As the denial of service (DDOS) attack against Dyn shook the internet a little over a week ago, it brought to the public forefront the changing dynamics of power in the online world. In the kinetic world of the past, the nation state equivalent was all-powerful, since it alone could raise the funds necessary to support the massive military and police forces necessary to command societies. In the online world, however, the “armies” being commanded are increasingly used against their will, massive networks of infected drone machines formed into botnets. The cost of acquiring, powering, cooling, connecting and operating these virtual soldiers are borne by private individuals and corporations, with criminal enterprises able to co-opt them into massive attack botnets. What does this suggest is in store for the future of the online world? The notion of using large botnets to launch globally distributed DDOS attacks is by no means a new concept and in fact has become a hallmark of the modern web. Indeed, I remember as a freshman in college 16 years ago seeing a new Linux server installed where I worked one morning and seeing the same machine being carted off by the security staff that afternoon after it had been hacked and converted into a botnet drone just a few hours after being plugged in. What makes the attack against Dyn so interesting is the scale at which it occurred and its reliance on compromised Internet of Things devices, including DVRs and webcams, allowing it to command a vastly larger and more distributed range of IP addresses than typical attacks. Making the attack even more interesting is the fact that it appears to have relied on open sourced attack software that makes it possible for even basic script kiddies to launch incredibly powerful attacks with little knowledge of the underlying processes. This suggests an immense rebalancing in the digital era in which anyone anywhere in the world, all the way down to a skilled teenager in his or her parent’s basement in a rural village somewhere in a remote corner of the world, can take down some of the web’s most visible companies and wreak havoc on the online world. That preliminary assessments suggest that the attack was carried out by private actors rather than a nation state only reinforces this shift in online power. Warfare as a whole is shifting, with conflict transforming from nations attacking nations in clearly defined and declared geographic battlespaces to ephemeral flagless organizations waging endless global irregular warfare. In the cyber domain, as the battleground of the future increasingly places individuals and corporations in the cross hairs, this raises the fascinating question of how they can protect themselves? In particular, the attack against Dyn largely mirrored an attack against Brian Krebs’ Krebs on Security blog last month, which raises the specter of criminals and nations being able to increasingly silence their critics, extort businesses and wreak havoc on the online world, perhaps even at pivotal moments like during an election day. In the physical world, the nation state offers protection over the physical assets of companies operating in its territories, with military and police forces ensuring the sanctity of warehouses, office buildings and other tangible assets. However, in the digital world, state hackers from one country can easily compromise and knock offline the ecommerce sites of companies in other nations or leak their most vital secrets to the world. In the case of Brian Krebs’ site, his story thankfully has a happy ending, in which Alphabet’s Jigsaw (formerly Google Ideas) took over hostingof his site under their Project Shield program. Project Shield leverages Google’s massive global infrastructure to provide free hosting for journalistic sites under sustained digital attack, protecting them from repressive governments and criminal enterprises attempting to silence their online voices. Looking to the future, what options do companies have to protect themselves in an increasingly hostile digital world? Programs such as the Project on Active Defense by George Washington University’s Center for Cyber & Homeland Security are exploring the gray space of proactive countering and highly active response to cyberattacks. For example, what legal and ethical rights does a company have to try and stop an incoming cyberattack? Can it “hack back” and disable key command and control machines in a botnet or take other active approaches to disrupt the incoming traffic? What happens if a company remotely hacks into a control machine to disable it and it turns out it is an infected internet-connected oven in someone’s house and in the process of disabling it, the oven malfunctions and turns to maximum heat and eventually catches fire and burns the house down? Is the company responsible for the damage and potential loss of life? What legal responsibilities and liabilities do device manufacturers have to develop a more secure Internet of Things? If a company in 2016 still sells devices with default administrative passwords and well-known vulnerabilities that make them easy prey for botnets, should the companies bear the same burden as any other consumer safety issue? As over-the-air remote security updates become more common, should legislation be passed to require all consumer devices have the ability to be remotely updated with security patches? As the modern web celebrates more than 20 years of existence, somewhere over those last two decades the web has gone from a utopia of sharing and construction of a brighter future to a dystopia of destruction and unbridled censorship. Will the web grow up and mature to a brighter security future or will it descend into chaos with internet users fleeing to a few walled gardens like Facebook that become the “safe” version of the web? Only time will tell. Source: http://www.forbes.com/sites/kalevleetaru/2016/10/31/the-dyn-ddos-attack-and-the-changing-balance-of-online-cyber-power/#73a1613de230
The recent massive DDoS attack against DNS provider Dyn has jolted (some of) the general public and legislators, and has opened their eyes to the danger of insecure IoT devices. It is clear by now that it will take joint action by all stakeholders – users, manufacturers, the security industry, ISPs, law enforcement and legislators – to put an end to this particular problem, but it will take quite some time. Theoretical stopgap solutions In … More ?
