Lessons Learned from the DynDNS DDoS

As everyone probably knows, DynDNS was recently hit by a massive DDoS which in turn caused large sites to be either nonresponsive or extremely sluggish. Dyn DNS was hosting records for these organizations when an application layer SYN flood attack against their DNS service brought them to their knees. The attack caused legitimate DNS requests for these sites to be “lost in the mix” with a steady flow of garbage requests saturating Dyn’s DNS service. After watching the attack play out, I had a few thoughts on the subject I thought I’d share.
I’ve personally fought DDoS attacks in the past and they’re not fun. To be bluntly honest, they’re a pain in the butt.  Many times they come out of nowhere and it’s an all hands on deck situation when the flood starts. But after seeing the recent attacks on Krebs, OVH and now Dyn, it seems that everyone on Twitter has recently become a DDoS expert. It takes some skill and most importantly experience when dealing with DDoS attacks, so let’s not take this subject lightly. We need to learn from our mistakes and the incidents of others to achieve the best security we can possibly offer. Let’s not just start being a Twitter warrior with nothing to back it up. Okay, I feel better now. 
That being said, now that we all know DDoS is a huge issue (because the media doesn’t lie, of course!) those who work in the security field can’t plead ignorance anymore. Just because your industry doesn’t normally see DDoS attacks doesn’t mean they won’t pop up and smack you in the face now. With the tools and vulnerable systems available to create massive botnets, we might only be seeing the beginning of what’s in store. Everyone in charge of security needs to start the process of creating a DDoS runbook today. This needs to become a tabletop exercise within your incident response plan. Incident handlers and groups outside of security need to understand how to handle DDoS attacks when they occur. The last thing you want is for an attack to occur without any preparation. The Dyn DNS team did a great job explaining to the public how the attack was being handled and gave frequent updates through this site: www.dynstatus.com. This is important during an attack that knocks you off the grid. Communication is key during this time, especially to your customers.
Another thing to consider is how a DDoS attack will be mitigated. With attacks cranking in at over 1Tbps, there is no on-premise DDoS mitigation appliance in the world that’s going to handle the load right off the bat. Not only will they not physically handle the load, but the ISPs will have issues fulfilling traffic of this magnitude. The current infrastructure just isn’t designed to handle this amount of traffic traversing its network. The best method of mitigating these attacks isn’t with onsite DDoS appliances, but with cloud providers like Akamai (formerly Prolexic), Cloudflare, or Google Jigsaw. They’ve positioned their network to be resilient, with multiple scrubbing centers throughout the world to absorb and filter the malicious traffic as close to the source as possible. By using anycast and having traffic from customers directed to them via BGP, these cloud providers make sure they don’t become a bottleneck and allow customers to receive large amounts of bandwidth via proxy. I personally feel this is the only way to efficiently defend against the volumetric attacks we’ve seen this past month. Also, Colin Doherty was announced as the new CEO of Dyn this October 6th. He was the former CEO of Arbor Networks (a company selling and specializing in on-premise DDoS solutions). I don’t know if this had anything to do with the situation, but it’s interesting. If anything, hopefully his experience in the industry helped with the mitigation.
For the cloud providers who are absorbing and mitigating DDoS traffic on their networks, they’re going to have to expand their available bandwidth quickly. Many cloud-based DDoS mitigation providers need to have bandwidth increased by a certain percentage each time they see an attack increase. They all want to be a particular percentage higher than the largest DDoS attack on record. This is because they too have to scale towards the attacks as they come in. They’re not only dealing with the one large attack occurring today, but possibly three more like it tomorrow at the same time. These providers need to keep a close eye on bandwidth utilization and attack size monthly to keep up with the growing botnet sizes.
I’m not sure what happened with the Dyn DNS attack from a mitigation standpoint, but it’s a good opening for customers to start speaking with their third party vendors on incident response, especially on DDoS. Many third parties say they have DDoS prevention, but how? Is it home grown? On-premise? In the cloud? These questions need to be answered. Also, if a DDoS hits a SaaS provider, will all clients go down? These and similar questions need to be asked of your cloud providers to validate that your hosted services will be available when needed.
IoT will continually be an issue going forward when it comes to DDoS. I don’t see anything in the near future putting a stop to the abuse of IoT systems on the internet. In Brian Krebs’s latest article he mentions Underwriters Laboratories and how they’ve been used in the past to become a sign of approval for devices going to market in the electronics field. I think there does have to be something similar in the future that assists with reviewing the code of appliances before they are put onto the internet. At this point I’d settle for standard OWASP Top 10 type scans, but would like to see static analysis testing done for vulns. I don’t know how this will work with systems overseas, since most of the Mirai botnet consisted of infected DVRs and IP cameras from a Chinese company named XiongMai Technologies. Either way, we need to at least follow standard security practices of password management, patching and secure coding when it comes to IoT devices. This isn’t rocket science, especially when many of these systems were using default hardcoded passwords and being logged into remotely with telnet. Sigh.
My concern with botnets of this size is that someone’s going to create multiple IoT botnets quietly and unleash something with traffic levels that can’t be stopped. There are other vulnerable IoT systems on the web which will eventually be found, but what if this time they weren’t used right away? What if the creator keeps finding other vulns in different systems and ends up with a botnet-of-botnets with enough power to overwhelm even the largest DDoS cloud providers? Now take this a step further: what if this was then used for political purposes or terrorism? I know this sounds like fear mongering, but it’s a valid concern. In this case, people would die or be hurt in the process. This is a concern of mine with the amount of insecure IoT devices being connected to the internet today. It might seem farfetched, but it’s no longer outside the scope of reality. The Mirai botnet was seen as being used in the Dyn DNS attack (by Flashpoint, L3 and Akamai), but it seems that there were other systems being controlled in the botnet too. It just seems that there’s a never-ending pool of IoT devices that attackers can select from at this point.
As of right now I haven’t seen any official motive for the attack, but there doesn’t always have to be one. I saw people mention that it’s a test for the United States election, WikiLeaks took credit for it due to America pulling Assange’s internet, internet activists blaming Russia, etc. Either way, everyone in security needs to be prepared for these attacks and if you’re not already planning now, at least start thinking about it. We’re no longer given the luxury of being comfortably numb.

