While bots are a common tool of cybercriminals for carrying out DDoS attacks and mining cryptocurrencies, a recent report found they may also be indirectly increasing the price of your airline tickets.

Distil Research Lab’s threat report, “How Bots Affect Airlines,” found that the airline industry faces unique cybersecurity challenges from bad bots, which make up 43.9 percent of traffic on airline websites, mobile apps and APIs. That is more than double the average across all industries, where bad bots account for 21.8 percent of traffic.

One European airline saw a whopping 94.58 percent of its traffic come from bad bots, according to the report, which analyzed 7.4 billion requests to 180 domains belonging to 100 airlines worldwide.

Cybercriminals use bots to compromise loyalty rewards programs, steal credentials, payment details and personal information, commit credit card fraud, and run credential stuffing attacks.

When threat actors infiltrate loyalty programs, they can shake customer confidence to the point where customers stop using the airline.

“Once a customer has been locked out of their account by a criminal changing their password, the airline has a customer service problem to solve,” the report said. “The forensics to investigate what happened inside the account is time consuming and costly.”

Researchers added that reimbursing customers for the resulting damage is a further cost imposed by these bad bots.

The only industry with a worse bot problem was gambling, where an average of 53.08 percent of traffic came from bad bots.

These malicious bots work around the clock in the airline industry: their activity is consistent every day of the week, with a peak in traffic on Friday. The majority of the bad bot traffic originates in the US, which accounts for 25.58 percent of it, followed by Singapore with 15.21 percent and China with 11.51 percent.

Researchers also found that on nearly 30 percent of the domains they reviewed, bad bots made up more than half of all traffic, and that 48.87 percent of bad bots presented Chrome as their user agent.

Not all bots are malicious, however. Some are run by travel aggregators such as Kayak and other online travel agencies to scrape prices and flight information, or by competing airlines gathering up-to-the-minute market intelligence, but even these can be a nuisance for the airline.

Some unauthorized online travel agencies (OTAs), however, use bots to scrape prices and flight information in order to get that data from the airline for ‘free’ rather than pay the associated fees under a commercial arrangement that would require a service level agreement, researchers said in the report.

To combat bad bots, researchers recommend that airlines block or CAPTCHA outdated user agents and browsers, block known hosting providers and proxy servers that host malicious activity, protect all access points (websites, mobile apps and APIs alike), investigate traffic spikes, monitor failed login attempts, and pay attention to public data breaches, since leaked credentials feed credential stuffing.
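As an added illustration of three of those recommendations (outdated user agents, known hosting ranges, and failed-login monitoring), here is a small classifier run over constructed access-log lines. This is example code written for this page, not tooling from Distil or from any airline; the log format, the sample lines, the hosting CIDR, and the minimum browser versions are all assumptions made for the example.

```python
"""Added example, not from the Distil report: apply three of its recommendations
(flag outdated user agents, flag traffic from known hosting/proxy ranges, and
watch for bursts of failed logins) to web-server access-log lines.

Log format, sample lines, IP ranges and thresholds are all constructed for the
example; production signals would come from a real bot-mitigation feed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: <iso-timestamp> <client-ip> <method> <path> <status> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Assumed "known hosting provider" range; a real deployment would load ASN/CIDR lists.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed minimum acceptable major versions (late-2018 values); anything older is
# treated as an outdated browser that a real user is unlikely to be running.
MIN_CHROME, MIN_FIREFOX = 60, 52
CHROME_RE = re.compile(r"Chrome/(\d+)\.")
FIREFOX_RE = re.compile(r"Firefox/(\d+)\.")
MSIE_RE = re.compile(r"MSIE |Trident/")


def parse_line(line):
    """Parse one constructed log line into a dict (raises ValueError on a bad line)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable line: " + line)
    ts, ip, method, path, status, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "status": int(status), "ua": ua}


def is_outdated_ua(ua):
    """True for empty UAs, Internet Explorer, or Chrome/Firefox below the assumed minimums."""
    if not ua or MSIE_RE.search(ua):
        return True
    m = CHROME_RE.search(ua)
    if m:
        return int(m.group(1)) < MIN_CHROME
    m = FIREFOX_RE.search(ua)
    if m:
        return int(m.group(1)) < MIN_FIREFOX
    return False  # unknown or other current browser: this check has no opinion


def from_hosting_range(ip):
    """True if the client IP falls inside one of the assumed hosting/proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def classify(log_text, fail_threshold=5, window=timedelta(seconds=60)):
    """Return {ip: set(reasons)} for every client that trips at least one check.

    A 'failed_login_burst' is fail_threshold or more 401s on POST /login from one
    IP inside any sliding window of `window`: the shape of credential stuffing.
    """
    reasons = defaultdict(set)
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if is_outdated_ua(e["ua"]):
            reasons[e["ip"]].add("outdated_ua")
        if from_hosting_range(e["ip"]):
            reasons[e["ip"]].add("hosting_range")
        if e["method"] == "POST" and e["path"].startswith("/login") and e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    for ip, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - fail_threshold + 1):
            if stamps[i + fail_threshold - 1] - stamps[i] <= window:
                reasons[ip].add("failed_login_burst")
                break
    return dict(reasons)


# Constructed sample traffic: a stuffing bot on an old Chrome, a scraper in a
# hosting range, and one ordinary Safari user who mistyped a password once.
OLD_CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/41.0.2272.89 Safari/537.36")
NEW_CHROME = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/70.0.3538.77 Safari/537.36")
SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/12.0 Safari/605.1.15")
SAMPLE_LOG = "\n".join([
    f'2018-11-02T09:00:01 203.0.113.10 POST /login 401 "{OLD_CHROME}"',
    f'2018-11-02T09:00:02 198.51.100.7 GET /flights?from=LHR&to=JFK 200 "{NEW_CHROME}"',
    f'2018-11-02T09:00:03 203.0.113.10 POST /login 401 "{OLD_CHROME}"',
    f'2018-11-02T09:00:04 198.51.100.7 GET /flights?from=LHR&to=CDG 200 "{NEW_CHROME}"',
    f'2018-11-02T09:00:05 203.0.113.10 POST /login 401 "{OLD_CHROME}"',
    f'2018-11-02T09:00:06 192.0.2.5 GET /flights?from=SFO&to=SEA 200 "{SAFARI}"',
    f'2018-11-02T09:00:07 203.0.113.10 POST /login 401 "{OLD_CHROME}"',
    f'2018-11-02T09:00:08 192.0.2.5 POST /login 401 "{SAFARI}"',
    f'2018-11-02T09:00:09 203.0.113.10 POST /login 401 "{OLD_CHROME}"',
    f'2018-11-02T09:00:10 192.0.2.5 POST /login 200 "{SAFARI}"',
    f'2018-11-02T09:00:11 203.0.113.10 POST /login 200 "{OLD_CHROME}"',
])

if __name__ == "__main__":
    for ip, why in sorted(classify(SAMPLE_LOG).items()):
        print(ip, sorted(why))
```

Two caveats worth keeping in mind when turning this into a real control. The user-agent check is the weakest signal, since the report itself notes that nearly half of bad bots simply claim to be Chrome, so it should gate a CAPTCHA rather than a hard block. The failed-login burst is the check that maps directly to account takeover, and the report's advice to protect every access point means running it against the API and mobile login endpoints as well as the web form, since a bot that is challenged on one will move to another.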

Source: https://www.scmagazine.com/home/security-news/bots-on-a-plane-bad-bots-cause-unique-cybersecurity-issues-for-airlines/

The election race for the governorship of the state of Georgia promises to be tight, with current estimates showing Democrat Stacey Abrams and Republican Brian Kemp in a statistical dead heat. Unfortunately, Georgia is also one of five states that still use fully electronic voting with no voter-verified paper trail, raising the specter that, if inconsistencies arise, voters could lose confidence in the result.

Like many companies, the state is behind in implementing good cyber-security measures and in maintaining visibility over its assets and vulnerabilities. One example: Officials in Kemp’s office (he is also Secretary of State, in charge of elections) used an internet-connected computer to load memory cards containing the voting-system software, potentially giving attackers a path to compromise election machines. Over the weekend, the Democratic Party of Georgia pointed out critical vulnerabilities in the election website that Kemp’s office had ignored.

The fact that the all-electronic voting machines do not produce paper ballots or any other means of auditing the system means that such vulnerabilities could affect the vote, or at least voters’ confidence in it, Marian Schneider, president of the nonprofit Verified Voting, said during a press briefing on election issues.

“That is a huge risk of attack,” she said. “The takeaway here is, yes, it is a risk, it is not a certainty, [we] can’t get the risk down to zero, but [the problem is] if something happens, it will be very hard to detect and it will be impossible to recover from it.”

As Americans head to the polls this week, Georgia’s travails underscore the cyber-security complexities of conducting elections on a budget, but its efforts, and those of other states, also hold lessons for companies. The threat landscape for elections differs from the one most companies face, but it highlights the many pathways to compromise that companies face as well.

“There is one thing for sure—we can learn a lot from this election,” said Srinivas Mukkamala, CEO of RiskSense, a cyber-threat management firm. “Trust, misinformation, cyber-physical systems, and whether this is a lot of FUD [fear, uncertainty and doubt] or are we trying to solve a real problem?”

While many of the potential attacks are ones companies see routinely, such as phishing, denial-of-service and database-injection attacks such as SQL injection, the threat landscape faced by election officials also demonstrates other, less common methods of compromise.

Here are five lessons that companies can learn from the current election security landscape.

1. Trust is valuable, so disinformation is a danger.

In May, election officials in Knoxville, Tenn., faced a nightmare: Minutes before the primary election results would be posted online, a denial-of-service attack crashed the county’s server. While the issue did not affect election results, it did cause citizens to question whether the integrity of the election was compromised, according to a news report in Vox. Attackers also used the chaos to slip into the election tally system and view the code, according to the report.

Such attacks undermine trust in election systems, as does disinformation pushed through fake accounts on social media. The infrastructure for such propaganda is enormous: Twitter removed 90 million suspect accounts in May and June, a pace that seems to be continuing.

“When you go to a restaurant, you assume that the health department has been in there—you would not buy food by some person on a street corner because there is no sense of trust,” said Shawn Henry, president of services and chief security officer for cyber-security firm CrowdStrike. “But people are consuming media every day without knowing the source.”

Companies should watch their brand on social media to maintain consumer trust in their products. In addition, service disruption should be treated as a significant risk. Attacks on either can undermine consumer confidence, Henry said.

2. Physical security is important.

At the DEFCON hacking convention in August, a group of voting-security activists taught kids techniques for hacking voting machines and tabulating systems. Among the problems found: A system used in 18 states could be hacked in two minutes by picking the lock and using a program to load malicious software onto the system.

“[I]t takes the average voter six minutes to vote,” stated a report on the results. “This indicates one could realistically hack a voting machine in the polling place on Election Day within the time it takes to vote.”

Companies need to worry about insiders with physical access to systems. Many adversaries will try to get someone hired into a company, use a contractor to gain access to sensitive areas, or co-opt someone already working there, said CrowdStrike’s Henry.

“If you are looking at comprehensive nation-state programs, they are looking at the physical aspect,” he said. “That’s not speculation. It is happening.”

3. The most obvious hack is not the most dangerous.

Because election machines are usually not connected to the internet, many election officials consider them safe. As Georgia’s election officials learned, however, there are other ways to compromise such systems.

In a court case filed in 2017, voting-security experts revealed that sensitive information on Georgia’s registered voters had already been downloaded from a purportedly secure database, that officials in the Secretary of State’s office used an internet-connected computer to load memory cards containing the voting-system software, and that the voting machines could be hacked without ever being connected to the internet, by placing malicious software on the USB memory stick.

Yet, in September, a U.S. district court judge ruled that there was not enough time to fix the issues and so allowed Georgia to continue using the all-electronic systems.

Companies should conduct threat modeling exercises to identify overlooked avenues of attack. In addition, third-party suppliers and contractors need to be evaluated as potential sources of risk, said RiskSense’s Mukkamala.

“It is not just a need to understand your own systems—you have to understand your vendors and their systems,” he said. “The unfortunate situation is that most of the election vendors are not very sophisticated in cyber-security. Often, small third-party suppliers are similarly unsophisticated.”

4. Have a crisis plan.

Because misinformation and denial-of-service on election officials’ pages can undermine trust in election systems, officials need to have a crisis response plan in place. Having such a plan in place was the primary recommendation of the DEFCON Voting Village 2018 report, which pointed to the publication of false election results in Ukraine and distributed denial-of-service (DDoS) attacks on industry and election sites as potential threats.

“Organizational leaders should anticipate what conditions might be created by a cyber attack on their systems … and create a plan for how to communicate with the public and other stakeholders under such conditions,” the report recommended. “This plan should be part of a local or state government’s overall emergency planning.”

5. When nation-states are involved, organizations need help.

The May attack on Knox County election systems, the massive efforts of Russia’s Internet Research Agency, and continuing attacks and probes on states’ election systems underscore that nation-states are seeking to disrupt U.S. elections and deepen the divisions between parties.

Companies have dealt with similar attacks for at least a decade, but defending against such well-resourced attackers is difficult. Both election systems and businesses need government collaboration to better defend against such attacks, said CrowdStrike’s Henry.

“All organizations need to understand that there are nation-states that are interested in their information,” he said. “It also provides an asymmetrical threat. There are nations that can impact the U.S., and they don’t have the weaknesses that we have.”

With the latest evidence showing not just Russian operatives targeting the U.S., but also attackers from Iran and potentially China running their own operations, the U.S. government is doing more to protect election systems and companies.

“Our adversaries are trying to undermine our country on a persistent and regular basis, whether it’s election season or not,” Christopher Wray, director of the FBI, said in an August briefing on election security. “There’s a clear distinction between activities that threaten the security and integrity of our election systems and the broader threat from influence operations designed to influence voters. With our partners, we’re working to counter both threats.”

Source: http://www.eweek.com/security/security-lessons-companies-can-learn-from-the-u.s.-elections

Kaspersky Lab has noted an overall decline in the number of DDoS attacks this year, which may be because many botnet owners have reallocated their bots’ computing power to a more profitable and relatively safe way of making money: cryptocurrency mining.

However, DDoS attacks still cause disruption even when the attackers are not seeking financial gain.

The Kaspersky Lab DDoS Q3 report notes a continuing trend of attacks aimed at educational organisations as they open their doors after the long summer and students head back to school.

Attackers were most active in August and September, as shown by the sharp increase in DDoS attacks on educational institutions at the start of the academic year.

This year, the most prominent attacks hit the websites of one of the UK’s leading universities – the University of Edinburgh – and the US vendor Infinite Campus, which supports the parent portal for numerous city public schools.

Analysis from Kaspersky Lab experts has found that the majority of these DDoS attacks were carried out during term time and subsided during the holidays.

The British organisation Jisc obtained more or less the same result.

After collecting data about a series of attacks on universities, it determined that the number of attacks fell when students were on holiday.

The number of attacks also decreases outside of study hours, with DDoS interference in university resources mainly occurring between 9am and 4pm.

Overall, between July and September, DDoS botnets attacked targets in 82 countries.

China was once again first in terms of the number of attacks.

The US returned to second after losing its place in the top three to Hong Kong in Q2.

However, third place is now occupied by Australia, the first time it has ranked that high since Kaspersky Lab’s DDoS reports began.

There have also been changes in the top 10 countries with the highest number of active botnet C&C servers.

As in the previous quarter, the US remained in first place, but Russia moved up to second, while Greece came third.

Kaspersky DDoS protection business development manager Alexey Kiselev says, “The top priority of any cybercriminal activity is gain.

“However, that gain doesn’t necessarily have to be financial. The example of DDoS attacks on universities, schools and testing centres presumably demonstrates attempts by young people to annoy teachers, institutions or other students, or maybe just to postpone a test.

“At the same time, these attacks are often carried out without the use of botnets, which are, as a rule, only available to professional cybercriminals, who now seem to be more concerned with mining and conducting only well-paid attacks.

“This sort of ‘initiative’ shown by students and pupils would be amusing if it didn’t cause real problems for the attacked organisations which, in turn, have to prepare to defend themselves against such attacks,” Kiselev says.

Source: https://datacentrenews.eu/story/universities-seeing-rise-in-ddos-attacks

Servers for Square Enix Co.’s popular online game “Final Fantasy XIV” have been hit by a series of cyberattacks since early October, preventing some users from accessing the service, the publisher said Thursday.

The distributed denial of service (DDoS) attacks, in which multiple hacked computers are used to flood the target system, were carried out to an “unprecedented extent” against data centers in Japan, North America and Europe, Square Enix said.

The identities of the attackers are not yet known, although information security experts suspect links to cheap online services that carry out DDoS attacks for hire.

Two major attacks in early October and late October prevented game players from logging in to the service or cut off their connections for up to 20 hours, according to the company.

Square Enix has taken steps against the attacks but the servers were attacked again Tuesday night, disrupting the service for some 50 minutes.

“FFXIV” had previously been subjected to DDoS attacks. A study by a U.S. internet company showed that some 80 percent of DDoS attacks worldwide target game services.

“The attacks may have been carried out by people who commit the offense for pleasure, hold a grudge against the company or seek money,” said Nobuhiro Tsuji, an information security expert.

“The attacks have extended over a long period, and, while it is costly, there is no choice but to boost countermeasures,” the expert at SoftBank Technology Corp. said.

In 2014, a high school student in Kumamoto Prefecture was found to have used an online DDoS attack service to disrupt a different game company’s operations after he became frustrated with the way the game services were managed. He was referred to prosecutors the same year.

Source: https://www.japantimes.co.jp/news/2018/11/01/business/tech/players-affected-online-game-final-fantasy-xiv-hit-unprecedented-cyberattacks/#.W9yKTuIpCUk

Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was – that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer and ask each machine to send a signal back to a control server, which would keep count.

The program worked well – too well, in fact. Morris had known that if it traveled too fast there might be problems, but the limits he built in weren’t enough to keep the program from clogging up large sections of the internet, both copying itself to new machines and sending those pings back. When he realized what was happening, even his messages warning system administrators about the problem couldn’t get through.

His program became the forerunner of a particular type of cyber attack called “distributed denial of service,” in which large numbers of internet-connected devices, including computers, webcams and other smart gadgets, are told to send lots of traffic to one particular address, overloading it with so much activity that either the system shuts down or its network connections are completely blocked.

As the chair of the integrated Indiana University Cybersecurity Program, I can report that these kinds of attacks are increasingly frequent today. In many ways, Morris’s program, known to history as the “Morris worm,” set the stage for the crucial, and potentially devastating, vulnerabilities in what I and others have called the coming “Internet of Everything.”

Unpacking the Morris worm

Worms and viruses are similar, but differ in one key way: A virus attaches itself to a host program or file and only runs when a user or a hacker runs that host. A worm, by contrast, hits the ground running all on its own, spreading from machine to machine over the network. For example, even if you never open your email program, a worm that gets onto your computer might email a copy of itself to everyone in your address book.

In an era when few people worried about malicious software and nobody had protective software installed, the Morris worm spread quickly. It took researchers at Purdue and Berkeley 72 hours to halt it. In that time, it infected an estimated 6,000 systems, about 10 percent of the computers then on the internet. Cleaning up the infection cost hundreds or thousands of dollars for each affected machine.

In the clamor of media attention about this first event of its kind, confusion was rampant. Some reporters even asked whether people could catch the computer infection. Sadly, many journalists as a whole haven’t gotten much more knowledgeable on the topic in the intervening decades.

Morris wasn’t trying to destroy the internet, but the worm’s widespread effects resulted in him being prosecuted under the then-new Computer Fraud and Abuse Act. He was sentenced to three years of probation and a roughly US$10,000 fine. In the late 1990s, though, he became a dot-com millionaire – and is now a professor at MIT.

Rising threats

The internet remains subject to much more frequent – and more crippling – DDoS attacks. With more than 20 billion devices of all types, from refrigerators and cars to fitness trackers, connected to the internet, and millions more being connected weekly, the number of security flaws and vulnerabilities is exploding.

In October 2016, a DDoS attack using thousands of hijacked webcams – often used for security or baby monitors – shut down access to a number of important internet services along the eastern U.S. seaboard. That event was the culmination of a series of increasingly damaging attacks using a botnet, or a network of compromised devices, which was controlled by software called Mirai. Today’s internet is much larger, but not much more secure, than the internet of 1988.

Some things have actually gotten worse. Figuring out who is behind particular attacks is not as easy as waiting for that person to get worried and send out apology notes and warnings, as Morris did in 1988. In some cases – the ones big enough to merit full investigations – it’s possible to identify the culprits. A trio of college students was ultimately found to have created Mirai to gain advantages when playing the “Minecraft” computer game.

Fighting DDoS attacks

Technological tools alone are not enough, and neither are laws and regulations about online activity, including the law under which Morris was charged. The dozens of state and federal cybercrime statutes on the books have not yet seemed to reduce the overall number or severity of attacks, in part because of the global nature of the problem.

There are some efforts underway in Congress to allow attack victims in some cases to engage in active defense measures, a notion that comes with a number of downsides, including the risk of escalation, and to require better security for internet-connected devices. But passage is far from assured.

There is cause for hope, though. In the wake of the Morris worm, Carnegie Mellon University established the world’s first Computer Emergency Response Team (CERT), a model since replicated in the federal government and around the world. Some policymakers are talking about establishing a national cybersecurity safety board to investigate digital weaknesses and issue recommendations, much as the National Transportation Safety Board does with airplane disasters.

More organizations are also taking preventative action, adopting best practices in cybersecurity as they build their systems, rather than waiting for a problem to happen and trying to clean up afterward. If more organizations considered cybersecurity as an important element of corporate social responsibility, they – and their staff, customers and business partners – would be safer.

In “3001: The Final Odyssey,” science fiction author Arthur C. Clarke envisioned a future where humanity sealed the worst of its weapons in a vault on the moon – which included room for the most malignant computer viruses ever created. Before the next iteration of the Morris worm or Mirai does untold damage to the modern information society, it is up to everyone – governments, companies and individuals alike – to set up rules and programs that support widespread cybersecurity, without waiting another 30 years.