Can we extinguish the Mirai threat?
Bet shops ready for old layer 3 stayers, less for IoT swoopers, says Akamai “The race that stops a nation” could also stop betting agencies if the regular barrage of timely distributed denial of service attack (DDoS) extortionists utilise insecure embedded devices, Akamai says.…
Read more here:
Melbourne Cup is ‘top op for hacked camera DDoS extortionists’
When Mary Shelley wrote Frankenstein, she imagined the misguided doctor assembling his creature from dead body parts, who instead of elevating science, created something dark and terrible. A modern day Mary might well imagine the monster being assembled, not from arms and legs, from nanny-cams, door locks, and DVRs. It would be hard to miss the events of the past few weeks. In September, security reporter Brian Krebs was hit by a massive DDoS attack. … More ?
See the original article here:
Building the IoT monster
And break every computer crime law along the way A GitHub user going by Leo Linsky has forked a repo created by researcher Jerry Gamblin to create an anti-worm “nematode” that could help to patch vulnerable devices used in the massive Mirai distributed denial of service attack.…
See the article here:
Boffin’s anti-worm bot could silence epic Mirai DDoS attack army
The Internet of Things: blessing or curse? That depends on how much you value your privacy against the ability of your fridge to order fresh milk. Either way, we are now more vulnerable to hackers. Here’s how. I won’t even attempt to answer the question in my opening gambit. Who can say for sure this early whether the Internet of Things is a blessing or a curse (aside from the fact that clichés are always a curse). For one this is something we all have to decide for ourselves – hopefully, after diligent public debate. We all have to decide what privacy is in the digital era, and whether it’s important to us. We may support more stringent data protection laws, even a global bill of rights. Or we may find ourselves in the “post-privacy” camp and not really care. It also depends on how highly we value our digital security. Unbeknownst to us Take the DDoS (distributed denial-of-service) attack that brought down a litany of popular websites last Friday (21.10.2016). The affected websites included Esty, Github, HBO Now, PayPal, Pinterest, Playstation Network, Recode, Reddit, Spotify, Twitter, Netflix, Yammer, and Yelp. Your fridge, your mom’s webcam, computers at the local school, and a kid’s doll may have all taken part – without your even knowing it. Someone, somewhere launched a piece of malware called Mirai. We’ve known about Mirai – so something was in the wind. And DDoS attacks themselves have been around for ages. Mirai searched for poorly-protected, networked devices. That is, household devices that had little or no password protection. Reports suggest these included DVRs and webcams made by a Chinese company called Hangzhou XiongMai, which has since issued a recall on its webcams in the US. Mirai turned the connected devices into its slaves. They then launched the DDoS attack on servers run by Dyn, a so-called DNS host, and home to all those websites. Usually, when you call up a website, your “request” goes via one of these servers. But when the servers are overloaded with bad requests consisting of incomplete data, or they are bombarded with more requests than they can handle, they basically freak out. And no one is served. That’s what happened on Friday. Your fridge, webcam, toy truck and thousands more emitted a coordinated attack of useless information, bringing down some of the world’s most popular websites. The rest is history… Friday’s Mirai attack may well be history now, but it’s one which will surely repeat itself. Many, many times. The question is, where will it all end? If it’s only Netflix and Spotify you can’t access, you may really not care. Certainly if they are back up and running within a few hours. But what if it’s a vital government website, online access to your local hospital, the police, or the energy grid… and what if the attack lasts for days, weeks even? This is what we mean when we talk about cybersecurity. Private, commercial concerns, even dating apps, shouldn’t come into it. And yet what we do – and allow – at a private level can have a momumental impact on society. We may think it’s just the fridge ordering our milk or Barbie chatting to our kids. But we forget that every electronic device these days – especially those connected to the network – is vulnerable to hackers. And the Mirai attack has reminded us they can all be reprogrammed to do whatever the hackers want. Source: http://www.dw.com/en/how-our-household-devices-get-hacked-and-join-zombie-bot-networks-in-ddos-attacks/a-36181744