Posted in SBN

United States vs Russia: Cyber-Saber Rattling Reaches All Time High

The cyber-saber rattling has reached an all-time high between the United States and Russia. According to the NBC News and other media outlets: 

“Current and former officials with direct knowledge of the situation say the CIA has been asked to deliver options to the White House for a wide-ranging “clandestine” cyber operation designed to harass and “embarrass” the Kremlin leadership.” 

While America is “choosing targets”, or, as Joe Biden recently said in the link above, preparing to “send a message to Putin” which will be “at a time of our choosing”, it is falling directly into what our adversaries want. They’re goading us into creating another cold war, except this time it’s cyber-related.

What America, or honestly anyone under attack, needs to do first is establish a solid defense of their own networks and systems. We’re worrying so much about attacking other nations, or showing who has the biggest cyber muscles, that we’re continually leaving ourselves vulnerable to attack. A nation under the microscope, especially during an election year, needs to hunker down and protect itself before anything else. We keep hearing questions about how our leaders will increase cyber security and their first response to this question is to go on the attack. Today’s cyber-elephant is Russia, yesterday it was China, next month it will be someone else, but we’re still not fixing the problem. This problem is compounded by everyone sucking at security to begin with and having the ol’ cyber beer muscles when they’re offended/hacked. What makes a nation with its newfound cyber toys think going on the offense with a weak defense will succeed? Not good.

We’re taking the bait Russia is throwing at us and we’re being drawn into another fight for no reason. If we put the same focus on protecting our data that we did on trying to exploit someone else, we might not be in this mess. Our attackers are going to change, and trying to pummel them into submission will only increase the attacks towards us. We need to clean our house first before we even consider going on the offensive. I’m not saying we should sit back and let other nations bully us from afar, but there needs to be real wisdom on when we should initiate an offense. We surely shouldn’t engage because we’re embarrassed or because our pride is hurt. Lord knows we’ve made similar attempts ourselves. Hopefully, we’ll realize this before it’s too late.

Universities Get an “F” in Cyber Security

A recent article by “The Institute” brings up the topic of students and schools both shying away from cyber security education. The article goes on to say:
“Only three of the top 50 university computer science programs in the United States require students to take a cybersecurity course, and many don’t even offer a class on the subject, according to a recent study by CloudPassage, a cloud computing security company.”
They happen to quote our friends at CloudPassage and the study they did regarding the same subject. Within their study, they have a few Key Findings, but this one stands out:
“None of the top 10 U.S. computer science programs require a cybersecurity course for graduation. In fact, three of the top 10 university programs don’t even offer an elective course in cybersecurity.”
This finding shows that the leaders in charge of education aren’t taking cyber security seriously. It’s still seen as an afterthought and not a skill that applies across every discipline of academia. This limited mindset has helped cause a gap in knowledge and has left employers scrambling when it comes to hiring real talent. Consider this quote from their article:
“The skills gap is so wide, he says, that employers are recruiting from other fields, like biology and law, to find talent. People in such fields, he points out, have learned skills required of cybersecurity professionals, such as problem-solving and finding flaws in human and legal systems, which can translate to computer systems.”
I’m glad that security is becoming integrated into schools, but it’s concerning that it’s more of an afterthought, instead of a requirement. Hopefully, as time goes by we’ll continue to see the awareness of cyber security pushed into all disciplines during the education process and beyond.

