
60 Cybersecurity Predictions For 2019

I’ve always been a loner, avoiding crowds as much as possible, but last Friday I found myself in the company of 500 million people. The breach of the personal accounts of Marriott and Starwood customers forced us to join the 34% of U.S. consumers who experienced a compromise of their personal information over the last year. Viewed another way, there were 2,216 data breaches and more than 53,000 cybersecurity incidents reported in 65 countries in the 12 months ending in March 2018.

How many data breaches will we see in 2019, and how big are they going to be?

No one has a crystal ball this accurate and it’s difficult to make predictions, especially about the future. Still, I made a brilliant, contrarian, and very accurate prediction last year, stating unequivocally that “there will be more spectacular data breaches” in 2018.

Just like last year, this year’s 60 predictions reveal the state-of-mind of key participants in the cybersecurity industry (on the defense team, of course) and cover all that’s hot today. Topics include the use and misuse of data; artificial intelligence (AI) and machine learning as a double-edged sword helping both attackers and defenders; whether we are going to finally “get over privacy” or see our data finally being treated as a private and protected asset; how the cloud changes everything and how connected and moving devices add numerous security risks; the emerging global cyber war conducted by terrorists, criminals, and countries; and the changing skills and landscape of cybersecurity.

It’s the data, stupid

“While data has created an explosion of opportunities for the enterprise, the ability to collaborate on sensitive data and take full advantage of artificial intelligence opportunities to generate insights is currently inhibited by privacy risks, compliance and regulation controls. The security challenge of ‘data in use’ will be overcome by applying the most universal truth of all time—mathematics—to facilitate data collaboration without the need for trust from either side. For example, ‘zero-knowledge proof’ allows proof of a claim without revealing any other information beyond what is claimed. Software that is beyond trust and based on math will propel this trend forward”—Nadav Zafrir, CEO, Team8
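The quote above uses ‘zero-knowledge proof’ as its example of proving a claim without revealing anything else. The following is an added illustration, not code from the article or from Team8: a Schnorr-style proof of knowledge of a discrete logarithm in Python. The prover convinces the verifier that it knows the secret x behind a public value y = G^x without ever sending x, and the `simulate` function shows why the transcript leaks nothing: an accepting interactive transcript can be manufactured by someone who does not know x at all. The group parameters (P = 1019, Q = 509, G = 4) are toy values constructed for readability; real deployments use 2048-bit+ groups or elliptic curves.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example only. P is a safe prime,
# Q = (P - 1) / 2 is prime, and G = 4 (a square mod P) generates the subgroup
# of prime order Q. Real deployments use 2048-bit+ groups or elliptic curves.
P = 1019
Q = 509
G = 4


def keygen(x=None):
    """Secret x in [1, Q-1] and the public value y = G^x mod P (the 'claim')."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Prover step 1: fresh random r and the commitment t = G^r mod P."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def challenge(y, t):
    """Challenge in Fiat-Shamir form: hash the transcript so the prover
    cannot choose t after seeing c (a verifier could instead pick c at random)."""
    digest = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def respond(x, r, c):
    """Prover step 2: s = r + c*x mod Q. The random r masks x, so s reveals nothing about x."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier check: G^s == t * y^c (mod P). Holds iff s was built from the x behind y."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def prove(x, y):
    """Complete non-interactive proof that the prover knows x with y = G^x, without sending x."""
    r, t = commit()
    c = challenge(y, t)
    return t, c, respond(x, r, c)


def verify_proof(y, proof):
    """Non-interactive verification: recompute the challenge, then run the group check."""
    t, c, s = proof
    return c == challenge(y, t) and verify(y, t, c, s)


def simulate(y):
    """Produce an accepting (t, c, s) for the interactive protocol WITHOUT knowing x,
    by choosing c and s first and solving t = G^s * y^(-c). That such a simulator
    exists is exactly why an honest transcript reveals nothing beyond the claim:
    the verifier could have produced an identical-looking one alone. (Fiat-Shamir
    binds c to t, so this shortcut does not yield a valid non-interactive proof.)"""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    y_c_inv = pow(pow(y, c, P), P - 2, P)  # modular inverse of y^c via Fermat's little theorem
    t = (pow(G, s, P) * y_c_inv) % P
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    print("honest proof accepted:", verify_proof(y, prove(x, y)))
    print("proof with wrong secret accepted:", verify_proof(y, prove((x + 1) % Q, y)))
    print("simulated transcript passes interactive check:", verify(y, *simulate(y)))
```

The verifier learns only that the prover knows some x with G^x = y; the response s is uniformly random in the verifier's view because r is. The one caveat worth noting for the toy parameters: with Q = 509 a wrong secret still has a 1-in-509 chance of passing (when c happens to be 0), which is why real parameters are hundreds of bits.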

“IT security in 2019 is no longer going to simply be about protecting sensitive data and keeping hackers out of our systems. In this day and age of big data and artificial intelligence—where cooperation on data can lead to enormous business opportunities and scientific and medical breakthroughs—security is also going to have to focus on enabling organizations to leverage, collaborate on and monetize their data without being exposed to privacy breaches, giving up their intellectual property or having their data misused. Cybersecurity alone is not going to be enough to secure our most sensitive data or our privacy. Data must be protected and enforced by technology itself, not just by cyber or regulation. The very technology compromising our privacy must itself be leveraged to bring real privacy to this data-driven age”—Rina Shainski, Co-founder and Chairwoman, Duality Technologies

AI is a dual-use technology

“AI-driven chatbots will go rogue. In 2019, cyber criminals and black hat hackers will create malicious chatbots that try to socially engineer victims into clicking links, downloading files or sharing private information. A hijacked chatbot could misdirect victims to nefarious links rather than legitimate ones. Attackers could also leverage web application flaws in legitimate websites to insert a malicious chatbot into a site that doesn’t have one. In short, next year attackers will start to experiment with malicious chatbots to socially engineer victims. They will start with basic text-based bots, but in the future, they could use human speech bots to socially engineer victims over the phone or other voice connections”—Corey Nachreiner, CTO, WatchGuard Technologies

“While next-gen technology like Artificial Intelligence (AI) and Machine Learning (ML) are transforming many enterprises for the better, they’ve also given rise to a new breed of ‘smart’ attacks. The ability to scale and carry out attacks is extremely enticing to cybercriminals, including use of intelligent malware. The rise in next-gen threats means that security professionals must be extra vigilant with detection and training against these threats, while also adopting new automated prevention methods”—John Samuel, Senior Vice President and Global Chief Information Officer, CGS

“Cyber defenders have been researching and working on their machine learning/AI/deep learning for a long time. We expect over the next 5 years that these technologies will also empower adversaries to create more powerful and elusive attacks through a new generation of tools, tactics and procedures. While AI/ML-savvy offensive cybercriminals are in their infancy, this is like any other business. They will invest in whatever provides them the greatest return. Unlike defenders, those on the offense are willing to collaborate and share innovation freely, which could increase rapid development and innovation”—David Capuano, CMO and VP Sales, BluVector

“Automation is the name of the game in security and machine learning is here to help. AI is all about automating expert systems, and security is all about experts answering some form of the question: ‘Does this matter? Does this alert matter? Is this vulnerability risky?’ Machine learning will help filter out the noise, so that the limited number of practitioners out there can use their time most efficiently”—Michael Roytman, chief data scientist, Kenna Security

“Recent updates to exploit kits, specifically natural language and artificial intelligence capabilities, have made the automation of highly convincing and unique social engineering emails a very simple process. Meaning, an attacker can upload a file with one million email addresses and can automate the creation of effective and unique phishing messages to send out to victims”—Brian Hussey, VP of Cyber Threat Detection and Response, Trustwave SpiderLabs

“When it comes to using AI in cybersecurity, be wary. AI offers companies huge potential, but it is a largely untapped area. If you do plan to implement it, do a proof of concept to make sure that it integrates into your company’s environment, ensuring that you’re getting the maximum value”—Joan Pepin, CISO and VP of Operations, Auth0

“The focus on artificial intelligence in cybersecurity has led to an arms war, with vendors ratcheting up claims about the number of models or features to sensational levels. In 2019, the focus will shift from quantity to quality of features. Both vendors and their users will recognize that fewer, more precise features can improve threat detection rates, while ensuring virtually zero false positives”—Adrien Gendre, North American CEO, Vade Secure

“As AI-enabled apps continue to proliferate, companies will face a rise in accidental vulnerabilities. Expect to hear about more breaches that aren’t a result of a hack, but can be mapped back to developers leaving large data pools (which power AI-enabled applications) accidentally unprotected. Companies need to be vigilant when working with large data pools, especially customer data, that feed AI in services like Amazon, Facebook and Google, and always double check their configurations”—Alex Smith, Director of Security Products, Intermedia

“With fraud attack rates expected to continue to increase in 2019, costing e-commerce retailers billions of dollars, AI is poised to play a huge role in stopping bad actors in real-time before they strike. Artificial intelligence and machine learning, enhanced by human research, have the ability to protect online merchants from abuse at both the account level and the point of transaction. AI-driven solutions are becoming a necessity because they instantly prevent fraud, enabling retailers to scale and keep up with the e-commerce giants without sacrificing the consumer experience. Finally, fraud prevention models that use AI can be personalized based on a nuanced understanding of each merchant’s specific pain points and historical data”—Michael Reitblat, Co-Founder and CEO, Forter

The emerging global cyber war

“Terrorist-related groups will attack population centers with crimeware-as-a-service. While terrorist-related groups have been tormenting organizations and individuals for years, we anticipate more potentially destructive attacks in 2019. Instead of breaking systems with ransomware, adversaries will leverage new tools to conduct harmful assaults on targeted subjects and organizations. From attacks on data integrity that essentially kill computers to the point of mandatory hardware replacements, to leveraging new technology for physical assaults such as the recent drone attack in Venezuela, attack surfaces are growing and enemies will take advantage. To combat this, organizations must take inventory of their attack landscape to identify and mitigate potential threats before they are exploited”—Malcolm Harkins, Chief Security and Trust Officer, Cylance

“We expect nation-state threats to increase significantly in 2019, particularly targeting critical infrastructure. Critical infrastructure systems are extremely vulnerable to both cybersecurity and physical security risks. State-sponsored threats and high-level hackers are constantly looking to gain access to the critical infrastructure of nations worldwide, with the intent of hitting some of our most valuable systems (national security, public health, emergency communications, and more)”—Mike McKee, CEO, ObserveIT

“The nature of cyberwarfare is changing. Russia has led the way in the use of targeted cyber actions as part of larger objectives, and now other nation states are looking to follow the same playbook. While a direct cyberwar is not on the horizon, there will continue to be smaller proxy cyber wars as part of regional conflicts where larger nation state actors provide material support to these smaller conflicts. These regional conflicts will be testing grounds for new tactics, techniques and procedures as larger nation states determine how cyber warfare integrates into their larger military objectives. Nation states will also start experimenting more this year in adding ‘disinformation’ campaigns as part of their cyber warfare efforts. These kinds of attacks will make true attribution more difficult”—Sean McNee, Senior Data Scientist, DomainTools

“As the cyber threat landscape intensifies, adversaries will continue to discover new avenues for attacks. Although satellites aren’t the most common attack surface, it is important for industry professionals to acknowledge the capabilities that threat actors hold over them. Security concerns continue to grow within the satellite industry, with execs even forming a government-backed clearinghouse to share information on cyber threats to space assets. From military satellites to GPS technology and even communication satellites, adversaries are able to conduct targeted attacks to gain access to these crucial systems—some of which are highly classified networks. As these threat actors refine their skills, we anticipate major attacks on satellite systems as a new form of nation-state warfare”—John Cassidy, CEO and Co-Founder, King & Union

The year of protected privacy, finally?

“Managing privacy will be the new normal, like securing data or paying taxes. Privacy will continue on a similar path as the evolution of cybersecurity. The number of breaches and privacy-related incidents will continue to rise, up and to the right. This rise will be comprised of peaks and valleys. Like with security, a standard of constant privacy will become the new normal. For example, while many organizations treated GDPR as a project, with a finite end, compliance is a continuous exercise that requires the same focus and vigilance as security or taxes”—Chris Babel, CEO, TrustArc

“Consumers will start to reclaim control and monetize their data. Ownership of customer data will transition away from businesses and back toward customers themselves, and new services will emerge that empower customers to even monetize their own personal data and rent it back to companies. Data is the fuel that powers AI, and customers will realize they have the power to drive their own AI-based experiences by reclaiming data control”—Dr. Rob Walker, vice president, decision management and analytics, Pegasystems

“GDPR was a great first step, but global regulation and governance still remain a complex web. The United States will continue to fall further and further behind in competency and international relations as our federal compliance efforts simply aren’t moving fast enough to meet worldwide requirements. Countries where privacy is prioritized and seamlessly integrated will see the most optimal growth”—Tomas Honzak, Chief Information Security Officer, GoodData

“Data protection legislation will continue to influence societal expectations on security, which will trickle down to companies and their supply chains. Consumers have always felt protective of their data, but with new legislation redefining the data landscape, consumers have grown more confident in demanding their data be treated with respect, that its uses are kept visible and clear, and that it is used only as they agreed. The pressure these new societal expectations will exert cannot be overstated, both on public-facing companies and through them all the way down their supply chains. Make no mistake, security and data handling are seen now by all successful companies to be as critical to business and contracts as confidentiality and liability limits have always been”—Geoff Forsyth, CTO, PCI Pal

“There will be a lot more focus on privacy and security of connected cars. The information from the connected car is arguably more sensitive than our credit card information – where do we go, when do we go there, when are we home, where do we shop and work, where do our kids go to school and what locations do we go to at what time. There will be breaches of this personal information and bad things that happen as a result. There will be more of the takeover scenarios where an external (bad) actor can take over the technology. This too will result in backlash and involvement of political and legal entities to begin to make laws and precedents. What can law enforcement access and discover to use for investigation purposes?”—Todd Walter, chief technologist, Teradata

“As privacy concerns grow, there will be an increasing interest in privacy-preserving machine-learning techniques that are able to train accurate models without compromising privacy”—Prasad Chalasani, Chief Scientist, MediaMath

“The global regulatory environment will become more challenging as regulators and governments worldwide continue to strive to implement better data privacy protection as was done with GDPR. While this is great progress, we’re going to see these governments counter to gain more access to information”—Phil Dunkelberger, CEO, Nok Nok Labs

“As governments implement new data privacy regulations, enterprises will increasingly adopt a ‘Privacy First’ approach to data management. However, the challenges these enterprises will face as they seek to integrate data privacy best practices into their existing applications, as well as new mobile, IoT and other applications, will be significant. Enterprises will need AI-powered, automated, outcome-driven data management solutions to address these challenges if they hope to implement strong data privacy policies without sacrificing productivity or agility”—Don Foster, senior director of worldwide solutions marketing, Commvault

“In 2019, the US government will NOT adopt any new digital privacy policies despite the recent congressional hearings with Twitter, Facebook, Google, etc.”—Kevin Lee, Trust and Safety Architect, Sift Science

The Cloud changes everything and everything is connected… and vulnerable

“Your smart fridge will start scamming you. IoT-connected appliances such as refrigerators and washing machines already produce unattended payments that the user cannot personally verify. Fraudsters see this vulnerability now and will begin to take advantage of it”—Uri Rivner, Chief Cyber Officer, BioCatch

“In 2019, the two main targets for cyber-attackers will be the cloud and user devices. Operating systems on user devices provide more functionality than ever before, making them more vulnerable and an easy target for attackers. At the same time, users will expect more flexibility and the ability to work with any OS, any application, and on any device. As organizations look to provide security, privacy, and productivity, they will have to shift to a new, ‘zero trust’ device architecture”—Tal Zamir, CEO, Hysolate

“IoT, in its current state, is not secure. There are secure devices out there, but they are the exception rather than the rule. Perhaps more concerning is that there are no revolutions in IoT security on the horizon. IoT will continue to be vulnerable in 2019”—Erez Yalon, Head of Security Research, Checkmarx

“A marked shift from network security towards identity-based application security will take place next year. The cloud causes traditional control planes to become obsolete. From firewalls and IPS’s to host-based security tools, current technologies cannot be implemented in an effective and constructive manner. Application identities, in a similar process that user identity underwent in the last couple of years, will conquer the main stage”—Ran Ilany, CEO, Portshift

“With Waymo, Cruise, Uber and other autonomous vehicle industry players rushing to the market and expanding previously limited pilots to wider scale public deployments, we predict that a self-driving car used ‘in production’ will be hacked. The immediate implications are unlikely to be life-threatening, however, they will only strengthen concerns about a potential nightmare scenario like car ransomware”—Nir Gaist, CTO and co-founder, Nyotron

“Teams will shift to prioritizing cloud-delivered security solutions over traditional appliance-based point products. In addition, teams will shift to simplifying security architectures by prioritizing solutions that provide consolidated feature sets that would have traditionally required numerous separate point products. This will be driven by a vastly expanded attack surface and necessary operational efficiency for understaffed teams”—Gene Stevens, CTO & Co-Founder, ProtectWise

“From Windows to IoTs, Apple and Microsoft have invested colossal amounts in information security to make it very difficult for attackers to enter. In addition, due to the accelerated growth in the number of IoT vendors and a severe lack of regulation, significant investments are now being made in developing breakthrough attack capabilities in this field”—Eilon Lotem, CTO, SAM Seamless Network

“IoT-enabled device innovation will continue to outpace the security built into those devices and Federal government regulation will continue to inadequately define the laws and fines required to effect change. State-level regulations will be enacted to improve the situation, but will likely fall short in impact, and in many cases, only result in a false sense of consumer confidence with respect to the security of these devices”—Carolyn Crandall, Chief Deception Officer, Attivo Networks

“Cyber breaches will have increased impacts on corporate stock prices, especially in the technology and cyber security sector. The rate at which we’re seeing attacks, and the breadth of the impact is alarming but as of yet haven’t had a large impact on stock prices. However, this will soon change as organizations complete their digital transformation and move to the cloud. Once this happens, a breach is going to have a larger impact on their revenue and as a result a detrimental effect on stock price. Another impact of companies moving operations and revenue to the cloud is we’re going to see more criminal and state organizations going after cybersecurity companies to infiltrate code in their distribution base or take them offline to get to the corporations themselves”—Stan Lowe, Global CISO, Zscaler

“Consumers and legislators alike are increasingly aware of the cyber risks facing the automotive industry as vehicles become increasingly connected. Due to the growing number of susceptible entry points in today’s connected cars, it is only a matter of time before the automotive industry experiences further significant cyber-related product recalls. Moving into 2019, it is imperative that OEM and Tier 1 suppliers ensure robust cyber security protections over the course of the vehicle lifespan. A multi-layered, end-to-end security solution that enables over the air system update capabilities will become the norm. Now is the time for automakers to be proactive and take the wheel in deploying effective solutions for automotive cyber security”—Yoni Heilbronn, CMO, Argus Cyber Security

“Cloud and DevOps transformations will rapidly gain pace in 2019, increasing the risk at the web application layer for enterprises. The reason for this increase is simple: the application layer used to be mostly static assets like marketing websites, but flash forward to today, it is now often the primary way an enterprise interacts with their customers (via full featured web applications or APIs that back mobile apps). With this massive shift in functionality comes an equally massive shift in risk. The number one lesson for CISOs is that the transformation to cloud and DevOps will be successful if you can shift your security program from being a blocker to an enabler and focus on making your application and DevOps teams security self-sufficient”—Zane Lackey, Co-Founder and CSO, Signal Sciences

“Endpoint security will be redefined by detection and response features (EDR), plus managed detection and response (MDR) services. Endpoint prevention (EPP) has been king of the hill for years, now more than 80% of these solutions fall behind on requirements to provide a combined prevention, detection, investigation, response, system management, and security hygiene as a solution set via a single agent for Windows, macOS and Linux systems. Less than 20% of organizations have the resources and skills for mature EDR solutions which will drive the need for MDR services to the majority of companies, even more so for 24/7 coverage”—Tom Clare, Senior Product Manager, Fidelis Cybersecurity

“With IoT growth posing huge unknown risks to enterprises with the introduction of 5G, businesses will increasingly need to invest in both technology and employee training in order to prepare for the next generation threat landscape. What’s more is that 5G will not only give rise to new threats, but it will also provide cyber criminals with new opportunities to carry out attacks that we have seen grow in popularity over the years with greater force and impact. With this in mind, even an organization that ‘does everything right’ to combat threats posed by 5G could still be impacted just as easily as those that are less security savvy”—James Willett, Vice President of Technology, Neustar

“As IoT innovation continues to blossom, more and more IoT devices will continue to get involved in DDoS attacks in 2019. Routers and cameras are the major types of IoT devices involved in DDoS attacks, with routers making up 69.7% of IoT devices exploited to launch DDoS attacks, and 24.7% of cameras in 2017. This is because a great number of routers and web cameras have been introduced into production and living environments, with no sufficient security measures enforced. We have every reason to believe that attacks leveraging the IoT will become more diverse in the future”—Guy Rosefelt, Director of Product management for Threat Intelligence & Web Security, NSFOCUS

“With the number of IoT technologies in the workplace beginning to outnumber conventional IT assets, there is an ever-increasing probability that these devices will be used as entry point by malicious actors to further compromise corporations for data breaches. Expect in 2019 to see this come to reality and several breaches will be directly tied to installed IoT technology”—Deral Heiland, IoT Research Lead, Rapid7

“Industrial control systems are the wild-west of cybersecurity at the moment. These systems control factories, buildings, utilities, etc. Most systems have little-to-no protection, and best practices are still being adopted very slowly. They also represent extremely high-value targets, especially from a strategic point of view. A few new companies have entered the landscape, but it is still an extremely young industry”—Bryan Becker, application security researcher, WhiteHat Security

“At a time where nearly every device is connected to the internet, vendors should be taking security seriously. Too many of these products, toys, and phone apps connect to the cloud in an insecure or unencrypted fashion and are at risk. Security issues have been plaguing the IoT market from the very beginning and it will only continue to exacerbate in 2019. IoT manufacturers will continue to race to introduce new products before their competitors bypassing secure coding practices resulting in products that add risk to corporate environments”—Karl Sigler, Threat Intelligence Manager, Trustwave SpiderLabs

“It’s important to consider the role of certificates in a world of connected devices. Nations (and more U.S. states) will follow California’s lead and enact legislation requiring security for IoT networks. This is particularly important for the healthcare, transportation, energy, and manufacturing sectors, which face the highest risk. The legislation stops short of prescribing strong forms of authentication—but thankfully, consortium groups such as the Open Connectivity Foundation and AeroMACS have championed the use of strong certificate-based authentication in their best practice standards for IoT”—Damon Kachur, Vice President of IoT, Sectigo

“It may not seem like a big deal for an attacker to compromise your smart-lights, but those can connect to your smart home management device (e.g., Google Home, Amazon Echo), and from there propagate throughout both your physical and notional personal networks. And those networks can be tied to even larger ones that could result in high-profile DDoS attacks. Every added device is an added attack surface, and we’re in for a very rude awakening in the near future”—Ken Underhill, Master Instructor, and Joe Perry, Director of Research, Cybrary

Cybersecurity skill set transformation

“As IT organizations embrace public cloud environments, the threat of cyber-attacks and malicious attempts is a growing phenomenon. However, a gap still exists between the industry’s needs and what can be achieved with the available workforce. As cloud increasingly becomes a part of every IT environment, 2019 will be a key year for re-skilling the workforce, educating new talent and making the right moves to face the cyber challenge”—Avishai Sharlin, General Manager, Amdocs Technology

“The role of CISO will become intertwined with CTO. Security will need to integrate into the operations of a business if it is to become an enabler rather than a blocker of innovation. The same can be said for the blurred lines between the roles of the CISO and CTO. We have seen time and again the c-suite take the brunt of the fallout following high-profile security breaches – where the buck used to stop long before the CEO, the fallout from a security breach increasingly takes senior management along with the security and teaching teams. As a result, the distinction between the traditional roles of the CISO and CTO will become yet more gray next year”—Ivan Novikov, CEO, Wallarm

“Security is increasingly starting at the developer level, a trend that will only grow next year. As an industry, we’ve realized that security should lie at the heart of any digital transformation initiative and should never be an afterthought but built-in by design. The code should be secure, as well as the design and processes. DevSecOps should be applied for applications as well as the cloud, infrastructure and work with partners. Organizations will look to create more security ambassadors at the developer level next year who can advocate for employee awareness around the individual’s role in overall security”—Brent Schroeder, CTO Americas, SUSE

“In 2018, cybersecurity was more widely accepted as a board level topic and senior executives became more aware about its impact on achieving business goals and brand protection. Looking toward 2019, boards will want to see objective measurement and validation of program effectiveness, and will continue to bring on independent cybersecurity advisors or add team members with experience in cybersecurity, putting more pressure on CISOs. As a result, the effectiveness of cybersecurity programs will rely more and more on CISOs and their ability to partner with the board and communicate security needs to them. CISOs that can communicate a clear strategy and a measurable plan will have increased support, as well as funding for key initiatives”—Andrew Howard, CTO, Kudelski Security

“It’s no surprise that we are currently in a massive deficit of qualified cybersecurity talent. In 2019, we will see a more modern approach to recruiting and retention in the cybersecurity workforce to fill this void and create more diversity. We will see an uptick in apprenticeship programs, more diverse training, recruiting practices and federal funding to help bridge the enormous talent and diversity gap the industry has today”—Jason Albuquerque, CISO, Carousel Industries

The ever-evolving cybersecurity landscape

“The security industry tends to look at future trends as monumental shifts in attack methodologies, security technologies, or predictions. In reality, shifts in attack methodologies, security technologies, and observations tend to be incremental. Spending 20% of your time enhancing controls on the security essentials can easily yield 80% of your security improvements. The remaining time should be spent on exploring more advanced technologies that can help fill some of the more niche gaps in your security program. In the coming year, shifts in attacks will be incremental if the same old attacks continue to work as they have in the past”—Jason Rebholz, Senior Director at Gigamon

“In 2019, we will see advances in mobile biometric sensors. The industry has dipped its toe in the water in regards to fingerprint sensors being placed underneath phone screens as a solution to eliminate the ‘home button’; expect to see these screen sensors cannonball into becoming the norm. We may even see Samsung extend their capability with Iris beyond phone unlock and Samsung apps. There will be a battle as to which biometric is best, face or fingerprint, with focus on usability rather than performance rates; ultimately this will come down to user preference as to which is more convenient for individuals and fits better with their use cases”—John Callahan, CTO, Veridium

“The demand for affordable, managed security service providers will increase dramatically in 2019 due to a rise in attacks on small and medium sized businesses as a result of successful monetization of ransomware, crimeware and extortion by criminal organizations. With the shortage of available security professionals in the workforce, one of the only places SMBs will be able to turn to in 2019 are MSSPs”—Sharon Reynolds, Chief Information Security Officer, Omnitracs

“In 2019, healthcare organizations will be the number one target for attackers. The evolution of attacks has made it much harder to secure the industry, creating and growing an entire ecosystem that lends itself to multiple forms of fraud that the attacker can profit off of. For example, in healthcare, when protected health information (PHI) is stolen, attackers are able to steal identities, gaining access to medical information, which the attacker either uses or sells to then obtain prescriptions to be traded or sold illegally”—Bob Adams, cybersecurity specialist, Mimecast

“New, high-profile breaches will push the security industry to finally solve the username/password problem. The ineffective username/password conundrum has plagued consumers and businesses for years. There are many solutions out there—asymmetric cryptography, biometrics, blockchain, hardware solutions, etc.—but so far, the security industry has not been able to settle on a standard to fix the problem. In 2019, we will see a more concerted effort to replace the password solution altogether”—Marcin Kleczynski, Founder and CEO, Malwarebytes

“In 2019 we will see an evolution in the two-factor authentication (2FA) process that directly addresses some of the most discussed fraud attacks. It’s a documented fact that the use of 2FA to stop unauthorized account access has exponentially decreased account takeover fraud around the globe, but as fraudsters have evolved, so too must the techniques used to combat them. The increasing prevalence of SIM swap fraud and porting fraud (where attackers take over an end-user phone number so they can intercept one-time passcodes) has led to more collaboration between online businesses and mobile network operators, who can tell those businesses (in real-time) when a SIM swap or porting change has occurred. What we will see as 2019 unfolds is the use of that data to augment 2FA, which will ultimately ensure the continued growing adoption of this important security step by both businesses and their users”—Stacy Stubblefield, Co-Founder and Chief Innovation Officer, TeleSign

“Year-end cyber predictions often focus on specific threat categories and whether or not to expect an increase or decrease in their activity. 2019, however, promises a more fundamental shift in the cyberthreat landscape, for example the impact of social media as an exploding vector for malicious activities and the implications for businesses protecting their assets. Cybersecurity is not an IT problem, it is far wider than just ‘computers’ and the threats ahead in 2019 will make this painfully obvious”—Raj Samani, Chief Scientist and McAfee Fellow, McAfee

“Fraud attacks continue to rise, and we can expect to see them increase in volume up to 2-3X in the coming year. In addition to an increased number of attacks, we anticipate cyber criminals will leverage new tactics to fool retailers and consumers. We will continue to see them utilizing compromised data obtained from data breaches, but beyond that we can anticipate the use of account takeover efforts like attacking small and medium-sized online merchants that don’t have proper eCommerce fraud risk technologies, and attacking online merchants with high speed velocity, identity takeover, and brute force high volume attempts”—Steven Gray, Head of Payments, Tax and Fraud, Radial

“In 2019, there will be continued consolidation of companies in the security sector, especially for those that have developed technologies that relate to Digital Identities (DIs), including the on-boarding of individuals behind the DIs, the authentication of the individuals behind the DIs (MFA), and the continual management of privileges and access (IAM)”—Todd Shollenbarger, Chief Global Strategist, Veridium

“Small organizations are finally realizing that they need to be as prepared as large organizations when it comes to cybersecurity, making it no longer an IT problem but a larger business challenge within every organization. Additionally, we will see small businesses’ approach to cybersecurity impacting larger organizations through the supply chain vector. Hackers will take advantage of smaller organizations, which often fuel larger business’ supply chains, because they typically have security vulnerabilities that can be more readily exploited than larger ‘targeted’ companies”—Brian NeSmith, CEO and co-founder, Arctic Wolf Networks

“Because security has not been built into established industries like utilities, these sectors are an easy target across the globe and a prime mark for attackers looking to engage in cyber warfare. While their vulnerability has been well-documented, I believe the industry won’t take the threat seriously until something significant occurs—but by then, it will be too late. As we head into 2019, expect this threat to intensify until it finally boils over and results in action. By 2023, Threat X predicts there will be a major attack on a US utility that will finally force the industry to address these vulnerabilities”—Bret Settle, CEO, Threat X

“Risk management is going to become an extremely critical topic for both the public and private sector next year. As a nation, we are facing complex geopolitical issues and state-sponsored attacks targeting our businesses and government on an enormous scale. Large financial institutions and Silicon Valley companies have already experienced billions of dollars in losses due to decisions being made without effective Enterprise Risk Management. Data is both an asset and a liability and next year we are going to see the regulatory environment become even more complex around data governance, which will see Enterprise Risk Management become a huge priority for the c-suite and board”—David Pigott, Chief Compliance Officer, Neustar

Source: https://www.forbes.com/sites/gilpress/2018/12/03/60-cybersecurity-predictions-for-2019/#57c3994b4352

The Nigerian Cyber Warfare Command: Waging War In Cyberspace

As the threat of state-sponsored cyber-attacks increases, multiple nations are putting together ‘cyber-armies’ able to fight back. The US Cyber Command was created in 2009 with the aim of defending the country’s infrastructure from attack. North Korea also has a cyber warfare unit and in the UK, it was recently revealed that the nation is increasing its ability to wage war in cyberspace with the creation of a new offensive force of up to 2,000 people.

Another country upping its game is Nigeria, which has itself suffered from numerous incidents of cyber-terrorism after jihadist militants Boko Haram migrated to the internet. The nation claims Boko Haram is leveraging social media for recruitment and was responsible for defacing the Defence Headquarters website. The group is also blamed for a hack on the Independent National Electoral Commission (INEC) website on a presidential election day.

In 2016, the Nigerian Army announced plans to take the war against insurgency to the nation’s cyberspace. The result is the Nigerian Army Cyber Warfare Command: 150 IT-trained officers and men drawn from the corps and services in the Nigerian Army. Their aim: to monitor, defend and assault in cyberspace through distributed denial of service (DDoS) attacks on criminals, nation states and terrorists.

So what led to the setup of the Command? “There have been a lot of issues with Boko Haram and also general cybersecurity problems,” says Eric Vanderburg, vice president of cybersecurity at TCDI, who is also an author and speaker on information security. “Crime is widespread in Africa, but their economy is one of the largest.”

The Nigerian army says it has acquired state of the art technical equipment and experts from IBM are currently configuring its newly procured servers. With the capacity to protect the country’s critical infrastructure, the command will also monitor the Nigerian Army’s networks and advise field commanders on how to use the computer-based weapons systems.

But there will be challenges as the country tries to tackle years of crime taking place in cyberspace. For example, Nigeria is simply training existing officers who might have no previous knowledge or experience in cybersecurity.

“They are all former army and military personnel,” says Vanderburg. “But they really need – even if only for leadership – someone to provide that guidance and specific knowledge on some of the key areas to the new recruits to train them through a programme. I just don’t see how it could be effective without bringing in some experienced people.”

If there isn’t much action, Nigeria’s Command could be more about appearances. “I think it is posturing,” Vanderburg says. “They have resisted some of the cooperation from the US – we had the US-Africa Command, for example.”

In addition: “They have previously said they have eradicated the Boko Haram threat but it’s really still there beneath the surface,” Vanderburg points out. “I think that’s going to be a lot of what happens here: they will do something with the cyber command, maybe fix some small issue and declare the cyber problem fixed.”

Nigeria also wants to show criminals and other nations it is doing something about cybercrime in a country known for its scams and phishing emails. “I think there is going to be an increasing focus on Africa: with how many cyber-attacks are coming out of it and international pressure to solve the problem,” Vanderburg says.

Internationally, Vanderburg stresses the need for a group in each country as well as cooperation between nations. “Each country should have something that helps coordinate local resources in response to cyber threats, but those groups need to work together on an international scale to now identify the problem. If, for example, an event impacts five countries, each of those could then have local units able to respond to it.”

Source: https://www.forbes.com/sites/kateoflahertyuk/2018/11/26/the-nigerian-cyber-warfare-command-waging-war-in-cyberspace/#142d9f342fba

Telcos struggling to mitigate the threats of cyber attacks

EfficientIP’s 2018 DNS Threat Report has revealed telecom organisations took an average of 18 hours to mitigate each cyber attack.

The telecommunications sector ranks as one of the worst businesses sectors in its handling of cyber threats.

According to the report from EfficientIP, 43% of telco organisations suffered from DNS-based malware over the past 12 months. It was also highlighted that 81% took three days or more to apply a critical security patch after notification.

Time and money
DNS attacks cost telco organisations, like any other, significant time and money.

In general, telcos are taking too long to mitigate an attack, requiring an average of three employees to collectively spend over 17 hours per attack.

Due to how time-intensive the mitigation process can be, the report found that the average cost per DNS attack is rising for the telecommunications sector. Last year, a single DNS attack cost a telco organisation $622,100. This year the research shows telcos lose an average of $886,560 from each DNS attack, an increase of 42% in just 12 months.
Commenting on the reason behind these attacks, David Williamson, CEO of EfficientIP says: “Telco organisations attract complex, sophisticated cyber attacks as they hold sensitive customer data, and are also critical for providing unified communication services to businesses. With a large part of their customer base operating online, strong network security has become a business necessity for the entire telco sector in general. Ensuring consistency and reliability in service is a crucial step towards providing elevated customer satisfaction.”

Reputational damage
The ramifications for telcos’ brands while they are undergoing cyber attacks are damaging.

Brand reputation was likely to suffer due to service issues:

• 45% had to close down specific affected processes and connections.
• 38% suffered cloud service downtime.
• 33% reported a compromised website.
• 31% endured in-house application downtime.
• 30% reported sensitive customer information stolen.

Recommendations for telcos
Working with some of the world’s largest telecommunication brands such as Orange and Vodafone to protect their networks, EfficientIP recommends five best practices:

• Rethink and simplify DNS architectures by replacing intermediary security layers with an adapted DNS security solution. As well as reducing administration and maintenance costs, this helps guarantee availability of service.

• Augment your threat visibility using real-time, context-aware DNS transaction analytics for behavioral threat detection. Businesses can detect all threat types, and prevent data theft to help meet regulatory compliance such as GDPR and US CLOUD Act.

• Apply adaptive countermeasures relevant to threats. The result is ensured business continuity, even when the attack source is unidentifiable, and practically eliminates risks of blocking legitimate users.

• Decentralise DNS architecture to cope with heavy growth of traffic. In addition to enhancing user experience, placing purpose-built, high performance DNS servers in points of presence significantly improves security against DDoS attacks.

• Incorporate DNS into a global network security solution to recognize unusual or malicious activity and inform the broader security ecosystem. This allows holistic network security to address growing network risks and protect against the lateral movement of threats.

Source: https://www.information-age.com/telcos-cyber-attacks-123476699/

SIDN, NBIP warn small businesses of increased risk of DDoS attacks

Small and medium-sized businesses are much more at risk of DDoS attacks than many think, according to research by the Dutch domain registrar SIDN and the internet providers group NBIP. The two groups conducted research on the .nl websites affected by such attacks and the organisations affected. In total, 237 DDoS attacks were identified in the year to June 2018.

Web shops selling consumer goods such as clothes, cosmetics and garden equipment have a bigger chance of being hit by DDoS attacks, the research found. On average the resulting damage costs EUR 1.8 million.

A common cause is the use of shared hosting. To save costs, small online sellers often share a server with other websites. They are then affected if another site on the server is hit by an attack. The chance of collateral damage is 35 times higher in such a case.

The public sector and larger banks remain the most likely target of direct attacks. The study estimates the direct damage cost EUR 59.6 million, while collateral effects cost another EUR 10 million.

The damages are based on the 237 attacks identified and estimates for the consequences if the attacks succeeded. If no protective measures are taken, the total cost to society from DDoS attacks is estimated at EUR 1 billion per year.

Source: https://www.telecompaper.com/news/sidn-nbip-warn-small-businesses-of-increased-risk-of-ddos-attacks–1269808

Data will be flowing through the retail systems this Black Friday

Resellers that support the retail sector will be keeping a keen eye on how their customers react to the huge amounts of data that will be generated this coming weekend.

Resellers selling into the retail sector are about to go through one of the most stressful weeks of the year as their customers gear up for Black Friday.

With this weekend marking one of the main moments consumers spend big before Christmas, the emphasis might be on getting the best deals, but for those with an eye on the IT, the next few days are going to be about data.

On the one hand that means making use of the data around offers and stock to ensure that customers get current information about what a retailer can offer.

“Last year Black Friday itself was worth a total of £2.5bn in sales to the UK economy. However, if retailers fail to stand out against the intense competition, Black Friday could well be a Bleak Friday for them,” said Chris Haines, director of consulting at Amplience.

“To make the most out of the week and the increasingly important Cyber Monday, retailers should be focusing on their digital content. Retail is steadily marching towards the web, and Black Friday this year will be fought out online and on mobile,” he added.

But it is also about ensuring that data is protected, particularly over some of the busiest days of the year.

“Thanks to the popularity of ecommerce sites and credit card payments, the Black Friday shopping season has become synonymous with a peak in credit card thefts, site spoofing and DDoS attacks. It’s as much an occasion for cyber criminals as it is for consumers looking for a bargain,” said Spencer Young, rvp EMEA at Imperva.

“Retailers must also take responsibility for investing time and effort in testing their security measures ahead of the season,” he added.

There are also dangers that some retailers will get caught out by different shopping patterns, and Ajmal Mahmood, customer solution architect, KCOM, warned against wrongly interpreting the sales that go through the tills.

“Buying habits change during big sales events, with some consumers making more impulse purchases, some stocking up on discounted items and some simply shopping as usual. It’s prudent for retailers to isolate the data collected during sales events, to ensure that they don’t significantly affect their personalisation algorithms across the year,” he said.

Source: https://www.computerweekly.com/microscope/news/252452793/Data-will-be-flowing-through-the-retail-systems-this-Black-Friday

How to secure your online business from cyber threats?

Ecommerce revenue worldwide amounted to more than 1.7 trillion US dollars in the year 2018 alone, and that growth is expected to continue.

However, with growth come new challenges. One such problem is cybersecurity. In 2017, there were more than 88 million attacks on eCommerce businesses, and a significant portion of them hit small businesses.

Moreover, online businesses take many days to recover from an attack. Some businesses shut down completely in the aftermath of a security breach.

So, if you are a small business, it is essential to ensure the safety and security of your eCommerce site; otherwise, these risks pose a real threat to your online business.

Here we discuss some basics for ensuring proper security for your eCommerce site.

Add an SSL certificate

An SSL certificate ensures that the browser displays a green padlock, or otherwise signals to site visitors that they are safe and that their data is protected by encryption while in transit.

To enable or enforce an SSL certificate on your site, you should enable HTTPS—the secured version of HyperText Transfer Protocol (HTTP)—across your whole website.

In general, HTTP is the protocol web browsers use to display web pages.

So, HTTPS and SSL certificates work hand in hand; one is useless without the other.

However, you have to buy an SSL certificate that suits your needs. Buying the wrong SSL certificate does you no good.

Several types of SSL certificates are available based on the functionality, validation type, and features.

Some common SSL certificates based on the type of verification required are:

  1. Domain Validation SSL Certificate: This SSL certificate is issued after validating the ownership of the domain name.
  2. Organization Validation SSL Certificate: This SSL certificate additionally requires you to verify your business organization. The added benefit is it gives the site visitors or users some more confidence. Moreover, small online businesses should ideally opt for this type of SSL certificate.
  3. Extended Validation SSL Certificate: This type of SSL certificate requires you to undergo more rigorous checks. But when someone visits your website, the address bar in the browser displays your brand name, indicating to users that you have been thoroughly vetted and are highly trustworthy.

Here are some SSL certificate types based on the features and functionality.

  1. Single Domain SSL Certificate: This SSL certificate can be used with one and only one domain name.
  2. Wildcard SSL Certificate: This SSL certificate covers the primary and all the associated subdomains.
    Every subdomain along with the primary domain example.com will be covered under a single wildcard SSL certificate.
  3. Multi-Domain SSL Certificate: One single SSL certificate can cover multiple primary domains. The maximum number of domains covered depends on the SSL certificate vendor you purchase the certificate from. Typically, a Multi-Domain SSL Certificate can support up to 200 domain names.
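What the three certificate types above mean in practice is just a difference in the certificate's subjectAltName (SAN) list, which is what a browser actually checks against the hostname. The following is an added example, not code from the original article: it models a single-domain, a wildcard and a multi-domain certificate as constructed SAN lists (the `example.com`/`example.net` names are assumptions) and applies the browser's matching rule, under which `*` stands for exactly one DNS label, so `*.example.com` covers `shop.example.com` but neither the bare `example.com` nor `a.b.example.com`. The `live_san_names` helper, which needs network access, pulls the real SAN list from a running server so you can run the same check against your own certificate.

```python
"""Which hostnames does a certificate cover? (added example, not from the article)"""
import socket
import ssl
from typing import Iterable


def _matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # plain name: exact match only
    suffix = pattern[1:]                    # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # Exactly one non-empty label may replace '*': 'shop.example.com' yes,
    # 'example.com' (empty label) and 'a.b.example.com' (two labels) no.
    return bool(leftmost) and "." not in leftmost


def covered_by(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry covers the hostname."""
    return any(_matches(p, hostname) for p in san_names)


def coverage_report(san_names: Iterable[str], hostnames: Iterable[str]) -> dict:
    """Map each hostname to whether the SAN list covers it."""
    names = list(san_names)
    return {h: covered_by(names, h) for h in hostnames}


# Constructed SAN lists modelling the three certificate types (assumed names).
SINGLE_DOMAIN = ["www.example.com"]
WILDCARD = ["example.com", "*.example.com"]   # vendors usually add the bare domain too
MULTI_DOMAIN = ["example.com", "www.example.com", "example.net", "example-shop.co.uk"]


def live_san_names(host: str, port: int = 443) -> list:
    """Fetch the dNSName SANs of a live server's certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    probes = ["example.com", "shop.example.com", "a.b.example.com", "example.net"]
    for label, sans in [("single", SINGLE_DOMAIN), ("wildcard", WILDCARD), ("multi", MULTI_DOMAIN)]:
        print(label, coverage_report(sans, probes))
```

The practical check before buying: list every hostname your shop serves (bare domain, `www`, API and CDN subdomains, any second-level wildcard such as `eu.shop.example.com`) and run it through `coverage_report` against the SAN list the vendor will issue; a wildcard certificate silently fails the two-level case.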

Nowadays, securing your business site with an SSL certificate is a must. Otherwise, Google will punish you: Google ranks sites with HTTPS higher than sites using no security.

And if you are processing online payments on your site, SSL security is essential. Otherwise, bad actors can misuse your customer information, such as credit card details, eventually leading to identity theft and fraud.

Use a firewall

In general, a firewall monitors incoming and outgoing traffic on your servers and helps you block certain types of traffic—those that may pose a threat—from reaching or compromising your website servers.

Firewalls are available in both virtual and physical variants; which type you go with depends on the kind of environment you have.

Many eCommerce sites use something called a Web Application Firewall (WAF).

On top of a typical network firewall, a WAF gives a business site more security, and it can safeguard your website from various types of known attacks.

So, putting up a basic firewall is essential. Whether you also use a Web Application Firewall (WAF) depends on the complexity of the website or application you have put up.

Protect your site from DDoS attacks

A denial-of-service (DoS) attack brings your site down by sending it huge amounts of traffic. Your site is bombarded with junk requests in a volume that your web servers can’t handle, and the site eventually goes down, disrupting service for normal, legitimate users.

A simple denial-of-service attack is easy to identify, because too many requests come from a single source. By blocking that source with a firewall, you can defend your business site.

However, hackers have become smart and highly capable. They typically compromise servers or user computers across the globe and use those compromised machines to send massive numbers of requests. This advanced form of denial-of-service attack is known as a distributed denial-of-service attack, or simply a DDoS attack.

When your site is attacked with DDoS, a common firewall is not enough, because a firewall can only block requests it recognises as bad or malicious. In a DDoS attack, every individual request can look legitimate to the firewall, yet together they overwhelm your web servers.
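The difference between the two cases above shows up directly in a web server's access log. The following is an added example, not code from the original article: it generates constructed Common Log Format lines (a baseline of 40 shoppers from the documentation range 192.0.2.0/24, one single-address flood from 203.0.113.7, and a 256-host botnet from 198.51.100.0/24; all addresses and thresholds are assumptions) and buckets them into ten-second windows. A window where one address alone exceeds the per-source limit yields the address to block at the firewall; a window whose total exceeds the aggregate limit while no single address stands out is the DDoS pattern the text describes, where per-address blocking cannot help and the mitigation has to move upstream.

```python
"""Single-source vs. distributed floods in an access log (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (source_ip, timestamp) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def analyse(lines, window=10, per_source_limit=50, aggregate_limit=200):
    """Bucket requests into fixed windows and classify each window.

    'single-source': at least one IP alone exceeds per_source_limit (blockable).
    'distributed':   no IP stands out, but the window total exceeds
                     aggregate_limit (the DDoS case a per-IP rule cannot fix).
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[1])
    if not events:
        return []
    start = events[0][1]
    buckets = defaultdict(Counter)
    for ip, ts in events:
        buckets[int((ts - start).total_seconds()) // window][ip] += 1
    findings = []
    for idx in sorted(buckets):
        counts = buckets[idx]
        total = sum(counts.values())
        noisy = sorted(ip for ip, n in counts.items() if n > per_source_limit)
        if noisy:
            findings.append({"window": idx, "kind": "single-source", "sources": noisy, "total": total})
        elif total > aggregate_limit:
            findings.append({"window": idx, "kind": "distributed", "sources": len(counts), "total": total})
    return findings


def _log_line(ip, ts, path="/"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200'


def sample_log():
    """Constructed traffic: window 0 adds a single flooder, window 1 a botnet,
    window 2 holds only the baseline of 40 shoppers making two requests each."""
    base = datetime(2018, 11, 23, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for w in range(3):
        for i in range(1, 41):          # baseline shoppers, 192.0.2.0/24
            for k in range(2):
                lines.append(_log_line(f"192.0.2.{i}", base + timedelta(seconds=10 * w + (i + k) % 10)))
    for k in range(120):                # window 0: one address hammering the checkout page
        lines.append(_log_line("203.0.113.7", base + timedelta(seconds=k % 10), "/checkout"))
    for i in range(256):                # window 1: 256 bots, one request each
        lines.append(_log_line(f"198.51.100.{i}", base + timedelta(seconds=10 + i % 10)))
    return lines


if __name__ == "__main__":
    for finding in analyse(sample_log()):
        print(finding)
```

Run on the constructed log, window 0 is reported as single-source with `203.0.113.7` as the only noisy address, window 1 as distributed (336 requests from 296 distinct addresses, none above the per-source limit), and window 2 produces no finding. The thresholds are placeholders; in practice they are set from the site's own measured baseline.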

Some advanced Web Application Firewalls (WAF) can help you mitigate the risks of DDoS attacks.

Also, Internet Service Providers (ISPs) can detect such attacks and stop them before they reach your web servers. So, contact your ISP and ask how they can protect your site from DDoS attacks.

If you need a fast and straightforward way to secure your website from distributed denial-of-service attacks, services like Cloud Secure from Webscale Networks are a great option.

In the end, it is better to have strategies in place to mitigate DDoS attacks. Otherwise, your business site may go down, damaging your reputation—which is crucial in the eCommerce world.

Get malware protection

Malware is software that can infect your website and carry out malicious activities on your servers.

If your site is infected with malware, it faces a number of dangers, and the user data stored on your servers might be compromised.

So, scanning your website regularly for malware is essential. Symantec Corporation provides malware scanning and removal tools that can help your site stay safe from various kinds of malware.

Encrypt data

If you are storing any user or business-related data, it is best to store it on your servers in encrypted form.

If the data is not encrypted and there is a data breach, a hacker can easily use the data—which may include confidential information like credit card details, social security numbers, etc. When the data is encrypted, it is much harder to misuse, because the hacker also needs to gain access to the decryption key.

Alternatively, you can use a tokenization system, in which sensitive information is replaced with a non-sensitive substitute value called a token.

With tokenization in place, stolen data is useless, because the hacker cannot access the tokenization system, which is the only component that can map a token back to the sensitive information. Your tokenization system must therefore be implemented and isolated properly.
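To make the tokenization idea concrete, here is an added example that is not code from the original article: an in-memory token vault and a merchant order table that stores only the token and the last four digits. The vault is the sole component that can map a token back to the card number, and it only does so for callers on an allow-list (the `payment-gateway` and `web-frontend` caller names are assumptions); a simulated dump of the merchant table shows the full card number never appears. The card number used is the well-known `4111 1111 1111 1111` test value, not a real card, and the Luhn check is the standard checksum card numbers carry. In production the vault runs on its own isolated, access-controlled host; both sides are in one process here only so the flow runs offline.

```python
"""Tokenizing card numbers so the shop database never holds them (added example)."""
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum carried by card numbers; rejects typos before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Isolated token store; detokenize is limited to an allow-list of callers."""

    def __init__(self, authorised_callers):
        self._store = {}
        self._authorised = set(authorised_callers)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(18)   # random: reveals nothing about the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._authorised:
            raise PermissionError(f"{caller} may not detokenize")
        return self._store[token]


class MerchantDatabase:
    """What the web shop stores: token and last four digits, never the PAN."""

    def __init__(self):
        self.orders = []

    def record_order(self, order_id, token, last4):
        self.orders.append({"order_id": order_id, "card_token": token, "last4": last4})

    def dump(self):
        return list(self.orders)


def checkout(vault, db, order_id, pan):
    """Checkout flow: tokenize first, then persist only token and last four."""
    token = vault.tokenize(pan)
    db.record_order(order_id, token, pan.replace(" ", "")[-4:])
    return token


def pan_appears_in(rows, pan) -> bool:
    """Breach simulation: does the full card number appear anywhere in a dump?"""
    return any(pan in str(v) for row in rows for v in row.values())


def detokenize_allowed(vault, token, caller) -> bool:
    try:
        vault.detokenize(token, caller)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Run one checkout and report what a leaked database dump would contain."""
    vault = TokenVault(authorised_callers={"payment-gateway"})
    db = MerchantDatabase()
    pan = "4111 1111 1111 1111"      # standard test card number, not a real card
    token = checkout(vault, db, "order-1001", pan)
    return {
        "token_prefix": token[:4],
        "dump_leaks_pan": pan_appears_in(db.dump(), pan.replace(" ", "")),
        "last4": db.dump()[0]["last4"],
        "gateway_can_detokenize": detokenize_allowed(vault, token, "payment-gateway"),
        "frontend_can_detokenize": detokenize_allowed(vault, token, "web-frontend"),
        "round_trip": vault.detokenize(token, "payment-gateway") == pan.replace(" ", ""),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is in `demo()`: the order table leaks nothing usable, the vault refuses the web front end, and only the payment gateway can recover the card number. Isolating the vault (its own host, its own credentials, its own audit log) is what turns that allow-list into a real boundary rather than a convention.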

Use strong passwords

Use strong passwords that are at least 15 characters long for your site’s admin logins. And when you are remotely accessing your servers, use SSH key-based logins wherever possible; SSH key-based logins are proven to be more secure than password-based logins.

Beyond your own accounts, urge your site users and customers to use strong passwords. Moreover, remind them to change their password frequently, and notify them about any phishing scams being run in your online business’s name.

For example, bad actors might send emails to your customers offering lucrative deals. When a user clicks the link in the email, they are redirected to a site that looks like yours but is in fact a phishing site. When payment details are entered there, the bad actor commits fraud with the stolen payment information.

So, it is important to notify your user base about phishing scams and make your customers knowledgeable about cybersecurity.

Avoid public Wi-Fi networks

When you are working on your business site or logging into your servers, avoid public Wi-Fi networks. These networks are often poorly maintained from a security standpoint, and they can become a source of password leaks.

Public Wi-Fi networks can be fast and convenient, though. So, when you cannot avoid using one, use a VPN service such as ProtonVPN, CyberGhost VPN, TunnelBear VPN, etc., to mitigate the potential risks.

Keep your software updated

To run an online business, you have to use various software components, from server OS to application middleware and frameworks.

Ensure that all these components are kept up to date and apply patches as soon as they are available. These patches often include performance improvements and security updates.

Some business owners might feel that this is a tedious process. But remember, one successful cyber attack has the potential to push you out of business for several days, if not permanently.

Conclusion

In this 21st century, web technology is growing and changing rapidly, and so are the hackers of the IT underworld.

The steps mentioned above are necessary, but we cannot guarantee that they are sufficient. Moreover, each business case is different. You always have to keep yourself up to date and attend to your online business’s security from time to time; failing to do so can make your business site a victim of cyber attacks.

Source: https://londonlovesbusiness.com/how-to-secure-your-online-business-from-cyber-threats/

Naming & Shaming Web Polluters: Xiongmai

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.

In late 2016, the world witnessed the sheer disruptive power of Mirai, a powerful botnet strain fueled by Internet of Things (IoT) devices like DVRs and IP cameras that were put online with factory-default passwords and other poor security settings.

Security experts soon discovered that a majority of Mirai-infected devices were chiefly composed of components made by Xiongmai (a.k.a. Hangzhou Xiongmai Technology Co., Ltd.) and a handful of other Chinese tech firms that seemed to have a history of placing product market share and price above security.

Since then, two of those firms — Huawei and Dahua — have taken steps to increase the security of their IoT products out-of-the-box. But Xiongmai — despite repeated warnings from researchers about deep-seated vulnerabilities in its hardware — has continued to ignore such warnings and to ship massively insecure hardware and software for use in products that are white-labeled and sold by more than 100 third-party vendors.

On Tuesday, Austrian security firm SEC Consult released the results of extensive research into multiple, lingering and serious security holes in Xiongmai’s hardware.

SEC Consult said it began the process of working with Xiongmai on these problems back in March 2018, but that it finally published its research after it became clear that Xiongmai wasn’t going to address any of the problems.

“Although Xiongmai had seven months notice, they have not fixed any of the issues,” the researchers wrote in a blog post published today. “The conversation with them over the past months has shown that security is just not a priority to them at all.”

PROBLEM TO PROBLEM

A core part of the problem is the peer-to-peer (P2P) communications component called “XMEye” that ships with all Xiongmai devices and automatically connects them to a cloud network run by Xiongmai. The P2P feature is designed so that consumers can access their DVRs or security cameras remotely anywhere in the world and without having to configure anything.

To access a Xiongmai device via the P2P network, one must know the Unique ID (UID) assigned to each device. The UID is essentially derived in an easily reproducible way using the device’s built-in MAC address (a string of numbers and letters, such as 68ab8124db83c8db).

Electronics firms are assigned ranges of MAC address that they may use, but SEC Consult discovered that Xiongmai for some reason actually uses MAC address ranges assigned to a number of other companies, including tech giant Cisco Systems, German printing press maker Koenig & Bauer AG, and Swiss chemical analysis firm Metrohm AG.

SEC Consult learned that it was trivial to find Xiongmai devices simply by computing all possible ranges of UIDs for each range of MAC addresses, and then scanning Xiongmai’s public cloud for XMEye-enabled devices. Based on scanning just two percent of the available ranges, SEC Consult conservatively estimates there are around 9 million Xiongmai P2P devices online.

[For the record, KrebsOnSecurity has long advised buyers of IoT devices to avoid those that advertise P2P capabilities for just this reason. The Xiongmai debacle is yet another example of why this remains solid advice.]

BLANK TO BANK

While one still needs to provide a username and password to remotely access XMEye devices via this method, SEC Consult notes that the default password of the all-powerful administrative user (username “admin”) is blank (i.e., no password).

The admin account can be used to do anything to the device, such as changing its settings or uploading software — including malware like Mirai. And because users are not required to set a secure password in the initial setup phase, it is likely that a large number of devices are accessible via these default credentials.

Even if a customer has changed the default admin password, SEC Consult discovered there is an undocumented user with the name “default,” whose password is “tluafed” (default in reverse). While this user account can’t change system settings, it is still able to view any video streams.

Normally, hardware devices are secured against unauthorized software updates by requiring that any new software pushed to the devices be digitally signed with a secret cryptographic key that is held only by the hardware or software maker. However, XMEye-enabled devices have no such protections.

In fact, the researchers found it was trivial to set up a system that mimics the XMEye cloud and push malicious firmware updates to any device. Worse still, unlike with the Mirai malware — which gets permanently wiped from memory when an infected device powers off or is rebooted — the update method devised by SEC Consult makes it so that any software uploaded survives a reboot.

CAN XIONGMAI REALLY BE THAT BAD?

In the wake of the Mirai botnet’s emergence in 2016 and the subsequent record denial-of-service attacks that brought down chunks of the Internet at a time (including this Web site and my DDoS protection provider at times), multiple security firms said Xiongmai’s insecure products were a huge contributor to the problem.

Among the company’s strongest critics was New York City-based security firm Flashpoint, which pointed out that even basic security features built into Xiongmai’s hardware had completely failed at basic tasks.

For example, Flashpoint’s analysts discovered that the login page for a camera or DVR running Xiongmai hardware and software could be bypassed just by navigating to a page called “DVR.htm” prior to login.

Flashpoint’s researchers also found that any changes to passwords for various user accounts accessible via the Web administration page for Xiongmai products did nothing to change passwords for accounts that were hard-coded into these devices and accessible only via more obscure, command-line communications interfaces like Telnet and SSH.

Not long after Xiongmai was publicly shamed for failing to fix obvious security weaknesses that helped contribute to the spread of Mirai and related IoT botnets, Xiongmai lashed out at multiple security firms and journalists, promising to sue its critics for defamation (it never followed through on that threat, as far as I can tell).

At the same time, Xiongmai promised that it would be issuing a product recall on millions of devices to ensure they were not deployed with insecure settings and software. But according to Flashpoint’s Zach Wikholm, Xiongmai never followed through with the recall, either. Rather, it was all a way for the company to save face publicly and with its business partners.

“This company said they were going to do a product recall, but it looks like they never got around to it,” Wikholm said. “They were just trying to cover up and keep moving.”

Wikholm said Flashpoint discovered a number of additional glaring vulnerabilities in Xiongmai’s hardware and software that left them wide open to takeover by malicious hackers, and that several of those weaknesses still exist in the company’s core product line.

“We could have kept releasing our findings, but it just got really difficult to keep doing that because Xiongmai wouldn’t fix them and it would only make it easier for people to compromise these devices,” Wikholm said.

The Flashpoint analyst said he believes SEC Consult’s estimates of the number of vulnerable Xiongmai devices to be extremely conservative.

“Nine million devices sounds quite low because these guys hold 25 percent of the world’s DVR market,” to say nothing of the company’s share in the market for cheapo IP cameras, Wikholm said.

What’s more, he said, Xiongmai has turned a deaf ear to reports about dangerous security holes across its product lines principally because it doesn’t answer directly to customers who purchase the gear.

“The only reason they’ve maintained this level of [not caring] is they’ve been in this market for a long time and established very strong regional sales channels to dozens of third-party companies,” that ultimately rebrand Xiongmai’s products as their own, he said.

Also, the typical consumer of cheap electronics powered by Xiongmai’s kit doesn’t really care how easily these devices can be commandeered by cybercriminals, Wikholm observed.

“They just want a security system around their house or business that doesn’t cost an arm and leg, and Xiongmai is by far the biggest player in that space,” he said. “Most companies at least have some sort of incentive to make things better when faced with public pressure. But they don’t seem to have that drive.”

A PHANTOM MENACE

SEC Consult concluded its technical advisory about the security flaws by saying Xiongmai “does not provide any mitigations and hence it is recommended not to use any products associated with the XMeye P2P Cloud until all of the identified security issues have been fixed and a thorough security analysis has been performed by professionals.”

While this may sound easy enough, acting on that advice is difficult in practice because very few devices made with Xiongmai’s deeply flawed hardware and software advertise that fact on the label or product name. Rather, the components that Xiongmai makes are sold downstream to vendors who then use it in their own products and slap on a label with their own brand name.

How many vendors? It’s difficult to say for sure, but a search on the term XMEye via the e-commerce sites where Xiongmai’s white-labeled products typically are sold (Amazon, Aliexpress.com, Homedepot.com and Walmart) reveals more than 100 companies that you’ve probably never heard of which brand Xiongmai’s hardware and software as their own. That list is available here (PDF) and is also pasted at the conclusion of this post for the benefit of search engines.

SEC Consult’s technical advisory about their findings lists a number of indicators that system and network administrators can use to quickly determine whether any of these vulnerable P2P Xiongmai devices happen to be on your network.

For end users concerned about this, one way of fingerprinting Xiongmai devices is to search Amazon.com, aliexpress.com, walmart.com and other online merchants for the brand on the side of your device and the term “XMEye.” If you get a hit, chances are excellent you’ve got a device built on Xiongmai’s technology.

Another option: open a browser and navigate to the local Internet address of your device. If you have one of these devices on your local network, the login page should look like the one below:

Another giveaway on virtually all Xiongmai devices is pasting “http://IP/err.htm” into a browser address bar should display the following error message (where IP= the local IP address of the device):

According to SEC Consult, Xiongmai’s electronics and hardware make up the guts of IP cameras and DVRs marketed and sold under the company names below.

What’s most remarkable about many of the companies listed below is that about half of them don’t even have their own Web sites, and instead simply rely on direct-to-consumer product listings at Amazon.com or other e-commerce outlets. Among those that do sell Xiongmai’s products directly via the Web, very few of them seem to even offer secure (https://) Web sites.

SEC Consult’s blog post about their findings has more technical details, as does the security advisory they released today.

In response to questions about the SEC Consult reports, Xiongmai said it is now using a new encryption method to generate the UID for its XMEye devices, and will no longer be relying on MAC addresses.

Xiongmai also said users will be asked to change a device’s default username and password when they use the XMEye Internet Explorer plugin or mobile app. The company also said it had removed the “default” account in firmware versions after August 2018. It also disputed SEC Consult’s claims that it doesn’t encrypt traffic handled by the devices.

In response to criticism that any settings changed by the user in the Web interface will not affect user accounts that are only accessible via telnet, Xiongmai said it was getting ready to delete telnet completely from its devices “soon.”

KrebsOnSecurity is unable to validate the veracity of Xiongmai’s claims, but it should be noted that this company has made a number of such claims and promises in the past that never materialized.

Johannes Greil, head of SEC Consult Vulnerability Lab, said as far as he could tell none of the proclaimed fixes have materialized.

“We are looking forward for Xiongmai to fix the vulnerabilities for new devices as well as all devices in the field,” Greil said.

Here’s the current list of companies that white label Xiongmai’s insecure products, according to SEC Consult:

9Trading
Abowone
AHWVSE
ANRAN
ASECAM
Autoeye
AZISHN
A-ZONE
BESDER/BESDERSEC
BESSKY
Bestmo
BFMore
BOAVISION
BULWARK
CANAVIS
CWH
DAGRO
datocctv
DEFEWAY
digoo
DiySecurityCameraWorld
DONPHIA
ENKLOV
ESAMACT
ESCAM
EVTEVISION
Fayele
FLOUREON
Funi
GADINAN
GARUNK
HAMROL
HAMROLTE
Highfly
Hiseeu
HISVISION
HMQC
IHOMEGUARD
ISSEUSEE
iTooner
JENNOV
Jooan
Jshida
JUESENWDM
JUFENG
JZTEK
KERUI
KKMOON
KONLEN
Kopda
Lenyes
LESHP
LEVCOECAM
LINGSEE
LOOSAFE
MIEBUL
MISECU
Nextrend
OEM
OLOEY
OUERTECH
QNTSQ
SACAM
SANNCE
SANSCO
SecTec
Shell film
Sifvision/sifsecurityvision
smar
SMTSEC
SSICON
SUNBA
Sunivision
Susikum
TECBOX
Techage
Techege
TianAnXun
TMEZON
TVPSii
Unique Vision
unitoptek
USAFEQLO
VOLDRELI
Westmile
Westshine
Wistino
Witrue
WNK Security Technology
WOFEA
WOSHIJIA
WUSONLUSAN
XIAO MA
XinAnX
xloongx
YiiSPO
YUCHENG
YUNSYE
zclever
zilnk
ZJUXIN
zmodo
ZRHUNTER

Source: https://krebsonsecurity.com/2018/10/naming-shaming-web-polluters-xiongmai/

Could Your Organisation’s Servers Be A Botnet?

Most organisations are aware that they could be the target of a DDoS attack and have deployed protection to keep their public-facing services online in the face of such attacks. However, far fewer have thought about the potential for their servers to be harnessed for use in a botnet, the group of servers used to conduct such DDoS attacks. Up until a few months ago, attackers typically only used well-known infrastructure services, like DNS resolution servers, to launch and amplify DDoS attacks, but Memcached – a popular database caching system – changed that.

Malicious hackers have begun abusing Memcached to deliver attacks that are amplified to over 50,000 times their original size – one of the largest amplification methods ever detected. Any organisation running Memcached to speed up its systems is a potential botnet recruit.

How Memcached and similar UDP based service attacks work

Earlier this year, researchers discovered that a flaw in the implementation of the User Datagram Protocol (UDP) for Memcached servers can allow hackers to deliver record-breaking attacks with little effort. Memcached is a distributed memory caching system, originally intended for use in speeding up networks and website applications by reducing database load. Memcached reduces latency and database load by storing data objects in memory, immediately returning them to the caller without requiring a database query.

Usually, Memcached systems are deployed within a trusted network where authentication may not be required. However, when exposed to the Internet, they become trivially exploitable if authentication isn’t turned on. Not only is the cached data accessible to attackers, it’s simple to use the Memcached server for a DDoS attack, if UDP access is enabled. Specifically, with UDP an attacker can “spoof” or fake the Internet Protocol address of the target machine, so that the Memcached servers all respond by sending large amounts of data to the spoofed address, thus triggering a DDoS attack. Most popular DDoS tactics that abuse UDP connections can amplify the attack traffic up to 20 times, but Memcached can take a small amount of attack traffic and amplify the size of the request thousands of times. Thus, a small number of open Memcached servers can be used to create very large DDoS attacks.

The implications to the organisation

If you’re running Memcached with UDP and without authentication, you’re now a likely target for inclusion in a botnet. Should you become part of a botnet, it’s possible that both your servers and your bandwidth will be overloaded, resulting in outages and increased network costs. Indeed, attackers have already demonstrated how badly servers with misconfigured Memcached can be abused and used to launch DDoS attacks with ease.

In addition, unprotected Memcached servers give attackers access to the user data that has been cached from the local network or host, potentially including email addresses, database records, personal information and more. Additionally, cybercriminals could potentially modify the data they access and reinsert it back into the cache without the user’s knowledge, thus polluting production applications.

To avoid being assimilated into a Borg-ish botnet, organisations and internet service providers need to take a more proactive approach in identifying any vulnerable servers before damage is done.

What can be done to prevent the servers being recruited?

Despite multiple warnings about threat actors exploiting unprotected Memcached servers, ArsTechnica reported that searches show there are more than 88,000 vulnerable servers – a sign that attacks may get much bigger. Therefore, it’s crucial that organisations ensure they have the correct security measures in place, to avoid being part of this wave.

Attacks of this scale and size cannot be easily defended against by Internet Service Providers (ISPs), so organisations need to take inventory of any Internet-facing servers and ensure that Memcached is not inadvertently exposed. For any internet-facing servers that require Memcached, they should consider using a Software-Defined Perimeter to ensure that only authorized users will be able to send UDP packets or establish TCP connections. This will prevent attackers from being able to harness servers in a DDoS attack and leverage them to amplify those attacks. In addition, companies need to look at internal servers that are running Memcached, because an internal distributed denial-of-service attack could also be launched from some locally-running malware.
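As an added example (not from the article or any vendor it mentions), the following detector applies the reflection mechanics described above to constructed NetFlow-style records: it flags a cache host that answers UDP requests on port 11211 from an address outside the local network, or that sends back far more bytes than it receives. The record format, the sample addresses, the “internal” network list and the 50x threshold are all assumptions, and the cache host is assumed to sit on an internal address.

```python
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
# Response/request byte ratio above which traffic looks like reflection
# rather than a real client; a chosen threshold, not from the article.
MIN_AMPLIFICATION = 50

# Networks treated as "trusted/internal" for this example (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed NetFlow-style records, not real traffic:
# (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    # A legitimate internal client talking to the cache over TCP.
    ("tcp", "10.0.0.5", 41000, "10.0.0.20", 11211, 420),
    ("tcp", "10.0.0.20", 11211, "10.0.0.5", 41000, 5800),
    # Tiny UDP requests arriving from an outside address (a
    # documentation-range address standing in for a spoofed victim)...
    ("udp", "203.0.113.7", 11211, "10.0.0.20", 11211, 60),
    ("udp", "203.0.113.7", 11211, "10.0.0.20", 11211, 60),
    # ...and the cache answering each with a large cached value.
    ("udp", "10.0.0.20", 11211, "203.0.113.7", 11211, 1_400_000),
    ("udp", "10.0.0.20", 11211, "203.0.113.7", 11211, 1_400_000),
    # Internal UDP use, small and roughly symmetric: not reflection.
    ("udp", "10.0.0.9", 52000, "10.0.0.20", 11211, 80),
    ("udp", "10.0.0.20", 11211, "10.0.0.9", 52000, 120),
]


def is_internal(ip):
    """True if ip falls inside one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_memcached_reflection(flows, min_amp=MIN_AMPLIFICATION):
    """Group UDP memcached traffic per (cache host, peer) and return the
    pairs where the peer is external or the byte ratio is implausible."""
    stats = defaultdict(lambda: [0, 0])  # (cache, peer) -> [in, out]
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "udp":
            continue  # the reflection abuse relies on spoofable UDP
        if sport == MEMCACHED_PORT and is_internal(sip):
            stats[(sip, dip)][1] += nbytes  # response out of the cache
        elif dport == MEMCACHED_PORT:
            stats[(dip, sip)][0] += nbytes  # request into the cache
    findings = []
    for (cache, peer), (b_in, b_out) in sorted(stats.items()):
        amp = b_out / b_in if b_in else float("inf")
        external = not is_internal(peer)
        if external or amp >= min_amp:
            findings.append({"cache": cache, "peer": peer,
                             "bytes_in": b_in, "bytes_out": b_out,
                             "amplification": amp,
                             "external_peer": external})
    return findings


if __name__ == "__main__":
    for f in find_memcached_reflection(SAMPLE_FLOWS):
        print(f"{f['cache']} reflecting to {f['peer']}: "
              f"{f['bytes_out']}/{f['bytes_in']} bytes "
              f"(x{f['amplification']:.0f}, external={f['external_peer']})")
```

On the constructed records the only hit is the pair with the outside address, at a ratio in the tens of thousands, while the small internal UDP exchange stays quiet.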

Source: https://www.informationsecuritybuzz.com/articles/could-your-organisations-servers-be-a-botnet/

190 UK Universities Targeted with Hundreds of DDoS Attacks

  • A large number of security attacks have been targeting universities all over the UK.
  • Over 850 DDoS attacks were analyzed across 190 universities.
  • Security experts suspect students or staff to be behind the large-scale attacks.

Over 850 DDoS attacks targeting 190 universities took place in the United Kingdom during the 2017-2018 academic year. Security researchers from JISC studied all of the reported attacks and found clear patterns that tie the attacks together.

JISC is responsible for providing internet connectivity to UK research and education institutions. After a thorough analysis of all attacks during the past academic year, their study reveals that the attackers are most likely staff or students who are associated with the academic cycle. JISC came to this conclusion because the DDoS activity sees noticeable drops during holidays at universities. More importantly, most of the attacks were centered around the university working hours of 9 am to 4 pm local time.

Frequency of Cyberattacks against UK Universities
Image Courtesy of JISC

Head of JISC’s security operations center John Chapman revealed “We can only speculate on the reasons why students or staff attack their college or university – for the ‘fun’ of disruption and kudos among peers of launching an attack that stops internet access and causes chaos, or because they bear a grudge for a poor grade or failure to secure a pay rise”.

One of the DDoS attacks lasted four days and was traced to a university’s hall of residence. A larger dip in attacks was noticed this summer compared to the summer of 2017, coinciding with an international law enforcement operation against the number one DDoS-for-hire online market. That website being taken down led to a massive drop in the number of DDoS attacks globally, which indicates that the attacks on the UK universities were not carried out by professional hackers working with a personal agenda, but by hired professionals.

The motive behind these DDoS attacks is unknown, and it may serve as a cover for more sinister cybercriminal activity. Universities often store valuable intellectual property which makes them prime targets for many hackers.

Source: https://www.technadu.com/190-uk-universities-targeted-hundreds-ddos-attacks/42816/

Beware of Torii! Security experts discover the ‘most sophisticated botnet ever seen’ – and say it is targeting smart home gadgets

  • Researchers from Avast have identified a worrying botnet affecting IoT devices
  • Called ‘Torii,’ the virus infects devices at a server level that have weak encryption
  • Virus can fetch and execute different commands, making it ‘very sophisticated’

Keep an eye on your smart home devices.

Security experts have identified what they consider the ‘most sophisticated botnet they’ve ever seen’ and it’s believed to be targeting internet of things gadgets.

Antivirus firm Avast said in a new report they’ve been closely watching a new malware strain, called ‘Torii,’ which uses ‘advanced techniques’ to infect devices.

‘…This one tries to be more stealthy and persistent once the device is compromised, and it does not (yet) do the usual stuff a botnet does like [Distributed Denial of Service attacks], attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,’ Avast researchers wrote in a blog post.

The malware goes after devices that have weak encryption, using the Telnet remote access protocol.

Telnet is a remote access tool that’s primarily used to log into remote servers, but it’s largely been replaced by tools that are more secure.

Once it has identified a poorly secured system, Torii will attempt to steal your personal information.

It’s entirely possible that vulnerable IoT device owners have no idea their device has been compromised.

‘As we’ve been digging into this strain, we’ve found indications that this operation has been running since December 2017, maybe even longer,’ the researchers wrote.

While Torii hasn’t attempted cryptojacking or carried out DDoS attacks, researchers say the malware is capable of fetching and executing commands of different kinds on the infected device, making it very sophisticated.

What’s more, many smart home gadgets are connected to one another, and it’s unclear yet if the malware is capable of spreading to other devices.

‘Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before,’ the Avast researchers explained.

Once Torii infects a device, it floods it with information and communicates with the master server, allowing the author of the malware to execute any code or deliver any payload to the infected device, according to researchers.

‘This suggests that Torii could become a modular platform for future use,’ the researchers continued.

‘Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer. Stay tuned for the follow ups.’

WHAT IS A DDOS ATTACK?

DDoS stands for Distributed Denial of Service.

These attacks attempt to crash a website or online service by bombarding them with a torrent of superfluous requests at exactly the same time.

The surge of simple requests overloads the servers, causing them to become overwhelmed and shut down.

In order to leverage the number of requests necessary to crash a popular website or online service, hackers will often resort to botnets – networks of computers brought under their control with malware.

Malware is distributed by tricking users into inadvertently downloading software, typically by tricking users into following a link in an email or agreeing to download a corrupted file.

Source: https://www.dailymail.co.uk/sciencetech/article-6216451/Security-experts-discover-sophisticated-botnet-seen.html

Copyright © 2014. DoS Protection UK. All Rights Reserved.