Monday, January 9, 2017

Three Critical 2017 Predictions for Global Cyber Security

Leo Taddeo, Chief Security Officer, Cryptzone

The US will take a more aggressive position on international cyber security that will lead to cyber escalation between Nation States.

As with any transition of Presidential power, we’re in a honeymoon period between Nation States. Make no mistake, however: the first thing our adversaries are doing is figuring out where to “pick a fight” to see what they can get away with.

For example, Russia has a track record of positive initial meetings with President-elects, while they test how much they can extract from them. But soon enough, Russia’s concerns will be intractable and Trump will be forced to face reality: Russia will not change its behavior.

We are already seeing Russia test Trump. Just this week, Putin said about Russia’s military, “We can say with certainty: We are stronger now than any potential aggressor. Anyone!” These kinds of comments will not sit well with an aggressive President-elect, and a Cabinet full of former US military.

With relations strained between Trump and the Obama Administration, negotiations between the US and Russia have already been sent into a tailspin. All of this will lead to cyber escalation.

While Trump has been playing nice – some say too nicely – with Russia, he’ll eventually overreact and take proactive measures, which is more his style.

Another “Russia intractable” is Ukraine. Because US influence in Ukraine threatens Russia, and the US won’t leave Ukraine’s fate in Russia’s hands, both countries will use cyber tools to try to get what they want: information.

China is another example. Cyber relations with China are already unstable with the incoming US leadership. Trump is taking China head on, with regular comments on its currency devaluation, abuse of trade policies and the volatile Taiwan relationship.

In response to a new, perhaps more hostile Trade Secretary, China has indicated that “China like every other country is closely watching the policy direction the US is going to take.”

In September 2015, Obama agreed with China that neither side would engage in cyber espionage in business. It was a gentleman’s agreement, based on goodwill, that isn’t binding or enforceable. From detectable cyber activity, there seems to have been a decrease in cyber espionage, supporting the notion that both sides have been honoring the agreement. If that goodwill doesn’t exist with China, and it seems that it does not in the President-elect’s approach, all bets are likely off.

The world is not equipped to handle sophisticated, multi-site cyber attacks, especially against financial institutions. Stolen money will be reinvested in “hacker R&D” creating future chaos. 

Countries and corporations are not prepared to deal with advanced cyber attacks. In the February 2016 Bank of Bangladesh hack against the SWIFT system, criminals stole $81M—and most of it is still unrecovered. Hackers are already re-investing these funds to develop techniques to target less well protected institutions, which isn’t good news for network defenders.

The IoT is becoming even more commonplace, and the lack of set standards and regulations leaves us with more and more unsecured devices, widening the playing field of opportunity for hackers.

DDoS is becoming sexy again because we’re entering a different era in terms of volume, in part due to the number of IoT devices now online. We should anticipate an acceleration in DDoS attacks because some of these devices simply can't be fixed or properly secured. 

The October 2016 Dyn DDoS attack is a good example of the above two trends. And the IoT botnet used in that attack, Mirai, shows signs of evolving now that its source code has been released publicly.

Companies will soon make the official transition to cloud, as they’ll stop viewing it as a risk and more of a sanctuary. They’ll also start establishing a “TSA-type security pre-check in line” to services for approved clients that will isolate channels for customers (i.e., they won’t be public facing) in order to avoid the Internet cesspool. 

Context is the next evolution of identity and people will, finally, stop caring about giving up privacy in order to prevent attacks. 

We’ll see identity finally move beyond a username and password: signals like what device you’re on, why you’re asking and in what context, and whether the request originates from the enterprise or from a mobile device. These signals are seamless (invisible to the user); they will take precedence, be embedded in everyday use, and travel wherever users do.

The resource (device, company, network, app, etc.) will care about who you are in the move to cloud and BYOD environments. As part of this, users will give up privacy to access the resource.

This trade-off is fair. You must provide enough proof of who you are when asking for access to a valuable, shared resource. Users already sign end user license agreements, which most don’t read, and scroll as fast as possible to click accept, granting necessary access. The vast majority of the population views this as a fair and acceptable trade.

About the Author
Leo Taddeo, former Special Agent in Charge of the FBI's NY cybercrime office, is now member of the Citizens Crime Commission of NYC and CSO at Cryptzone.

Tuesday, December 20, 2016

Hackers Can Access Flight Controls through Entertainment System

Just in time for your Christmas and holiday travel!

12/20/2016 - Eskenzi PR Ltd. - IOActive recently did some research into a flaw in an in-flight entertainment system used by major airlines including Emirates, Virgin and Qatar that could let hackers access a plane's controls.

Commenting on this, Art Swift, president of the not-for-profit prpl Foundation that aims to make the IoT more open, interoperable and secure, said, "Travellers this holiday season will be horrified to hear that in-flight entertainment systems could be used to help hackers gain access to their favourite airline’s flight control system, but the truth is it’s something which prpl has been talking about publicly since the flaw was first disclosed - and it’s not just airplanes that are at risk. Technology plays an important role in getting us from here to there, but without separation of critical aspects within the systems, keeping critical controls such as steering, braking or heating and cooling that could potentially cause damage apart from less critical aspects like entertainment, hackers can worm their way around systems and potentially cause real devastation. For this reason, the prpl Foundation has come up with its free 'Security Guidance for Critical Areas of Embedded Computing' for developers, manufacturers and engineers that outlines exactly how this security separation is possible."

What’s Ahead for 2017: The RSAC Advisory Board Industry Predictions

If you’re wondering where things are headed in the coming year, you’re not alone. RSA reached out to its RSA Conference Advisory Board to find out what they expect will happen in the world of cybersecurity as we enter 2017. From intergovernmental cyber-conflicts to a rocky road for the Internet of Things, read what’s potentially around the corner.

Thursday, December 1, 2016

Top 10 Rock and Roll Cybersecurity Predictions for 2017

It's that time of year again. Time for information security predictions for 2017. This year, we have an interesting twist on predictions by tying them to classic rock lyrics. It's interesting how prescient the lyrics are.

Monday, November 7, 2016

Hacking the Elections

Quick key takeaways from Hacking the Elections by Ian Gray

-- The U.S. election landscape is made up of approximately 9,000 different state and local jurisdictions, providing a patchwork of laws, standards, processes, and voting machines. This environment is a formidable challenge to any actor -- nation-state or not -- who seeks to substantially influence or alter the outcome of an election. Doing so would require mastering a large number of these disparate cyber environments and finding a multitude of ways to manipulate them. An operation of this size would require vast resources over a multi-year period -- an operation that would likely be detected and countered before it could come to fruition.

-- WikiLeaks founder Julian Assange continues to claim objectivity and transparency in his reporting; however, recent events have shown that WikiLeaks may be a pawn -- witting or unwitting -- that has been leveraged by the Russian government as an outlet for stolen information damaging to the Democratic National Party.

-- While Guccifer 2.0’s sources are debatable, the hacker has indeed been effective in launching an information and propaganda campaign that has, at least to some degree, disrupted the track of the U.S. election.

-- Aside from the various political-influence campaigns, the FBI has confirmed that malicious actors have been scanning and probing state voter databases for vulnerabilities. Though the actors were operating on servers hosted by a Russian company, those attacks are not, for the moment, being attributed to an actual Russian state-sponsored campaign.


Thursday, October 27, 2016

New Stats on Dyn DDoS Attack Size

Imperva Releases More Information on the Dyn Attack

Ofer Gayer, product manager at Imperva for the Incapsula product line, explains:

“There is still quite a bit of speculation swirling on the size of the DDoS attack on Dyn last Friday. We know there were 100,000 Mirai botnet nodes – which is not especially large in our experience. So, in our estimation, there are two likely causes. The attack may have been a high-volume attack – over 500 million packets per second – that overwhelmed the Dyn infrastructure. Or, the attack may have been relatively small – 50-100 million packets per second – and the attack itself was ‘amplified’ by what is known as a retry storm from their millions of legitimate users, making the job of differentiating between good and bad traffic very hard.”

Additional Information:

Q. Is a 100,000-node botnet big?
A. Not really. Imperva has published an example of a 180,000-node botnet being mitigated.

Q. Are DNS services especially vulnerable?
A. They do suffer from being open systems:

"Effective DDoS mitigation is synonymous with accurate traffic filtering. For that reason DNS amplification attacks are actually easier to deflate as all uninitiated DNS responses are highly suspect and could be filtered on-edge, without any impact on the regular traffic flow. For example, one could categorically drop all unexpected DNS responses to port 53.

However, this isn’t the case for seemingly legitimate DNS flood queries, which cannot be dismissed before they are individually processed at the server level.

With on-edge filtering bypassed, and the path to the server CPU cores laid wide open, DNS floods have the potential to bring down even the most resilient of networks."
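The distinction Imperva draws above, that an unsolicited DNS response can be dropped at the edge while a DNS query has to reach the server, is easy to show in code. The following is an added example written for this page, not Imperva's or Incapsula's code: a tiny edge filter that remembers the queries its own resolver sent out and accepts only the responses that match one of them. The `Packet` record, the IP addresses and the sample traffic are constructed for illustration.

```python
"""Edge filter: drop unsolicited DNS responses, forward queries to the server.

Added example for this page (not Imperva/Incapsula code). Packet fields,
addresses and the sample traffic below are constructed for illustration.
"""
from dataclasses import dataclass

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    is_response: bool   # the QR bit of the DNS header
    txid: int           # DNS transaction ID
    size: int           # UDP payload bytes


class EdgeFilter:
    """Keeps a table of outstanding queries our resolver sent out.

    A DNS response that does not match an outstanding (client, port, server,
    txid) tuple was never asked for and is dropped before it reaches any
    server CPU. Queries cannot be judged here; they are forwarded.
    """

    def __init__(self):
        self.outstanding = set()
        self.dropped = 0
        self.bytes_blocked = 0
        self.to_server = []

    def observe_outbound(self, pkt):
        """Record queries leaving our network toward port 53."""
        if not pkt.is_response and pkt.dst_port == DNS_PORT:
            self.outstanding.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.txid))

    def inbound(self, pkt):
        """Classify one inbound packet; returns the action taken."""
        if pkt.is_response:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.txid)
            if key in self.outstanding:
                self.outstanding.discard(key)
                return "accept-response"
            self.dropped += 1
            self.bytes_blocked += pkt.size
            return "drop-unsolicited"
        # A query looks legitimate on the wire; only the server can decide.
        self.to_server.append(pkt)
        return "forward-query"


# Constructed sample traffic (RFC 5737 documentation addresses).
OUR_RESOLVER = "192.0.2.10"
SAMPLE_INBOUND = [
    # matching reply to the query we sent in run_demo()
    Packet("198.51.100.53", 53, OUR_RESOLVER, 40000, True, 0x1234, 200),
    # two large responses we never asked for (reflected amplification traffic)
    Packet("203.0.113.7", 53, OUR_RESOLVER, 53, True, 0x9999, 3200),
    Packet("203.0.113.8", 53, OUR_RESOLVER, 53, True, 0x9998, 3200),
    # two plain-looking queries (a DNS flood is made of these)
    Packet("198.51.100.77", 51000, OUR_RESOLVER, 53, False, 0x0001, 60),
    Packet("198.51.100.78", 51001, OUR_RESOLVER, 53, False, 0x0002, 60),
]


def run_demo():
    """Run the sample traffic through the filter and summarise the outcome."""
    f = EdgeFilter()
    f.observe_outbound(Packet(OUR_RESOLVER, 40000, "198.51.100.53", 53, False, 0x1234, 60))
    results = [f.inbound(p) for p in SAMPLE_INBOUND]
    return {
        "results": results,
        "dropped": f.dropped,
        "bytes_blocked": f.bytes_blocked,
        "queries_to_server": len(f.to_server),
    }


if __name__ == "__main__":
    print(run_demo())
```

The two 3,200-byte responses never reach a server; the two 60-byte queries do, which is exactly why a query flood is the harder case: the filter has no state that lets it reject them.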

Q. How can companies prevent attacks on their DNS infrastructure?

Q. Is Mirai that sophisticated?

Q. Has the Incapsula network been hit with Mirai?

Q. What’s a big DDoS attack measured in million packets per second (Mpps)

Wednesday, October 26, 2016

Corero Warns of Powerful New DDoS Attack Vector with Potential for Terabit-Scale DDoS Events

New zero-day attack vector has significant amplification factor and could be used to enhance effectiveness of botnet tools used to launch recent attacks on Dyn, Krebs on Security and OVH

Marlborough, MA and London, UK – October 25, 2016 – Corero Network Security today disclosed a significant new zero-day DDoS attack vector observed for the first time against its customers last week. The new technique is an amplification attack, which utilizes the Lightweight Directory Access Protocol (LDAP). LDAP is one of the most widely used protocols for accessing username and password information in databases like Active Directory, which is integrated in most online servers.

While Corero’s team of DDoS mitigation experts has so far only observed a handful of short but extremely powerful attacks against their protected customers originating from this vector, the technique has the potential to inflict significant damage by leveraging an amplification factor seen at a peak of as much as 55x. Therefore, in terms of its potential scale, if combined with the Internet of Things botnet that was utilized in the recent 655 Gigabyte attack against Brian Krebs’s website, we could soon see new records broken in the DDoS attack landscape, with potential to reach tens of Terabits per second in size in the not too distant future. The DDoS landscape has been extremely volatile in recent weeks, particularly with the release of the Mirai code and subsequent Mirai infected Internet of Things (IoT) devices, and we expect this trend to continue for the foreseeable future.

Dave Larson, CTO/COO at Corero Network Security, explains: “This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison. When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet – at least degrading it in certain regions.”

Reflection and Amplification Attacks
In this case, the attacker sends a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP) and using address spoofing makes it appear to originate from the intended victim. The CLDAP service responds to the spoofed address, sending unwanted network traffic to the attacker’s intended target. 

Amplification techniques allow bad actors to intensify the size of their attacks, because the responses generated by the LDAP servers are much larger than the attacker’s queries. In this case, the LDAP service responses are capable of reaching very high bandwidth and we have seen an average amplification factor of 46x and a peak of 55x. 

Dave Larson explains: “LDAP is not the first, and will not be the last, protocol or service to be exploited in this fashion. Novel amplification attacks like this occur because there are so many open services on the Internet that will respond to spoofed record queries. However, a lot of these attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before these requests are admitted to the network. Specifically, following the best common practice, BCP 38, described in the Internet Engineering Task Force (IETF) RFC 2827, which describes router configurations that are designed to eliminate spoofed IP address usage by employing meaningful ingress filtering techniques, would reduce the overall problem of reflected DDoS by at least an order of magnitude.
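Two defender-side checks follow from the reflection description and the BCP 38 remark above. The first flags inbound CLDAP traffic that a host never solicited and estimates the amplification factor from the observed response size; the second is the RFC 2827 ingress rule itself, which drops packets entering from a customer link whose source address is not in that customer's assigned prefixes, so a query with a spoofed victim address never leaves the provider's edge. This is an added example for this page, not Corero's code or product: the flow records, prefixes and byte counts are constructed, and the 52-byte query size used for the ratio is an assumption; only the CLDAP port (UDP 389) is real.

```python
"""Reflection/amplification checks on the defender side.

Added example for this page (not Corero code). Flow records, prefixes and
sizes are constructed; QUERY_BYTES is an assumed query size. UDP/389 is the
real CLDAP port.
"""
import ipaddress

CLDAP_PORT = 389
QUERY_BYTES = 52           # assumed size of one CLDAP query datagram
ALERT_RATIO = 10.0         # flag anything amplified more than this

# Constructed inbound flow records at the victim's edge:
# (src_ip, src_port, dst_ip, dst_port, bytes, packets)
INBOUND_FLOWS = [
    ("203.0.113.10", 389, "192.0.2.5", 4444, 55000, 20),   # reflector -> victim
    ("203.0.113.11", 389, "192.0.2.5", 4444, 46000, 20),   # reflector -> victim
    ("198.51.100.9", 52000, "192.0.2.5", 443, 3000, 20),   # ordinary client
]


def suspect_reflection(flows, solicited_servers=frozenset()):
    """Return (src_ip, amplification) for CLDAP responses nobody asked for.

    A flow whose source port is 389 is a server answering; if the destination
    host never queried that server, the traffic is reflected. Amplification is
    estimated as bytes-per-response-packet over the assumed query size.
    """
    findings = []
    for src, sport, dst, dport, nbytes, npkts in flows:
        if sport != CLDAP_PORT or src in solicited_servers or npkts == 0:
            continue
        ratio = (nbytes / npkts) / QUERY_BYTES
        if ratio >= ALERT_RATIO:
            findings.append((src, round(ratio, 1)))
    return findings


def bcp38_ingress_filter(packets, customer_prefixes):
    """RFC 2827 ingress filtering on a customer-facing interface.

    Only sources inside the customer's assigned prefixes are accepted; a
    packet carrying someone else's address (the spoofed victim) is dropped
    before it can reach any reflector. Returns (accepted, dropped).
    """
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    accepted, dropped = [], []
    for src, dst in packets:
        if any(ipaddress.ip_address(src) in n for n in nets):
            accepted.append((src, dst))
        else:
            dropped.append((src, dst))
    return accepted, dropped


# Constructed packets arriving from a customer assigned 198.51.100.0/24:
# one genuine, one carrying the victim's address as its source.
CUSTOMER_EGRESS = [
    ("198.51.100.20", "203.0.113.10"),
    ("192.0.2.5", "203.0.113.10"),
]


if __name__ == "__main__":
    print(suspect_reflection(INBOUND_FLOWS))
    print(bcp38_ingress_filter(CUSTOMER_EGRESS, ["198.51.100.0/24"]))
```

With these inputs the two port-389 flows are reported at roughly 52.9x and 44.2x, in the range Corero quotes, while the HTTPS client flow is ignored; the ingress filter accepts the customer's own packet and drops the one sourced from 192.0.2.5.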

“Today’s DDoS attacks are increasingly automated, meaning that attackers can switch vectors faster than any human can respond. The only effective defense against this type of DDoS attack vector requires automated mitigation techniques. Relying on out-of-band scrubbing DDoS protection to stop these attacks will cause significant collateral damage. Given the short duration and high volume attacks, legacy solutions simply cannot identify and properly mitigate in time to protect network availability.