The Biggest Cybersecurity Threats Are Inside Your Company

This may come as a shock to the majority of the public, but the majority of threats (as defined by CSOs, IT managers and security specialists) are found within the confines of the company itself. Yes, hackers do still exist and there are times when they succeed in their nefarious deeds, penetrate security measures and cause a breach. And, while this type of cyberthreat is the kind to be highlighted on the front pages of newspapers and magazines, it represents but a small fraction of cybersecurity threats to a company.
Whether they want to believe it or not, the biggest threat to the overwhelming majority of companies comes from within. Whether their actions were intentional or not, employees, not hackers, are considered to be the larger threat to a company’s security. Most alarming is that these incidents of error are not decreasing, but are increasing steadily.
In a recent study by IBM, it was found that a third of all cyberattacks that a company faces can be directly linked to the actions (or lack thereof) of its employees. Disgruntled employees who often have access to sensitive, and even classified, data are a likely cause. These employees simply copy the data to a flash drive or upload it to a third party cloud service, and just like that the company’s security measures have been breached. These types of offenders are usually trained and know the ins and outs of the system well enough to bypass its security protocols. These employees are methodical and act with deliberate intent, often having planned the heist for weeks or months ahead of time.
Then there are opportunists. These bad apples often stumble across a weak link in the security fence, quickly exploit it and harvest any and all data made available to them. They often do not know what to do with the data they just pilfered. If the data can be easily liquidated for money then that is the most likely course of action; however, another likely event is that they would sell the information on the black market, which in this day and age is easily accessible via the Dark Web.
Finally, there is the last category, which is a catch-all for errors of omission. These can include anything from poor email handling strategies to bad decision making and falling for phishing. Basically, in this category employees do not intend to expose their company to a cyberthreat, but because they failed to pursue the correct course of action, they have basically let the fox in the hen house.
The bad news is that these are very real scenarios and the role that insiders play in putting the company in danger has been on a steep uptick. The good news is that strategies can be implemented to decrease such incidents and even eliminate them altogether (in some cases). Errors of omission, while broader, may be the easiest to tackle, because there are protocols that can be created to plug the leaks and fortify the wall of security that surrounds a company’s systems. Email handling, web surfing and download protocols should be created and enforced throughout the organisation without exception. And yes, that includes the C-suite of executives.
The human component is a bit harder to deal with, as you never know when the “switch” will be flipped in the minds of people. What may be a great and stalwart employee one day may very well be a malicious hacker the next day. Compartmentalisation of systems and restricting access to those that have been cleared will definitely decrease the amount of intrusions and internal hacks that occur. Furthermore, making things just a little bit harder to access is often all it takes to deter or hinder the opportunist from going through with the crime. By creating a blacklist of sharing software and cloud services that can be run on company devices, you are effectively decreasing the number of outlets through which a disgruntled employee can smuggle out company data. Employ deep analytics that are able to track who has accessed what files and directories, and which can send out a warning if file transfers are taking place.
It should go without saying, but it is still worth mentioning that the easiest way to prevent a lot of intrusions and cybersecurity threats is to implement a data security plan. Many would be surprised at how the implementation of even the most minimal of security measures is effective at deterring a great deal of threats, both external and internal. The amount of threats your company is exposed to just gets smaller the more layers of security are added. While this last piece of advice may seem like a “no-brainer”, the sad fact is that more often than not businesses choose to operate without even the most basic of cybersecurity measures.

While it may seem normal, even natural, for companies to keep their vigilant eyes looking outwards, they should pay equal attention, if not greater, to the goings-on and threats that may come from within. So why then does it seem that only external attacks make the headlines? Well, that’s because no company ever wants to admit that it hires criminals or those that can be perceived as criminals. There are public relations and optics to worry about, after all. Now more than ever, companies must know, or should know, their employees on a much deeper level in an attempt to discern their motives, intent and whether or not they are seeking to harm the company. This is not to say that companies should not trust their employees; indeed, doing so may very well lead to that company’s demise. However, the figures do not lie. Attacks are coming from within, and since companies are already investing in security to prevent attacks from without, it should not take that much more to implement measures against internal cyberattacks.

Guest Author: David Share, Director at Amazing Support
http://www.amazingsupport.co.uk/
David has held positions as Operations Director and Head of IT in legal and professional firms for more than 10 years. He is a Director and co-owner of Amazing Support, a Microsoft Silver accredited and specialist Managed IT Support and IT Services company. David actively helps SME businesses receive better Managed IT Support and IT Services in the London and Hertfordshire areas. He also assists overseas companies who are looking to expand their business operations into the UK and helps with their inward investment IT process. He is a professional member of The Chartered Institute for IT (BCS) and an event speaker promoting business start-ups and technology awareness. Married with a son, you will often see him riding his bicycle around the Hertfordshire towns! David regularly participates in charity bike rides for the British Heart Foundation.

