Democratic lawmakers want to know why the agency didn’t inform consumers of the falsity of its claim sooner

A group of House democrats want to know when FCC Chairman Ajit Pai knew that the agency’s claims of a DDoS attack were false.

Last week, the FCC’s Office of Inspector General released a report that found no evidence to support the claims of DDoS attacks in May of 2017.

The agency had previously blamed multiple DDoS attacks for temporarily taking down a comment section of its website following a segment of Last Week Tonight, in which comedian John Oliver asked viewers to submit comments to the FCC and speak out in support of net neutrality.

However, viewers were unable to voice their opinion on the proposed rollback of net neutrality because the comment submission section wasn’t available at the time.

Now that it has come to light that the agency’s claims of a DDoS attack were false, a handful of Democratic lawmakers want to know when Pai became aware that there was no DDoS attack and why the agency didn’t correct its public statements alleging a DDoS attack before now.

Misrepresented facts

“We want to know when you and your staff first learned that the information the Commission shared about the alleged cyberattack was false,” Democratic lawmakers wrote in a letter to Pai.

“It is troubling that you allowed the public myth created by the FCC to persist and your misrepresentations to remain uncorrected for over a year,” they wrote. The letter was signed by Representatives Frank Pallone Jr. (NJ), Mike Doyle (PA), Jerry McNerney (CA) and Debbie Dingell (MI).

The results of the investigation concluded that FCC officials deliberately misrepresented facts in responses to Congressional inquiries.

“Given the significant media, public and Congressional attention this alleged cyberattack received for over a year, it is hard to believe that the release of the IG’s report was the first time that you and your staff realized that no cyberattack occurred,” wrote the lawmakers.

“Such ignorance would signify a dereliction of your duty as the head of the FCC, particularly due to the severity of the allegations and the blatant lack of evidence.”

The Democratic lawmakers have asked Pai for complete written responses to their questions by August 28. Pai is also scheduled to appear before a Senate Commerce, Science and Transportation Committee oversight hearing on Thursday where he is expected to face questions about the results of the investigation.


DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors.

DDoS attacks outside business hours

While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks per day.

While the number of attacks decreased overall – possibly as a result of DDoS-as-a-service website Webstresser being closed down following an international police operation, both the scale and complexity of the attacks increased. The LSOC registered a 50% increase in hyper-scale attacks (80 Gbps+). The most complex attacks seen used 13 vectors in total.

Link11’s Q2 DDoS Report revealed that threat actors targeted organisations most frequently between 4pm CET and midnight Saturday through to Monday, with businesses in the e-commerce, gaming, IT hosting, finance, and entertainment/media sectors being the most affected.

The report reveals that high volume attacks were ramped up via Memcached reflection, SSDP reflection and CLDAP, with the peak attack bandwidth recorded at 156 Gbps. Other key findings from the Q2 report include:

  • The total duration of attacks during the quarter was 1,221 hours
  • 17% of attacks used two vectors, while 16% used three
  • The most frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%)
  • Memcached was the most used reflection amplification technique, with 773 attacks observed using this technique, highlighting that Memcached is still an issue. The SSDP reflection technique generated the greatest proportion of DDoS packets.

DDoS attacks outside business hours

“Attacks in Q2 2018 continued to grow in scale and complexity. Nearly half of attacks were multi-vector, making them harder to defend against, and with the rapid growth in ‘hyper attacks’ with volumes of over 80 Gbps, we must now consider these large, complex attacksto be the new normal,” said Aatish Pattni, Regional Director UK & Ireland for Link11.

“It’s only a matter of time until a new DDoS-for-hire service emerges to replace Webstresser, so attacks will inevitably increase over the coming months. Given the scale of the threat that organizations are facing, and the fact that the attacks are deliberately aimed at causing maximum disruption, it’s clear that businesses need to deploy advanced techniques to protect themselves against DDoS exploits,” added Pattni.


MODERN businesses use web applications every day to do different things, from interacting and engaging with customers to supporting sales and operations.

As a result, web applications are rich with data and critical to the functioning of the company – which means, special precautions must be taken in order to protect them from hackers.

However, not all organizations or their applications are subject to the same level of threats and attacks. In an exclusive interview with Gartner’s Research Director Dale Gardner, Tech Wire Asia learns how businesses can best protect their web applications.

Gartner splits attacks on web and mobile applications and web APIs into four categories:

# 1 | Denial of service (DoS) 

DoS is a specific subtype of abuse where the attacker’s goal is to disrupt the availability of the web application or service.

