Canada third most exposed country to possible cyber attacks, says vendor study

After hours of thankless work on their systems every day, infosec pros in this country are among the best at securing their systems, right? Not according to a new report.

Canada ranks third on a list of worst countries whose organizations and users have unsecured Internet services open to cyber attacks, says a security vendor survey.

The National Exposure Index, released Thursday by Rapid7, rates the United States first and China second as the countries with the biggest exposure to likely attack, exposure to pervasive monitoring and exposure to amplification abuse.

After Canada comes South Korea, Great Britain, France, the Netherlands, Japan, Germany and Mexico.

Countries are ranked based in part on a scan of open ports to certain services (see below) relative to the number of allocated IPv4 addresses. So, for example, a country that has 1,000 computers, 100 per cent of which are exposing old versions of Windows SMB (server message block), won’t score as high in the exposure rankings as a country with a million computers where only 10 per cent are exposing SMB.

There is also some weighting. A country with a higher percentage of exposed services in relation to its total allocated IP address space will tend to score higher. In addition, countries that have confirmed Microsoft SMB exposed to the internet are weighted even higher.

As a result, Russia ranks 14th.

Among other findings:

• There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL. Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss to a co-ordinated attack;
• While the number of exposed Microsoft SMB servers dropped considerably after the WannaCry attack of 2017, there remain about half a million targets today, primarily in the U.S., Taiwan, Japan, Russia, and Germany;
• Amplification-based distributed denial of service (DDoS-A) remains a powerful technique for harming enterprises and providing cover for more sophisticated attacks. While the number of exposed UDP-based memcached servers is less than 4,000, there are about 40,000 unpatched, out-of-date memcached servers, which are at risk of being drafted into the next record-breaking DDoS attack.

Memcached is an open source high-performance, distributed memory object caching system originally intended for use in speeding up dynamic web applications by alleviating database load. But in March hackers leveraged misconfigured or unprotected memcached servers to launch huge distributed denial of service (DDoS) attacks.
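The memcached abuse described above comes down to one misconfiguration: a UDP listener on port 11211 bound to an address reachable from the internet. The script below is an added example, not part of the article or of the Rapid7 report, that checks a host for that condition. It parses the output of `ss -lun` (listening UDP sockets) and reports any memcached listener not bound to loopback; the `ss` output shown is constructed so the check runs offline, and the host and addresses in it are assumptions.

```shell
#!/bin/sh
# Added example: detect memcached UDP listeners reachable from off-host,
# i.e. the misconfiguration abused for amplification DDoS.
# Input is the output of `ss -lun`; the sample below is constructed.

SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN 0      0      0.0.0.0:11211       0.0.0.0:*
UNCONN 0      0      127.0.0.1:11211     0.0.0.0:*
UNCONN 0      0      [::]:11211          [::]:*
UNCONN 0      0      0.0.0.0:53          0.0.0.0:*'

# Print the local address of every memcached (port 11211) UDP listener
# that is bound to something other than a loopback address.
exposed_memcached_udp() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                      # skip the ss header line
        {
            addr = $4                         # "Local Address:Port" column
            sub(/:[0-9]+$/, "", addr)         # strip the trailing :port
            port = $4; sub(/.*:/, "", port)   # keep only the port number
            if (port != "11211") next         # not memcached
            if (addr == "127.0.0.1" || addr == "[::1]") next  # loopback only: fine
            print addr
        }'
}

# Number of exposed listeners; non-zero means the host needs fixing.
exposed_memcached_udp_count() {
    exposed_memcached_udp "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample (live use: pass "$(ss -lun)").
exposed_memcached_udp "$SAMPLE_SS_OUTPUT"
```

Any address printed is a listener an attacker could hit with spoofed requests. The fix on the memcached side is to start the daemon with UDP disabled (`-U 0`) and bound to loopback or an internal interface (`-l 127.0.0.1`), and to filter UDP/11211 at the network edge; memcached releases from 1.5.6 onward ship with UDP off by default, which is why the out-of-date servers the report counts are the ones still at risk.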

Source: https://www.itworldcanada.com/article/canada-third-most-exposed-country-to-possible-cyber-attacks-says-vendor-study/406044

7 Variants (So Far) of Mirai

Mirai is an example of the newest trend in rapidly evolving, constantly improving malware. These seven variants show how threat actors are making bad malware worse.

Satori

Where Mirai is relatively broad in scope, able to plant itself on many different routers and devices, Satori is quite specific. Discovered in December 2017, Satori takes advantage of vulnerabilities in two devices: Realtek’s UPnP SOAP interface and Huawei’s home gateway.

In addition to the device changes, Satori differs from Mirai (in at least some versions) by changing the way it propagates. Whereas Mirai uses the venerable telnet protocol, several Satori versions take advantage of device-specific communications protocols to spread to new targets.

With Satori, malware developers have added targets and communication protocols to a functional core of capabilities.

Okiru

Unlike Satori, Okiru — based, in part, on Satori’s improvements to Mirai — is broad in its scope. Okiru targets systems with an Argonaut RISC Core (ARC) processor and uses Executable and Linkable Format (ELF) distribution files.

The ARC target is important because ARC processors are used in a vast number of IoT devices. In addition, ELF files are commonly used as a distribution source for Linux applications; using them for Okiru brings into reach IoT devices running a Linux variant as the embedded OS.

Some researchers consider Okiru, first identified in January 2018, to be a version of Satori. But the advances in target architecture and distribution method show the kind of evolution that gives Okiru a name of its own.

Masuta

Malware can exploit vulnerabilities in many things, but threat actors love a protocol exploit because it can hit so many targets. Masuta and its PureMasuta subvariant take advantage of SOAP to convince targeted devices to run commands issued by the threat actor.

Masuta is presumed to have been created by the same developer who built the Satori botnet, but the code for Masuta demonstrates “professional development” both in the additional functionality and in the way the programmer covered identifying tracks left in the code.

The development in Masuta shows not only the evolution of an exploit family but the evolution of an individual programmer — and is typical of the kind of skills development researchers are seeing more frequently in the malware world.

PureMasuta

Where Masuta widened Mirai’s (and Satori’s) scope with more SOAP, PureMasuta brings it back to a specific vulnerability first found on D-Link routers in 2015. PureMasuta exploits a known vulnerability in HNAP (Home Network Administration Protocol), which is based on SOAP.

Once again, PureMasuta shows how a hacker develops skill, building exploit on exploit and trying new targets. PureMasuta’s programmer, Nexus Zeta, has so far specialized in SOAP exploits. That’s a trivial limitation, though, given SOAP’s ubiquity in the modern Internet world.

OMG

The old saying goes, “There’s more than one way to skin a cat.” There’s also more than one way to monetize a botnet, and the OMG Mirai variant takes a commercial tack that is far removed from the original.

Where all the variants of Mirai discussed so far were DDoS engines, OMG, just like the original, uses 3proxy, an open source proxy server, to turn any infected device into a proxy server that can then be used for a variety of purposes. OMG even goes so far as to check for, and rewrite, firewall rules to ensure that the ports used by the new proxy server can transit the network perimeter with no trouble.

OMG provides a network of proxy servers that can be rented out for use by a huge number of clients, whether they’re looking for DDoS generators, a spam network, a crypto-jacking scheme, or a ransomware empire. No matter the demand, the OMG proxy network can provide the illicit proxy.

IoTroop

Like many family trees, Mirai has branches that shoot directly from the original root and others that are a bit farther out in the canopy. IoTroop is one of the latter, but it’s curving back to rejoin the main stem, making it more interesting than your average third cousin, twice removed.

IoTroop has Mirai code as its foundation, but it is a variant that has taken a huge leap from its roots. It begins with the way that IoTroop infects a device. Whereas Mirai uses brute force user ID and password guessing, IoTroop searches for vulnerabilities to exploit.

Then come the big changes: IoTroop doesn’t place a Mirai-style DDoS engine on a device. Instead, it places a loader that constantly communicates with a C&C server. The server can then pass any one of a number of payloads to the victim device, turning the network into whatever illicit form someone is willing to pay for.

Wicked Mirai

Wicked Mirai is the most recent major variation on a theme, and it adds a dangerous capability to the Mirai family tree: persistence.

Wicked Mirai takes many of the advances in other variants, such as vulnerability scanning and a payload downloaded on demand from a C&C server, and adds code to the firmware in many common residential routers that makes the malware persistent – that is, able to remain on the device through reboots.

Mirai will likely continue to evolve and develop. It has also shown to the malware market the possibility of rapid code evolution and an agile mindset. The question for the security world is whether the defender can evolve as quickly, or as effectively, as the attacker.

Source: https://www.darkreading.com/vulnerabilities—threats/7-variants-(so-far)-of-mirai/d/d-id/1331953?_mc=rss%5Fx%5Fdrr%5Fedt%5Faud%5Fdr%5Fx%5Fx%2Drss%2Dsimple&image_number=1

Six years on from the official launch, just how secure is IPv6?

The world launch of IPv6 happened back in June 2012, and World IPv6 Day is on Friday 8 June. But just how secure is IPv6 some six years after that fanfare deployment?

Development of IPv6 first started in the early 1990s, when it was realised that the physical limitation of 4.3 billion unique IP addresses in the IPv4 protocol wasn’t going to be enough to support Internet growth. And that was before the Internet of Things had even been thought about. IPv6 addresses the problem, if you’ll excuse the pun, by providing 340 trillion, trillion, trillion unique addresses.

The newly published Internet Society State of IPv6 Deployment report for 2018 points to the success of IPv6 deployment. More than 25 percent of all Internet-connected networks advertise IPv6 connectivity, for example. If you combine the top 15 ISPs across the world, nearly half a billion people are using IPv6 already. Six years ago, less than one in every 100 connections to Google used IPv6; today it is one in four. The report does admit, however, that “enterprise operations tend to be the elephant in the room when it comes to IPv6 deployment.”

Internet Society Chief Internet Technology Officer Olaf Kolkman says that IPv6 is “increasingly seen as a competitive advantage, a market differentiator and an essential tool for forward-looking Internet applications and service providers of all kinds.” But the question for enterprise security teams remains: just how secure is IPv6?

“In the sense of the protocol, IPv4 and IPv6 are roughly similar in terms of security,” says Dr. Stephen Strowes, Senior Researcher at the RIPE NCC, in conversation with SC Media UK. “The difference comes from other layers,” Dr Strowes adds. “It’s the tools used and training that network operators get that makes all the difference.”

Cricket Liu, VP of Infrastructure at Infoblox, agrees. “IPv6 isn’t inherently more or less secure than IPv4.” However, speaking to SC Media, Liu suggests that the major security implications of moving to IPv6 are that “network administrators have substantially less experience managing the protocol than they do with IPv4.” Throw in that network equipment vendors, security vendors, and so on often don’t support IPv6 as completely as they do IPv4, and “the chance of making configuration mistakes increases, as does the likelihood that some whizzy feature of your firewall, IDS or IPS that works great over IPv4 isn’t supported at all over IPv6.”

Wicus Ross, Security Researcher with SecureData, admits that “It’s possible that there are more misconfigurations present on IPv6 due to the relative lesser usages compared to IPv4.” However, to balance that there’s the small matter of the huge size of the IPv6 address space, where a single IPv6 subnet can contain the entire IPv4 address space. “As such,” Ross continues, “IP Address enumeration or scanning through the IPv6 address space sequentially using current capability is not feasible.” This should be good news, as it makes it less efficient for attackers to hunt for vulnerable devices.

Earlier this year, DDoS protection experts Neustar experienced and successfully mitigated its first recorded native IPv6 DDoS attack. This targeted the authoritative DNS service on the Neustar network, and originated from around 1,900 native IPv6 hosts on more than 650 different networks. “IPv6 attacks present a particular set of challenges that, at this moment, cannot easily be rectified,” Barrett Lyon, General Manager of DDoS at Neustar, told SC Media UK. “For example, the massive number of addresses available to an attacker allows them to exhaust the memory of modern day security appliances,” Lyon continues. “As a result, the potential volume of an IPv6 attack has the opportunity to create a mess.”

Lyon concludes that, going forward, “a great deal of work will need to be undertaken by security professionals to ensure that IPv6 is protected and that we are ahead of the curve when it comes to predicting a hacker’s next move.”

Source: https://www.scmagazineuk.com/six-years-on-from-the-official-launch-just-how-secure-is-ipv6/article/771757/

8 Questions to Ask in DDoS Protection

As DDoS attacks grow more frequent, more powerful, and more sophisticated, many organizations turn to DDoS mitigation providers to protect themselves against attack.

Before evaluating DDoS protection solutions, it is important to assess the needs, objectives, and constraints of the organization, network and applications. These factors will define the criteria for selecting the optimal solution.

Below are eight questions to ask when considering DDoS protection:

  1. What are my data center plans? Many organizations are migrating their data center workloads to cloud-based deployments. The decision of whether to invest in new equipment or to use a cloud service depends heavily on this consideration. Organizations that are planning to downscale (or completely eliminate) their data centers might consider a cloud service. However, if you know for sure that you are planning to maintain your physical data center for the foreseeable future, then investing in a DDoS mitigation appliance could be worthwhile.
  2. What is my threat profile? Which protection model is best for you also depends heavily on the company’s threat profile. If a company is constantly attacked with a stream of non-volumetric DDoS attacks, then a premise-based solution might be an effective solution. However, if they face large-scale volumetric attacks, then a cloud-based or a hybrid solution would be better.
  3. Are my applications mission-critical? Some DDoS protection models offer faster response (and protection) time than others. Most applications can absorb short periods of interruption without causing major harm. However, if your service cannot afford even a moment of downtime, that should factor heavily into the decision-making process.
  4. How sensitive are my applications to latency? Another key consideration is the sensitivity of the organization and its applications to latency. Cloud-based services tend to add latency to application traffic, so if latency is a big issue, then an on-premise solution – either deployed inline or out-of-path – might be relevant.
  5. Am I in a regulated industry? Some organizations are within regulated industries that handle sensitive user data. As a result, they are prevented from migrating services and data to the cloud, or prefer not to.
  6. How important is control for me? Some organizations place a big emphasis on control, while others prefer that others handle the burden. A physical device will provide you with more control, but will also require additional overhead. Others, however, might prefer the lower overhead usually offered by cloud services.
  7. OPEX vs. CAPEX? Solutions which include hardware devices (such as a premise-based DDoS appliance) are usually accounted for as a capital expenditure (CAPEX), whereas ongoing subscription services (such as cloud DDoS protection services) are considered operating expenses (OPEX). Depending on accounting and procurement processes, some organizations may have a preference for one type over the other.
  8. What is my budget? Finally, when selecting a DDoS protection solution, many times the decision comes down to costs and available funds. That’s why it is important to be cognizant of the total cost of ownership (TCO), including added overhead, infrastructure, support, staff and training.

Depending on the answers to those questions, organizations can define the criteria for what’s important to them in a DDoS solution, and base their choice on that.

  • Typically, for organizations seeking data center protection, or that have mission-critical and latency-sensitive applications they need to protect, a hybrid solution will provide optimal protection.

Hybrid DDoS protection combines both premise-based and cloud-based components. It provides both low latency and uninterrupted protection, as well as the high capacity required to mitigate large-scale volumetric DDoS attacks.

  • For organizations looking to protect applications hosted on public cloud providers (such as AWS or Azure), or customers who frequently come under attack, a cloud-based always-on solution will usually be best.

An always-on cloud service provides constant, uninterrupted cloud-based DDoS protection. However, since all traffic is routed through the provider’s scrubbing network, it may add latency to requests.

  • Finally, for customers who are infrequently attacked, or otherwise have a limited budget, a cloud-based on-demand solution will usually suffice.

An on-demand cloud service is activated only when organizations come under DDoS attack. However, detection and diversion usually take longer than in other models, meaning that the customer may be exposed for longer periods.

The parameters of the optimal DDoS solution will inevitably vary from organization to organization. Use these questions to help guide you to the solution that is best for you.

Source: https://securityboulevard.com/2018/06/8-questions-to-ask-in-ddos-protection/

2018: Snapshot of the Most Important Worldwide Cybersecurity Laws, Regulations, Directives and Standards

Are you out of breath from the breakneck pace of cyberattacks since the start of 2018? Throughout the world, nearly daily news reports have been filed detailing the results of incredibly effective cyberattacks on targets ranging from small companies to nation-states. The sum total of these attacks has permanently and dramatically changed the information security threat landscape. This change hasn’t gone unnoticed by regulators, and now, depending on where your business operates, you have accrued even more work to demonstrate your diligence against these threats.

Among the numerous lessons drawn from this carnage is that cyberattacks have become an existential threat to many countries, as the attacks, on everything from financial services to power generation facilities, threaten the fidelity and integrity of numerous industrial segments. As a result, regulators throughout the world are stepping in to try to drive meaningful action where they believe it is required. Normally these early efforts are the harbingers of future legislation and give birth to standard approaches and forums to debate the efficacy of those approaches.

Since 2014 there have been 10 noteworthy efforts:

  • Effort #1: National Institute of Standards and Technology’s Cybersecurity Framework (U.S.)
  • Effort #2: Office of the Superintendent of Financial Institutions (OSFI) Memorandum (Canada)
  • Effort #3: Federal Financial Institution’s Examiner Council (FFIEC) Joint Statement on DDoS Cyber Attacks, Risk Mitigation and Additional Resources (U.S.)
  • Effort #4: Securities & Exchange Commission Cyber Exams (U.S.)
  • Effort #5: Office of the Comptroller of the Currency (OCC) Guidance (U.S.)
  • Effort #6: National Credit Union Administration (NCUA) Risk Alert (U.S.)
  • Effort #7: EU’s NIS Directive (EU)
  • Effort #8: EU’s GDPR (EU)
  • Effort #9: EU’s Regulation Against Geo-IP-based blocking of EU member countries or economies (EU)
  • Effort #10: Growth of Country Specific Cybersecurity Laws such as Korean Cyber Laws (KOREA)

Each of these efforts has taken a different approach, but they seem to share a similar ethos. Let’s explore each in a little more depth:

National Institute of Standards and Technology’s (NIST) Cybersecurity Framework

In response to a presidential directive, on Oct. 22nd the U.S. National Institute of Standards and Technology (NIST) released the latest version of its cybersecurity framework, which aims to better secure U.S. companies and government agencies. The new draft goes into significantly greater detail than the version released Aug. 28th, which laid out higher-level principles of the framework, including items referred to as ‘pillars.’ NIST laid out three central pillars to the framework, which are designed to provide industry and government alike with a common cybersecurity taxonomy, establish goals and intended targets, identify and prioritize opportunities for improvement, assess progress and improve communication among stakeholders. The final framework was announced in February of 2014. Many viewed this framework as the seed that would spawn numerous industrial requirements throughout the U.S.

Office of the Superintendent of Financial Institutions (OSFI) DDoS Memorandum

Earlier this year, large Canadian-based banks were hit by cyberattacks whereby one or more hackers used a brute force “denial-of-service” attack to disable some banks’ websites and mobile applications. Attacks such as these were reminiscent of Operation Ababil, which began in September 2012 and focused on attacking the websites of large U.S.-based banks. Those attacks were similar to the Canadian attacks: they slowed down website operations and caused many bank sites to be inoperative for a significant portion of their customers. Mindful of this very real threat and the need to manage risk, on October 28, 2013, the Office of the Superintendent of Financial Institutions (OSFI) released a memorandum to federally regulated Canadian financial institutions (FRFIs) discussing the measures that FRFIs should be taking to prevent, manage and remediate cyberattacks. The memorandum states that cybersecurity is growing in importance because: (i) FRFIs increasingly rely on technology; (ii) the financial sector is interconnected; and (iii) FRFIs play a critical role in our economy. As part of this memorandum, OSFI has required all FRFIs to conduct a self-assessment of the risks and take actions against those risks. OSFI also will be reviewing the fidelity of the assessment and the corresponding risk mitigation steps.

Back in 2005, the OSFI established the Canadian Cyber Incident Response Centre (CCIRC) with a mandate to collaborate with the private sector in responding to the threat of cyberattack.

Last year, however, a report from the country’s auditor general showed that the government had made only limited progress, with gaps in protection, especially at the CCIRC which at the time was only open during business hours, limiting its ability to provide timely information for stakeholders. OSFI suggests in its cybersecurity self-assessment that financial firms should work with the CCIRC, which had its hours extended.

FFIEC Joint Statement: Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources (US)

The Federal Financial Institutions Examination Council (FFIEC) members are issuing statements to notify financial institutions of the risks associated with cyberattacks on Automated Teller Machine (ATM) and card authorization systems and the continued distributed denial-of-service (DDoS) attacks on public-facing websites. The statements describe steps the members could expect institutions to take to address these attacks and highlight resources institutions can use to help mitigate the risks posed by such attacks.

The members also expect financial institutions to address DDoS readiness as part of their ongoing information security and incident plans. More specifically, each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate.

Specifically, the FFIEC is guiding its members to do the following:

  1. Maintain an ongoing program to assess information security risks that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
  2. Monitor internet traffic to the institution’s website to detect attacks;
  3. Activate incident response plans and notify service providers, including internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
  4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
  5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly, and sharing the information can help institutions to identify and mitigate new threats and tactics; and
  6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

Securities and Exchange Commission Cyber Exams (U.S.)

The SEC announced inaugural exams of member companies along with a list of questions they will use.

If you are not aware, the SEC governs most of the financial services which do not fall under FFIEC jurisdiction. So, all mutual funds, wealth management and hedge funds (among many others) are regulated NOT by FFIEC guidelines, but rather by SEC guidelines. Unlike the FFIEC and its regulatory arms (OCC, FDIC, OTS, and NCUA), up to this point the SEC did conduct ad-hoc reviews; however, routine security reviews were maintained.

Office of the Comptroller of the Currency Guidance (U.S.)

In December 2012, the Office of the Comptroller of the Currency (OCC) notified its member financial institutions that DDoS attacks are on the rise and that it expects its members to take steps to identify the risks associated with the attacks and to provide notification to the OCC and others if they are under attack. The guidance reads as follows:

“Recently, various sophisticated groups launched distributed denial of service (DDoS) attacks directed at national banks and federal savings associations (collectively, banks). Each of the groups had different objectives for conducting these attacks ranging from garnering public attention to diverting bank resources while simultaneous online attacks were under way and intended to enable fraud or steal proprietary information. This alert provides a general description of the attacks, along with risk mitigation information and sources of related risk management guidance. The alert also reiterates the Office of the Comptroller of the Currency’s (OCC) expectations that banks should have risk management programs to identify and appropriately consider new and evolving threats to online accounts and to adjust their customer authentication, layered security, and other controls as appropriate in response to changing levels of risk.

The OCC expects banks that are victims of or adversely affected by a DDoS attack to report this information to law enforcement authorities and to notify their supervisory office. Additionally, banks should voluntarily file a Suspicious Activity Report (SAR) if the DDoS attack affects critical information of the institution including customer account information, or damages, disables or otherwise affects critical systems of the bank.”

National Credit Union Administration Risk Alert (U.S.)

In February 2013, the National Credit Union Administration (NCUA) issued a Risk Alert to member credit union institutions on “Mitigating Distributed Denial-of-Service Attacks.” The alert included the following verbiage:

“The increasing frequency of cyber-terror attacks on depository institutions heightens the need for credit unions to maintain strong information security protocols. Recent incidents have included distributed denial-of-service (DDoS) attacks, which cause internet-based service outages by overloading network bandwidth or system resources. DDoS attacks do not directly attempt to steal funds or sensitive personal information, but they may be coupled with such attempts to distract attention and/or disable alerting systems.”

Clearly the sense of urgency and the ferocity of the attacks came through in the alert, which also made clear that the issues were broader than the availability of credit union systems.

No one can say for certain how all of this will play out; however, given the increased frequency, directed attacks, and effectiveness of the techniques, we can safely assume that regulators and government legislators will take heed of public calls to action and will continue to drive prescriptive steps for all relevant organizations to follow.

European Union Security of Network and Information Systems (NIS) Directive 2016/2018

In July 2016, the European Parliament set into policy the Directive on Security of Network and Information Systems (the NIS Directive).

The directive went into effect in August 2016, and all member states of the European Union were given 21 months to incorporate the directive’s regulations into their own national laws. The aim of the NIS Directive is to create an overall higher level of cybersecurity in the EU. The directive significantly affects digital service providers (DSPs) and operators of essential services (OESs). Operators of essential services include any organizations that engage in critical societal or economic activities and whose operations would be greatly affected in the case of a security breach. Both DSPs and OESs are now held accountable for reporting major security incidents to Computer Security Incident Response Teams (CSIRTs). While DSPs are not held to as stringent regulations as operators of essential services, DSPs that are not set up in the EU but still operate in the EU still face regulations. Even if DSPs and OESs outsource the maintenance of their information systems to third parties, the NIS Directive still holds them accountable for any security incidents.

The member states of the EU are required to create a NIS directive strategy, which includes the CSIRTs, in addition to National Competent Authorities (NCAs) and Single Points of Contact (SPOCs). These bodies are given the responsibility of handling cybersecurity breaches in a way that minimizes impact. In addition, all member states of the EU are encouraged to share cybersecurity information.

Security requirements include technical measures that manage the risks of cybersecurity breaches in a preventative manner. Both DSPs and OESs must provide information that allows for an in-depth assessment of their information systems and security policies. All significant incidents must be notified to the CSIRTs. Whether a cybersecurity incident is significant is determined by the number of users affected by the security breach as well as the duration of the incident and its geographical reach.

European Union General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR aims to bring a single standard for data protection among all member states in the EU. Changes include the redefining of geographical borders. It applies to entities that operate in the EU or deal with the data of any resident of the EU. Regardless of where the data is processed, if an EU citizen’s data is being processed, the entity is now subject to the GDPR.

Fines are far more severe under the GDPR: up to €20 million or 4% of an entity’s worldwide annual turnover, whichever is higher. In addition, any personal data breach likely to result in a risk to the rights and freedoms of individuals in the EU must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and the affected individuals must be informed without undue delay when that risk is high.

At the EU level the European Data Protection Board (EDPB) oversees the consistent application of the GDPR; day-to-day enforcement is carried out by each member state’s national supervisory authority.

Consent plays a major role in the GDPR. Companies holding data on individuals in the EU must make withdrawing consent as easy as giving it was.

Individuals can also restrict the processing of data held about them: a company may be permitted to keep storing the data but not to process it further, a distinction the regulation draws explicitly. The GDPR also restricts transfers of personal data outside the EU. Such transfers are lawful only to countries the Commission has recognized as providing adequate protection, under appropriate safeguards such as standard contractual clauses or binding corporate rules, or under a narrow derogation such as the individual’s explicit consent.

What Does It Mean for Online Business and Cloud Service Providers?

For online businesses and cloud service providers, GDPR compliance means adhering to the principles of “Privacy by Design” and “Data Protection by Design” throughout the design, development, implementation and deployment of web applications or services and of every component or service associated with them. With the rapid adoption of cloud services there is heightened concern about the readiness of these applications and services: a study by Symantec/Blue Coat found that 98% of the cloud applications it examined were nowhere near GDPR-ready.

WAF, DDoS and the GDPR

Recital 39 of the GDPR says that personal data should be processed in a manner that ensures appropriate security and confidentiality, including preventing unauthorized access to, or use of, personal data and the equipment used for the processing. Recital 49 goes further: it recognizes that processing personal data to the extent strictly necessary to ensure network and information security, meaning the ability of a network or information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data and the security of the related services offered by, or accessible via, those networks and systems, is a legitimate interest. The recital literally says “This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.” In practice that covers blocking brute-force login attempts and the automated web attacks catalogued in the OWASP Top 10, which PCI DSS also references as a baseline for application security.

Most businesses will therefore face an urgent need to strengthen the protection of their published applications and services in four areas: data leak prevention, access control, web-based attack prevention and denial-of-service prevention. Leading providers of cloud and on-premise web application and API protection, and of on-demand, always-on cloud and hybrid denial-of-service mitigation, already cover this need. A fully managed WAF and DDoS cloud service is a fast way to tick one of the regulatory boxes, though it addresses only the security-of-processing obligations and not the rest of a GDPR compliance programme.

European Union Ban on Geo-IP Blocking of Member States 2018

In February 2018 the European Council adopted a regulation banning unjustified geo-blocking in the internal market. The Council has repeatedly emphasized the importance of the digital single market strategy and called for faster implementation, including removal of the remaining barriers to the free circulation of goods and services sold online and action against unjustified discrimination on the grounds of geographic location.

The EU regards geo-blocking as a discriminatory practice that prevents online customers from accessing or purchasing products or services from a website based in another member state.

The regulation removes barriers to e-commerce by prohibiting discrimination based on customers’ nationality, place of residence or place of establishment.

Ending geo-blocking of EU address ranges will significantly disrupt a mainstay of many companies’ and countries’ cyber-defence strategies: filtering traffic by source country. This complication is not yet well understood, and alternatives are not always easy to implement.

The regulation applies in full from 3 December 2018.

Payment transactions: unjustified discrimination of customers in relation to payment methods will be forbidden. Traders will not be allowed to apply different payment conditions to customers for reasons of nationality, place of residence or place of establishment.

Access to e-commerce websites: traders will not be allowed to block or limit customers’ access to their online interface for reasons of nationality or place of residence, and a clear explanation will have to be given whenever a trader blocks or limits access or redirects customers to a different version of the online interface.

On the positive side, the EU believes that the end of geo-blocking will mean wider choice and consequently better deals for consumers and more opportunities for businesses.

Growth of Country-Specific Cybersecurity Regulations such as Korean Cyber Laws

In Korea, there are various laws, regulations and guidelines that promote cybersecurity: two general laws (the Network Act and the Personal Information Protection Act (PIPA)) and other laws targeting specific areas, as discussed below.

The Act on the Promotion of IT Network Use and Information Protection (the Network Act) plays an important part in promoting cybersecurity, protecting personal information and strengthening data security in the context of IT networks. The Network Act prohibits unauthorized access to a network system and the transfer or distribution of any program that may damage, destroy, alter or corrupt a network system or its data or programs. It also prohibits disrupting an information and communications network by intentionally disturbing its operation with large volumes of signals or data or with superfluous requests. Violations are punishable by imprisonment of up to five years or a fine of up to KRW 50 million.

There are also targeted statutes. The Electronic Financial Transactions Act (EFTA) prohibits electronic intrusion into the network systems of financial companies, and the Regulation on Supervision of Electronic Financial Activities (RSEFA), an administrative regulation subordinate to the EFTA, mandates data protection for financial companies. Under the EFTA, attacking a financial system with a virus, logic bomb, e-mail bomb or similar program with the intention of destroying or disrupting it is punishable by imprisonment of up to ten years or a fine of up to KRW 100 million.

In contrast with the laws above, which focus on the protection of data, the Protection of Information and Communications Infrastructure Act (PICIA) is concerned with protecting information and communications infrastructure against ‘electronic intrusion’, defined as an attack on that infrastructure by hacking, computer viruses, logic bombs, e-mail bombs, denial of service, high-power electromagnetic waves or other means.

Source: https://securityboulevard.com/2018/06/2018-snapshot-of-the-most-important-worldwide-cybersecurity-laws-regulations-directives-and-standards/

‘The platform is under extreme load’: Cyber attack brings major cryptocurrency exchange to its knees

  • One of the largest cryptocurrency exchanges shut Tuesday morning because of a cyber attack.
  • “The platform is under extreme load,” Bitfinex said at 9:39 a.m. ET.
  • Bitcoin was trading slightly lower at $7,421 a coin, according to Markets Insider data.

Bitfinex, one of the largest cryptocurrency exchanges by trading volume, was down Tuesday morning after a cyber attack. According to its incident page, the exchange shut early Tuesday morning after problems with its trading engine. It came back online briefly once that issue was addressed, but was then hit by a distributed denial-of-service attack, in which a network of malware-infected computers overwhelms a site with traffic.

“The platform is under extreme load,” the exchange said at 9:39 a.m. ET. “We are investigating. Seems a DDoS attack was launched soon after we relaunched the platform.”

Still, clients’ funds were not impacted, according to a statement by Kasper Rasmussen, head of marketing at Bitfinex.

“The attack only impacted trading operations, and user accounts and their associated funds/account balances were not at risk at any point during the attack,” Rasmussen said in a statement. “We will continue to update our user base on any further disruptions to service.”

Crypto exchange outages were common at the end of 2017 as bitcoin soared to all-time highs near $20,000, but have been less common in 2018 as prices and volumes across the digital coin market have fallen back to earth.

In 2017, the breakneck growth of the market forced some exchanges to stop onboarding new users altogether. A flash crash at Bitfinex in December left customers demanding answers and refunds.

Hacks and cyber attacks have long been a problem for the crypto space. Notably, Mt. Gox, which was the world’s largest bitcoin exchange, witnessed a massive DDoS attack in 2013. It shut in 2014 after a $450 million hack. JPMorgan estimates that a third of bitcoin exchanges have been hacked.

“Running an exchange is one of the most complex server-side operations out there,” Kyle Samani, a crypto fund manager, told Business Insider.

“On an exchange, everyone wants real time, all the time, globally and the bots are hitting the APIs every few milliseconds both to get order book updates and to trade,” Samani added. “Doing this at scale is much harder than almost any other application.”

Still, Gabor Gurbacs, the director of digital asset strategy at VanEck, told Business Insider he thinks exchanges are getting better at handling technical issues and communicating with clients.

“Recently, exchanges started to halt trading, especially important for margin trades, and provided timely and more transparent notes to customers in cases of service disruptions,” Gurbacs said. “It’s a sign of maturation in my view.”

2018’s less volatile trading environment has given exchanges an opportunity to catch their breath. Bitfinex didn’t experience any technical incidents in the entire month of May.

Bitcoin was trading lower in the aftermath of the DDoS attack. The cryptocurrency was down 1.04% at $7,421 a coin, according to Markets Insider data.

Source: http://www.businessinsider.com/bitfinex-hit-by-cyber-attack-2018-6

Dutch banks affected by cyber attack, all services disconnected

Dutch banks ABN Amro and Rabobank were hit by DDoS attacks on May 27 that knocked their online banking systems offline.

Information security experts said the attackers directed DDoS traffic at the two banks’ servers, overloading the websites.

A DDoS attack is one in which many systems together exhaust the bandwidth or resources of a target, usually one or more web servers. The attacking systems are often compromised machines, such as a botnet, flooding the target with traffic.

The first attack against Rabobank and ABN Amro, last week, took online and mobile banking offline and made iDeal payments and the banks’ websites unreachable.

Banks, private companies and government organizations are now the targets of powerful DDoS attacks, and organizations must take measures to reduce the risk and cost of such attacks and keep a constant watch on their networks.

According to an ABN Amro spokesperson, the attackers are jumping from one bank to another.

Information security staff audited the banks’ servers and worked to restore them after the second attack on Sunday.

Rabobank reported that its online services were back in operation from 2:00 a.m. on Monday.

A spokesperson for ABN Amro commented, “The security of Internet Banking, Mobile Banking and iDeal was not in danger.”

Source: http://www.securitynewspaper.com/2018/05/31/dutch-banks-affected-cyber-attack-services-disconnected/

Hacker-for-hire behind series of attacks identified

CYBERCRIMINAL: Data extracted from his computer showed that Chung carried out more than 20,000 DDoS cyberattacks on networks worldwide, officials said.

A young man, surnamed Chung (鍾), has been identified as the alleged hacker behind a series of attacks on the Ministry of Justice’s Investigation Bureau, the Presidential Office, Chunghwa Telecom Co (中華電信) and the central bank, the bureau said yesterday.

Investigators believe Chung launched distributed denial-of-service (DDoS) attacks and uploaded videos of those attacks to YouTube, the bureau’s Taipei office said.

Chung’s motive is apparently to advertise his hacker-for-hire Web site, TDDoS.pw, which he set up with Poland-based hackers in February and has since attracted more than 2,000 members, the bureau said.

The Web site bills itself as the most powerful DDoS attack service provider in the nation, and performs cyberattacks and stress testing for users who pay with bitcoin, the bureau said.

On Monday, investigators questioned Chung at his residence and seized an unspecified number of devices, the bureau said.

Data extracted from his computer showed that Chung has carried out more than 20,000 attacks on networks worldwide, including government offices, online gambling firms and financial holding companies, the bureau said.

Because many of the attacks were staged as demonstrations of capability, they tended to occur late at night and lasted less than a minute, it said.

As a result, many institutions allegedly targeted by Chung were unaware that their network services had been disrupted, it added.
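The pattern the bureau describes, sub-minute floods that the victims never noticed, is exactly what a dashboard averaging traffic over five-minute buckets hides. The Python below is an added example written for this digest, not code from the article, the bureau or any vendor; it contrasts that bucketed view with a sliding-window detector over HTTP access logs, and also illustrates the many-sources-one-target definition of DDoS given in the Dutch banks piece above. Every log line, address and timestamp is constructed for illustration; the 1 request/second baseline, the 20 request/second, 30-second flood and the 100-requests-in-10-seconds alert threshold are assumptions, and the parser covers only the Common Log Format fields it needs.

```python
"""Catching sub-minute DDoS bursts that a five-minute dashboard hides.

Added example for this digest; not code from the Taipei Times article,
the Investigation Bureau or any DDoS vendor. All log lines, addresses and
timestamps below are constructed for illustration.
"""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Common Log Format as written by Apache/nginx; only the client address and
# timestamp are captured because that is all the detector needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, client_ip) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def bucket_counts(lines, bucket_seconds=300):
    """The dashboard view: requests per fixed-size bucket, keyed by the bucket's ISO start time."""
    counts = {}
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        epoch = int(parsed[0].timestamp())
        start = datetime.fromtimestamp(epoch - epoch % bucket_seconds, tz=timezone.utc)
        counts[start.isoformat()] = counts.get(start.isoformat(), 0) + 1
    return counts


def detect_bursts(lines, window_seconds=10, threshold=100):
    """Sliding-window view: walk requests in time order, keep only those from
    the last window_seconds, and treat any moment where the window holds at
    least threshold requests as part of a burst.

    Returns one tuple per burst: (start_iso, end_iso, peak_requests_in_window,
    distinct_client_ips). With a 1 req/s baseline, 100 requests in 10 s is a
    10x spike (assumed threshold; tune it to the service's normal traffic).
    """
    events = sorted(p for p in map(parse_line, lines) if p is not None)
    window = deque()            # (timestamp, ip) pairs inside the current window
    bursts, current = [], None
    for ts, ip in events:
        window.append((ts, ip))
        while (ts - window[0][0]).total_seconds() >= window_seconds:
            window.popleft()    # drop requests that have aged out of the window
        if len(window) >= threshold:
            if current is None:
                current = {"start": window[0][0], "end": ts, "peak": 0, "ips": set()}
            current["end"] = ts
            current["peak"] = max(current["peak"], len(window))
            current["ips"].update(src for _, src in window)
        elif current is not None:
            bursts.append(summarize(current))
            current = None
    if current is not None:
        bursts.append(summarize(current))
    return bursts


def summarize(burst):
    return (burst["start"].isoformat(), burst["end"].isoformat(),
            burst["peak"], len(burst["ips"]))


def clf_line(ip, ts, path, status):
    """Format one constructed Common Log Format line."""
    return '%s - - [%s] "GET %s HTTP/1.1" %d 512' % (ip, ts.strftime(TS_FMT), path, status)


def build_sample_log():
    """Constructed traffic: 30 minutes of 1 request/s from five office
    addresses, plus a 30-second flood of 20 requests/s from 60 sources that
    starts at 02:13:10. None of it is real data."""
    t0 = datetime(2018, 6, 1, 2, 0, 0, tzinfo=timezone.utc)
    legit = ["192.0.2.%d" % i for i in range(1, 6)]
    flood = ["203.0.113.%d" % i for i in range(1, 61)]
    lines = []
    for s in range(30 * 60):
        lines.append(clf_line(legit[s % 5], t0 + timedelta(seconds=s), "/index.html", 200))
    for s in range(30):
        ts = t0 + timedelta(seconds=13 * 60 + 10 + s)
        for k in range(20):
            lines.append(clf_line(flood[(s * 20 + k) % 60], ts, "/search?q=" + "a" * 200, 503))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for start, count in sorted(bucket_counts(SAMPLE_LOG).items()):
        print("%s  %4d requests  (%.1f req/s average)" % (start, count, count / 300))
    for start, end, peak, sources in detect_bursts(SAMPLE_LOG):
        print("burst %s .. %s  peak %d requests in 10 s from %d sources" % (start, end, peak, sources))
```

Run it and the five-minute buckets show a 3 req/s average for 02:10 to 02:15, barely three times the baseline and easy to dismiss, while the 10-second window peaks at 210 requests, 21 times the baseline, and reports the burst boundaries and the number of distinct sources. Access logs only reveal application-layer floods; for volumetric UDP or SYN floods the same sliding-window logic applies to interface counters or flow records rather than request lines.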

Five people are being investigated on suspicion that they hired Chung to carry out cyberattacks, it said.

The bureau urged government agencies and private companies to improve their protection against DDoS attacks.

Source: http://www.taipeitimes.com/News/front/archives/2018/06/01/2003694100

DDoS attacks and real-world consequences

DDoS attacks have long been known as some of the most devastating attacks on the internet. Even so, the consequences always seemed to boil down to dollars and cents: even when a major attack costs a corporation millions, there is some relief in being able to say it is just downtime, just money, so what is the big deal?

For most of their history, DDoS attacks, price tag aside, could not escape the boundaries of the internet to cause real-world chaos and consequences.

Times have changed, however. The world is more connected than ever and because of that connectivity it’s never been so at risk. The consequences of DDoS attacks are extending far beyond cyberspace, and it turns out downtime is a very big deal when it comes to infrastructure like a power grid.

Denial of essential services

A distributed denial of service attack, or DDoS attack, has for quite some time now been a go-to attack type for cybercriminals of all kinds. When a website or online service shuts out legitimate users because of DDoS-induced downtime, the result is immediate frustration, an immediate loss of revenue, an immediate disruption to business processes and immediate attention on social media and in the traditional media, as well as a long-term loss of loyalty among users and customers that could prove to be the most costly consequence of all. This makes DDoS attacks attractive weapons for businesses looking to gain a competitive advantage, activists trying to make a political statement, “entrepreneurs” trying to make money from DDoS ransom notes, shady investors trying to manipulate cryptocurrency values and, of course, the professional attackers who do the dirty work for all of the above, either through targeted contract attacks or basic DDoS-for-hire services.

Devastating though they may be for the victim (and costly, as mentioned, with per hour costs typically landing between $20,000 and $100,000) it wasn’t until the last few years that the world began to see what these attacks are truly capable of.

In December 2015 (reported the following January) the Ukrainian power grid was hit by a cyber-attack that left roughly 230,000 customers without power; alongside the intrusion into the utilities’ control systems, the attackers flooded the utility call centres with a telephone denial-of-service attack so that customers could not report the outages. The Estonian, Latvian and Lithuanian power grids have also been targeted by DDoS attacks. Those attacks have been more limited in scope than the one that hit Ukraine, and experts believe they are being used to probe for weaknesses that could be exploited in larger attacks. In each case the finger of blame has pointed squarely at Russia, and there is every indication that Russia is ready and able to aim a massive attack at the US power grid.

The idea of a sustained attack on a power grid is a terrifying thing, not just because of the chaos it would cause in the economy and the disruption it would represent to every day life, but because if it were timed to coincide with a deep cold or other risky environmental condition, it could kill.

DDoS attacks have also been used to stop or delay trains in both Sweden and Denmark, and security researchers fear for other critical infrastructure: transportation systems, oil and gas refineries, power plants, water and waste facilities including dams, and telecommunications. Much of this infrastructure is exposed because it is run through supervisory control and data acquisition (SCADA) systems, centralized targets that need as close to 100% uptime as possible.

As security researchers grapple with what can be done to stop these potential attacks, the rest of us have to grapple with the idea that a DDoS attack could cause a dam to fail, causing immense flooding and loss of life, or render critical communications systems in a petrochemical plant useless while malicious code attempts to trigger an explosion. This is the connected world we live in.

Acts of cyberwarfare

In 2016 the North Atlantic Treaty Organization (NATO) officially declared cyberspace a domain of warfare, meaning a cyberattack against a member nation could be considered an act of war by the organization. This paves the way for a response that could range from the retaliatory use of cyber weaponry all the way up to an armed response. Since the declaration, nations all over the globe have been rushing to update guidelines that clarify the justification for using cyber weaponry or responding to cyberattacks with force.

While the idea of an invasion in response to a DDoS attack could seem shocking on the surface, with the DDoS capabilities nation states have already demonstrated against critical infrastructure, these declarations and guidelines are becoming increasingly necessary as the so-called war of the future fought in cyberspace inches closer and closer to being the war of right now. With human lives in the balance, the devastation of DDoS attacks is no longer limited to downtime and dollars.

Source: https://www.talk-business.co.uk/2018/05/30/ddos-attacks-and-real-world-consequences/

Internet of Things: when objects threaten national security

We all know personal devices can be hacked, but a whole country’s security could be at risk too. With the rise of the so-called Internet of Things (IoT), and against the backdrop of cyberwarfare, digital surveillance and digital subversion, the risk to national security is increasing. Earlier this year the head of the UK National Cyber Security Centre publicly stated that a major cyber-attack on the country’s essential services was a question of “when, not if”.

The IoT comprises the billions of online objects embedded in our homes, workplaces and cities that are constantly collecting, analysing and transmitting data. Some IoT devices, such as personal fitness trackers or smartphones, are carried with us wherever we go. Others we interact with remotely, such as domestic heating controls. Many are invisible, operating silently to modulate traffic flows, industrial control systems and much more.

IoT devices are not so much things with computers in them, but computers with things attached to them. Because no computer is perfectly secure, that means that neither is your smart fridge or your virtual assistant. Like all things online, these objects form part of massively distributed networks. If someone wanted to hack into these global information networks, IoT devices provide billions of extra entry points.

It is relatively easy to hack an IoT device, as many cheap products do not have adequate security. Even devices with advanced security, such as driverless cars, are vulnerable. This means that IoT technologies are widely regarded as a major cyber-security problem. Pacemakers being hacked, air traffic control systems going down, and all out “cyber-war” are just some worst case scenarios. Vulnerabilities, if exploited, could lead to damage, injury and death.

Cyber-attacks on critical national infrastructure are already a very real threat. In December 2015 the Ukrainian power grid was hit by a cyber-attack that left around 230,000 customers in western Ukraine without electricity for several hours, and a second attack in December 2016 cut power to part of Kiev. More recently, in 2017, the UK’s NHS was disrupted for weeks by the WannaCry malware.

These incidents show just how disruptive cyber-attacks can be, and the fact that IoT attacks are proliferating and diversifying is cause for worry. One major internet security company reported that IoT attacks increased 600% between 2016 and 2017. That rise is expected to continue, not least as the number of IoT devices grows: devices already outnumbered humans in 2017 and may top 20 billion by 2020.

The rise of the botnet

A botnet is a network of internet-connected devices that have been hacked, hijacked and placed under remote control. The problem is that poorly secured IoT devices make perfect targets for hackers building and weaponising botnets. With the right malware, hackers can use a botnet to perform distributed denial-of-service (DDoS) attacks against specific targets: the malware directs thousands of devices to flood internet servers with traffic and cut off access to online resources. Billions of IoT devices make it easier for hackers to assemble large botnets and attack even the most robust targets.

The Mirai malware did exactly this, taking over IoT devices such as CCTV cameras and routers, largely by logging in with their factory-default passwords. In October 2016 a Mirai botnet launched a DDoS attack against Dyn, Inc., the DNS provider used by major platforms such as Twitter, Amazon and Netflix; with Dyn’s name servers overwhelmed, consumers could not reach those platforms for several hours. The financial cost of such incidents is hard to calculate, but Mirai showed how essential services can be attacked by exploiting IoT devices.

States or non-state actors could try and use an IoT botnet to attack a country’s health, energy, transport or finance sector. If a botnet were directed against critical national infrastructure, the effects could be severe. Speculation in the absence of evidence is rarely wise but it is not hard to imagine what might happen if financial services were taken offline, or rail transport networks sabotaged. No cyber-attack has yet collapsed the global financial system, or killed anyone, thankfully, but these are the fears of policymakers and cyber-security professionals.

Attribution is not easy either but it’s getting better. Were a state or terrorist group identified as the perpetrator of a major attack, national security apparatuses should swing into action to counter them. For NATO members, a cyber-attack might even trigger a collective political and military response.

How are governments responding?

So far both the US and the UK have stopped short of introducing regulation, but instead are putting pressure on businesses to make their products more secure. However, these policies do not address the overarching problem: companies will keep on selling products with poor security because consumers are willing to buy them. It is supply and demand. There are presently few incentives for firms to bring IoT products to market that meet high security standards. In global supply chains, the picture is even more complicated because national initiatives cannot resolve transnational problems.

The market will not solve this problem, so more robust government regulation is all but inevitable. Few bureaucracies relish the challenge. In policy terms, this is a “wicked problem”. Even if a solution was obvious, it would likely be impossible due to key players’ competing motives and the dynamism of the technical environment.

A more radical approach is to address why the IoT exists in the first place. It is the product of both laudable aims (energy efficiency, public welfare) and an obsession with connectivity for connectivity’s sake. As is well-established, complex systems generate unpredictable effects. If we are to minimise the risks of wiring up our world, we need to consider prioritising devices that are truly necessary over ones that are simply desirable. This will require a fundamental shift in mindset, putting the public good before profit and political expediency.

Source: http://theconversation.com/internet-of-things-when-objects-threaten-national-security-96962