Blocking DDoS Archive

2018 brought massive, hardware-level security vulnerabilities to the forefront. Here are the five biggest vulnerabilities of the year, and how you can address them.

2018 was a year full of headaches for IT professionals, as security vulnerabilities became larger and more difficult to patch: software mitigations for hardware vulnerabilities always involve a trade-off, usually in performance. Here are the five biggest security vulnerabilities of 2018, and what, if anything, you can do to address them in your organization.

1. Spectre and Meltdown dominated security decisions all year

On January 4, the Spectre and Meltdown vulnerabilities were disclosed. Both let an unprivileged application read memory it should not be able to access, including kernel memory, and they posed security problems for IT professionals all year, as the duo represented largely hardware-level flaws that can be mitigated, but not outright patched, through software. Though Intel processors (except for Atom processors before 2013, and the Itanium series) are the most vulnerable, microcode patches were also necessary for AMD, OpenPOWER, and CPUs based on Arm designs. Other software mitigations do exist, though some require vendors to recompile their programs with protections in place.

The disclosure of these vulnerabilities sparked renewed interest in microarchitectural side-channel attacks that exploit speculative execution. Months later, the BranchScope vulnerability was disclosed, targeting the shared directional branch predictor. The researchers behind that disclosure indicated that BranchScope can read data which should be protected by an SGX secure enclave, as well as defeat ASLR.

Between the initial disclosure, Spectre-NG, Spectre 1.2, and SpectreRSB, a total of eight variants were discovered over the year, in addition to related work such as SgxPectre.
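Whether the software mitigations described above are actually active on a given Linux host is something you can check directly: since kernel 4.15 the kernel reports per-issue status under /sys/devices/system/cpu/vulnerabilities/. The following script is an added example, not code from the original article; the SAMPLE_SYSFS contents are constructed to illustrate a partially mitigated host, and the four status classes are this script's own simplification of the kernel's free-text lines.

```python
"""Report speculative-execution mitigation status on a Linux host.

Added example, not from the original article. The Linux kernel (4.15 and
later) exposes one file per known issue under SYSFS_DIR; each file holds a
line such as "Mitigation: PTI", "Vulnerable" or "Not affected".
"""
import os
from typing import Dict, List

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what a partially mitigated host might report.
SAMPLE_SYSFS: Dict[str, str] = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
    "spec_store_bypass": "Vulnerable\n",
    "l1tf": "Not affected\n",
}


def classify(status: str) -> str:
    """Map the kernel's free-text status line to one of four classes."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # e.g. "Unknown: ..." or a line this script does not recognise


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Read every status file; empty dict if the directory is absent (old kernel, non-Linux)."""
    entries: Dict[str, str] = {}
    if not os.path.isdir(directory):
        return entries
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name), encoding="utf-8") as fh:
                entries[name] = fh.read()
        except OSError:
            continue  # unreadable entry: skip it rather than abort the whole report
    return entries


def summarize(entries: Dict[str, str]) -> Dict[str, str]:
    """Return {issue_name: class} for every entry."""
    return {name: classify(text) for name, text in entries.items()}


def unmitigated(entries: Dict[str, str]) -> List[str]:
    """Issues the host is still exposed to (vulnerable, or a status we cannot classify)."""
    return sorted(name for name, cls in summarize(entries).items() if cls in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_sysfs() or SAMPLE_SYSFS  # fall back to the constructed sample off-Linux
    for issue, status in live.items():
        print(f"{issue:24s} {classify(status):13s} {status.strip()}")
    print("still exposed:", unmitigated(live) or "none")
```

Treat an "unknown" classification as a prompt to read the raw line, not as a pass: the kernel has added new issue files and new wording over time, and a mitigation that is present but disabled by a boot parameter still shows up as "Vulnerable".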

2. Record-breaking DDoS attacks with memcached

Malicious actors staged amplification attacks abusing memcached servers exposed to the internet over UDP, reaching heights of 1.7 Tbps. The attacker sends a request packet as small as 15 bytes to an exposed memcached server with the source IP address spoofed to the address of the attack target; the server then sends its response, ranging from 134 KB to 750 KB, to the victim. The size disparity between request and response, as much as 51,200 times, made this attack particularly potent.

Proof-of-concept code that can be easily adapted for attacks was published by various researchers, among them “Memcrashed.py,” which integrates with the Shodan search engine to find exposed servers that can be used as reflectors.

Fortunately, memcached servers can be kept from being abused as reflectors, though operators must change the defaults of older releases to do so. If UDP is not used in your deployment, disable it with the switch -U 0 (memcached 1.5.6 and later ship with UDP disabled by default). Otherwise, bind the service to localhost with the switch -l 127.0.0.1, and in any case block inbound traffic to port 11211 from the internet at the firewall.

3. Drupal CMS vulnerability allows attackers to commandeer your site

A failure to sanitize inputs resulted in the announcement of emergency patches for 1.1 million Drupal-powered websites in late March. The vulnerability stems from a conflict between how PHP handles arrays in URL parameters and Drupal’s use of a hash (#) at the beginning of array keys to signify special keys that typically result in further computation, allowing unauthenticated attackers to inject code that the site then executes. The attack was nicknamed “Drupalgeddon 2: Electric Hashaloo” by Paragon Initiative’s Scott Arciszewski.

In April, the same core issue had to be patched a second time, after it emerged that GET parameters in URLs were still not sanitized to remove the # symbol, leaving a remote code execution vulnerability.
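The shape of the fix follows from the description above: PHP turns a parameter such as a[b][c]=v into nested arrays, and any key that begins with # would be interpreted by Drupal as a render-array property, so such keys have to be stripped from the request at every nesting depth before the application sees them. The following is an added example written for this page, not Drupal's own sanitizer; it reimplements the PHP bracket-to-array parsing and the recursive strip, and the query strings used are constructed for illustration.

```python
"""Strip Drupal-style '#' keys from request parameters at any nesting depth.

Added example, not Drupal's own code. Mirrors the shape of the fix the
article describes: parse the query string the way PHP builds $_GET, then
drop every key that starts with '#', recording what was removed so it can
be logged.
"""
import re
from typing import Any, Dict, List, Tuple
from urllib.parse import parse_qsl

_KEY_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")


def _next_index(node: Dict[str, Any]) -> str:
    """Index PHP would assign to a[]=v: one past the highest numeric key present."""
    numeric = [int(k) for k in node if k.isdigit()]
    return str(max(numeric) + 1 if numeric else 0)


def _insert(node: Dict[str, Any], parts: List[str], value: str) -> None:
    key = parts[0] or _next_index(node)  # an empty bracket [] means "append"
    if len(parts) == 1:
        node[key] = value
        return
    child = node.get(key)
    if not isinstance(child, dict):  # a scalar re-used as an array is replaced, as in PHP
        child = {}
        node[key] = child
    _insert(child, parts[1:], value)


def parse_php_query(query: str) -> Dict[str, Any]:
    """Parse a query string into the nested structure PHP's $_GET would hold."""
    result: Dict[str, Any] = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        match = _KEY_RE.match(raw_key)
        if not match:
            result[raw_key] = value
            continue
        parts = [match.group(1)] + re.findall(r"\[([^\]]*)\]", match.group(2))
        _insert(result, parts, value)
    return result


def strip_hash_keys(node: Any, path: str = "") -> Tuple[Any, List[str]]:
    """Drop every key starting with '#', recursively. Returns (cleaned, removed_paths)."""
    if not isinstance(node, dict):
        return node, []
    cleaned: Dict[str, Any] = {}
    removed: List[str] = []
    for key, value in node.items():
        here = f"{path}[{key}]" if path else key
        if key.startswith("#"):
            removed.append(here)  # worth logging: a legitimate client never sends these
            continue
        cleaned[key], sub = strip_hash_keys(value, here)
        removed.extend(sub)
    return cleaned, removed


def sanitize_query(query: str) -> Tuple[Dict[str, Any], List[str]]:
    """Parse then strip; the removed list is what a sanitizer would write to its log."""
    return strip_hash_keys(parse_php_query(query))


if __name__ == "__main__":
    # Constructed input: two '#' keys smuggled inside the "mail" parameter.
    sample = "name=alice&mail[%23type]=markup&mail[%23markup]=hello&mail[to]=bob&tags[]=a&tags[]=b"
    clean, dropped = sanitize_query(sample)
    print("cleaned:", clean)
    print("dropped:", dropped)
```

Note that the same treatment has to be applied to every input channel (query string, POST body, cookies), and that the April follow-up fix in the article is a reminder that a parameter which is later re-parsed into an array, such as a redirect target carried in the URL, needs the strip applied after that second parse as well.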

Despite the highly publicized nature of the vulnerability, over 115,000 Drupal websites were still vulnerable to the issue, and various botnets were actively leveraging the vulnerability to deploy cryptojacking malware.

ZDNet’s Catalin Cimpanu broke a story in November detailing a new type of attack which leverages Drupalgeddon 2 and Dirty COW to install cryptojacking malware, which can proliferate due to the number of unpatched Drupal installations in the wild.

4. BGP attacks intercept DNS servers for address hijacking

Border Gateway Protocol (BGP), the protocol that networks use to exchange routes and choose paths between autonomous systems on the internet, is primed to become a target of malicious actors going forward, as the protocol was designed in large part before malicious network activity was a consideration. There is no central authority for BGP routes; routes are accepted at the ISP level, placing BGP outside the reach of typical enterprise deployments and far outside the reach of consumers.

In April, a BGP hijack was waged against Amazon Route 53, the DNS service component of AWS. According to Oracle’s Internet Intelligence group, the bogus route announcements originated from hardware located in a facility operated by eNet (AS10297) of Columbus, Ohio. With DNS resolution for MyEtherWallet.com under their control, the attackers redirected users to a server in Russia hosting a phishing clone of the site, which harvested account information by reading existing cookies. The hackers gained 215 Ether from the attack, which equates to approximately $160,000 USD.

BGP has also been abused by governments in certain circumstances. In November 2018, reports indicated that the Iranian government used BGP attacks in an attempt to intercept Telegram traffic, and China has allegedly used BGP attacks through points of presence in North America, Europe, and Asia.

Work on securing BGP against these attacks is ongoing, with NIST and the DHS Science and Technology Directorate collaborating on Secure Inter-Domain Routing (SIDR), which aims to implement “BGP Route Origin Validation, using Resource Public Key Infrastructure, [which] can address and resolve the erroneous exchange of network routes.”
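Route Origin Validation is simple enough to state in code. A Route Origin Authorization (ROA) published in the RPKI says "AS X may originate prefix P and any sub-prefix down to /maxLength"; a router compares each announcement against the ROAs that cover it and marks it VALID, INVALID or NOT_FOUND, and the common policy is to drop INVALID routes. The following is an added example written for this page, not code from the article or from any RPKI validator; the prefixes and AS numbers are taken from the documentation ranges and are constructed.

```python
"""Route Origin Validation against RPKI ROAs (RFC 6811 semantics).

Added example, not from the original article. For an announced route, every
ROA whose prefix covers it is examined: a matching origin AS within
max_length gives VALID; covering ROAs that all mismatch give INVALID; no
covering ROA at all gives NOT_FOUND.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int


def validate_route(prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """Return "VALID", "INVALID" or "NOT_FOUND" for (prefix, origin_asn)."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "VALID"
    return "INVALID" if covered else "NOT_FOUND"


def filter_announcements(announcements: Iterable[Tuple[str, int]], roas: Iterable[Roa],
                         drop_invalid: bool = True) -> List[Tuple[str, int, str]]:
    """Apply the usual operator policy: drop INVALID, accept VALID and NOT_FOUND."""
    roas = list(roas)
    kept: List[Tuple[str, int, str]] = []
    for prefix, asn in announcements:
        state = validate_route(prefix, asn, roas)
        if state == "INVALID" and drop_invalid:
            continue
        kept.append((prefix, asn, state))
    return kept


# Constructed data: AS64496 legitimately originates 203.0.113.0/24 and has
# published a ROA that does not allow anything more specific than /24.
SAMPLE_ROAS = [Roa("203.0.113.0/24", 24, 64496), Roa("2001:db8::/32", 48, 64496)]
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # the legitimate route
    ("203.0.113.0/25", 64496),   # right AS, but more specific than the ROA allows
    ("203.0.113.0/24", 64511),   # another AS claiming the prefix: the hijack pattern
    ("198.51.100.0/24", 64500),  # no ROA published at all
    ("2001:db8:1::/48", 64496),
]

if __name__ == "__main__":
    for prefix, asn, state in filter_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS, drop_invalid=False):
        print(f"{prefix:20s} AS{asn:<6d} {state}")
```

Two caveats matter in practice. A more-specific announcement from the wrong AS is only rejected if the prefix holder has actually published a ROA, so the hijack described above is defeated by validation only where the victim's prefixes are covered; and NOT_FOUND routes are still accepted by nearly every operator, because most of the routing table has no ROA yet. Keeping max_length no larger than what you really announce is what stops a more-specific hijack from validating.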

5. Australia’s Assistance and Access Bill undermines security

In Australia, the “Assistance and Access Bill 2018,” which provides the government “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies,” essentially provides government access to the contents of encrypted communication. It is a self-inflicted wound, as the powers it provides the government stand to undermine confidence in Australian products, as well as in the Australian outposts of technology companies.

The bill was hastily passed on December 7 and was touted as necessary in the interest of “safeguarding national security,” though, subtracting perpetrators, Australia has seen a grand total of seven deaths related to terrorist activities since 2000. Additionally, the bill permits demands to be issued in relation to “the interests of Australia’s foreign relations or the interests of Australia’s national economic well-being.”

While the bill appears not to provide a full firehose of unencrypted user data to government agencies, it does permit the government to compel companies to provide content from specific communications, and it forbids the disclosure of any demands made to companies about compliance. Stilgherrian provides a balanced view of the final bill in his guide on ZDNet.

Source: https://www.techrepublic.com/article/5-biggest-security-vulnerabilities-of-2018/

The October 2016 cyberattack on Dyn should have been an object lesson on how to build Domain Name System infrastructure that would resist a distributed denial of service attack. Unfortunately, I believe we have yet to incorporate the fundamental lesson from this attack.

The DDoS attack on Dyn occurred just over two years ago. The Mirai botnet, a botnet that consisted of hundreds of thousands of compromised “internet of things” devices, was used to send an enormous amount of traffic at Dyn’s authoritative DNS servers, which rendered them incapable of responding to legitimate queries. Major organizations that relied on Dyn for their authoritative DNS service, including Twitter, CNN, Netflix and The New York Times, were unreachable for hours.

I believe one of the central takeaways from the Dyn attack was — as simple as it seems — that you shouldn’t put all your eggs in one basket. In DNS terms, this means that you shouldn’t rely exclusively on a single DNS provider to host your internet-facing DNS data. Organizations that relied on Dyn were unreachable for hours during the attack, whereas organizations that hedged their bets by taking the precaution of using multiple providers weathered the attack with minimal downtime.

I gave a talk in London the month after the attack in which I reminded listeners of the “Multiple Egg-Basket” rule — something I had actually stopped mentioning years before because it struck me as too obvious to warrant a mention. One of the attendees caught me during the next break and told me that his company happened to have exactly the setup I’d recommended: They were a Dyn customer, but they also used a handful of their own external DNS servers. As they relied heavily on their online presence, they used a third-party service to monitor the availability of their website 24 hours a day. During the hours-long attack on Dyn, they were only briefly unreachable.

It seems like a simple precaution, right? Unfortunately, it’s not always as simple as you might think. It’s very easy to synchronize basic DNS data among multiple providers. If, for example, you want to use Dyn and one of its competitors to host your internet-facing DNS data, you generally use one provider to manage that data and tell the other provider to get their copy of the data from the first; this is what we refer to in the business as “secondary DNS servers.”
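The "multiple egg-basket" check can be automated. Given the NS set of a zone and the SOA serial each authoritative server returns (normally gathered with dig NS and dig SOA @server), the script below reports whether every server belongs to one operator and whether any secondary has fallen behind the primary. This is an added example written for this page, not code from the article's author; the nameserver names and serials are constructed, grouping servers by the last two labels of their hostname is a heuristic assumed here (it misjudges operators under ccTLDs such as .co.uk), and plain integer comparison of serials ignores RFC 1982 wrap-around.

```python
"""Check that a zone is served by more than one DNS provider and that the
providers' copies agree.

Added example, not from the original article. Inputs are constructed; in
use they come from `dig NS <zone>` and `dig SOA <zone> @<server>`.
"""
from collections import defaultdict
from typing import Dict, List


def provider_of(ns_host: str) -> str:
    """Approximate a nameserver's operator by its last two labels (heuristic)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ns_host


def providers(ns_hosts: List[str]) -> Dict[str, List[str]]:
    """Group nameservers by operator."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host in ns_hosts:
        groups[provider_of(host)].append(host)
    return dict(groups)


def single_basket(ns_hosts: List[str]) -> bool:
    """True when every authoritative server belongs to one operator."""
    return len(providers(ns_hosts)) < 2


def stale_servers(serials: Dict[str, int]) -> List[str]:
    """Servers whose SOA serial lags the newest one seen (a secondary out of sync)."""
    if not serials:
        return []
    newest = max(serials.values())  # simplification: no RFC 1982 serial arithmetic
    return sorted(host for host, serial in serials.items() if serial < newest)


def assess(ns_hosts: List[str], serials: Dict[str, int]) -> Dict[str, object]:
    """One report: operators, single-provider risk, lagging and unreachable servers."""
    return {
        "providers": sorted(providers(ns_hosts)),
        "single_basket": single_basket(ns_hosts),
        "stale": stale_servers(serials),
        "unreachable": sorted(h for h in ns_hosts if h not in serials),
    }


# Constructed sample: two operators, one secondary lagging, one not answering.
SAMPLE_NS = ["ns1.provider-a.example", "ns2.provider-a.example",
             "ns1.provider-b.example", "ns2.provider-b.example"]
SAMPLE_SERIALS = {"ns1.provider-a.example": 2018121902, "ns2.provider-a.example": 2018121902,
                  "ns1.provider-b.example": 2018121901}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_NS, SAMPLE_SERIALS).items():
        print(f"{key:14s} {value}")
```

Run against real data, "single_basket": True is the condition the article warns about, and a persistently non-empty "stale" list means the secondary provider is not picking up zone transfers or NOTIFYs, so its copy would serve stale answers during an outage of the primary.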

However, many DNS providers now offer, and some customers use, value-added services, such as traffic distribution based on a querier’s location; this enables a customer to direct a querier to the closest web server. In my experience, it’s those value-added services that pose a problem because there’s no standard way to synchronize their configuration among providers. If you laboriously configure Provider A’s system with rules to send all of your customers to the closest web or application servers you offer, you’d have to do the same with Provider B while using the proprietary interface they offer. And if you change Provider A’s configuration in real time in response to conditions, such as if one of your web or application servers failed or was brought down for maintenance, there’s no standard way for that provider to inform the other.

There have been discussions within the Internet Engineering Task Force, the organization responsible for developing and enhancing internet protocols, to come up with some standard means of specifying and synchronizing these value-added services, but there is still progress to be made. Even if such a mechanism existed, there’s not much incentive for providers to support it: Most providers charge customers based on the volume of queries they receive, so when you make it easy for another provider to serve one of your customers, you’re making it just as easy for them to take some of your revenue.

But the benefits of using multiple DNS providers, in my opinion, are important enough for customers to insist that their providers offer some mechanism — perhaps based on the transfer of well-documented metadata or the use of a well-designed API — to synchronize these value-added services. Only then can we implement the lessons that the attack on Dyn should have taught us.

Source: https://www.forbes.com/sites/forbestechcouncil/2018/12/19/the-forgotten-object-lesson-of-the-dyn-ddos-attack/#73ac242f2c06


As attackers begin to use multiple command and control systems to communicate with backdoors and other malware, how can organisations ensure that they detect such methods and that all C&C systems are removed, including “sleepers” designed to be activated at a future date?

When it comes to all kinds of cyber defence, it is always less expensive to prevent attacks and infections than to deal with them once they are in place.

This is especially true in the case of botnets. What is a botnet? A botnet is an army of compromised devices: malicious software designed to infiltrate large numbers of digital devices and then, under remote control, use them for any number of purposes.

For example, botnets can be instructed to steal data or launch huge distributed denial of service (DDoS) attacks and all while simultaneously stealing the electricity and computing power to do it.

Most organisations aim to have at least some cyber security in place. These fundamentals can include items such as implementing the most effective choice of anti-malware, configuring digital devices and software with as much hardened security as practical and ensuring that security patches are always applied swiftly.

However, even when an organisation invests in implementing cyber security essentials, it is still no guarantee of a fully bot-free environment.

As shown in all of the major breaches that hit the headlines, hackers are very keen on remaining unnoticed for as long as possible. Dwell time is the term given to the duration between the initial intrusion and the point of discovery.

In many cases, Yahoo, Starwood and other mega breaches included, you might have noticed that the dwell time was measured not in hours, days, weeks or even months – it was years between the initial intrusion and eventual discovery.

Determined hackers design their bots to be as stealthy as possible, to hide as best as they can and to communicate as efficiently and discreetly as possible.

When researchers find new botnet armies, they often do it by accident and say things like, “We stumbled across this data anomaly”, eventually tracing the cause back to a new botnet force.

Although botnet communications may try to hide, bots generally need to communicate to work. Botnets used to work through centralised command and control servers, which meant that disconnecting communications between bots and their command and control servers was enough to “decapitate” the botnet and render it unable to steal anything or accept new commands.

However, newer botnets are smarter. They still need to communicate, but now many of them can spawn dynamic, peer-to-peer networks.

Bots do still need instructions to work and they also need destinations to send anything they steal. Identify and block those communication routes and your bots will cease to offer their bot master any value.

The challenge is that not all organisations use or install the technologies that can detect and block bots.

For the few organisations that do have the budget and motivation to ramp up their anti-bot defences, there is plenty that can be done.

It starts with ramping up the security that prevents initial infection and locking down unnecessary trust permissions. Prevention is still better than detection and the expenses involved in containing and resolving the threat. There is a huge difference in the efficacy of many security products and sadly, many of those with the highest marketing budget are far from the most effective.

There are also real-time security technologies that can detect, alert on or block botnet activity as it happens. These operate by continually analysing network traffic and local system logs.
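One of the simplest signals such analysis looks for is beaconing: a bot that polls its command and control on a timer produces connections at near-constant intervals, whereas human-driven traffic does not. The script below is an added example written for this page, not code from the article's author or from any product: it groups proxy-log entries by (source, destination) and flags pairs whose inter-connection gaps have low jitter. The log lines and their "<ISO time> <src ip> <dst host> <bytes>" format are constructed for the example.

```python
"""Find periodic "beaconing" in proxy/firewall logs.

Added example, not from the original article. Flags (source, destination)
pairs whose inter-connection gaps have a low coefficient of variation
(standard deviation divided by mean), the statistical fingerprint of a
timer-driven check-in. Log format and contents are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str, int]

SAMPLE_LOG = """\
2018-12-10T09:00:00Z 10.0.0.5 updates.example-cdn.net 1200
2018-12-10T09:00:04Z 10.0.0.5 mail.example.com 800
2018-12-10T09:00:09Z 10.0.0.5 mail.example.com 8100
2018-12-10T09:00:30Z 10.0.0.7 intranet.corp.example 5000
2018-12-10T09:00:31Z 10.0.0.7 intranet.corp.example 7200
2018-12-10T09:00:35Z 10.0.0.7 intranet.corp.example 300
2018-12-10T09:01:00Z 10.0.0.5 updates.example-cdn.net 1198
2018-12-10T09:02:01Z 10.0.0.5 updates.example-cdn.net 1201
2018-12-10T09:02:30Z 10.0.0.5 mail.example.com 640
2018-12-10T09:02:31Z 10.0.0.5 mail.example.com 9900
2018-12-10T09:03:00Z 10.0.0.5 updates.example-cdn.net 1200
2018-12-10T09:04:00Z 10.0.0.5 updates.example-cdn.net 1199
2018-12-10T09:04:50Z 10.0.0.5 mail.example.com 700
2018-12-10T09:05:02Z 10.0.0.5 updates.example-cdn.net 1200
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed four-column format into (time, src, dst, bytes) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst, size = line.split()
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(size)))
    return events


def find_beacons(events: List[Event], min_events: int = 5, max_cv: float = 0.1) -> List[Dict[str, object]]:
    """Pairs seen at least min_events times whose gap jitter (stdev/mean) is at most max_cv."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for stamp, src, dst, _ in events:
        by_pair[(src, dst)].append(stamp)
    findings: List[Dict[str, object]] = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few observations to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # everything within one second: a burst, not a timer
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "period_s": round(mean, 1), "jitter_cv": round(cv, 3)})
    return findings


def beacon_report(text: str) -> List[Dict[str, object]]:
    """Parse a log and return the beacon candidates it contains."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for hit in beacon_report(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} hits every ~{hit['period_s']}s "
              f"(jitter cv {hit['jitter_cv']})")
```

In the sample only the once-a-minute traffic to updates.example-cdn.net is flagged; the mail traffic is bursty and the intranet host has too few events. Legitimate software beacons too (update checks, monitoring agents, NTP), so this is a triage signal to combine with destination reputation and an allowlist, and bots that add deliberate jitter to their sleep interval need a looser max_cv, or a look at payload sizes, to catch.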

If your organisation does not have the budget for real-time monitoring, then it is still worth inspecting devices and checking for any suspicious processes that seem to be taking up a lot of memory – especially if any users are reporting their device has slowed down. That can be an indicator of compromise, but only when the botnet is awake and active.

And if you are wondering just how much of a threat botnets are, just think about this: most of our attention as cyber security professionals is on the botnets we can detect and eliminate from our own environments, but the internet of things and sub-standard security present in many devices means the internet is riddled with enough botnets to effectively stop the internet from working.

The only thing stopping that from happening at present is that it would harm rather than profit the hackers. After all, 2019 might just be the year when the proceeds from cyber crime reach a trillion dollars.

Source: https://www.computerweekly.com/opinion/Security-Think-Tank-Smart-botnets-resist-attempts-to-cut-comms

The network security threat landscape in 2019 is expected to look much like it did in 2018. Here’s a look at six network security challenges for 2019 for businesses and individual users to keep in mind.

In many ways, the network security threat landscape in 2019 will look much like it did in 2018. From viruses to DDoS attacks, even when threats aren’t multiplying in number year over year, they’re managing to become more sophisticated and damaging. Here’s a look at six network security challenges for 2019 for businesses and individual users to keep in mind.

1. A Greater Amount of Sensitive Traffic Than Ever

In a 2018 survey, PwC reported that mobile channels were the only segment that saw growth that year among banking customers. In other words, demand for mobile-friendly banking tools is higher than ever. That means a lot of very sensitive data flowing over public and private networks.

In 2018, security experts from Kaspersky discovered what appeared to be a years-long router-hacking campaign performed by as-yet-unknown cyber-assailants. Researchers discovered digital fingerprints all over the world indicating that routers in public places had been subtly hacked to allow kernel-level access to any device connected to them.

Kernel-level access is the deepest access possible, indicating that the data being sought here was highly personal — including, potentially, banking transactions and communication records.

2. Worms and Viruses

Viruses and worms are some of the most well-known network security challenges. In 2015, Symantec estimated that as many as one million new malware threats are released into the wild every day or a total of 217 million in a calendar year.

In 2017, AV-Test released research indicating that the number of new malware threats had declined for the first time ever, down to 127 million over the year.

Viruses attach themselves to files or programs and can lie dormant until the user performs an action that triggers them, meaning there’s not always an indication that something is amiss. Worms, by contrast, self-replicate and spread across networks on their own once they are inside a target system, without needing a host file or any user action.

For individual internet users, network architects and IT specialists, anti-virus and anti-malware programs are still necessary for keeping this class of threats at bay. For IT departments especially, high-profile computer bugs are a reminder that a vast majority of attacks target unpatched software and out-of-date hardware. The number of new threats might be gradually declining, but the severity of these threats hasn’t abated.

3. Compelling Students to Enter the STEM Fields

Let’s switch focus for a moment and look at the next generation of people who will detect, fix and communicate about modern threats on the digital seas. All of the STEM fields are vital to national competitiveness but, of the top college majors ranked by number of job prospects, computer science takes first place.

According to the National Bureau of Economic Research, skills obtained in the fields of math, science and technology are increasingly transferable to, and relevant in, a wide variety of industries and potential career paths. Part of the reason is the ubiquity of technology and the rate of data exchange across the world, which powers commerce, finance, and most other human endeavors.

Unfortunately, the NBER has also indicated that the U.S. requires many more STEM students than it currently has, in order to compete in a digital and globalized world.

The number and types of cyber threats are a huge part of the reason why, with world powers and unknown parties engaging in cyber-espionage and attempted hacking at regular intervals, against both private and public infrastructure. Making a stronger push to get kids interested in these fields will also help address unemployment and opportunity gaps in struggling communities.

4. DDoS Attacks

For companies whose business model revolves around selling digital services, or selling anything else online for that matter, DDoS attacks can be crippling, not to mention ruinously expensive due to lost revenue.

DDoS attacks have made a lot of news recently, but the motivation behind them seems to be shifting. Perpetrators today are less concerned with crippling a target’s infrastructure and more interested, potentially, in using DDoS attacks as a distraction while they carry out more sophisticated penetration attempts without interference.

Either way, using the Internet of Things to overwhelm an organization’s digital infrastructure is a type of network security threat that became more common in 2017 than in 2016, up 24 percent, with no obvious signs of relenting. Early detection is the best weapon, alongside Web Application Firewalls for application-layer floods; volumetric attacks that saturate the link itself need upstream scrubbing or an anycast CDN in front of the origin. Both approaches require either an attentive in-house IT team or effective collaboration with your service provider.

5. Cryptojacking

Cryptocurrencies are either worthless or about to take off in a big way. But despite the uncertainty over their future, the limited applications, and the slow adoption rate, “crypto-jacking” is becoming a favorite pastime of hackers.

Cryptojacking occurs when a malicious app or script on a user’s digital device mines cryptocurrency in the background without the user’s knowledge or permission. “Mining” cryptocurrency requires a fair amount of hardware power and other resources, meaning users who’ve been cryptojacked will find that their programs and devices don’t work as expected.

Worse, the sheer variety of techniques used to introduce cryptojacking scripts into counterfeit and even legitimate web and mobile applications is dizzying. And since they come in all shapes and forms, cryptojacking payloads may well have other underhanded intentions beyond mining cryptocurrencies, including accessing sensitive user information.

6. Bring Your Own Device

Let’s close with a few words of advice about BYOD — bring your own device — policies in the workplace. There are clear benefits to allowing employees to use their favorite devices at work, including higher productivity and morale. But doing so also introduces a panoply of potential security threats.

IT departments already struggle sometimes with keeping computers and devices patched and updated, and the public struggles even more. Thanks to the fragmented nature of the Android operating system, for instance, “most” Android phones and tablets in operation today are not running the latest security fixes, according to security vendor Skycure.

Your employees and your business have a lot to gain from implementing BYOD. But doing so requires a comprehensive set of rules for employees to abide by, including turning on auto-updates for OS patches, completing training on how to respond to phishing attempts and other cybersecurity threats, and delivering regular reminders about good password hygiene.

No network security threat is insurmountable, but most of them do require vigilance — and in most cases, a great IT team or a security-minded vendor.

Source: https://www.readitquik.com/articles/security-2/6-network-security-challenges-in-the-year-ahead/

American tech firm Cloudflare is providing cybersecurity services to at least seven designated foreign terrorist organizations and militant groups, HuffPost has learned.

The San Francisco-based web giant is one of the world’s largest content delivery networks and boasts of serving more traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined. Founded in 2009, it claims to power nearly 10 percent of Internet requests globally and has been widely criticized for refusing to regulate access to its services.

Among Cloudflare’s millions of customers are several groups that are on the State Department’s list of foreign terrorist organizations, including al-Shabab, the Popular Front for the Liberation of Palestine, al-Quds Brigades, the Kurdistan Workers’ Party (PKK), al-Aqsa Martyrs Brigade and Hamas — as well as the Taliban, which, like the other groups, is sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC). These organizations own and operate active websites that are protected by Cloudflare, according to four national security and counterextremism experts who reviewed the sites at HuffPost’s request.

In the United States, it’s a crime to knowingly provide tangible or intangible “material support” — including communications equipment — to a designated foreign terrorist organization or to provide service to an OFAC-sanctioned entity without special permission. Cloudflare, which is not authorized by the OFAC to do business with such organizations, has been informed on multiple occasions, dating back to at least 2012, that it is shielding terrorist groups behind its network, and it continues to do so.

The Electronic Frontier Foundation and other free speech advocates have long been critical of material support laws. The foundation described them as tools the government has used to “chill First Amendment protected activities” such as providing “expert advice and assistance” ― including training for peacefully resolving conflicts ― to designated foreign terrorist organizations. Many of the designated groups, the EFF has argued, also provide humanitarian assistance to their constituents.

But so far, free speech advocates’ arguments haven’t carried the day — which means that Cloudflare still could be breaking the law.

‘We Try To Be Neutral’

“We try to be neutral and not insert ourselves too much as the arbiter of what’s allowed to be online,” said Cloudflare’s general counsel, Doug Kramer. However, he added, “we are very aware of our obligations under the sanctions laws. We think about this hard, and we’ve got a policy in place to stay in compliance with those laws.” He declined to comment directly on the list of websites HuffPost provided to Cloudflare, citing privacy concerns.

Cloudflare secures and optimizes websites; it is not a web host. Although Cloudflare doesn’t host websites, its services are essential to the survival of controversial pages, which would otherwise be vulnerable to distributed denial-of-service attacks, including vigilante hacker campaigns. As the tech firm puts it, “The size and scale of the attacks that can now easily be launched online make it such that if you don’t have a network like Cloudflare in front of your content, and you upset anyone, you will be knocked offline.”

Some of the terrorist sites that HuffPost identified on its server have been used to spread anti-state propaganda, claims of responsibility for terrorist attacks, false information and messages glorifying violence against Americans and civilians. But none of that really matters: Even if al-Shabab were posting cat videos, it would still be a crime to provide material support to the group.

“This is not a content-based issue,” said Benjamin Wittes, the editor in chief of Lawfare and a senior fellow at the Brookings Institution. “[Cloudflare] can be as pure-free-speech people as they want — they have an arguable position that it’s not their job to decide what speech is worthy and what speech is not — but there is a law, a criminal statute, that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.”

Intermediary websites are shielded from liability for illicit third-party content on their platforms, thanks to the U.S. Communications Decency Act (meaning, for example, that Twitter cannot be held legally accountable for a libelous tweet). This immunity is irrelevant with regard to the material support statute of the USA Patriot Act, which pertains strictly to the provision of a service or resource, not to any offending content, explained Wittes. In this case, Cloudflare’s accountability would not be a question of whether it should be monitoring its users or their content but, in part, whether the company is aware that it is serving terrorist organizations.

“If and when you know or reasonably should know, then you’re in legal jeopardy if you continue to provide services,” said University of Texas law professor Bobby Chesney.

In its terms of use, Cloudflare reserves the right to terminate services “for any reason or no reason at all.” Yet the firm has refused to shut down even its most reprehensible customers, with very few exceptions. Its CEO, former lawyer Matthew Prince, has made it clear that he believes in total content neutrality and that Cloudflare should play no role in determining who’s allowed online. His company is reportedly preparing for an initial public offering that would value it at more than $3.5 billion.


Cloudflare’s services range in price from completely free to north of $3,000 per month for advanced cybersecurity. (Kramer declined to say if the sanctioned entities HuffPost identified are paying customers. Material support law applies to both free and paid services.) Its reverse proxy service puts Cloudflare’s own addresses in front of a website, hiding the origin server’s IP address and hosting provider from visitors and giving site operators a sense of anonymity. This feature has made Cloudflare especially appealing to neo-Nazis, white supremacists, pedophiles, conspiracy theorists — and terrorists.


Cloudflare Knows

Cloudflare has knowingly serviced terrorist-affiliated websites for years. In 2012, Reuters confronted Cloudflare about websites behind its network that were affiliated with al-Quds Brigades and Hamas. Prince argued that Cloudflare’s services did not constitute material support of terrorism. “We’re not sending money, or helping people arm themselves,” he said at the time. “We’re not selling bullets. We’re selling flak jackets.”

That analogy bears little relevance. “Material support,” as defined in 18 U.S.C. § 2339B, refers to “any property, tangible or intangible, or service,” excluding medicine and religious materials. Contrary to Prince’s suggestion, it applies to more than money and weapons. A New York man who provided satellite television services to Hezbollah was sentenced in 2009 to 69 months in prison for material support of terrorism. And although the definition is broad, “it really covers anything of value,” Chesney said. “It’s meant to be like a full-fledged embargo.”

In 2013, after journalist James Cook learned Cloudflare was securing a website affiliated with al Qaeda, he wrote an article arguing that the web giant was turning “a blind eye to terrorism.” Prince published his responses to Cook’s questions about serving terrorist groups in a Q&A-style blog post titled “Cloudflare and Free Speech.”

Cook asked what safeguards Cloudflare had in place to ensure it was not supporting illegal terrorist activity; Prince listed none. Cook inquired whether Cloudflare would investigate the website he had identified; Prince suggested it would not. The site is still online and is still secured by Cloudflare.

“A website is speech. It is not a bomb,” Prince wrote in his post. “We do not believe that ‘investigating’ the speech that flows through our network is appropriate. In fact, we think doing so would be creepy.”

Creepy or not, if a company receives a tip that it has customers who are sanctioned terrorists or has reason to believe that could be the case, it should absolutely investigate so as not to risk breaking the law, experts said. (Kramer noted Prince’s remarks are “from six years ago” and said Cloudflare does take such tips seriously.)

“This is a criminal statute that we’re talking about, so companies bear a risk by putting their heads in the sand,” said Georgetown Law professor Mary McCord, a former head of the Justice Department’s national security division. “A company has got to spend money, resources [and have] lawyers to make sure it’s not running afoul of the law. The risk it takes if it doesn’t is a criminal prosecution.”

President Donald Trump’s administration also urges due diligence. “We encourage service providers to follow the lead of the big social media companies, whose terms of service and community standards expressly enable them to voluntarily address terrorist content on their platforms, while exploring ways to more expeditiously tackle such content,” a White House official told HuffPost.

The international hacktivist group Anonymous accused Cloudflare of serving dozens of ISIS-affiliated websites in 2015, which Prince shrugged off as “armchair analysis” by “15-year-old kids in Guy Fawkes masks.” In media interviews, he maintained that serving a terrorist entity is not akin to an endorsement and said only a few of the sites on Anonymous’ list belonged to ISIS. Prince hinted that government authorities had ordered Cloudflare to keep certain controversial pages online. The FBI, Justice Department, State Department, Treasury Department and White House declined to comment on that assertion.

Last year, Cloudflare disclosed that the FBI subpoenaed the company to hand over information about one of its customers for national security purposes. The FBI, which also uses Cloudflare’s services, rescinded the subpoena and withdrew its request for information after Cloudflare threatened to sue. Neither Cloudflare nor the FBI would comment on this matter.

Over the past two years, the Counter Extremism Project, a nonpartisan international policy organization, has sent Cloudflare four detailed letters identifying a total of seven terrorist-operated websites behind its network. HuffPost has viewed these letters, which explicitly address concerns about material support of terrorism, and Kramer acknowledged that Cloudflare received them.

“We’ve never received a response from [Cloudflare],” said Joshua Fisher-Birch, a content review specialist at the Counter Extremism Project. Five of the seven flagged websites remain online behind Cloudflare today, more than a year after they were brought to the firm’s attention.

“I think they’re doubling down on free speech absolutism at all costs,” he added. “In this case, that means they’re going to allow terrorist and extremist organizations to use their services and to possibly spread propaganda, try to recruit or even finance on their websites.”

In August 2017, Cloudflare cut off services to the Daily Stormer, a website that had allegedly been involved in a neo-Nazi rally that month in Charlottesville, Virginia, where a counterprotester was killed.

‘Assholes’ vs. Terrorists

Kramer said he was not able to comment in detail on specific cases in which outside actors such as journalists and Anonymous informed Cloudflare about possible terrorist organizations using its services, but he noted that Cloudflare works with government agencies to comply with its legal obligations.

“Our policy is that if we receive new information that raises a flag or a concern about a potentially sanctioned party, then we’ll follow up to figure out whether or not that’s something that we need to take action on,” he said. “Part of the challenge is really to determine which of those are legitimate inquiries and which of those … are trying to manipulate the complaint process to take down people with whom they disagree.”

Cloudflare was flooded with such complaints in August 2017, when activists pleaded with the firm to terminate its services for the Daily Stormer, a prominent neo-Nazi website that was harassing the family of a woman who had recently been killed in violence surrounding a neo-Nazi rally in Charlottesville, Virginia.

Prince initially refused to drop the Daily Stormer, but as public outrage intensified, he reluctantly pulled the plug. “The people behind the Daily Stormer are assholes and I’d had enough,” he later said in an email to his team. The rationale behind that decision raised questions among Cloudflare’s staff, according to Wired.

“There were a lot of people who were like, ‘I came to this company because I wanted to help build a better internet … but there are some really awful things currently on the web, and it’s because of us that they’re up there,’” one employee said. Another wondered why Cloudflare would consider shutting down Nazis but not terrorists.

Source: https://www.huffingtonpost.ca/entry/cloudflare-cybersecurity-terrorist-groups_us_5c127778e4b0835fe3277f2f