Denial of Service Attack Archive

Draft U.S. government recommendations on ways to reduce the threat of automated botnets launching denial of service attacks and spreading malware are too weak, says a cyber security expert.

The report from the departments of Homeland Security and Commerce issued last week, “definitely did not go far enough,” John Pescatore, director of emerging security trends at the SANS Institute, said in an interview.

While he praised the report for urging manufacturers and end users to follow best practices in cyber hygiene, much of it came down to “let’s do the same thing we’ve been doing, but more – more information sharing, government standards,” Pescatore complained.

Instead, he said the U.S. – and all governments around the world – should use their existing buying and regulatory power to force organizations to better use current technology and force makers of Internet of Things devices to tighten their security.

For example, Pescatore said, the report suggests Washington develop profiles for denial of service protection, then go to the private sector and say it should be providing denial of service protection services. “We (already) have denial of service protection services out there,” Pescatore said. “If the government were simply to say every government Web site that touches data or provides information to the public must use denial of service protection services, that would help drive the entire market to ensure they use those types of services.

“And if it said everyone who does business with the (U.S.) government over the Internet must also be using denial of service protection services that also would help. Instead what this report did is say, ‘OK, once we can write documents that would have a government definition of denial of service protection services, then we can talk about doing something.’”

As for IoT manufacturers, Pescatore said there’s no reason for more study. Most governments already have regulatory agencies covering a wide range of products from food to medical devices to transportation that have safety mandates. They should issue cyber security regulations as well, tailored for those industries.

Instead, he said, the report suggests an ecosystem-wide solution is needed. But “making a self-driving car as secure as a medical implant is impossible.”

Pescatore isn’t the first to say regulators have to do more to control IoT devices. U.S. digital security expert Bruce Schneier said much the same thing at last November’s SecTor conference in Toronto. It was also hotly debated at the RSA Conference.

Source: https://www.itworldcanada.com/article/governments-should-use-buying-regulatory-power-to-fight-botnets-expert/400661

The devices and systems we use seem to change or get updated on a daily basis.

As the world changes and our lives become increasingly interconnected, a range of new words and phrases are frequently added to the technological lexicon.

Here are a few that have popped up during the course of “IoT: Powering the Digital Economy.”

Autonomous vehicle

A vehicle, such as a car or truck, that uses technology and sensors to drive without the need for human assistance.

Uber, Tesla and Alphabet — through its subsidiary Waymo — are just some of the big businesses working on self-driving technologies.

BIM

According to the Institution of Structural Engineers, Building Information Modeling, or BIM, is centered on utilizing digital tools “to efficiently produce information” in order to allow assets to be constructed, maintained and operated.

Biometrics

The U.S. Department of Homeland Security (DHS) describes biometrics as being “unique physical characteristics” that can be utilized for “automated recognition.” Think fingerprints, iris scans and voice recognition.

The applications of biometrics are diverse and wide ranging. Today, we can unlock our smartphones with our fingerprints and use our voices to gain access to sensitive information, such as our banking details. For its part, the DHS says it uses biometrics to, among other things, “detect and prevent illegal entry into the U.S.” and enforce federal laws.

Blockchain

A tamper-proof, distributed digital ledger that records transactions. Instead of different parties in a transaction keeping their own records of that transaction — which could potentially differ and cause confusion — blockchain creates one “master” record. This cannot be changed once a transaction has been recorded. As technology giant IBM notes: “All parties must give consensus before a new transaction is added to the network.”

DDoS

Stands for Distributed Denial of Service. The U.K.’s National Crime Agency (NCA) says that DDoS attacks usually take place when a group of “compromised, controlled computers” send messages to a computer or server simultaneously. The messages are sent involuntarily, the NCA adds.

GDPR

In the European Union, the General Data Protection Regulation will apply from May this year. It will update the 1995 Data Protection Directive, which was introduced at a time when the digital age was in its infancy, and will impact both citizens and businesses.

Among other things, the GDPR will boost people’s right to be forgotten and guarantee free, easy access to their personal data. Organizations and businesses will also have to inform people about data breaches that could negatively impact them, and do this “without undue delay.” Relevant data protection supervisory authorities will also need to be told of any breaches.

Internet of Things

The European Commission describes the internet of things as merging “physical and virtual worlds, creating smart environments.”

Think of devices that are connected to the internet and able to “talk” to one another. One example would be a thermostat in your home that you control with your smartphone from your office.

Smartphone

A cell phone that can connect to the internet, enabling users to carry out a host of tasks. These range from visiting websites and sending instant messages to taking photographs and carrying out financial transactions.

Source: https://www.cnbc.com/2018/01/11/from-the-iot-to-bim-and-ddos-to-gdpr-breaking-down-technological-jargon.html

Old Vulnerabilities still available to be exploited
R.O.B.O.T:
Return Of Bleichenbacher’s Oracle Threat

A joint study by researchers from Ruhr-Universität Bochum/Hackmanit GmbH and Tripwire VERT has revealed a re-tread of an old vulnerability from 1998 that allows an attacker to leverage RSA decryption and cryptographic operations. It does so by using the private key configured on the vulnerable TLS servers. This latest CVE, dubbed ROBOT (Return Of Bleichenbacher’s Oracle Threat), has a surprisingly large target area, affecting almost a third of the top 100 domains (according to ALEXA).

I won’t detail the history and specifics of the exploit; there is a pretty good overview over at The Hacker News and of course at the researchers’ own website, where they have provided an online and downloadable tool for testing for this exploit.

What I will bring to attention are the hardware vendors that are identified as being susceptible to this exploit even today, as the list contains some of the biggest names in the IT industry: Cisco, F5, Citrix, and the most surprising is Radware, who specialize in building cybersecurity products. Granted, some of the listed platforms are older legacy platforms, but given that the RSA cipher has been deprecated for over a decade, one would assume that patches to remove it would have been offered and applied years ago. One may be led to believe that this type of negligence is one way to incentivize customers to continually spend on expensive hardware upgrades, but of course we all know better than that…

With regard to DOSarrest and R.O.B.O.T, we’ve long known about the weakness of using RSA ciphers, and only use strong, hardened cipher suites in our operations.

If you are using one of the affected hardware vendors, we can help. With our DDoS Proxy Defense Network, we can take all HTTPS connections and ensure your origin server/s are protected from this CVE, as well as many other vulnerabilities.

Jag Bains, CTO

DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/old-vulnerabilities-still-available-to-be-exploited-robot/
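
An added example, not code from the DOSarrest post or the ROBOT researchers: ROBOT concerns cipher suites in which the client RSA-encrypts the premaster secret to the server key, so this sketch sorts a scanner's list of IANA suite names into RSA key transport (candidates for disabling) and everything else. The suite list is constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample: IANA suite names as a TLS scanner might list them for one host.
SAMPLE_SCAN = """\
TLS_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_PSK_WITH_AES_128_CBC_SHA
"""

# TLS 1.2 and earlier names look like TLS_<key exchange>_WITH_<cipher>_<mac>.
_PRE_TLS13 = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_[A-Z0-9_]+$")


def key_exchange(suite):
    """Return the key-exchange part of an IANA suite name, or 'TLS1.3'/'unknown'."""
    m = _PRE_TLS13.match(suite)
    if m:
        return m.group("kx")
    # TLS 1.3 names carry no key-exchange field; TLS 1.3 removed RSA key transport.
    return "TLS1.3" if suite.startswith("TLS_") else "unknown"


def uses_rsa_encryption(suite):
    """True when the premaster secret is RSA-encrypted to the server key.

    ECDHE_RSA and DHE_RSA use the RSA key only to sign, so they are not flagged.
    """
    return key_exchange(suite).split("_")[0] == "RSA"


def audit(scan_text):
    """Split a scanner's suite list into RSA key-transport suites and the rest."""
    suites = [line.strip() for line in scan_text.splitlines() if line.strip()]
    return {
        "rsa_key_transport": [s for s in suites if uses_rsa_encryption(s)],
        "other": [s for s in suites if not uses_rsa_encryption(s)],
    }


if __name__ == "__main__":
    for verdict, names in audit(SAMPLE_SCAN).items():
        print(verdict, *names, sep="\n  ")
```

Names that do not follow the IANA pattern land in "other" as unclassified, so review them by hand instead of treating them as cleared.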

Shortly after the Securities and Exchange Commission (SEC) warned investors to question cryptocurrency exchanges about the “substantial risks” of loss or theft of cryptocurrency, including those associated with hacking, Bitfinex reportedly experienced a distributed denial of service (DDoS) attack that paralyzed the exchange.

“We are currently under heavy DDoS. API is also down. We are working on further mitigation,” the exchange tweeted Tuesday.

Noting that “bitcoin made the top-10 most targeted industries list, despite its relatively small size and web presence,” Igal Zeifman, security evangelist at Imperva, said, “This young and exponentially growing industry presents a lucrative opportunity for extortionists and other cybercriminals who are always on the lookout for potentially vulnerable and high-profit targets.”

As bitcoin prices fluctuate, Zeifman expects to see attacks escalate. An “alarming number of attacks” over 100Mbps in Q3, “targeting a relatively high number of cryptocurrency exchanges and services,” was “likely related to a recent spike in the price of bitcoin, which more than doubled in the span of the quarter,” he said.

Tuesday’s DDoS attack against Bitfinex “could have been also launched to manipulate bitcoin prices, something offenders have been known to do,” Zeifman said.

Source: https://www.scmagazine.com/ddos-attack-paralyzes-bitfinex/article/718191/

One of the hackers also open sourced the code, enabling criminals to launch their own attacks

Three men have admitted to being the authors of the devastating Mirai botnet, which was used to launch a DDoS attack that took large parts of the internet offline last year before being widely shared with cyber criminals.

Paras Jha, 21, of Fanwood, New Jersey; Josiah White, 20, of Washington, Pennsylvania; and Dalton Norman, 21, of Metairie, Louisiana, all pleaded guilty to operating Mirai last week, in a court case unsealed by the US Department of Justice yesterday.

The trio built the botnet over the summer and autumn of 2016, targeting IoT devices like routers and wireless cameras, and targeting device vulnerabilities that would let Mirai enslave connected gadgets.

Mirai was behind one of the most effective DDoS attacks ever, hammering DNS provider Dyn with access requests from tens of millions of different IP addresses to force it offline and thereby bring down Github, Reddit, Twitter, Spotify and other huge companies that rely on Dyn to route users to their sites.