In particular, this attack type covers volumetric attacks, which overwhelm network capabilities, and so-called “low and slow” attacks, which overwhelm application or service resources.

# 2 | Exploits 

Exploits take advantage of design, code or configuration issues that cause unintended behaviour of the application.

Some common examples include SQL Injection (SQLi), cross-site scripting (XSS), buffer overflows, and various Secure Sockets Layer (SSL) and Transport Layer Security (TLS) manipulation attacks.

# 3 | Abuse 

Abuse covers many non-exploit types of attack that primarily take advantage of business logic. This includes scraping, aggregating, account brute-forcing, scalping, spamming and other — often automated — scenarios.

# 4 | Access

Access violations occur when an attacker or legitimate user takes advantage of weaknesses in the authentication (AuthN) or authorization (AuthZ) policies of a web application or service.

Of the four categories, Gardner says only exploits can be potentially addressed with secure coding and configuration. The others require design-level considerations that cannot be reasonably compensated for in code.

For example, although it’s arguably possible to defend against account takeovers in individual application code, it is much more economical and error-proof to do so in the identity and access management (IAM) system or another external capability.

In an ideal world, the highest level of protection would be available at all times or as needed, but this isn’t feasible due to complexity and cost factors.

And continuously providing the highest level of protection to all web assets can be an expensive proposition, both from economic and operational perspectives.

Securing web applications and web APIs from attacks and abuse requires businesses to assess what level of protection is necessary.

“Security teams must first pick a protection baseline. Then they must decide what extra protections are necessary to apply to specific assets,” recommends Gardner.

When thinking of protecting web applications, security teams often first look to existing network technologies, such as next-generation firewall (NGFW) platforms and intrusion detection and prevention systems (IDPSs).

But these do not provide strong-enough capabilities in any of the protection areas, warns Gardner.

They are not easily integrated to intercept TLS and do not have the same signatures, rules, behavioral analysis and business logic insight as security solutions that focus on web applications and APIs.

Organizations often first look at a “completely automated public Turing test to tell computers and humans apart” (CAPTCHA) when they suffer from abuse of functionality.

But an always-on CAPTCHA creates user-experience hurdles for legitimate users, and it is also no guarantee to keep the abuser out (attackers keep finding ways to circumvent or solve many CAPTCHAs).

Multifactor authentication (MFA) and out of band (OOB) challenges are often used to enable strong access control, as well as to try to thwart abuse. Unfortunately, they suffer from similar issues as CAPTCHA, and in addition are often complex and expensive to implement.

Currently, no single security platform or solution implements the highest possible level of protection in each of the exploit, abuse of functionality, access violation and DoS mitigation categories.

Some organizations will still be able to start with a single solution to address the biggest potential risks. But they often find themselves needing greater security capabilities over time due to changes in threats and the application landscape.

Web application firewalls (WAFs) are broadly deployed, but buyers routinely express disappointment and frustration over factors such as accuracy, the ability to prevent attacks, the administrative overhead required to maintain attack detection profiles and price.

Incumbent vendors have begun addressing emerging requirements, but many products still lag.

The market for solutions to protect web applications will continue to grow, but given buyer dissatisfaction, vendors with innovative approaches and new product packaging will capture the bulk of new spending.

Buyers are shifting to service-based offerings, and demand for infrastructure as a service (IaaS) deployable products is growing. These shifts pose risks, especially to incumbents, but also present opportunities for new offerings and greater growth.

Gartner believes that by 2020, stand-alone WAF hardware appliances will represent less than 20 percent of new WAF deployments, down from 40 percent today.

By 2020, more than 50 percent of public-facing web applications will be protected by cloud-based WAAP services that combine content delivery networks, DDoS protection, bot mitigation and WAFs, which is an increase from fewer than 20 percent today.

Web applications, mobile applications, and web APIs are subject to increased numbers and complexity of attacks.

Gardner, who will be speaking at the Gartner Security & Risk Management Summit in Sydney later this month explains what organizations must keep in mind when planning and implementing solutions:

  • Public, limited-access external, and internal applications require different levels of security.
  • No one capability covers all types of attack.
  • No two capabilities have interchangeable protection efficacy.
  • Some of the capabilities have strong overlaps in addressing specific attack subcategories.
  • Enforcement of policy may be centralized or distributed (for example, use of micro-gateways).

“As a result, a mix of capabilities, though not necessarily separate products, have to be put in place as a layered approach,” concludes Gardener.

Considering the range of exploits and abuse that can occur with web and mobile applications and web APIs, technical professionals must leverage a mix of externalized security controls to deliver appropriate protection and alleviate burdens to development staff.