There’s no shortage of conspiracy theories when it comes to guessing who’s behind cyber attacks. So when it was announced that a distributed denial of service (DDoS) attack was behind last week’s crash of an Ontario online literacy test for about 190,000 high school students the list was long. –One of the thousands of computer-literate students who want to Get Back At the Education System? (No shortage of them…) –One of the tens of thousands of Ontario high school graduates who want to Get Back At the Education System (Some of whom are reading this right now …) –General mischief makers around the world (Really no shortage of them) –The usual suspects blamed for everything bad (Russia, China). OK, probably not Russia and China. But with DDoS-as-a-service available on the dark web (all you need is Tor and a credit card) and — here’s the tricky part — the right URL — it’s not hard to launch an attack anywhere on the planet. Who had that URL and how they got hold of it is the question. It may not have been that hard because last week’s test was preceded by earlier, smaller ones. What we do know for sure is that on Monday the provincial Education Quality and Accountability Office (EQAO) said the Oct. 20 province-wide trial of the online Ontario Secondary School Literacy Test (OSSLT) had to be terminated because of what it called an “intentional, malicious and sustained” DDoS attack. “An extremely large volume of traffic from a vast set of IP addresses around the globe was targeted at the network hosting the assessment application,” the office said in a statement. No personal or private student information was compromised, it added. According to a statement Thursday from the EQAQ, a third party hosted the application. “We planned for a variety of cyber incidents,” the statement said, “but we are unable to disclose the specifics of this information because of the need to protect our infrastructure’s security. What we can say, however, is that we did not anticipate a DDOS of this magnitude. A forensics firm is investigating. “We were shocked to learn that someone would deliberately interfere with the administration of the online OSSLT,” Richard Jones, the office’s director of assessment, said in a statement. “There will be discussions over the next few weeks to determine how to strengthen the system, and we will continue to work with Ontario’s education community to understand how best to use online assessments to benefit our province’s students.” —Richard Jones, Director, Assessment Last week’s exercise was was a voluntary trial to test the system’s readiness before the regularly scheduled administration of the OSSLT — either online or on paper — in March 2017. The office is determined to keep to that schedule. Source: http://www.itworldcanada.com/article/ontario-literacy-test-abandoned-due-to-ddos-attack/387852
Exploit can halt attacks from IoT devices Security researchers have discovered flaws in the Mirai botnet that might be used to mitigate against future attacks from the zombie network.…
Recent cyber-attacks using botnet armies of hacked “internet of things” devices highlights the pressing need for improved security.
Smart home threat
The nation’s top intelligence official on Tuesday said state-sponsored hackers likely weren’t behind the distributed denial-of-service (DDoS) attacks that disrupted internet access across the United States last week. Weighing in on the outages during an event at the Council on Foreign Relations in Washington, D.C., National Intelligence Director James Clapper said investigators believe a “non-state actor” was likely responsible for the DDoS attacks that made it difficult to access some of the world’s most popular websites Friday. “That appears to be preliminarily the case,” Mr. Clapper said, The Hill reported. “But I wouldn’t want to be conclusively definitive about that, specifically whether a nation state may have been behind that or not.” “The investigation’s still going on,” he added. “There’s a lot of data going on here.” Beyond the Beltway, private sector security researchers like those employed by Flashpoint, a business risk intelligence firm that’s analyzed the attacks, hold a similar opinion. “Despite public speculation, Flashpoint assesses with a moderate degree of confidence that the perpetrators behind this attack are most likely not politically motivated, and most likely not nation-state actors,” its researchers wrote Tuesday. In fact, Flashpoint said its investigation revealed that the same infrastructure used to disrupt access to websites like Twitter and Netflix was also used to attack a well-known video game company — an indication that the culprits of the crippling DDoS weren’t necessarily waging assault on behalf of a foreign power. “While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors or social justice communities, and aligns more with the hackers that frequent online hacking forums,” Flashpoint’s researchers wrote. “These hackers exist in their own tier, sometimes called ‘script kiddies,’ and are separate and distinct from hacktivists, organized crime, state-actors, and terrorist groups. They can be motivated by financial gain, but just as often will execute attacks such as these to show off, or to cause disruption and chaos for sport.” “I think they are right,” agreed Mikko Hypponen, chief research officer for security firm F-Secure. “I don’t believe the Friday attackers were financially or politically motivated. It was such an untargeted attack, it’s hard to find a good motive for it. So: kids,” he told TechCrunch. As authorities attempt to identify the culprits responsible for waging last week’s DDoS attacks, investigators have at least found out how the hackers were able to disrupt internet access North America and Europe. Researchers say the outage occurred after hackers compromised millions of internet-connected household devices like video recorders and digital cameras, then used those products to overload a widely used Domain Name System (DNS) — an online directory that enables web users to navigate from site to site. The director of the Department of Homeland Security said Monday that DHS has “been working to develop a set of strategic principles for securing the Internet of Things, which we plan to release in the coming weeks.” Source: http://www.washingtontimes.com/news/2016/oct/26/historic-ddos-attack-likely-waged-by-non-state-act/