Denial of Service Archive

Every employee at your organisation should be prepared to deal with right to be forgotten requests.

It’s estimated that 75% of employees will exercise their right to erasure now that GDPR (General Data Protection Regulation) has come into effect. However, less than half of organisations believe they could handle a ‘right to be forgotten’ (RTBF) request without any impact on day-to-day business.

These findings highlight the underlying issues we’re seeing in the post-GDPR era and how the new regulation puts businesses at risk of non-compliance. What is also worrying is that there are wider repercussions for organisations that are not prepared to handle RTBF requests.

No matter how well a business is run, there is always the possibility that someone holds a grudge against the company and wants to disrupt its daily operations. One way to do this, without resorting to a conventional cyber-attack, is to inundate the organisation with RTBF requests. If the company already struggles to complete a single request, a flood of them can drain its resources and grind the business to a halt. On top of this, failing to comply with the requests within the statutory deadline is itself a non-compliance issue – a double whammy.

An unfortunate consequence of the new GDPR regulations is that a request for erasure is free to submit, which makes it more likely that customers, or those with a grudge, will ask to have their data removed. There are two forms such a request can take. The first is a simple opt-out: removing an identifier, usually an email address, from marketing campaigns. The other is a far more time-consuming and complex discovery and removal of all applicable data. It is this second type of request that hacktivists, disgruntled customers or other attackers could weaponise.

A single RTBF request is relatively easy to handle – as long as the company knows where its data is stored, of course – and the organisation has a month from the day the request is received to complete it (GDPR allows this to be extended by a further two months where requests are complex or numerous, but the requester must be told why within the first month). If a company is inundated with requests arriving on the same or consecutive days, however, they become difficult to manage and can heavily impact daily operations. This kind of attack is comparable to a Distributed Denial of Service (DDoS) attack – for example the attack on the UK National Lottery last year, which knocked out its entire online and mobile service for hours because criminals flooded the site with traffic – in that the company is overloaded with so many requests that it has to stop its services entirely.

When preparing for a flood of RTBF requests, it is essential that all organisations have a plan in place that streamlines processes for discovery and deletion of customer data, making it as easy as possible to complete multiple requests simultaneously.

Don’t let your weakest link be your downfall

The first thing to consider is whether the workforce actually knows what to do when a RTBF request comes in (let alone hundreds). Educating all employees on how to handle a request – including who in the company to notify and how to respond to the requester – is essential to being prepared. It means that any RTBF request is dealt with both correctly and on time. The process must also have clearly defined responsibilities and auditable actions. For companies with a DPO (Data Protection Officer), or someone who fulfils that role, this is where the process should begin.

Discovering data is the best defence

The key to responding efficiently to RTBF requests is discovering the data: the team responsible for completing requests must know where all of the organisation’s data is stored. A complete inventory of where data can be found – and how to find it – is therefore crucial. While data in structured storage such as a database or email system is relatively simple to locate and act on, it is unstructured data, such as reports and files, that is hard to find and is the biggest drain on time and resources.

Running a ‘data discovery’ exercise is invaluable in establishing where data is located, as it finds data on every system and device, from laptops and workstations to servers and cloud drives. Only once a team knows where all critical data lives can it assess its ability to delete it and, where applicable, remove all traces of a customer. Repeating the exercise will highlight any gaps and indicate where additional tools may be needed. Data-at-rest scanning of this kind is frequently found as one component of a Data Loss Prevention (DLP) solution.
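The discovery exercise described above can be scripted so that one pass over the estate answers a whole batch of requests, which is exactly what turns a flood of RTBF requests from a denial-of-service problem into a routine job. The following is an added example, not code from the original article or from any DLP product: it walks a directory tree once for a list of subject identifiers, handles structured stores (a SQLite database and a CSV export) and unstructured text files differently, and reports anything it could not scan so coverage gaps are visible rather than silent. The sample estate it builds in a temporary directory is constructed for the example and contains no real data.

```python
"""Batch data discovery for right-to-erasure (RTBF) requests.

Added example; not the article's or any product's code. One walk of the
data estate serves every request in a batch. The sample estate is
constructed here and contains no real data.
"""
import csv
import os
import sqlite3
import tempfile
from collections import defaultdict
from pathlib import Path

# Unstructured formats scanned line by line. Unknown formats are reported
# as unscanned so a gap in coverage is visible, not silent.
TEXT_EXTS = {".txt", ".md", ".log", ".eml", ".json"}


def _hits(text, needles):
    """Needles (already lower-cased) present in text, case-insensitively."""
    low = text.lower()
    return [n for n in needles if n in low]


def scan_text(path, needles):
    """Unstructured file: record the line number of every hit."""
    found = defaultdict(list)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for n in _hits(line, needles):
                found[n].append(f":{lineno}")
    return found


def scan_csv(path, needles):
    """Flat structured file: record the row number (header is row 1)."""
    found = defaultdict(list)
    with open(path, newline="", encoding="utf-8") as fh:
        for rowno, row in enumerate(csv.reader(fh), 1):
            for n in _hits(",".join(row), needles):
                found[n].append(f":row{rowno}")
    return found


def scan_sqlite(path, needles):
    """Database: every table, every text cell, recorded as table.column and rowid.
    Assumes ordinary rowid tables (WITHOUT ROWID tables would need their key)."""
    found = defaultdict(list)
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT rowid, * FROM "{table}"'):
                for col, val in zip(cols, row[1:]):
                    if isinstance(val, str):
                        for n in _hits(val, needles):
                            found[n].append(f":{table}.{col}#rowid={row[0]}")
    finally:
        con.close()
    return found


def discover(root, identifiers):
    """One walk of `root` for a whole batch of subject identifiers.
    Returns ({identifier: [location, ...]}, [unscanned files])."""
    needles = [i.lower() for i in identifiers]
    hits = {n: [] for n in needles}
    unscanned = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic walk order
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = Path(os.path.relpath(path, root)).as_posix()
            ext = os.path.splitext(name)[1].lower()
            if ext in TEXT_EXTS:
                found = scan_text(path, needles)
            elif ext == ".csv":
                found = scan_csv(path, needles)
            elif ext in {".db", ".sqlite"}:
                found = scan_sqlite(path, needles)
            else:
                unscanned.append(rel)
                continue
            for n, suffixes in found.items():
                hits[n].extend(rel + s for s in suffixes)
    return hits, unscanned


def build_sample_estate(root):
    """Constructed sample estate: CRM database, marketing export, report, binary."""
    root = Path(root)
    (root / "reports").mkdir()
    (root / "reports" / "q2_churn.txt").write_text(
        "Q2 churn review\nCustomer Alice@Example.com cancelled in June.\n"
        "Dave (dave@example.net) asked for a callback.\n", encoding="utf-8")
    (root / "exports").mkdir()
    with open(root / "exports" / "newsletter.csv", "w", newline="", encoding="utf-8") as fh:
        csv.writer(fh).writerows([["email", "opted_in"],
                                  ["carol@example.org", "yes"],
                                  ["alice@example.com", "no"]])
    con = sqlite3.connect(root / "crm.db")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "Alice", "alice@example.com"), (2, "Carol", "carol@example.org")])
    con.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO tickets VALUES (1, 'Refund requested by alice@example.com')")
    con.commit()
    con.close()
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # binary: not scannable here


def run_demo():
    """Three requests, one for a subject the estate has never seen, in a single pass."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_estate(tmp)
        return discover(tmp, ["Alice@example.com", "carol@example.org", "nobody@example.com"])


if __name__ == "__main__":
    hits, unscanned = run_demo()
    for subject, locations in hits.items():
        print(subject, "->", locations or "not found")
    print("unscanned:", unscanned)
```

The point of the design is the inventory it produces: each hit is a concrete location (file and line, CSV row, or table, column and rowid) that a deletion step can act on and an auditor can check, and the unscanned list is the gap report the article says repeated discovery exercises should surface. Matching here is plain case-insensitive substring search on an email address; a production scan would add name, account number and other identifiers, and the same one-pass structure applies.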

Stray data – a ticking time bomb

Knowing where data is stored within the organisation is not the end of the journey, however. The constant sharing of information with partners and suppliers also has to be taken into account, and for this an understanding of the data flows into and out of the company is important. Shared responsibility under GDPR means that every party handling the data can be held liable if a breach occurs or a RTBF request cannot be completed. If critical data sitting with a partner is not tracked by the company that received the RTBF request, it is impossible to truly complete it, and the organisation could face fines of up to 20 million EUR or 4% of global annual turnover, whichever is higher. It is therefore all the more important to know how and where critical data is moving at all times, and to limit sharing to those who genuinely need to know.

While there is no silver bullet for stray data, a number of technologies can help control the data that is sent into and out of a company. Automated controls such as Adaptive Redaction and document sanitisation help ensure that no recipient receives critical data they are not authorised to see, and build confidence in the security of critical data for both the organisation and the customer.

With the proper processes and technologies in place, dealing with RTBF requests is straightforward, whether a request is legitimate or an attempt by hacktivists or disgruntled customers to wreak havoc. Streamlined data discovery and control of the data flowing into and out of the company are integral to completing RTBF requests and, ultimately, to defending the organisation against malicious use of GDPR.

Source: https://www.itproportal.com/features/gdpr-a-tool-for-your-enemies/

A German hacker who launched DDoS attacks and tried to extort ransom payments from German and UK firms was sentenced last month to one year and ten months of probation.

The hacker, identified by authorities only as 24-year-old Maik D. but known online as ZZb00t, was blamed for attacks on companies such as eBay.de, DHL.de, billiger.de, hood.de, rakuten.de, DPD.de, EIS.de and ESL.eu, as well as some UK firms.

Hacker would launch DDoS attacks and then extort victims

ZZb00t followed the same pattern each time. He would first warn companies via Twitter, then launch DDoS attacks that took services down for anywhere from a few hours to a full day.

Maik, who in real life was an IT security consultant, would often criticize companies for their poor security practices.

“Sadly but true @[REDACTED] your servers just sucks,” he wrote in one tweet. “Never thought that [REDACTED] was so extremely poorly protected. It’s more than embarrassing,” he wrote in another.

He often claimed his actions were only meant to expose security weaknesses, describing himself as a vulnerability hunter.

But Maik wasn’t launching DDoS attacks out of the kindness of his heart so that companies would improve their security. He would often send emails promising to stop the attacks in exchange for a payment in Bitcoin.

Hacker arrested after one company pressed charges

His DDoS and extortion campaigns were tracked throughout last year by the German blog Wordfilter.de [1, 2, 3, 4]. A recently released Link11 report details the hacker’s tactics.

The hacker was active at the same time as another DDoS extortion team named XMR Squad, and Link11 claims in its report that there was a working relationship and coordination of attacks between ZZb00t and XMR Squad members.

Link11 says it documented over 300 of ZZb00t’s tweets related to attacks he carried out before German authorities arrested the suspect on May 23, last year, putting an end to his attacks.

Source: https://www.bleepingcomputer.com/news/security/ddoser-who-terrorized-german-and-uk-firms-gets-off-without-jail-time/

The devices and systems we use seem to change or get updated on a daily basis.

As the world changes and our lives become increasingly interconnected, a range of new words and phrases are frequently added to the technological lexicon.

Here are a few that have popped up during the course of “IoT: Powering the Digital Economy.”

Autonomous vehicle

A vehicle, such as a car or truck, that uses technology and sensors to drive without the need for human assistance.

Uber, Tesla and Alphabet — through its subsidiary Waymo — are just some of the big businesses working on self-driving technologies.

BIM

According to the Institution of Structural Engineers, Building Information Modeling, or BIM, is centered on utilizing digital tools “to efficiently produce information” in order to allow assets to be constructed, maintained and operated.

Biometrics

The U.S. Department of Homeland Security (DHS) describes biometrics as being “unique physical characteristics” that can be utilized for “automated recognition.” Think fingerprints, iris scans and voice recognition.

The applications of biometrics are diverse and wide ranging. Today, we can unlock our smartphones with our fingerprints and use our voices to gain access to sensitive information, such as our banking details. For its part, the DHS says it uses biometrics to, among other things, “detect and prevent illegal entry into the U.S.” and enforce federal laws.

Blockchain

A distributed digital ledger that records transactions in a tamper-evident way. Instead of each party to a transaction keeping its own record of it, which could differ from the others and cause confusion, a blockchain creates one shared “master” record. Once a transaction has been recorded, it cannot be altered without the change being detectable by the other participants. As technology giant IBM notes: “All parties must give consensus before a new transaction is added to the network.”

DDoS

Stands for Distributed Denial of Service. The U.K.’s National Crime Agency (NCA) says that DDoS attacks usually take place when a group of “compromised, controlled computers” send messages to a computer or server simultaneously. The messages are sent involuntarily, the NCA adds, meaning the owners of those computers are unaware their machines are taking part.

GDPR

In the European Union, the General Data Protection Regulation will apply from May 25 this year. It replaces the 1995 Data Protection Directive, which was introduced when the digital age was in its infancy, and will affect both citizens and businesses.

Among other things, the GDPR will strengthen people’s right to be forgotten and guarantee free, easy access to their personal data. Organizations and businesses will also have to inform people about data breaches that could negatively impact them, and do this “without undue delay.” The relevant data protection supervisory authority will also need to be told of breaches, within 72 hours where feasible, unless a breach is unlikely to put people at risk.

Internet of Things

The European Commission describes the internet of things as merging “physical and virtual worlds, creating smart environments.”

Think of devices that are connected to the internet and able to “talk” to one another. One example would be a thermostat in your home that you control with your smartphone from your office.

Smartphone

A cell phone that can connect to the internet, enabling users to carry out a host of tasks. These range from visiting websites and sending instant messages to taking photographs and carrying out financial transactions.

Source: https://www.cnbc.com/2018/01/11/from-the-iot-to-bim-and-ddos-to-gdpr-breaking-down-technological-jargon.html

A three-week wave of cyberattacks against several popular dark web marketplaces has left the notorious underground e-commerce economy drenched in uncertainty and wondering whether, as earlier this year, this is a prelude to another round of arrests.

Just two months after police brought down a slew of the best-known dark web markets, those left standing can’t figure out — nor defeat — whoever is behind the three-week denial-of-service offensive that has knocked their sites offline.

As if looking to further stoke fear and uncertainty, Deputy Attorney General Rod Rosenstein recently spoke in Washington, D.C. on how the Department of Justice is continuing to target crime on the dark web.


Paranoia haunts the mood of those who remain, as many wait for the next law enforcement sting. Those actions have sown deep distrust among the markets’ vendors and customers, who are often looking for drugs, malware, stolen data, exploitation material and other means of committing fraud. This is on top of a customer base that already goes to great lengths to conceal its identity, hiding behind anonymization technology like the Tor browser and paying for wares with cryptocurrencies like Bitcoin and Monero.

The turbulence these dark web marketplaces have dealt with beyond the arrests has been unprecedented. Scams and cyberattacks are common, as those looking to replace the reliable crime superstores of the past are struggling. To top it off, a new class of scammers is seizing on the chaos, launching phishing attacks to steal cryptocurrency from the dark web’s faithful.

“This year turned things the other way around,” one dark net market customer lamented on a subreddit dedicated to the marketplaces. “It is like a dead place now to be very honest. Sales have dropped, there are more scammers in the market now, people are losing their money or assets, most of the good vendors are gone, people are scared.”

A host of dark net markets are under attack. This is the error message visitors get when they visit Dream Market.

There are “a few hints but definitely more questions than answers,” Emily Wilson, a researcher at Terbium Labs, told CyberScoop. “We know the markets are being DDoSed, we know it’s a fairly coordinated effort. It’s been going on for two weeks now.”

The attackers have made what some forum administrators call “silly demands,” implying that extortion is the goal. The latest incident echoes past ones, such as the 2013 denial-of-service attack on Silk Road, when attackers successfully made the market pay a ransom for the attacks to stop.

But more recent history shows that AlphaBay, the largest dark web market for a period of around three years, went dark for nearly two weeks before it was revealed that an international law enforcement operation was behind the outage.

One result of the attacks is growing distrust of centralized markets. Instead of sticking with the big players, dark web users are now following smaller, specialty vendors to get their malware, fraudulent data and drugs.

The impact has been uneven. The drug market has been hit hardest, but crooks selling fraud and malware have carried on with little downtime in large part because those economies also operate on the public web.

To deal with the denial-of-service attacks, some markets have put up site mirrors at different addresses. The tactic makes it more difficult for attackers to hit a moving target, but it also makes it easier for phishing scams to fool victims who don’t know which market is real or fake.

“We can’t expect to see nine markets DDoSed forever,” Wilson said. “It depends on who is behind it. The fact that the DOJ has made hardline remarks about going after the dark net makes me think we’ll see increased instability over the coming months and years. The question then is, are people going to pop up new markets and take their chances? Will we see more peer to peer trade? We’re all waiting to see.”

If a mountain of unanswered questions looms over the dark web, at least one has been answered.

“The question we all had six months ago was, ‘Are we going to see another AlphaBay pop up quickly?’” Wilson said. “The answer is no.”

Source: https://www.cyberscoop.com/dark-web-ddos-attacks-dream-market-wall-street-market/

A new tactic for DDoS is gaining steam: the pulse wave attack. It’s called such due to the traffic pattern it generates—a rapid succession of attack bursts that split a botnet’s attack output.

According to Imperva’s latest Global DDoS Threat Landscape Report, a statistical analysis of more than 15,000 network and application layer DDoS attacks mitigated by Imperva Incapsula’s services during Q2 2017, the largest network layer assault it mitigated peaked at 350Gbps. The pulse wave tactic lets an offender pin down multiple targets with alternating high-volume bursts; as such, it serves as the DDoS equivalent of hitting two birds with one stone, the company said.

“A DDoS attack typically takes on a wave form, with a gradual ramp-up leading to a peak, followed by either an abrupt drop or a slow descent,” the company explained. “When repeated, the pattern resembles a triangle, or sawtooth waveform. The incline of such DDoS waves marks the time it takes the offenders to mobilize their botnets. For pulse wave attacks, a lack of a gradual incline was the first thing that caught our attention. It wasn’t the first time we’ve seen attacks ramp up quickly. However, never before have we seen attacks of this magnitude peak with such immediacy, then be repeated with such precision.”

Whoever was behind these assaults was able to mobilize a 300Gbps botnet within a matter of seconds, Imperva noted. This, coupled with the precise regularity with which the pulses recurred, painted a picture of highly skilled actors exercising a high degree of control over their attack resources.

“We realized it makes no sense to assume that the botnet shuts down during those brief ‘quiet times’,” the firm said. “Instead, the gaps are simply a sign of offenders switching targets on-the-fly, leveraging a high degree of control over their resources. This also explained how the attack could instantly reach its peak. It was a result of the botnet switching targets on-the-fly, while working at full capacity. Clearly, the people operating these botnets have figured out the rule of thumb for DDoS attacks: moments to go down, hours to recover. Knowing that—and having access to an instantly responsive botnet—they did the smart thing by hitting two birds with one stone.”

Pulse wave attacks were encountered on multiple occasions throughout the quarter, according to Imperva’s data.
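The two traffic shapes Imperva contrasts above, a sawtooth with a gradual incline versus pulses that peak instantly and recur with precision, can be told apart mechanically from a rate time series. The following is an added example, not Imperva’s code or data: it builds constructed one-sample-per-second Gbps series for both shapes, measures each burst’s ramp time and the regularity of the burst-to-burst period, and classifies the pattern. It also sums two phase-shifted pulse waves to show the point made in the quote, that a botnet alternating between two targets never actually idles. Thresholds and the 90% peak fraction are assumptions chosen for the example.

```python
"""Classifying DDoS traffic shape: sawtooth versus pulse wave.

Added example; not Imperva's code or data. Series are constructed Gbps
readings, one per second, with attack traffic only (no baseline).
"""
from statistics import mean, pstdev


def find_bursts(samples, threshold):
    """(start, end) index pairs of contiguous runs above `threshold`."""
    bursts, start = [], None
    for i, v in enumerate(samples):
        if v > threshold and start is None:
            start = i
        elif v <= threshold and start is not None:
            bursts.append((start, i - 1))
            start = None
    if start is not None:
        bursts.append((start, len(samples) - 1))
    return bursts


def ramp_time(samples, burst, fraction=0.9):
    """Seconds from burst start until traffic first reaches `fraction` of the burst peak."""
    s, e = burst
    peak = max(samples[s:e + 1])
    for i in range(s, e + 1):
        if samples[i] >= fraction * peak:
            return i - s
    return e - s


def classify(samples, threshold, max_ramp=2, max_jitter=0.1):
    """'pulse-wave' if every burst peaks within `max_ramp` s and the period between
    burst starts varies by at most `max_jitter` (relative std dev); 'sawtooth'
    otherwise; 'single-burst' when there is no repetition to judge."""
    bursts = find_bursts(samples, threshold)
    if len(bursts) < 2:
        return "single-burst"
    ramps = [ramp_time(samples, b) for b in bursts]
    starts = [b[0] for b in bursts]
    periods = [b - a for a, b in zip(starts, starts[1:])]
    jitter = pstdev(periods) / mean(periods) if len(periods) > 1 else 0.0
    if max(ramps) <= max_ramp and jitter <= max_jitter:
        return "pulse-wave"
    return "sawtooth"


def pulse_series(phase, peak=300, on=10, period=20, cycles=4):
    """Constructed pulse wave: instant jump to `peak` for `on` s, every `period` s."""
    s = [0] * phase
    for _ in range(cycles):
        s += [peak] * on + [0] * (period - on)
    return s


def sawtooth_series(gaps, peak=300, steps=10):
    """Constructed sawtooth: linear ramp to `peak` over `steps` s, abrupt drop, uneven gaps."""
    ramp = [peak * k // steps for k in range(1, steps + 1)]
    s = [0] * 5
    for gap in gaps:
        s += ramp + [0] * gap
    return s


def botnet_output(target_a, target_b):
    """Total traffic the botnet emits when its bursts alternate between two targets."""
    return [a + b for a, b in zip(target_a, target_b)]


if __name__ == "__main__":
    a = pulse_series(phase=5)
    b = pulse_series(phase=15)  # same botnet, pointed at target B during A's quiet gaps
    print("target A:", classify(a, threshold=10))
    print("sawtooth:", classify(sawtooth_series([6, 14, 8]), threshold=10))
    print("botnet output after first pulse:", set(botnet_output(a, b)[5:]))
```

Run stand-alone, the script labels target A’s series a pulse wave, labels the ramped series a sawtooth, and reports a constant 300Gbps of combined output from the fifth second onward: the quiet gaps seen by either target are not idle time for the botnet, which is the observation Imperva draws from the pattern. In a real pipeline the series would come from flow or edge-router counters, and the ramp and jitter thresholds would be tuned to the sampling interval.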

On the plus side, this quarter saw a small dip in application layer attacks, which fell to 973 per week from an all-time high of 1,099 in Q1. However, don’t rejoice just yet.

“There is no reason to assume that the minor decline in the number of application layer assaults is the beginning of a new trend,” said Igal Zeifman, Incapsula security evangelist at Imperva—noting the change was minor at best.

Network layer assaults, meanwhile, decreased for the fifth quarter in a row, dropping to 196 per week from 296 in the prior quarter.

“The persistent year-long downtrend in the amount of network layer attacks is a strong sign of a shift in the DDoS threat landscape,” Zeifman said. “There are several possible reasons for this shift, one of which is the ever-increasing number of network layer mitigation solutions on the market. The commoditization of such services makes them more commonplace, likely driving attackers to explore alternative attack methods.”

For instance, one of the most prevalent trends Incapsula observed in the quarter was the increase in persistent application layer assaults, which have been scaling up for five quarters in a row.

In the second quarter of the year, 75.9% of targets were subjected to multiple attacks—the highest percentage Imperva has ever seen. Notably, US-hosted websites bore the brunt of these repeat assaults—38% were hit six or more times, out of which 23% were targeted more than 10 times. Conversely, 33.6% of sites hosted outside of the US saw six or more attacks, while “only” 19.5% saw more than 10 assaults in the span of the quarter.

“This increase in the number of repeat assaults is another clear trend and a testament to the ease with which application layer assaults are carried out,” Zeifman said. “What these numbers show is that, even after multiple failed attempts, the minimal resource requirement motivates the offenders to keep going after their target.”

Another point of interest was the unexpected spike in botnet activity out of Turkey, Ukraine and India.

In Turkey, Imperva recorded more than 3,000 attacking devices that generated over 800 million attack requests, more than double the rate of last quarter.

In Ukraine and India, it recorded 4,300 attacking devices, representing a roughly 75% increase from Q1 2017. The combined attack output of Ukraine and India was 1.45 billion DDoS requests for the quarter.

Meanwhile, as the origin of 63% of DDoS requests in Q2 2017 and home to over 306,000 attacking devices, China retained its first spot on the list of attacking countries.

Source: https://www.infosecurity-magazine.com/news/pulsewave-ddos-attacks-mark-q2/