Major online poker sites partypoker and PokerStars have been disrupted in recent days by apparent DDoS attacks, launched by party or parties unknown at present.

Two of the world’s largest online poker sites, partypoker and PokerStars, have endured periods of downtime and forced cancellations of tournaments in recent days after being targeted by confirmed or suspected DDoS (distributed denial of service) attacks. Both of the attack waves targeted the sites’ global “dot-com” gaming offerings, rather than being launched against their firewalled, single-jurisdiction offerings.

The attacks targeting partypoker began on August 9 and continued into August 11 or 12, with each attack wave consisting of a massive flood of data requests targeting its gaming servers. Partypoker confirmed the DDoS nature of the attacks late on August 9 and updated its customers via social media about the recurring waves and the ongoing mitigation efforts. Partypoker also released a formal statement about the attacks, the cancellation of tournaments, and an ongoing refund process for affected players.

That statement, issued as a formal apology for the unexpected downtime, expressed frustration about the nature of the DDoS attacks, without speculation as to the motive behind them. Tom Waters, partypoker managing director said: “The unfortunate events…were understandably frustrating for our players. After consideration, the decision was taken to pause and then subsequently cancel all affected tournaments.

“Our team worked hard to try to resolve the key issues. As poker players ourselves, we fully understand how frustrating it can be when an online poker room suffers technical issues, and we fully appreciate the considerable patience and understanding shown by our players in light of these difficulties.”

Additional commentary from partypoker

Partypoker received widespread praise from both its players and industry onlookers for its rapid response to the attacks, even as those attacks continued. VegasSlotsOnline received an additional statement from Colette Stewart, partypoker player rep and social specialist, who said: “The recent DDoS attacks were very unfortunate; however, we feel the team have done their very best to communicate and respond to as many of our players as possible during this very frustrating time. We greatly value our relationship with the player community and feel it is vital to be as open and transparent with our players as possible during such issues and, most importantly, ensure that we are available for player feedback and communication.

“In refunding affected players, we have ensured that every single cent collected in buy-ins, bounties, and fees has been refunded to players in addition to honoring the guarantees of tournaments that didn’t make the required entries due to the issues faced.

“All refunds have now been issued and, of course, should players wish to follow up in more detail or ask more questions about their specific refund, they should contact our 24/7 customer service line. The nature of ensuring the refunds were correct led to a delay that we simply hadn’t anticipated. We are sorry that it took us until Sunday to complete the process; however, we refunded players based on their chip stacks at the time that the disruption began and the data evaluation process was complex and took some time to complete.

“Finally, we are all poker players ourselves and fully appreciate the patience and loyalty of our players.”

PokerStars becomes the latest target

About the time the wave of attacks against partypoker ceased, a new wave of apparent DDoS attacks began targeting PokerStars. That attack wave started on August 12; Stars has not confirmed that these were explicitly DDoS attacks, but the recurring and intermittent nature of the “technical issues,” including forced disconnections affecting legitimate players, bears all the hallmarks of another DDoS attack.

Like partypoker and a third, smaller network (the Winning Poker Network) that also suffered several waves of DDoS attacks earlier in August, PokerStars has attempted to keep its players informed on the situation via social media.

“Apologies to all our players for the recent issues on PokerStars,” reads one of the site’s official Twitter posts, after nearly two days of the “technical issues.” “The players affected by this morning’s issues have already been credited & we aim to refund players affected by yesterday’s problems, with their equity at the time of disconnection, within 72 hours.”

Extortion central to most DDoS attacks

Modern DDoS attacks typically employ tens or hundreds of thousands of “zombie” computers — virus-laden devices scattered around the globe — that are commanded in harmony to send data requests to the targeted site to slow traffic to a crawl and make it useless for gambling-business activities. The “DDoS” moniker is commonly used to label several different forms of traffic-based online attacks designed to cripple the target site’s activity.

DDoS attacks have been an intermittent but occasionally recurring threat that has existed since online gambling’s earliest days. Similar attacks have targeted other forms of online commerce as well. Extortion, in the form of a promise to halt the attacks when the target pays a ransom to the attacker or attackers, is the most common motive behind the attacks.

One twist frequently seen in recent years is a demand by the blackmailers that payments be made in hard-to-trace cryptocurrencies such as Bitcoin. Whether a site victimized by an attack has made such a payment is virtually never disclosed in public, especially by publicly-traded firms. Most websites and networks impacted by such attacks incur heavy losses due to downtime and increased customer-service cost, but would rather incur that form of operating expense rather than give in to any kind of blackmail.


