ‘fingerprinted’.

Each fingerprint consists of hundreds of properties, including browser data, user behaviour, and the traffic’s origin. The solution builds up an index of both normal and abnormal, or malicious, traffic fingerprints. When known attack patterns are detected in a traffic flow, the attacking ‘client’ is blocked immediately and automatically in the cloud, before it even reaches customers’ networks, so that only clean, legitimate traffic reaches the organisation. Regular traffic is still allowed through, enabling the business to continue unaffected, without users being aware of the filtering process.

The solution’s self-learning AI algorithms also help to identify and block attacks for which there is no current fingerprint within a matter of seconds, to minimise the impact on the organisation’s website or web services. This means each new attack helps the system improve its detection capabilities, for the benefit of all users. Furthermore, this automated approach to blocking attacks frees up IT and security teams, enabling them to focus on more strategic work without being distracted by DDoS attempts.

In conclusion, DDoS attacks will continue to evolve and grow, simply because with DDoS-for-hire services and increasingly sophisticated methods, they are relatively easy and cheap to do – and they continue to be effective in targeting organisations. But by understanding how attacks are evolving and implementing the protective measures described here, organisations will be better placed to deny DDoS attackers.

Source: https://www.information-age.com/evolution-of-ddos-123473947/

FCC Admits It Lied About the DDoS Attack During Net Neutrality Comment Process – Ajit Pai Blames Obama

During the time the Federal Communications Commission (FCC) was taking public comments ahead of the rollback of net neutrality rules, the agency had claimed its comments system was knocked offline by distributed denial-of-service (DDoS) attacks.

These claimed attacks were used to question the credibility of the comment process, in which millions of Americans had voiced opposition to the net neutrality rollback. The Commission then chose to ignore the public comments altogether.

FCC now admits it’s been lying about these attacks all this time

No one bought the FCC’s claims that its comment system was targeted by hackers during the net neutrality comment process. Investigators have today validated those suspicions, revealing that there is no evidence to support the claims of DDoS attacks in 2017. Following the investigation that was carried out after lawmakers and journalists pushed the agency to share the evidence of these attacks, FCC Chairman Ajit Pai has today released a statement admitting that there was no DDoS attack.

This statement would have been surprising coming from Pai – an ex-Verizon employee who has continued to disregard public comments, stonewall journalists’ requests for data, and ignore lawmakers’ questions – if he hadn’t thrown the CIO under the bus, taking no responsibility whatsoever for the lies. In his statement, Pai blamed the former CIO and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.”

He went on to say that the CIO’s subordinates were scared of disagreeing with him and never approached Pai. If all of that is indeed true, the Chairman hasn’t clarified why he wouldn’t demand to see the evidence, even though everyone outside the agency already believed that the DDoS claim was nothing but a lie to invalidate the comment process.

“It has become clear that in addition to a flawed comment system, we inherited from the prior Administration a culture in which many members of the Commission’s career IT staff were hesitant to express disagreement with the Commission’s former CIO in front of FCC management. Thankfully, I believe that this situation has improved over the course of the last year. But in the wake of this report, we will make it clear that those working on information technology at the Commission are encouraged to speak up if they believe that inaccurate information is being provided to the Commission’s leadership.”

The statement comes as the result of an independent investigation by the Government Accountability Office that is to be published soon. However, looking at Pai’s statement it is clear what this report is going to say.

As a reminder, the current FCC leadership didn’t only concoct this story of the DDoS attack. It had also tried to bolster its false claims by suggesting that this wasn’t the first such incident, as the FCC had suffered a similar attack in 2014 under the former chairman Tom Wheeler. It had also tried to claim that Wheeler had lied about the true nature of the attack back in 2014 to save the agency from embarrassment. The former Chairman then went on record to call out Pai’s FCC for lying to the public, as there was no cyberattack under his leadership.

Pai throws CIO under the bus; takes no responsibility

And now it appears the FCC was also lying about the true nature of the failure of the comment system in 2017. In his statement released today, Pai is once again blaming [PDF] the Obama administration for feeding him inaccurate information.

I am deeply disappointed that the FCC’s former [CIO], who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.

It remains unclear why the new team that replaced Bray nearly a year ago didn’t debunk what is being called a “conspiracy theory” and come clean about it.

Redacted emails obtained by American Oversight through the Freedom of Information Act (FOIA) had previously revealed that the false theory about a 2014 cyberattack, used to justify the 2017 attack claim, also appeared in a draft blog post written on behalf of Pai. That draft was never published online, keeping Pai’s hands clean since there was no evidence to support the FCC’s claims of a malicious attack. These details were instead sent out to the media, through which the narrative was publicized.

“The Inspector General Report tells us what we knew all along: the FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus,” FCC Commissioner Jessica Rosenworcel wrote. “What happened instead is obvious – millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.”

Source: https://wccftech.com/fcc-admits-lied-ddos-ajit-pai-obama/

Researchers Uncover Massive Malvertising Operation

While analyzing recent drive-by download attacks, security researchers have uncovered a large malvertising operation that infiltrates the legitimate online ad ecosystem and abuses more than 10,000 compromised websites.

Malicious advertising, or malvertising, is the practice of displaying rogue ads on legitimate websites without their owners’ consent or knowledge. This has been a very popular attack vector for many years and even led to an investigation by the U.S. Senate in 2014.

In response, ad networks, which are responsible for delivering ads to content publishers, have strengthened their defenses against fraud and abuse, but as researchers from Check Point recently found, cybercriminals still find ways to bypass those checks on a large scale.

In addition to scams and scareware, malicious ads are frequently used to direct unsuspecting users to exploit kits, web-based attack tools that attempt to exploit vulnerabilities in browsers or their plug-ins. Flash Player, Java and Silverlight have been common targets over the years.

Exploit kits are not as popular with cybercriminals as they used to be, because the targeted applications have incorporated sandboxing and other mechanisms that make exploitation more difficult. However, they’re still around and new ones are being created.

“Check Point Research has uncovered a large Malvertising campaign that starts with thousands of compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content, via multiple Exploit Kits,” researchers from the security company said in a new report.

The researchers uncovered that a single threat actor, whom they dubbed Master134, is in control of more than 10,000 compromised websites. The sites all run an older version of WordPress that is vulnerable to remote code execution.

The threat actor appears to be posing as a publisher and sells ad space on these compromised websites through a large advertising network called AdsTerra. In turn, that ad space is bid on and bought through AdsTerra by several other reseller companies, which then sell it to advertisers who turn out to be almost exclusively cybercriminal groups that operate exploit kits.

This seems to be a full abuse of the advertising supply chain and it’s not clear if the advertising companies involved are having their security checks bypassed or are intentionally turning a blind eye to the malicious activity.

“Indeed, threat actors never cease to look for new techniques to spread their attack campaigns, and do not hesitate to utilize legitimate means to do so,” the researchers said. “However, when legitimate online advertising companies are found at the heart of a scheme, connecting threat actors and enabling the distribution of malicious content worldwide, we can’t help but wonder – is the online advertising industry responsible for the public’s safety? Indeed, how can we be certain that the advertisements we encounter while visiting legitimate websites are not meant to harm us?”

Unfortunately, malvertising is likely to remain a common attack vector for years to come, if not to direct users to exploit kits, then to trick them into downloading potentially unwanted applications. Malicious and annoying advertisements are frequently cited as the primary reasons for users installing ad blockers in their browsers, which hurts the entire online ecosystem and content creators in particular.

Source: https://securityboulevard.com/2018/07/researchers-uncover-massive-malvertising-operation/

How to Prevent DDoS Attacks: 6 Tips to Keep Your Website Safe

Falling victim to a distributed denial of service (DDoS) attack can be catastrophic: The average cost to an organization of a successful DDoS attack is about $100,000 for every hour the attack lasts, according to security company Cloudflare.

There are longer term costs too: loss of reputation, brand degradation and lost customers, all leading to lost business. That’s why it is worth investing significant resources to prevent a DDoS attack, or at least minimize the risk of falling victim to one, rather than concentrating on how to stop a DDoS attack once one has been started.

In the first article in this series, we discussed how to stop DDoS attacks. If you’re fortunate enough to have survived an attack – or are simply wise enough to think ahead – we will now address preventing DDoS attacks.

Understanding DDoS attacks

A basic volumetric denial of service (DoS) attack often involves bombarding an IP address with large volumes of traffic. If the IP address points to a Web server, legitimate traffic will be unable to reach it and the website becomes unavailable. Another type of DoS attack is a flood attack, where a group of servers is flooded with requests that need processing by the victim machines. These are often generated in large numbers by scripts running on compromised machines that are part of a botnet, and result in exhausting the victim servers’ resources such as CPU or memory.

A DDoS attack operates on the same principles, except the malicious traffic is generated from multiple sources, although orchestrated from one central point. The fact that the traffic sources are distributed – often throughout the world – makes DDoS attack prevention much harder than preventing DoS attacks originating from a single IP address.

Another reason that preventing DDoS attacks is a challenge is that many of today’s attacks are “amplification” attacks. These involve sending out small data packets to compromised or badly configured servers around the world, which then respond by sending much larger packets to the server under attack. A well-known example of this is a DNS amplification attack, where a 60 byte DNS request may result in a 4,000 byte response being sent to the victim – an amplification factor of around 70 times the original packet size.

More recently, attackers have abused memcached, a server-side caching service, to launch memcached amplification attacks, where a 15 byte request can result in a 750 kb response, an amplification factor of more than 50,000 times the original packet size. The world’s largest DDoS attack to date, launched against Github earlier this year, was a memcached amplification attack that peaked at 1.35 Tbps of data hitting Github’s servers.

The benefit to malicious actors of amplification attacks is that they need only a limited amount of bandwidth at their disposal to launch far larger attacks on their victims than they could do by attacking the victims directly.
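The amplification figures above are easiest to act on from the victim's side: reflected traffic arrives as UDP "responses" from a well-known service port (53, 123, 11211) that no host on your network ever asked for. The following Python is an added example, not code from the article, that runs that check over a handful of constructed flow records (the `Flow` type, the `SAMPLE_FLOWS` data, the `REFLECTOR_PORTS` table and the `203.0.113.0/24` and `198.51.100.0/24` documentation addresses are all assumptions made for the example). It pairs outbound requests with inbound replies, reports unsolicited reflector traffic per service, and computes the article's byte-amplification factor.

```python
"""Flag unsolicited amplification/reflection traffic in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow, as a border router's flow export would summarise it."""
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    sport: int
    dport: int
    bytes: int


# Assumption: "our" network is the RFC 5737 documentation range 203.0.113.0/24.
LOCAL_PREFIX = "203.0.113."

# UDP services commonly abused as reflectors (port -> name); extend as needed.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}

# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = [
    # A legitimate lookup: our resolver asks an upstream server and gets an answer.
    Flow("203.0.113.5", "198.51.100.1", "udp", 40001, 53, 60),
    Flow("198.51.100.1", "203.0.113.5", "udp", 53, 40001, 180),
    # Reflected DNS answers hitting our web server; no request ever left us.
    Flow("198.51.100.20", "203.0.113.10", "udp", 53, 80, 4000),
    Flow("198.51.100.21", "203.0.113.10", "udp", 53, 80, 4000),
    Flow("198.51.100.22", "203.0.113.10", "udp", 53, 80, 4000),
    # Reflected memcached answers aimed at the same server.
    Flow("198.51.100.30", "203.0.113.10", "udp", 11211, 80, 750_000),
    Flow("198.51.100.31", "203.0.113.10", "udp", 11211, 80, 750_000),
    # Ordinary inbound TCP web traffic; not a reflection candidate.
    Flow("198.51.100.40", "203.0.113.10", "tcp", 51000, 80, 900),
]


def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_PREFIX)


def solicited_keys(flows):
    """(our host, peer, proto, peer service port) for every request we sent out."""
    return {(f.src, f.dst, f.proto, f.dport)
            for f in flows if is_local(f.src) and not is_local(f.dst)}


def reflection_report(flows):
    """Per reflector service: bytes of inbound UDP replies we never solicited,
    and how many distinct reflectors sent them."""
    asked = solicited_keys(flows)
    stats = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp" or not is_local(f.dst) or f.sport not in REFLECTOR_PORTS:
            continue
        if (f.dst, f.src, f.proto, f.sport) in asked:
            continue  # a genuine reply to a request one of our hosts made
        svc = REFLECTOR_PORTS[f.sport]
        stats[svc]["bytes"] += f.bytes
        stats[svc]["reflectors"].add(f.src)
    return {svc: {"bytes": v["bytes"], "reflectors": len(v["reflectors"])}
            for svc, v in stats.items()}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    for svc, v in reflection_report(SAMPLE_FLOWS).items():
        print(f"{svc}: {v['bytes']} unsolicited bytes from {v['reflectors']} reflectors")
    print("DNS factor:", round(amplification_factor(60, 4000), 1))
    print("memcached factor:", amplification_factor(15, 750_000))
```

In production the same logic runs over NetFlow/IPFIX exports rather than a Python list, and the "did we ask for this" test is exactly what a stateful firewall applies per packet; the value of doing it over flow data is that it also tells you which service is being abused and how many reflectors are involved, which is what an upstream provider needs to filter the traffic before it reaches your link.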

Six steps to prevent DDoS attacks

1. Buy more bandwidth

Of all the ways to prevent DDoS attacks, the most basic step you can take to make your infrastructure “DDoS resistant” is to ensure that you have enough bandwidth to handle spikes in traffic that may be caused by malicious activity.

In the past it was possible to avoid DDoS attacks by ensuring that you had more bandwidth at your disposal than any attacker was likely to have. But with the rise of amplification attacks, this is no longer practical. Instead, buying more bandwidth now raises the bar which attackers have to overcome before they can launch a successful DDoS attack, but by itself, purchasing more bandwidth is not a DDoS attack solution.

2. Build redundancy into your infrastructure

To make it as hard as possible for an attacker to successfully launch a DDoS attack against your servers, make sure you spread them across multiple data centers with a good load balancing system to distribute traffic between them. If possible, these data centers should be in different countries, or at least in different regions of the same country.

For this strategy to be truly effective, it’s necessary to ensure that the data centers are connected to different networks and that there are no obvious network bottlenecks or single points of failure on these networks.

Distributing your servers geographically and topologically will make it hard for an attacker to successfully attack more than a portion of your servers, leaving other servers unaffected and capable of taking on at least some of the extra traffic that the affected servers would normally handle.

3. Configure your network hardware against DDoS attacks

There are a number of simple hardware configuration changes you can make to help prevent a DDoS attack.

For example, configuring your firewall or router to drop incoming ICMP packets or block DNS responses from outside your network (by blocking UDP port 53) can help prevent certain DNS and ping-based volumetric attacks.

4. Deploy anti-DDoS hardware and software modules

Your servers should be protected by network firewalls and more specialized web application firewalls, and you should probably use load balancers as well. Many hardware vendors now include software protection against DDoS protocol attacks such as SYN flood attacks, for example, by monitoring how many incomplete connections exist and flushing them when the number reaches a configurable threshold value.

Specific software modules can also be added to some web server software to provide some DDoS prevention functionality. For example, Apache 2.2.15 ships with a module called mod_reqtimeout to protect itself against application-layer attacks such as the Slowloris attack, which opens connections to a web server and then holds them open for as long as possible by sending partial requests until the server can accept no more new connections.
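The SYN-flood mitigation described in step 4 (count incomplete connections, flush them once a configurable threshold is reached) is simple enough to model end to end. The Python below is an added example, not code from the article or any vendor product; the `HalfOpenTable` class, the `run_sample` scenario and the documentation-range addresses in it are assumptions made for the illustration. It keeps half-open connections in arrival order, drops the oldest when the table exceeds its limit, and runs a constructed packet sequence in which one real client is caught in the middle of a spoofed-source SYN burst.

```python
"""Threshold-based half-open (SYN) connection table (added example)."""
from collections import OrderedDict


class HalfOpenTable:
    """Tracks connections that have received a SYN but not the completing ACK.

    Entries older than `timeout_s` expire; when more than `limit` entries are
    pending, the oldest are flushed, which is the behaviour the article attributes
    to firewall and load-balancer SYN-flood protection.
    """

    def __init__(self, limit: int, timeout_s: float):
        self.limit = limit
        self.timeout_s = timeout_s
        self.pending = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived
        self.established = 0
        self.flushed = 0
        self.expired = 0

    def _expire(self, now: float) -> None:
        # Oldest entries sit at the front, so stop at the first one still fresh.
        while self.pending:
            key, t0 = next(iter(self.pending.items()))
            if now - t0 < self.timeout_s:
                break
            self.pending.popitem(last=False)
            self.expired += 1

    def on_syn(self, src_ip: str, src_port: int, now: float) -> None:
        self._expire(now)
        # A retransmitted SYN refreshes the timestamp but keeps its queue position.
        self.pending[(src_ip, src_port)] = now
        while len(self.pending) > self.limit:
            self.pending.popitem(last=False)   # flush the oldest half-open entry
            self.flushed += 1

    def on_ack(self, src_ip: str, src_port: int, now: float) -> bool:
        """Return True if this ACK completes a handshake the table still remembers."""
        self._expire(now)
        if self.pending.pop((src_ip, src_port), None) is None:
            return False   # nothing pending: the entry was flushed, expired or never seen
        self.established += 1
        return True


def run_sample(limit: int = 100, timeout_s: float = 5.0) -> dict:
    """Constructed sequence: one real client's SYN, then 150 SYNs from spoofed
    sources that never complete, then the real client's ACK 50 ms later."""
    table = HalfOpenTable(limit, timeout_s)
    table.on_syn("203.0.113.7", 40000, now=0.0)            # the real client
    for i in range(150):                                   # the burst
        table.on_syn(f"198.51.100.{i % 250}", 1024 + i, now=0.01 + i * 1e-4)
    real_ok = table.on_ack("203.0.113.7", 40000, now=0.05)
    return {
        "established": table.established,
        "flushed": table.flushed,
        "pending": len(table.pending),
        "real_client_completed": real_ok,
    }


if __name__ == "__main__":
    print("limit=100:", run_sample(limit=100))
    print("limit=200:", run_sample(limit=200))
```

Run it and the two results make the trade-off concrete: with the limit set to 100 the table stays bounded, but the real client's entry is the oldest one and is flushed along with 50 of the bogus ones, so its ACK is rejected and it must retry; with the limit at 200 it completes. That collateral damage is why oldest-first flushing is usually paired with per-source limits or replaced by SYN cookies, which keep no per-connection state until the handshake completes.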

5. Deploy a DDoS protection appliance

Many security vendors including NetScout Arbor, Fortinet, Check Point, Cisco and Radware offer appliances that sit in front of network firewalls and are designed to block DDoS attacks before they can take effect.

They do this using a number of techniques, including carrying out traffic behavioral baselining and then blocking abnormal traffic, and blocking traffic based on known attack signatures.

The main weakness of this type of approach of preventing DDoS attacks is that the appliances themselves are limited in the amount of traffic throughput they can handle. While high-end appliances may be able to inspect traffic coming in at a rate of up to 80 Gbps or so, today’s DDoS attacks can easily be an order of magnitude greater than this.

6. Protect your DNS servers

Don’t forget that a malicious actor may be able to bring your web servers offline by DDoSing your DNS servers. For that reason it is important that your DNS servers have redundancy, and placing them in different data centers behind load balancers is also a good idea. A better solution may even be to move to a cloud-based DNS provider that can offer high bandwidth and multiple points-of-presence in data centers around the world. These services are specifically designed with DDoS prevention in mind. For more information, see How to Prevent DNS Attacks.

Source: https://www.esecurityplanet.com/network-security/how-to-prevent-ddos-attacks.html

Cyber Attacks Cost Korean Firms US$72 billion Last Year: Report

Cyber attacks cost Korean companies US$72 billion last year, according to a survey released by Microsoft Korea on June 18.

The Cyber Security Threat Report, produced jointly with Frost & Sullivan, a global consulting firm, estimates that 90 percent of the damage consisted of indirect losses, which included losses from losing customers, tarnished corporate reputations, and job losses. The report referred to this phenomenon as an “iceberg effect”, where indirect losses eclipse direct losses.

This report also covered the status of Korean companies’ security awareness. Among the Korean companies which participated in the survey, 29 percent said they did not even know whether or not a cyber attack occurred. In addition, 35 percent of them said they were postponing digitalization because they were concerned about cyber attacks.

Meanwhile, according to the semi-annual “Security Intelligence Report” released by Microsoft Korea, three types of cybercrime were used in combination: botnets, phishing, and ransomware.

A botnet is a network of PCs infected over the internet and turned into “zombies” in order to perform distributed denial-of-service (DDoS) attacks, steal data and send spam. Phishing refers to deceiving users into making a mistake by disguising a malicious website or e-mail as a trusted one. Ransomware is malicious code that encrypts the data on your computer and demands money in exchange for the password to unlock it.

“In the rapidly changing digital world, companies must make cybersecurity a top priority for their organization,” said Kim Gui-ryeon, chief security officer at Microsoft Korea.

Source: http://www.businesskorea.co.kr/news/articleView.html?idxno=23084

Six years on from the official launch, just how secure is IPv6?

The world launch of IPv6 happened back in June 2012, and World IPv6 Day is on Friday 8 June. But just how secure is IPv6 some six years after that fanfare deployment?

Development of IPv6 first started in the early 1990s when it was realised that the physical limitation of 4.3 billion unique IP addresses in the IPv4 protocol wasn’t going to be enough to support Internet growth. And that was before the Internet of Things had even been thought about. IPv6 addresses the problem, if you’ll excuse the pun, by providing 340 trillion, trillion, trillion unique addresses.

The newly published Internet Society State of IPv6 Deployment report for 2018 points to the success of IPv6 deployment. More than 25 percent of all Internet-connected networks advertise IPv6 connectivity, for example. If you combine the top 15 ISPs across the world, nearly half a billion people are using IPv6 already. Six years ago, less than one in every 100 connections to Google were using IPv6; today that is one in four. The report does admit, however, that “enterprise operations tend to be the elephant in the room when it comes to IPv6 deployment.”

Internet Society Chief Internet Technology Officer Olaf Kolkman says that IPv6 is “increasingly seen as a competitive advantage, a market differentiator and an essential tool for forward-looking Internet applications and service providers of all kinds.” But the question for enterprise security teams remains: just how secure is IPv6?

“In the sense of the protocol, IPv4 and IPv6 are roughly similar in terms of security,” says Dr Stephen Strowes, Senior Researcher at the RIPE NCC, in conversation with SC Media UK. “The difference comes from other layers,” Dr Strowes adds. “It’s the tools used and training that network operators get that makes all the difference.”

Cricket Liu, VP of Infrastructure at Infoblox, agrees: “IPv6 isn’t inherently more or less secure than IPv4.” However, speaking to SC Media, Liu suggests that the major security implication of moving to IPv6 is that “network administrators have substantially less experience managing the protocol than they do with IPv4.” Throw in that network equipment vendors, security vendors, and so on often don’t support IPv6 as completely as they do IPv4 and “the chance of making configuration mistakes increases, as does the likelihood that some whizzy feature of your firewall, IDS or IPS that works great over IPv4 isn’t supported at all over IPv6.”

Wicus Ross, Security Researcher with SecureData, admits that “it’s possible that there are more misconfigurations present on IPv6 due to the relative lesser usage compared to IPv4.” However, to balance that there’s the small matter of the huge size of the IPv6 address space, where a single IPv6 subnet can contain the entire IPv4 address space. “As such,” Ross continues, “IP address enumeration or scanning through the IPv6 address space sequentially using current capability is not feasible.” This should be good news, as it makes it less efficient for attackers to hunt for vulnerable devices.

Earlier this year, DDoS protection experts Neustar experienced and successfully mitigated its first recorded native IPv6 DDoS attack. This targeted the authoritative DNS service on the Neustar network, and originated from around 1,900 native IPv6 hosts on more than 650 different networks. “IPv6 attacks present a particular set of challenges that, at this moment, cannot easily be rectified,” Barrett Lyon, General Manager of DDoS at Neustar, told SC Media UK. “For example, the massive number of addresses available to an attacker allows them to exhaust the memory of modern day security appliances,” Lyon continues. “As a result, the potential volume of an IPv6 attack has the opportunity to create a mess.”

Lyon concludes that, going forward, “a great deal of work will need to be undertaken by security professionals to ensure that IPv6 is protected and that we are ahead of the curve when it comes to predicting a hacker’s next move.”

Source: https://www.scmagazineuk.com/six-years-on-from-the-official-launch-just-how-secure-is-ipv6/article/771757/

‘The platform is under extreme load:’ Cyber attack brings major cryptocurrency exchange to its knees

  • One of the largest cryptocurrency exchanges shut Tuesday morning because of a cyber attack.
  • “The platform is under extreme load,” Bitfinex said at 9:39 a.m. ET.
  • Bitcoin was trading slightly lower at $7,421 a coin, according to Markets Insider data.

Bitfinex, one of the largest cryptocurrency exchanges by trading volumes, was down Tuesday morning after it experienced a cyber attack. According to its incident page, the exchange shut early Tuesday morning after it experienced problems with its trading engine. For a short period the exchange was back online after the issue was addressed. But the exchange was then hit with a so-called denial-of-service attack, in which a network of virus-infected computers overwhelms websites with massive amounts of data.

“The platform is under extreme load,” the exchange said at 9:39 a.m. ET. “We are investigating. Seems a DDoS attack was launched soon after we relaunched the platform.”

Still, clients’ funds were not impacted, according to a statement by Kasper Rasmussen, head of marketing at Bitfinex.

“The attack only impacted trading operations, and user accounts and their associated funds/account balances were not at risk at any point during the attack,” Rasmussen said in a statement. “We will continue to update our user base on any further disruptions to service.”

Crypto exchange outages were common at the end of 2017 as bitcoin soared to all-time highs near $20,000, but have been less common in 2018 as prices and volumes across the digital coin market have fallen back to earth.

In 2017, the breakneck growth of the market forced some exchanges to stop onboarding new users altogether. A flash crash at Bitfinex in December left customers demanding answers and refunds.

Hacks and cyber attacks have long been a problem for the crypto space. Notably, Mt. Gox, which was the world’s largest bitcoin exchange, witnessed a massive DDoS attack in 2013. It shut in 2014 after a $450 million hack. JPMorgan estimates that a third of bitcoin exchanges have been hacked.

“Running an exchange is one of the most complex server-side operations out there,” Kyle Samani, a crypto fund manager, told Business Insider.

“On an exchange, everyone wants real time, all the time, globally and the bots are hitting the APIs every few milliseconds both to get order book updates and to trade,” Samani added. “Doing this at scale is much harder than almost any other application.”

Still, Gabor Gurbacs, the director of digital asset strategy at VanEck, told Business Insider he thinks exchanges are getting better at handling technical issues and communicating with clients.

“Recently, exchanges started to halt trading, especially important for margin trades, and provided timely and more transparent notes to customers in cases of service disruptions,” Gurbacs said. “It’s a sign of maturation in my view.”

2018’s less volatile trading environment has given exchanges an opportunity to catch their breath. Bitfinex didn’t experience any technical incidents in the entire month of May.

Bitcoin was trading lower in the aftermath of the DDoS attack. The cryptocurrency was down 1.04% at $7,421 a coin, according to Markets Insider data.

Source: http://www.businessinsider.com/bitfinex-hit-by-cyber-attack-2018-6

Internet of Things: when objects threaten national security

We all know personal devices can be hacked, but a whole country’s security could be at risk too. With the rise of the so-called Internet of Things (IoT), and against the backdrop of cyberwarfare, digital surveillance and digital subversion, the risk to national security is increasing. Earlier this year the head of the UK National Cyber Security Centre publicly stated that a major cyber-attack on the country’s essential services was a question of “when, not if”.

The IoT comprises the billions of online objects embedded in our homes, workplaces and cities that are constantly collecting, analysing and transmitting data. Some IoT devices, such as personal fitness trackers or smartphones, are carried with us wherever we go. Others we interact with remotely, such as domestic heating controls. Many are invisible, operating silently to modulate traffic flows, industrial control systems, and much more.

IoT devices are not so much things with computers in them, but computers with things attached to them. Because no computer is perfectly secure, that means that neither is your smart fridge or your virtual assistant. Like all things online, these objects form part of massively distributed networks. If someone wanted to hack into these global information networks, IoT devices provide billions of extra entry points.

It is relatively easy to hack an IoT device, as many cheap products do not have adequate security. Even devices with advanced security, such as driverless cars, are vulnerable. This means that IoT technologies are widely regarded as a major cyber-security problem. Pacemakers being hacked, air traffic control systems going down, and all-out “cyber-war” are just some of the worst-case scenarios. Vulnerabilities, if exploited, could lead to damage, injury and death.

Cyber-attacks on critical national infrastructure are already a very real threat. In 2015, the Ukrainian power grid was affected by a cyber-attack that left Kiev without electricity for several hours. More recently, in 2017, the UK’s NHS was compromised for weeks by the malicious software (malware) WannaCry.

These incidents show just how disruptive cyber-attacks can be, and the fact that IoT attacks are proliferating and diversifying is a cause for worry. One major internet security company reported that IoT attacks increased 600% in 2016-17. This is an exponential rise and is expected to persist, not least as the number of IoT devices increases. Devices already outnumbered humans in 2017 and may top 20 billion by 2020.

The rise of the botnet

A botnet is a network of internet-connected devices that have been hacked, hijacked and controlled remotely. The problem is that poorly secured IoT accounts make perfect targets for hackers attempting to develop and weaponise botnets. With the right malware, hackers can use botnets to perform distributed denial-of-service (DDoS) attacks against specific targets. The malware uses thousands of devices to flood internet servers with traffic and disable access to online resources. Billions of IoT devices make it easier for hackers to take control of large botnets and attack even the most robust targets.

The Mirai malware exploited vulnerabilities in IoT devices, such as CCTV cameras and routers, to do just this. In October 2016, Mirai launched a DDoS against Dyn, Inc, the company that provides access to major platforms like Twitter, Amazon and Netflix. The DDoS prevented consumers from accessing these platforms for several hours. Of course, it is difficult to calculate the financial implications of such incidents but Mirai showed how essential services can be attacked by exploiting IoT devices.

States or non-state actors could try and use an IoT botnet to attack a country’s health, energy, transport or finance sector. If a botnet were directed against critical national infrastructure, the effects could be severe. Speculation in the absence of evidence is rarely wise but it is not hard to imagine what might happen if financial services were taken offline, or rail transport networks sabotaged. No cyber-attack has yet collapsed the global financial system, or killed anyone, thankfully, but these are the fears of policymakers and cyber-security professionals.

Attribution is not easy either but it’s getting better. Were a state or terrorist group identified as the perpetrator of a major attack, national security apparatuses should swing into action to counter them. For NATO members, a cyber-attack might even trigger a collective political and military response.

How are governments responding?

So far both the US and the UK have stopped short of introducing regulation, but instead are putting pressure on businesses to make their products more secure. However, these policies do not address the overarching problem: companies will keep on selling products with poor security because consumers are willing to buy them. It is supply and demand. There are presently few incentives for firms to bring IoT products to market that meet high security standards. In global supply chains, the picture is even more complicated because national initiatives cannot resolve transnational problems.

The market will not solve this problem, so more robust government regulation is all but inevitable. Few bureaucracies relish the challenge. In policy terms, this is a “wicked problem”. Even if a solution were obvious, it would likely be impossible to implement because of key players’ competing motives and the dynamism of the technical environment.

A more radical approach is to address why the IoT exists in the first place. It is the product of both laudable aims (energy efficiency, public welfare) and an obsession with connectivity for connectivity’s sake. As is well-established, complex systems generate unpredictable effects. If we are to minimise the risks of wiring up our world, we need to consider prioritising devices that are truly necessary over ones that are simply desirable. This will require a fundamental shift in mindset, putting the public good before profit and political expediency.

Source: http://theconversation.com/internet-of-things-when-objects-threaten-national-security-96962

Weekly Cyber Risk Roundup: FBI Advises Home Router Resets

What’s Everyone Talking About? Trending Cybercrime Events

The big news for this week was the Cisco warning of 500,000 routers being hacked by Russian criminal hackers in a bid to attack Ukraine. According to CNBC, “Cisco’s Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.”

In subsequent reporting, the FBI issued a statement recommending that all users with a home or small-business router turn the device off and then back on. The reboot is meant to counter the Fancy Bear-linked malware mentioned above.

Further details are being released as they become available. The details of the warnings were: “at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.”


Other trending cybercrime events from the week include:

  • State data breach notifications: In October 2017, criminal hackers obtained the credentials for two employee accounts at Worldwide Insurance Services. A phishing campaign was used to steal the credentials and may have resulted in customers’ private insurance details being viewed by unauthorized parties. In December 2017, a former employee of Muir Medical Group took clients’ personal details with them before their employment ended, which could have resulted in the leak of clients’ personally identifiable information. In March 2018, a contractor for the California Department of Public Health experienced a robbery in which documents and a laptop were stolen.
  • Altcoin Experienced Second Hack: The alternative cryptocurrency Verge experienced its second hack in recent months. $1.4 million (USD) was stolen in the latest attack, which started as a distributed denial-of-service (DDoS) attack. In the previous event, the cryptocurrency suffered a 25% loss.
  • Bitcoin Gold Suffers Attack: In a similar attack to the Verge incident above, Bitcoin Gold suffered a 51% attack resulting in the loss of $18 million in Bitcoin Gold. Also known as double spending, this type of attack works very similarly to a DDoS attack in that it ties up the network resources of the target.
  • Fourteen Vulnerabilities Found in BMWs: In a recent security test, researchers found fourteen vulnerabilities while hacking BMW cars. According to the report, “the flaws could be exploited to gain local and remote access to infotainment (a.k.a head unit), the Telematics Control Unit (TCU or TCB) and UDS communication, as well as to gain control of the vehicles’ CAN bus.”
  • App Leaks Passwords in Plaintext: Researchers discovered that two servers owned by TeenSafe, an app that parents and guardians can use to monitor a child’s phone activity, were hosted without any password protecting the stored data. Over 10,000 accounts were exposed on the AWS-hosted servers.

Cyber Risk Trends From the Past Week

A new report from security researchers this week is touting a new kind of banking malware. Researchers are calling the malware BackSwap and discovered it attacking Polish banks. According to the report, “We have discovered a new banking malware family that uses an innovative technique to manipulate the browser: instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.”

The malware was first noticed in January 2018, and the first samples were analyzed in March 2018. According to the report, “the banker is distributed through malicious email spam campaigns that carry an attachment of a heavily obfuscated JavaScript downloader from a family commonly known as Nemucod. The spam campaigns are targeting Polish users.” As users see every day, just because a malware strain is targeting a specific bank or country doesn’t mean it hasn’t started to spread or won’t be turned on other targets later.


Source: https://securityboulevard.com/2018/05/weekly-cyber-risk-roundup-fbi-advises-home-router-resets/

DDoS used to oust competition in crypto market

In the last 12 months, cyber criminals have been using distributed denial-of-service (DDoS) attacks to target crypto-currencies.

That’s according to Alex Cruz Farmer, product manager at Cloudflare, who spoke at the ITWeb Security Summit 2018 event this week.

Criminal perpetrators of DDoS attacks often target sites or services hosted on high-profile Web servers, such as those of banks or credit card payment gateways. Revenge, blackmail and activism can motivate these attacks.

However, when targeting crypto-currencies with DDoS attacks, “it’s not for the good old ransom, it’s a way to run the competition out of town”.

Cloudflare is one of the biggest DDoS mitigation platforms in the world, serving over eight million domains across more than 150 data centres.

Soon to be the norm

A crypto-currency marketplace customer that had migrated to Cloudflare suffered an attack which, according to Farmer, demonstrated the complexity of modern-day attacks, something he believes will soon be the norm.

“The customer noticed that there were a huge number of sign-ups to their Web site, way more than usual, and had assumed this was spam or some other scam. After a week or two, they found that thousands and thousands of these accounts were logging in, and repeatedly checking their account balances, which in turn caused their database platform to grind to a halt.”

He explained that the attack was identified and dealt with within a very short period of time, but the attackers did not stop there.

“Further application-based attacks occurred, focusing on almost every endpoint possible, to find another area of weakness. Fortunately, we were wise to these games, and our security teams were able to put adequate protections in place to block any further attacks.”
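The sign-up-then-poll pattern Farmer describes can be picked out of an application log by age and request rate. The block below is an added example, not Cloudflare’s or the customer’s code; its log format, endpoint names and thresholds are constructed.

```python
"""Flag new accounts that poll a balance endpoint at bot rates.

Added example, not Cloudflare's or the customer's code. It models the
pattern Farmer describes: a burst of sign-ups, then those accounts
logging in and re-checking balances until the database stalls.
The log format, endpoints and thresholds are all constructed.
"""
from collections import defaultdict

def build_sample():
    """Constructed log: '<epoch seconds> <account> <method> <path>'."""
    lines = [f"{1000 + i} u{i + 1} POST /signup" for i in range(3)]
    for t in range(1100, 1160):            # bots poll once a second for 60 s
        lines += [f"{t} u{i + 1} GET /api/balance" for i in range(3)]
    lines.append("500 u42 POST /signup")   # an older, human-paced account
    lines += [f"{t} u42 GET /api/balance" for t in (1105, 1130, 1155)]
    return "\n".join(lines)

def parse(log):
    for line in log.splitlines():
        ts, acct, method, path = line.split()
        yield int(ts), acct, method, path

def peak_rate(times, window):
    """Most requests seen in any sliding window of `window` seconds."""
    times = sorted(times)
    lo = peak = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak

def suspicious_accounts(log, window=60, max_polls=20, max_age=600):
    """Accounts created within `max_age` s of their first balance check
    that exceed `max_polls` checks in any `window`-second span.
    Returns {account: peak count}. Accounts with no sign-up in the
    log are treated as old and skipped."""
    signup, polls = {}, defaultdict(list)
    for ts, acct, method, path in parse(log):
        if method == "POST" and path == "/signup":
            signup[acct] = ts
        elif path == "/api/balance":
            polls[acct].append(ts)
    flagged = {}
    for acct, times in polls.items():
        if acct not in signup or min(times) - signup[acct] > max_age:
            continue
        peak = peak_rate(times, window)
        if peak > max_polls:
            flagged[acct] = peak
    return flagged

if __name__ == "__main__":
    for acct, n in suspicious_accounts(build_sample()).items():
        print(f"{acct}: {n} balance checks in 60 s shortly after sign-up")
```

The flagged set is what a per-account rate limit or a challenge on the balance endpoint would act on; the age check keeps long-standing, human-paced accounts out of it.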

DDoS evolution

He pointed out that DDoS attacks have evolved over the years, noting that the first ever DDoS was caused in 1988 by the Morris Worm, written by Robert Morris.

“It was a complete accident, the purpose was to gauge the size of the Internet. However, due to an oversight in the code, it ended up taking down the Internet, causing huge amounts of damage, leading to the first ever cyber-related felony in the US.”

From then on, he said, DDoS attacks were inherently focused on exhausting CPU or other resources.

“For example, a simple TCP SYN attack on an Apache server would exhaust open sockets, rendering servers useless and causing any new connections to time out. The only resolution was to restart the Web server.”

TCP SYN flood (aka SYN flood) is a type of DDoS attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.
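The half-open connections a SYN flood leaves behind are visible in the server’s own socket table. The block below is an added example, not from the article; it reads constructed lines in a simplified `ss -tan` layout and counts SYN-RECV sockets per port and per peer.

```python
"""Spot a SYN flood in a socket table (added example, not from the article).

Lines are constructed in a simplified `ss -tan` style with three columns
(State, Local:Port, Peer:Port); the real tool also prints Recv-Q/Send-Q.
The symptom is the one the text describes: half-open SYN-RECV sockets
that never finish the handshake and exhaust the listen backlog.
"""
from collections import Counter, defaultdict

# Constructed sample socket table during a flood against port 80.
SAMPLE = """\
ESTAB    10.0.0.5:80   203.0.113.10:51234
SYN-RECV 10.0.0.5:80   198.51.100.7:40001
SYN-RECV 10.0.0.5:80   198.51.100.7:40002
SYN-RECV 10.0.0.5:80   198.51.100.7:40003
SYN-RECV 10.0.0.5:80   198.51.100.8:40004
SYN-RECV 10.0.0.5:80   198.51.100.9:40005
ESTAB    10.0.0.5:22   203.0.113.11:55000
SYN-RECV 10.0.0.5:443  198.51.100.7:40006
"""

def parse_sockets(text):
    """Yield (state, local_port, peer_ip) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        state, local, peer = parts[:3]
        # rsplit keeps IPv6 literals such as [::1]:80 intact
        yield state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]

def half_open_summary(text):
    """Count SYN-RECV sockets per local port, and per peer within each port."""
    per_port, peers_per_port = Counter(), defaultdict(Counter)
    for state, port, peer in parse_sockets(text):
        if state == "SYN-RECV":
            per_port[port] += 1
            peers_per_port[port][peer] += 1
    return per_port, peers_per_port

def flooded_ports(text, threshold=5):
    """Ports whose half-open backlog reaches the threshold.

    The threshold is a constructed value sized for the sample; derive it
    from the host's normal SYN-RECV count and listen backlog in practice.
    Few sources suggest rate limiting; many (likely spoofed) suggest SYN cookies.
    """
    per_port, _ = half_open_summary(text)
    return sorted(p for p, n in per_port.items() if n >= threshold)

if __name__ == "__main__":
    for port in flooded_ports(SAMPLE):
        print("half-open backlog high on port", port)
```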

“Unfortunately for the attackers, there were quick and easy solutions for server administrators to protect themselves from SYN attacks, so naturally, the evolution was to find the next destructive option: exhaust the network.

“Come to 2003, we had one of the most epic DDoS attacks ever seen, caused by the infamous SQL Slammer virus. Not only did these attacks cripple the target server, they also crippled the network, and in some cases even their upstream ISP,” Farmer said.

Fast forward five to 10 years, and we saw the birth of User Datagram Protocol (UDP) based reflection attacks, primarily utilising NTP services (the service which sets the time on a computer, mobile phone or any other connected device), he pointed out.

“But, like always, patches are created, and the community came together to build necessary protections. It was UDP-based, so it was easy to block for most networks.”

According to Farmer, 2016 is when things really changed. “Mirai was born, with its debut attack of 540Gb/sec targeting the Rio Olympics, then a few weeks later generating the largest attack the world had seen against security blogger Brian Krebs.”

He explained that Mirai used IoT devices to generate the attacks. “While these devices may seem harmless, under the hood they run a real, fully-loaded operating system, mostly Linux. This means an attacker is able to run whatever script they wish, have it call home, update its firmware and most importantly, lock out the owner.”

Source: https://www.itweb.co.za/content/VgZey7JAZa8vdjX9