The Winner of the 2016 Presidential Election is: Cybersecurity! (sorta)

Watching the train wreck which is this year’s race for President of the United States of America has shown me that the true winner of these debates is Cybersecurity (yeah, that’s corny, but seriously, read on). Never have I personally seen cybersecurity, or the lack of security, play such a large part in an election year. No matter who becomes President next month, it’s been interesting to see the effects that security has had on both campaigns. This is both encouraging, since some major light has been shone on some serious issues, and disappointing, because these are the same concerns being brought up year after year. Either way, here are some keystone moments (and links) from this year that highlight cyber security as the clear winner of this year’s election:

We’ve all known for quite some time that e-voting security has been a disaster. This election cycle is the first time that I’ve seen such attention brought to it (which is awesome). I’m expecting both sides to blame it as a potential reason that they really lost to the other (you don’t think they’d actually accept defeat, do you?). But, seriously, this is a big deal. I completely agree with adding additional regulation within this area and wholeheartedly concur that this technology should be deemed critical infrastructure. I don’t generally like adding regulation to technology, but in this case I think it’s important. When hackers, or nation states, have the capability to influence the election of a country, the citizens of that nation have their voices silenced and democracy is no longer present. This is a big deal and probably the biggest issue I’ve seen come from this election from a cybersecurity perspective.
It’s interesting to see how easy it is to shift blame when needed, but it’s happened to both sides already. At this point the DNC and the RNC have had to comment on whether or not Russia is attempting to influence the debates by hacking into the DNC and dumping data to WikiLeaks. There was some dirty laundry released by WikiLeaks showing a few issues occurring within the DNC during the election process that eventually led to the resignation of the DNC party leader. This has been the year of doxing, where no information is considered safe! Hopefully, this sheds light on the way data is handled and how other countries and organizations can use it if it isn’t handled properly. I really think this is just the beginning of the way foreign powers will attempt to sway elections using hacking as their tool for disruption.
It was found that anyone within Hillary Clinton’s campaign who was going to speak about Donald Trump, in a disparaging way, was to use Signal for their communication. Signal is an encryption app for mobile devices that’s been vetted via open source. This shows that people are now putting thought behind what they’re sending and is increasing awareness and the usability of encryption. 
Hillary Clinton’s tech team used a tool called BleachBit in order to wipe her mail server. Over the past couple of months, due to security issues, the Clinton campaign has turned to cybersecurity tools to defend, or hide depending on your party affiliation (LOL), data that’s been communicated through her campaign. Whichever way you lean, just the mention of these tools in the media shows how far we’ve come.
The original Guccifer made a name for himself by admitting he hacked Hillary Clinton’s mail server. After he was held in custody, his namesake came through again and someone is purportedly releasing information regarding the DNC that was compromised. This has been reported to be the Russians, but it shows the anonymity of the internet and how old methods of dealing with political issues have now become irrelevant.
Edward Snowden and others are making the case that he should be granted a Presidential pardon from Obama before he leaves office. It’s my personal opinion that Edward Snowden did America, actually the entire globe, a service by unmasking the issue of mass surveillance. What he did was illegal, but it was needed to bring reform. Revolutions are never legal, and it will be interesting to see if President Obama comes through with his promise of protecting whistleblowers.
This has been discussed ad nauseam, but it’s really what started the debate on cybersecurity in this year’s election. The debate over hosting a personal mail server and letting that user determine which messages get deleted is still raging. Clinton has admitted that it was a mistake, and hopefully this stops others from being careless in the future with sensitive information.
Not to pick on the DNC, but it seems that many of these cyber issues have been related to their party: it was reported that there were many phishing attempts generated towards Clinton’s site and email, some of which she seems to have fallen for. This shows that phishing is still an attack vector that attackers are going to fall back on as their default tool, because people will eventually fall for it.
Throughout the year cybersecurity has become a speaking point for the candidates. From talking about offensive attacks, Snowden, how to handle the complex problem of security going forward, etc., it shows that this is something not only on the candidates’ minds, but on the people’s minds. This is proof cyber security is an epidemic if it’s being brought up between the Syria crisis, budget issues and unemployment.
So, with all these cyber related issues being brought up during this year’s election, it’s a major win for security. I’m hopeful that these issues being brought up will continue the conversation and assist with awareness, not only within the government, but with other organizations and people. At this point, whether Trump or Clinton gets elected or a giant meteorite destroys Earth (the third option is looking good right now), cyber security has taken center stage the past couple of months and I’m optimistic it could bring about positive change.