Macs have a well-deserved reputation for being relatively secure, but they’re not invincible. If your employees use Macs, you need to protect your business by cracking down on cybersecurity.

Think your Mac is safe from malware attacks? Think again.

According to a recent study, malware attacks against the Mac rose more than 270 percent last year. Some experts believe attacks against Mac are increasing faster than similar attacks against the Windows and Android systems.

Businesses unprepared for today’s threats

Malware on the Mac is here, and many users are completely unprepared to protect themselves. By mistakenly believing the Mac is immune to malware or the Apple security built into their system is impervious to harm and threats, they are leaving themselves exposed. With the increase in Mac-focused malware attacks, employees using Macs are more susceptible than ever before.

For example, back in 2012, a piece of malware called Flashback spread across the internet to infect over 600,000 unguarded Mac users, including about 274 in Apple’s Cupertino headquarters. Flashback posed as an installer of Adobe Flash, infecting iMacs and MacBooks when downloaded. Businesses are still not fully prepared for today’s different types of cyberattacks.

Gabby Nizri, the CEO of Ayehu, states that companies were adequately prepared for cyberattacks as little as a decade ago. Today, the same companies are in crisis as they try to respond to an onslaught of cyberattacks. Too many companies are using the same cybersecurity practices they developed in the late 1990s and early 2000s. This leaves them vulnerable to the growing army of AI hackers behind most modern security breaches.

The biggest change has been driven by big data and automation. In the early days of the internet, hackers coordinated almost all attacks manually. Today, they depend on automated bots to carry them out. These bots are programmed to identify weak points in the cybersecurity infrastructure and exploit them better than human hackers can.

One common example of a bot attack is distributed denial of service (DDoS). This is when attackers build a large network of malware-infected computers, known as botnets, which can then be used to send massive amounts of traffic from many different locations to overwhelm website servers. This results in websites going down for potentially long periods.

Cybersecurity, Macs, and the malware explosion

This malware explosion threatening everyone’s favorite Apple ecosystem isn’t a surprise. Experts have known threats are out there, even as users were blissfully unaware their Macs were threatened by malware.

Mac computers have always been vulnerable to malware, even after Apple moved to the mature and security-focused Unix system. Since malware targets software, spreading by attaching to files, Macs are at risk. Anytime you bring a new file into your computer from a download or website, you risk malware.

In recent years, criminals have targeted new attack vectors with malware threats. This includes malvertising on websites. Malvertising infects websites, directing the search traffic on a Mac to fraudulent websites or fake online ads that can infect your browser and computer with malware.

Once past cybersecurity, criminals have tactics for generating revenue at your expense. Ransomware is one threat – introducing a virus to your Mac that will lock up the system until you pay a fee, typically using Bitcoin or another cryptocurrency. Spyware is another threat. Criminals track your keystrokes on an infected computer, stealing your data and login information.

Bots are yet another threat to your computer. They infect your computer to steal the computing power of your system to mine cryptocurrency. Recently, a program on the Mac App Store was used to mine cryptocurrency until Apple pulled it.

With the increase in adware on the web, the massive user base for Mac and Apple, and the ability of criminals to turn malware into a steady stream of income, it’s no wonder Mac users are threatened by a malware explosion.

What you can do to stop malware on Macs

While there’s no way to guarantee your business will never see a security breach, some basic software practices and employee protocols can reduce your risk:

  • Start by protecting your computer with an additional layer of cybersecurity using anti-malware software. XProtect on Mac is a strong defense, but it may not protect against the latest malware threats or attack vectors. Prevent malware with additional protection focused on the Mac, like Malwarebytes for Mac.
  • Next, take steps to directly prevent malware attacks. Many attacks start on suspicious websites. Use discretion when browsing, avoiding potentially malevolent websites. Don’t open email attachments from people you don’t know. Don’t click on links unless you are sure they come from a safe place. Even these simple steps can significantly increase your safety from malware on the Mac.
  • Make sure your cybersecurity software is updated on a regular basis. As new threats are detected, companies like Malwarebytes provide updates to keep their customers’ data safe.
  • Create an employee security protocol that’s ingrained in their everyday business tasks. Educate your employees on the warning signs of a threat and what steps to take once they’ve identified a warning sign. This could include what to look out for in cases of spoofing scams, malware, systems hacking and social engineering.

Remember that desktop computers aren’t the only access points you need to protect; you must apply these principles to your company’s mobile devices as well. As the mobile revolution continues to progress and 5G gets closer to being reality, cyberthreats will literally be everywhere your employees go. Implementing strict cybersecurity guidelines now will mitigate your business’s risk of falling prey to a successful attack.