Blocking DDoS Archive

Infosec vigilantism can cause serious harm in the era of industrial IoT and connected medical devices.

For several years now, security experts have been trying to bring attention to the growing threat that insecure Internet of Things (IoT) devices pose to networks around the world. The enormous growth in popular connected devices like webcams, DVRs, and smart watches has made it possible for hackers to amass huge botnets that can launch devastating distributed denial-of-service (DDoS) attacks.

Unfortunately, some vigilante hackers have tried to solve this problem with “bricker” malware that infects and destroys insecure IoT devices before they can become part of a botnet. This might seem like a positive on the surface, but this tactic creates serious, sometimes life-threatening risks as more IoT devices are used in industrial networks and healthcare organizations.

Let’s start at the beginning. IoT security became a top-of-mind issue in late 2016 thanks to the record-breaking DDoS attacks by the Mirai botnet and its subsequent source code release. In a perfect world, this should have been the wake-up call to improve IoT security. Unfortunately, slim profit margins and rapid development times kept IoT security considerations on the back burner and led some individuals to take matters into their own hands. The first instance of IoT vigilantism was in 2017 when a strain of malware known as BrickerBot began making its rounds.

Similar to the Mirai botnet, BrickerBot exploited flaws like insecure, hard-coded passphrases to log in to vulnerable IoT devices. But once it connected to a device, it didn’t add it to a massive botnet. Instead, it deleted files, corrupted the system storage, and disconnected the device from the Internet, effectively making it unusable. While it is possible to restore the device to factory defaults, the average IoT user likely doesn’t have the technical skills to do this. The author of BrickerBot, known by the pseudonym Janit0r, explained in an interview that his malware was intended to prevent devices from being infected by Mirai. Janit0r believed that if IoT manufacturers and owners weren’t going to take security seriously, then the devices shouldn’t exist to begin with.

In the end, BrickerBot destroyed over 10 million devices in just nine months before Janit0r retired it from service. While that may sound like a lot, it’s still less than one-tenth of 1% of the estimated 14 billion IoT devices online worldwide.

But the end of BrickerBot wasn’t the end of IoT bricking malware. In early 2019, a new variant of IoT bricking malware called Silex began infecting devices worldwide. Within a few hours, Silex had infected thousands of devices, deleting system files and firewall rules, and effectively rendering them useless. With the Mirai source code public, it’s not a stretch to think there are other similar malware variants lurking undiscovered in the wild today. Thankfully, individual IoT owners can also protect themselves from both botnets and brickers by changing the default passwords on their IoT devices, not exposing the telnet port (which BrickerBot uses to infect devices) and performing basic network segmentation and monitoring.

Bricker malware is dangerous because it doesn’t discriminate between different types of IoT devices. Almost every industry is incorporating IoT technology in some way. “Smart city” technology is becoming widely adopted across the globe, with municipalities connecting everything from power grids to traffic lights to networks. Healthcare is another sector that’s quickly adopting IoT technology, with the Internet of Medical Things projected to reach $136.8 billion worldwide by 2021. While some might question the need for refrigerators to connect to the Internet, there is no arguing that the ability to quickly share data from an ECG/EKG machine could be the difference between life and death. As widespread IoT adoption continues to grow within these sectors and overall, bricking malware can have some devastating consequences.

The problem is that many of these new IoT applications exhibit the same security lapses as consumer IoT devices, but with significantly higher risks if they fail. A rash of bricked industrial IoT sensors could cause widespread power outages, and an infusion pump or medical monitor that unexpectedly shuts off could put patients’ lives at risk. The authors of BrickerBot and Silex might not have been so ready to claim their work was for the good of the Internet if they truly considered the serious collateral damage that they might cause along the way.

There are other options to improve IoT security that don’t involve such a high degree of risk. Security researchers can work on raising awareness about connected device security, participating in public education initiatives and trying to drum up consumer demand for secure devices. Just last year the state of California, the fifth-largest economy in the world by GDP when compared with sovereign nations, passed Senate Bill 327, which mandates that manufacturers of connected devices equip their products with reasonable security features by January 2020. While the bill will have little effect on the masses of inexpensive IoT devices imported from foreign countries every year, it’s a step in the right direction that can be built upon with future legislation.

There is no denying the IoT industry needs to fundamentally change its approach to security, but vigilantism is not the answer. There are less destructive ways to convince both manufacturers and consumers that developing and deploying secure devices is worth the investment.

Source: https://www.darkreading.com/iot/why-bricking-vulnerable-iot-devices-comes-with-unintended-consequences-/a/d-id/1336009

More than 70% of websites now use SSL encryption. The Google Transparency Report statistics below show a very rapid rise in the adoption of HTTPS for Chrome browser users worldwide.

Unfortunately, the security provided by SSL/TLS is also misused to attack applications by injecting malicious content and to hide malware. SSL is also being used to facilitate data leakage from within an organization. HTTPS floods are now frequently used in many DDoS attack campaigns.

A Double Edged Sword

As more and more applications and websites use end-to-end encryption and adopt HTTP/S and TLS 1.3, the ability to inspect traffic has become an important element of the security posture. However, the encryption of traffic has made visibility challenging.

Most DDoS mitigation services do not actually inspect SSL traffic, as doing so would require decrypting the traffic. Gaining visibility to SSL/TLS traffic also requires extensive server resources. Mitigating SSL attacks thus poses several challenges, including the burden of implementing encryption and decryption mechanisms at every point where traffic needs to be inspected.

Encryption and decryption at many different points in the traffic data path not only adds latency to the traffic, but is also expensive and problematic to scale.

However, despite all the challenges, SSL/TLS remain the standards for ensuring secure communications and commerce on the web.

In order to detect any application security issues before your customers experience them, it is essential to have an end-to-end monitoring capability that provides actionable insights and alerts through visualization.

As application delivery controllers are deployed at the intersection of the network and applications, ADCs can act in conjunction with your edge protection solutions to detect and mitigate an encrypted security attack or prevent leakage of proprietary information.

Conclusion

Even though you may be protected by the most advanced firewall technology, your existing security mechanisms may still fail to see into encrypted SSL/TLS traffic. You should deploy enterprise security solutions that enhance your existing security posture to gain visibility into the encrypted traffic and prevent encrypted attacks on your organization.

Source: https://securityboulevard.com/2019/09/visibility-do-you-know-whats-in-your-network/

IoT networks can both amplify and be the targets of distributed denial of service (DDoS) or botnet attacks. Architect resilient solutions to properly secure your devices.

Cybercriminals have many different ways of exploiting network vulnerabilities and weak spots in our cyber defenses. Considering that the number of devices we use on a daily basis is growing, more avenues of exploitation will be open to cybercriminals — unless we close those pathways.

Distributed Denial of Service, or “DDoS,” attacks on IoT networks via botnets have been especially alarming and difficult to counter. Let’s have a closer look at DDoS attacks, botnets and ways of protecting against them.

The Anatomy of a DDoS Attack

A simple principle governs a “denial-of-service” attack: attackers attempt to deny service to legitimate users. Some typical examples might include attackers overwhelming a server or cluster with requests, disrupting everyone’s access to the site or focusing the attack on a particular target who will be denied access.

With DDoS, the attacker usually has one of three goals:

  1. To cause destruction or destructive change to network components
  2. To destroy configuration information
  3. To consume non-renewable or limited resources

DDoS attacks can be performed on their own or as part of a more massive attack on an organization. They usually target bandwidth or processing resources like memory and CPU cycles. However, the type of DDoS attack where we often see IoT devices used is a botnet attack.

What Makes a Botnet Attack So Destructive?

A botnet is a group of connected computers that work together on performing repetitive tasks, and it doesn’t necessarily have a malicious purpose. Unfortunately, it’s possible for an attacker to take control of a botnet by infecting a vulnerable device with malware. Then they can use the network as a group of devices to perform DDoS attacks that can be much more dangerous, depending on the number of mechanisms involved. What’s more, since IoT devices often interact in the physical world in ways that other IT devices don’t, it’s difficult to monitor and safeguard them.

If we strive to protect IoT devices the same way we protect our conventional IT devices, there will invariably be faults in the system that cybercriminals might exploit. To eliminate vulnerabilities, we must think of IoT protection in its own terms and take into account the various types of IoT use when we do.

Defending Against an IoT Botnet Attack

Even though the threat of botnets can’t wholly be eradicated, there are still ways to limit the impact and the scope of these attacks by taking preventative actions. One of them is placing IoT devices on a segmented network protected from external traffic. It’s also crucial to start monitoring the systems and invest in developing intrusion detection processes, which would go a long way in warning a user that the system is being compromised.

How can each layer of your IoT solution stack be architected not to trust any other part naively? Think about that as you design your solution. Find ways to make your network more resilient. Model botnet attacks and test disaster scenario responses.

In addition to network segmentation and testing, we also shouldn’t forget fundamental security measures, such as timely firmware and software patching and the ability to control who can access a particular device, which every IoT solution should take care of.
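The segmentation-and-monitoring advice above, and the earlier note that BrickerBot spreads over the telnet port, can be turned into a concrete check. The following is an added example, not code from any of the quoted articles: it parses constructed flow-log lines for an assumed IoT VLAN (placeholder range 10.42.0.0/24) and flags two conditions, telnet reaching an IoT device from outside its segment, and an IoT device sending an outsized packet volume to a single external host, the pattern of a device drafted into a DDoS.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("10.42.0.0/24")  # assumed IoT VLAN (placeholder range)
TELNET_PORT = 23
FLOOD_THRESHOLD = 10_000  # packets from one IoT device to one destination per window

# Constructed flow-log lines in key=value form; not real telemetry.
SAMPLE_LOG = """\
src=10.42.0.15 dst=203.0.113.9 dport=443 pkts=120
src=198.51.100.77 dst=10.42.0.15 dport=23 pkts=3
src=10.42.0.15 dst=10.42.0.1 dport=53 pkts=40
src=10.42.0.30 dst=192.0.2.10 dport=80 pkts=9000
src=10.42.0.30 dst=192.0.2.10 dport=80 pkts=6000
src=10.42.0.30 dst=192.0.2.11 dport=80 pkts=12
src=10.42.0.2 dst=10.42.0.30 dport=23 pkts=5
"""


def parse_flow(line):
    """Turn one 'k=v k=v ...' record into typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "src": ip_address(fields["src"]),
        "dst": ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "pkts": int(fields["pkts"]),
    }


def analyze(log_text):
    """Return sorted alert strings for segmentation and flood violations."""
    alerts = []
    outbound = defaultdict(int)  # (iot_src, external_dst) -> packets seen
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_flow(raw)
        src_in = rec["src"] in IOT_SEGMENT
        dst_in = rec["dst"] in IOT_SEGMENT
        # Condition 1: telnet into the IoT segment from anywhere outside it.
        if dst_in and not src_in and rec["dport"] == TELNET_PORT:
            alerts.append(f"telnet-exposure {rec['src']} -> {rec['dst']}")
        # Aggregate IoT-to-external traffic for the flood check.
        if src_in and not dst_in:
            outbound[(rec["src"], rec["dst"])] += rec["pkts"]
    # Condition 2: one IoT device hammering one external host.
    for (src, dst), pkts in outbound.items():
        if pkts >= FLOOD_THRESHOLD:
            alerts.append(f"possible-flood {src} -> {dst} ({pkts} pkts)")
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Telnet from another host inside the segment (the last sample line) is deliberately not flagged; the check targets the external path, which is what segmentation is meant to close.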

The Search for a One-Size-Fits-All Security Solution

IoT is a developing technology that we must make as secure as possible, tempering its frenetic evolution with necessary security protocols and standards. Considering how quickly it’s being woven into our everyday lives, businesses and homes, IoT developers, manufacturers, distributors and consumers must work together to eliminate common IoT vulnerabilities and ensure that each device is as secure as it can be from emerging threats.

Source: https://www.iotforall.com/iot-botnets-ddos-attack-architecture/

LIHKG, one of the most important websites used to organise pro-democracy protests in Hong Kong, has been hit with a DDoS attack that temporarily took the forum offline this past weekend. And while no one knows for sure who’s behind the attack, we can take an educated guess. The Chinese government is very unhappy, to say the least, about the protests in Hong Kong that have been raging since June.

The DDoS attack, first reported by Bloomberg News, flooded the website’s servers for hours over the weekend, making it impossible for people to log on. The website reports that “some of the attacks were from websites in China.”

LIHKG has been a crucial online forum for the protesters, who are demanding democratic rights under the region’s “one country, two systems” arrangement with China. Protesters even conduct polls on the site to settle disputes about tactics in the leaderless protest movement.

“LIHKG has been under unprecedented DDoS attacks in the past 24 hours,” a statement posted to LIHKG reads. “We have reasons to believe that there is a power, or even a national level power behind to organise such attacks as botnet from all over the world were manipulated in launching this attack.”

The website says that they were hit with 1.5 billion requests on 31 August over a 16-hour period and has urged users to switch to the mobile website version of the forum if the smartphone app isn’t working properly.

The Chinese government is believed to have been behind a similar attack on the messaging service Telegram that happened back in mid-June. The people of Hong Kong have been waiting with dread for China’s People’s Liberation Army (PLA) to invade the semi-autonomous region, as the military has amassed troops just over the border in Shenzhen. It’s not clear whether the PLA will actually invade, but there have been hints by top government leaders over the past few weeks.

LIHKG has been vital for the protesters who use the motto, “Be Water,” a reference to staging civil disobedience in one part of Hong Kong to attract attention before dispersing and quickly moving to another part of the city. The tactic forces police to respond in faraway places and the protesters are often gone by the time the authorities arrive. These fast-adapting methods of protest are only made possible through online organising on services like LIHKG.

YouTube recently dismantled what it called an “influence operation” that may have been operated by the Chinese government to sway western opinion about the protests. Chinese state media have also complained that they’re being discriminated against on US-run social media like Twitter and Facebook, a rather ironic complaint given the fact that mainland Chinese citizens aren’t allowed to access those websites. China’s largest state-run media outlet, Xinhua News, was buying ads on Facebook to smear protesters as violent hooligans before the social media company declared it would no longer take money from the organisation.

Hong Kong’s top politician, Carrie Lam, was caught on audio over the weekend saying that she wished she could quit the job, but was unable. Most Hong Kongers interpreted that to mean Beijing is in control and won’t let her quit. China’s leader, Xi Jinping, took power in 2012 and has done nothing to liberalise the country as some had hoped, instead his regime has delivered strong economic results under tight government control which has kept the wealthy happy.

The young people of Hong Kong realise that this may be their last opportunity to stand up for their rights before Beijing exerts total dominance on the region. And they’ve sworn that they won’t give up.

All we can say as outsiders is that we hear you, we see you, and we’re with you in spirit. Stay strong, Hong Kong.

The issue impacts users of the vendor’s Cloud WAF product.

Imperva, the security vendor, has made a security breach public that affects customers using the Cloud Web Application Firewall (WAF) product.

Formerly known as Incapsula, the Cloud WAF analyzes requests coming into applications, and flags or blocks suspicious and malicious activity.

Users’ emails and hashed and salted passwords were exposed, and some customers’ API keys and SSL certificates were also impacted. The latter are particularly concerning, given that they would allow an attacker to break companies’ encryption and access corporate applications directly.

Imperva has implemented password resets and 90-day password expiration for the product in the wake of the incident.

Imperva said in a website notice that they learned about the exposure via a third party on August 20. However, the affected customer database contained old Incapsula records that go up to Sept. 15, 2017 only.


“We profoundly regret that this incident occurred and will continue to share updates going forward,” Imperva noted. “In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

Imperva also said that it “informed the appropriate global regulatory agencies” and is in the process of notifying affected customers directly.

When asked for more details (such as if this is a misconfiguration issue or a hack, where the database resided and how many customers are affected), Imperva told Threatpost that it is not able to provide more information for now.

Source: https://threatpost.com/imperva-firewall-breach-api-keys-ssl-certificates/147743/