As a software engineer, I like it when things work together in new and surprising ways. And especially when they work together to be even better. Like when my Amazon Echo talks to my Nest, my WeMo light switch, or my garage-door opener. Which makes me wonder: When I’m working, why don’t all my tools talk to each other the same way?
Don’t get me wrong – I’m really proud of our Cisco Collaboration tools and how they work with each other: Cisco Spark with integrated video calling, Jabber integrated with Unified Communications Manager, virtual meeting rooms integrated within WebEx.
Why can’t everything else be as simple to use? Why can’t these same tools talk to my email client or other productivity tools? And why, if I’m repeating the same task, do I have to keep doing it? Why can’t my machine figure out that repetitive, mundane task and just take care of it for me? With the advent of cognitive intelligence, there must be a way to make collaboration even better.
I asked these questions over and over, and my team decided to do something about it. So they went and found the best technology gurus to help make things work together. The result? Cisco and IBM coming together in a global alliance to enhance collaboration. This is really interesting. And very exciting, because we are putting our collective expertise toward integrating your business conversations across all channels.
Not only are we working together to have our collaboration technology connect to IBM’s productivity tools, we’re going to leverage the power of Watson. Yes, that Watson. Imagine that kind of cognitive intelligence coupled with our collaboration tools!
It starts with collaboration services that talk to each other, so you can talk to anyone. IBM Connections Cloud Social and IBM Verse will both be “Cisco aware,” giving them a wide range of collaborative enhancements, including better integration with Cisco Spark and WebEx. Cisco Spark and WebEx will be similarly “IBM aware.” This means that you can host a meeting or call a coworker almost instantaneously from a variety of enterprise applications. Likewise, collaboration tools will have integrated enterprise cloud features.
Together, IBM and Cisco are building an open, integrated platform that will foster inspiration and innovation. We’re using the power of the open cloud to bring together key applications that we need to be our most productive. This platform will capture and understand not only our documents, but also the way we work together.
This integrated platform will leverage the power of Watson to analyze the unstructured data in our conversations, content, and workflows, providing insights and expertise to continuously improve the way we work.
Together, we’re creating an intelligent fabric that connects all collaboration workloads. I like to call it “Intelligent Collaboration.”
This is just the beginning of our new alliance. Over the next few months, we’ll share more details about new integrations and capabilities that combine our collective strengths.
It all comes down to simplifying communication, making it more intelligent, making it incredibly intuitive and easy. In short, making it work together to be better. That’s the future of enterprise collaboration – Intelligent Collaboration.
Let’s celebrate that the Internet of Things has arrived! We know it’s finally here because it got used as a cyber weapon three times starting in September 2016. It started with a massive attack on security journalist Brian Krebs, whose website krebsonsecurity.com was hosted and protected by the CDN Akamai. The attack was severe enough to affect Akamai’s other customers, so Akamai dropped its pro-bono defense of the site.
Industry researchers (including F5’s) were alerted to a new botnet composed of DVRs, video cameras, and other “things.” The DVRs and cameras are significant because they have both relatively high CPU capability (and can therefore host sophisticated malware) and high-bandwidth uplinks (from which they launched attacks of up to 100 Mbps each). The total attack traffic directed at Krebs was 620 Gbps, the largest publicly reported DDoS attack at the time.
The second attack knocked out OVH, the largest French hosting provider (number three in the world, if you believe the literature), for much of a day. Many media reports put the OVH attack at nearly double the size of the Krebs attack, approaching a full terabit per second.
The third and possibly worst attack came against Dyn, the DNS services company. Dyn is the DNS provider for many marquee websites, including Twitter, Spotify, and GitHub (where ironically the IoT botnet code was posted).
So, Who Did It?
By strange coincidence, industry luminary Bruce Schneier had been making the interview circuit the previous month warning of massive, nation-state DDoS attacks to come. His inside information came from unnamed industry sources who were spotting calibration DDoS attacks against the core Internet infrastructure.
But, as it turns out, those probing attacks may have been just coincidence. Schneier himself admitted on his blog that he doesn’t think the Dyn attack was a nation-state at all. But maybe that nation-state is just watching and waiting.
The key to attribution in the Krebs, OVH, and Dyn cases may well come from Brian Krebs himself.
“The attack on DYN comes just hours after DYN researcher Doug Madory presented a talk on DDoS attacks in Dallas, Texas at a meeting of the North American Network Operators Group (NANOG). …the record 620 Gbps DDoS against KrebsOnSecurity.com came just hours after I published the story on which Madory and I collaborated.”
Very likely the adversary is an individual (or small group) with an agenda against Brian Krebs or Doug Madory, or both.
We could all understand that millions of users would be affected by a full-scale China-US cyberwar. But if it turns out to be a personal agenda from a single individual against another single individual? That’s even scarier than a nation-state attack. What kind of Internet have we built when a single person with a grudge against another person can interrupt critical services for millions of people?
How Did We Get Here?
F5 has been monitoring the hunt for Internet of Things (IoT) devices for over a year now. Our first report on this issue was published in July of 2016 and showed a 140% year-over-year increase in telnet and SSH brute-force scans. Telnet (TCP port 23) and SSH (TCP port 22) are the standard remote-administration services, and they are often left unknowingly exposed to the Internet with vendor default (or easily guessed) user names and passwords.
The unprecedented DDoS attacks on Krebs, OVH, and Dyn in October of 2016 used exactly this technique (scanning for telnet ports and vendor default passwords on IoT devices) to create a botnet of unique capability.
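The scans described above leave a very recognizable trace in the victim’s own authentication logs: one source address cycling through many vendor-default account names in a few seconds. The following detector is an added example and not part of the F5 report; it parses constructed sshd-style syslog lines and flags sources that fail logins for several different usernames inside a sliding window. The log format, the year used for the timestamps, and the thresholds are assumptions chosen for the demo.

```python
"""Flag telnet/SSH credential-guessing bursts in authentication logs.

Added example, not from the F5 report: parses constructed sshd-style syslog
lines and reports source addresses that fail logins for many different
usernames within a short window, the signature of the default-credential
scans the text describes. Log format, year and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one scanner cycling vendor-default accounts, one human typo.
SAMPLE_LOG = """\
Oct 18 02:14:01 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 41022 ssh2
Oct 18 02:14:02 cam01 sshd[812]: Failed password for admin from 198.51.100.7 port 41023 ssh2
Oct 18 02:14:02 cam01 sshd[812]: Failed password for invalid user support from 198.51.100.7 port 41024 ssh2
Oct 18 02:14:03 cam01 sshd[812]: Failed password for invalid user ubnt from 198.51.100.7 port 41025 ssh2
Oct 18 02:14:04 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 41026 ssh2
Oct 18 02:14:05 cam01 sshd[812]: Failed password for invalid user guest from 198.51.100.7 port 41027 ssh2
Oct 18 02:14:30 cam01 sshd[813]: Failed password for alice from 203.0.113.9 port 50001 ssh2
Oct 18 02:14:45 cam01 sshd[814]: Accepted password for alice from 203.0.113.9 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2016):
    """Return (timestamp, result, user, source_ip), or None for lines we don't handle.

    syslog lines carry no year, so the caller supplies one (assumed 2016 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_scanners(log_text, window_s=60, min_failures=5, min_users=3):
    """Return {source_ip: (failures, distinct_users)} for sources that exceed
    both thresholds inside some sliding window of window_s seconds.

    Requiring several distinct usernames separates a credential scan from a
    single user mistyping one password repeatedly.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "Failed":
            ts, _, user, ip = rec
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # advance the window start until it fits within window_s of the newest event
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u in window}
            if len(window) >= min_failures and len(users) >= min_users:
                if best is None or len(window) > best[0]:
                    best = (len(window), len(users))
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (n, users) in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures across {users} usernames")
```

Run against the constructed sample, only 198.51.100.7 is flagged: six failures across five account names in four seconds, while the single failed login from 203.0.113.9 followed by a success is left alone. On a real device the same logic feeds a block list or an alert; the thresholds should be tuned to the device’s normal administrative traffic.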
Everyone’s a target again. The bot herders aren’t afraid to turn their cyber weapon against some of the largest providers in the world—targets that were previously thought untouchable.
While these attacks might feel like they happened overnight, in reality, the bot herder has been slowly searching for, finding, and compromising vulnerable IoT devices for at least a year.
The collective firepower is likely an order of magnitude greater than previous botnets; north of a terabit per second.
The IoT botnet includes (but is not limited to) the following advanced DDoS techniques. The prescriptive guidance section below will provide recommendations on how to mitigate these, when possible.
HTTP GET Floods Resistant to Redirection
HTTP GET floods were already pernicious. For years, attackers have been able to disable web sites by sending a flood of HTTP requests for large objects or slow database queries. Typically, these requests flow right through a standard firewall because they look just like normal HTTP requests to most devices with hardware packet processing. The Mirai attack code takes it a step further by fingerprinting cloud-based DDoS scrubbers and then working around any 302 redirects that the scrubbers send back. Redirects used to be a good way to stymie simple bots, because a simple flooder never follows the Location header and so never reaches the origin; Mirai parses the redirect and re-issues the request, so this one isn’t simple.
DNS Water Torture
The Mirai bot includes a “water torture” attack against a target DNS provider. It differs from the regular DNS reflection and amplification attack in that the bot itself sends significantly fewer queries and lets the ISP’s recursive DNS servers carry the attack to the target’s authoritative DNS servers. Each bot sends a well-formed DNS query for the target domain name with a randomly generated prefix prepended to it; because the prefix is new every time, no recursive server has the answer cached, and every query is forwarded to the authoritative server. Once that server becomes overloaded and fails to respond, the ISP’s recursive servers automatically retransmit the query to the target organization’s other authoritative DNS servers, attacking those servers on behalf of the bot.
“For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses. When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume.
It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints.”
F5 researcher Liron Segal had detailed the mechanics of the bot’s Water Torture attack in his post weeks earlier—Mirai, the Bot that took down Krebs.
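From the point of view of an ISP running recursive resolvers, or of the provider being targeted, the water torture flood has a distinctive shape in the query logs: a burst of queries for one zone in which the leftmost label is different every time and looks random. The following detector is an added example, not code from the original post or from F5; it runs over constructed BIND-style query-log lines, groups queries by zone, and flags a zone when the prefixes are almost all unique and have high character entropy. The zone heuristic (last two labels), the log format and the thresholds are assumptions for the demo.

```python
"""Spot a DNS "water torture" (random-prefix) flood in recursive query logs.

Added example, not from the original post: every flood query is for
<random-prefix>.<victim-zone>, so per zone we see many distinct, high-entropy
leftmost labels that never repeat. Zone heuristic, log format and thresholds
are assumptions for the demo.
"""
import math
import re
from collections import defaultdict

# Constructed sample lines in BIND query-log style.
SAMPLE_LOG = """\
18-Oct-2016 16:02:11.001 client 192.0.2.10#5353: query: www.example.com IN A +
18-Oct-2016 16:02:11.002 client 192.0.2.11#5353: query: mail.example.com IN MX +
18-Oct-2016 16:02:11.010 client 198.51.100.7#40001: query: q7x2kd9p.victim.net IN A +
18-Oct-2016 16:02:11.011 client 198.51.100.7#40002: query: zt04mbv1.victim.net IN A +
18-Oct-2016 16:02:11.012 client 198.51.100.8#40003: query: a9fh3w2e.victim.net IN A +
18-Oct-2016 16:02:11.013 client 198.51.100.9#40004: query: plq8r5xn.victim.net IN A +
18-Oct-2016 16:02:11.014 client 198.51.100.7#40005: query: m3c6vk7y.victim.net IN A +
18-Oct-2016 16:02:11.015 client 198.51.100.8#40006: query: d8sw1qz4.victim.net IN A +
18-Oct-2016 16:02:11.020 client 192.0.2.12#5353: query: www.example.com IN A +
18-Oct-2016 16:02:11.021 client 192.0.2.13#5353: query: www.victim.net IN A +
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label.

    'www' scores 0.0; an 8-character label of distinct characters scores 3.0.
    """
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(name):
    """Return (prefix, zone). Zone = last two labels: a demo simplification,
    a real deployment would use the public suffix list or its own zone list."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_water_torture(log_text, min_queries=5, min_unique_ratio=0.8, min_entropy=2.0):
    """Return {zone: stats} for zones whose queries look like a random-prefix flood."""
    per_zone = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        prefix, zone = split_zone(m["name"])
        per_zone[zone].append((prefix, m["ip"]))

    suspicious = {}
    for zone, queries in per_zone.items():
        prefixes = [p for p, _ in queries if p]
        if len(prefixes) < min_queries:
            continue
        unique_ratio = len(set(prefixes)) / len(prefixes)
        # entropy of the leftmost label, averaged over the zone's queries
        mean_entropy = sum(label_entropy(p.split(".")[0]) for p in prefixes) / len(prefixes)
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            suspicious[zone] = {
                "queries": len(prefixes),
                "unique_ratio": round(unique_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "sources": sorted({ip for _, ip in queries}),
            }
    return suspicious


if __name__ == "__main__":
    for zone, stats in detect_water_torture(SAMPLE_LOG).items():
        print(zone, stats)
```

On the sample, victim.net is flagged (seven queries, every prefix unique, mean label entropy about 2.6 bits) while example.com, with its repeated www and mail lookups, is not. Note that the legitimate www.victim.net query from 192.0.2.13 is counted among the zone’s sources: the detector identifies the zone under attack, and a resolver operator would then rate-limit or drop only the random-prefix names, not the whole zone.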
Updated Layer 4 Attacks
According to the bot’s creator, the so-called “TCP STOMP” attack is a variation of the simple ACK flood intended to bypass mitigation devices. Analysis of the actual implementation suggests that the bot completes a full TCP handshake and then floods the connection with ACK packets carrying legitimate sequence numbers, so that the packets look like part of an established session and the connection is held open.
Given our understanding of the individual threat vectors with the new IoT bot, we can provide some guidance for the mitigation of those individual threat vectors.
Let’s be clear before we start the guidance. The Krebs, OVH, and Dyn attacks are in a class by themselves. Clearly, existing DDoS mitigation techniques did not easily throw back the attackers—hence the outages and the headline media coverage. However, mitigation eventually did take effect in many cases. And proper architecture, such as using Anycast and dispersed data centers helped, as well. Note that the West Coast and western regions of the US were largely unaffected by the Dyn attack.
Our guidance comes from our own customers. F5 has been delivering applications for the world’s marquee brands for twenty years, and many of those customers get attacked with DDoS every day. Our most experienced customers break their defenses into three or four zones, which the guidance below follows:
Cloud scrubbing, for volumetric attacks beyond what the data center can absorb
Network defense tier, for layer 4 floods
Application defense tier, for layer 7 attacks such as GET floods
DNS, where applicable
A superlative DDoS-resistant architecture therefore layers these tiers. The original post illustrates it with a diagram of the DDoS protection reference architecture, which has been widely used by F5 customers for years. The full reference architecture and recommended practices can be found at F5.com. However, for faster consumption, the guidance relevant to these attacks is detailed below.
The French hosting company OVH was hit with a volumetric attack of 990 Gbps, and there were reports that the Dyn attack peaked at 1.2 Tbps. Attacks of that size can usually only be mitigated by cloud scrubbers that specialize in defense at scale. Cloud scrubbers, including F5’s Silverline DDoS Protection, intercept the attack traffic, scrub it clean, and send only the good traffic to the target over pre-arranged tunnels.
Guidance: Organizations should ensure they have agreements with one or more cloud scrubbers prior to getting attacked. Configuring the pre-arranged tunnels is not something that can easily be done in the midst of a volumetric attack. Contract with a cloud scrubbing DDoS defense as part of your DDoS strategy.
Guidance: Attack diffusion can be your friend for volumetric attacks. Remember that DNS can be your friend, too; Anycast your global data centers for replicated content to diffuse DDoS attacks when they happen. Each data center that participates with Anycast can help divide the attack.
The Mirai bot includes several layer 4 attacks in its arsenal: standard SYN floods, TCP floods, and UDP floods. These ancient threat vectors must be mitigated either at a cloud scrubber or, if they are sufficiently small, at the network defense tier in the data center. The network defense tier is built around the network firewall. It is designed to mitigate computational attacks such as SYN floods and ICMP fragmentation floods. This tier also mitigates volumetric attacks up to the congestion of the ingress point (typically 80 to 90 percent of the rated pipe size).
Guidance: Many firewalls are not resistant to DDoS attacks unless properly configured. Check with your network firewall vendor for settings. Some customers will put anti-DDoS devices in front of their firewalls to repel layer 4 attacks.
Guidance: The F5 firewall module (BIG-IP Advanced Firewall Manager (AFM)), was designed specifically to repel layer 4 attacks. Some architects use BIG-IP AFM for just this case—either in front of, or replacing conventional network firewalls. Hardware appliances with AFM use field programmable gate arrays to repel more than 30 types of packet floods and offload the work from the CPU.
The Mirai bot can generate impressive HTTP GET floods and can handle redirects. Because GET floods look like normal traffic to the network defense devices, they must be handled at the application tier. GET floods are by far the most common application layer attack type that F5 sees, and there are many ways to mitigate them, depending on the product portfolio that a customer is wielding.
Guidance: For bots that can handle simple redirects, F5 recommends either throttling connections based on their requests-per-second metric or using what is called a “login wall.” A login wall requires a connection to be authenticated to the application before it can consume non-cached or dynamic resources such as database queries.
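Both recommendations fit naturally in one small filter at the edge of the application. The following is an added example written for this page, not F5 product code: a request filter that serves static, cacheable paths to anyone, requires an authenticated session before any dynamic (database-backed) path is reached, and charges each client against a per-second budget in which a dynamic request costs more than a static one, so the throttle bites hardest on the requests that are expensive for the backend. The path prefixes, the session store, the costs and the budget are assumptions chosen for the demo.

```python
"""Cost-weighted request throttling plus a "login wall" for dynamic resources.

Added example, not F5 code: a minimal filter in front of an application.
Static paths are served to anyone; dynamic paths need a valid session; every
client has a sliding-window budget of "request units". Path prefixes, the
session store, costs and budget are assumptions for the demo.
"""
from collections import defaultdict, deque

DYNAMIC_PREFIXES = ("/search", "/api/", "/report")   # assumed database-backed routes
VALID_SESSIONS = {"sess-alice-42"}                    # constructed session store
STATIC_COST, DYNAMIC_COST = 1, 5                      # assumed relative backend cost


class EdgeFilter:
    def __init__(self, budget_per_window=12, window_s=1.0):
        self.budget = budget_per_window
        self.window_s = window_s
        self.history = defaultdict(deque)   # client ip -> deque of (time, cost)

    def _spend(self, client_ip, now, cost):
        """Record this request and report whether the client's window is over budget."""
        q = self.history[client_ip]
        q.append((now, cost))
        while q and now - q[0][0] > self.window_s:   # drop requests that left the window
            q.popleft()
        return sum(c for _, c in q) > self.budget

    def handle(self, client_ip, path, cookie=None, now=0.0):
        """Return an HTTP status: 200 pass through, 401 login wall, 429 throttled.

        `now` is injected so the behaviour is deterministic; a real deployment
        would use a monotonic clock.
        """
        dynamic = path.startswith(DYNAMIC_PREFIXES)
        authenticated = cookie in VALID_SESSIONS
        # An unauthenticated hit on a dynamic path is answered by the wall and
        # never reaches the database, so it is charged like a static request.
        cost = DYNAMIC_COST if (dynamic and authenticated) else STATIC_COST
        if self._spend(client_ip, now, cost):
            return 429
        if dynamic and not authenticated:
            return 401    # the bot is handed the login page, not a database query
        return 200


if __name__ == "__main__":
    f = EdgeFilter()
    for t in range(6):
        print(t, f.handle("198.51.100.7", "/search?q=x", now=t * 0.1))
```

With the defaults, an unauthenticated client hammering /search never triggers a query and is stopped by the budget after twelve requests in a second; an authenticated client gets two /search requests per second before being throttled, which is enough for a person and far too little for a bot. The wall does not rely on a redirect, so a bot that follows 302s gains nothing from doing so.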
There are two DNS issues worth talking about in regards to the Dyn attack. The first and most straightforward is what to do if your DNS provider is taken offline by one of the new types of attacks. Dyn was the name-service provider for Twitter, GitHub, and Spotify, so when Dyn was blocked, end-users were unable to find IP addresses for these services.
Guidance: Build resiliency into your DNS plan that includes, but is not limited to, multiple DNS providers to serve addresses for your critical applications. In this way, if one of the providers succumbs to an attack temporarily, the other provider can serve your addresses. It may slow your end users by a few milliseconds, but your applications and services will still be available.
The second issue is what to do if your own DNS server comes under attack. DNS is the most targeted service with HTTP being second. When DNS is disrupted, all external data center services (not just a single application) are affected. This single point of total failure, along with the often under-provisioned DNS infrastructure, makes DNS a tempting target for attackers.
Recall that even if your own server isn’t under attack, an outage downstream of you could cause a different set of DNS servers to flood your DNS servers with requests as they try to fill their own caches. Dyn reported 10 to 20 times normal requests when this happened with them, and that was from legitimate DNS servers trying to cope with the situation.
Guidance: A significant percentage of DNS services are under-provisioned to the point where they are unable to withstand even small-to-medium-size DDoS attacks. DNS caches have become popular as they can boost the perceived performance of a DNS service and provide some resilience against standard DNS query attacks. Attackers have switched to what are called “no such domain” (or NXDOMAIN) attacks: every query is for a name that does not exist and has never been seen, so it can never be served from the cache, every one is forwarded to the authoritative server, and the performance benefit of the cache quickly drains away.
For F5 customers, F5 recommends front-ending the DNS services with the DNS proxy module called F5 DNS Express™. DNS Express acts as an authoritative responder in front of the existing DNS servers. It loads the zone information from those servers and answers every request itself, returning NXDOMAIN for names that do not exist in the zone. Because it is not a cache, it cannot be emptied by NXDOMAIN query floods.
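The difference between the two designs is easy to see in a simulation. What follows is an added example, not F5 code and not a model of how DNS Express is built internally: two toy front ends for the same backend authoritative server. The caching front end answers only names it has seen before and forwards everything else, so a random-prefix flood hits the backend once per query. The zone-holding front end loads the zone once and answers every query itself, NXDOMAIN included, so the backend sees nothing. The zone data, the query mix and the flood size are constructed for the demo.

```python
"""Why a DNS cache does not stop random-prefix/NXDOMAIN floods, and why a
front end that holds the whole zone does.

Added example, not F5 code and not a model of DNS Express internals. Zone
data, query mix and flood size are constructed for the demo.
"""
import hashlib

# Constructed authoritative data for example.com.
ZONE = {
    "example.com": {"A": ["192.0.2.1"]},
    "www.example.com": {"A": ["192.0.2.10"]},
    "mail.example.com": {"A": ["192.0.2.20"]},
}


class Backend:
    """The origin authoritative server we are trying to keep alive."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def lookup(self, name, rtype):
        self.queries += 1
        return self.zone.get(name, {}).get(rtype)   # None means NXDOMAIN


class CachingFrontEnd:
    """Answers from cache when it can; every miss (including a negative one)
    costs the backend a query. Random names are always misses."""

    def __init__(self, backend):
        self.backend = backend
        self.cache = {}

    def resolve(self, name, rtype):
        key = (name, rtype)
        if key not in self.cache:
            self.cache[key] = self.backend.lookup(name, rtype)
        return self.cache[key]


class ZoneFrontEnd:
    """Loads the zone once (think zone transfer) and answers everything itself,
    NXDOMAIN included; the backend is never consulted per query."""

    def __init__(self, backend):
        self.backend = backend
        self.zone = dict(backend.zone)

    def resolve(self, name, rtype):
        return self.zone.get(name, {}).get(rtype)


def simulate(front_end_cls, n_flood=1000):
    """Run repeating legitimate traffic plus a random-prefix flood through a
    front end and return how many queries reached the backend."""
    backend = Backend(ZONE)
    fe = front_end_cls(backend)
    for _ in range(50):                       # legitimate, repeating lookups
        fe.resolve("www.example.com", "A")
    for i in range(n_flood):                  # flood: a never-repeating prefix each time
        label = hashlib.sha256(f"flood-{i}".encode()).hexdigest()[:16]
        fe.resolve(f"{label}.example.com", "A")
    return backend.queries


if __name__ == "__main__":
    print("caching front end, backend queries:", simulate(CachingFrontEnd))
    print("zone front end, backend queries:   ", simulate(ZoneFrontEnd))
```

With the cache, fifty legitimate lookups cost the backend one query and a thousand flood queries cost it a thousand; with the zone-holding front end the backend answers none of them. The price of the second design is that the front end must be kept in sync with the zone (NOTIFY/zone transfer after every change) and must itself be sized to answer the full packet rate of the flood, which is exactly the job the hardware-assisted appliances described above are meant to do.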
Guidance: Remember that DNS can be your friend during a DDoS attack; Anycast your global data centers for replicated content to diffuse DDoS attacks when they happen.
Guidance: Consider the placement of DNS services. Often the DNS service exists as its own set of devices apart from the first security perimeter. This is done to keep DNS independent of the applications it serves.
Some large enterprises with multiple data centers serve DNS outside the main security perimeter using a combination of BIG-IP DNS with DNS Express and the BIG-IP AFM firewall module. The main benefit of this approach is that the DNS services remain available even if the network defense tier goes offline due to DDoS.
The Krebs, OVH, and Dyn attacks mark a new phase in DDoS. At the same time, they mark the coming of age of the Internet of Things.
As you can see, F5 has a lot of experience researching, combating, and writing about DDoS and we want to work with customers to keep their applications available. This will require vigilance on all our parts—from F5 to partners to customers.
If you are a customer, or even if you aren’t, and you come under attack, remember that F5 Silverline DDoS Protection is only a phone call away: 866-329-4253.
As for the IoT threat, blackhats share with each other all the time (they shared Mirai after it attacked Krebs and OVH, and it was used in the Dyn attack). We in the InfoSec community need to take a page from their playbook by banding together to solve this global IoT problem. We have no choice but to do this. It’s human nature to understand problems, fix, and therefore evolve.
There will no doubt be hiccups over the next few years while attacks grow in size, scrubbing services grow in bandwidth to accommodate these large attacks, and IoT device manufacturers figure out how to deal with their device insecurities. Organizations and consumers have to get used to this evolving threat, like all other major issues before this one.
The economics of cyber security are completely lopsided. There are a seemingly infinite number of cyber security risks out there, with more and more popping up every day. Hackers appear to have unlimited resources, and cybercriminals are literally reinvesting their lucrative profits into new and innovative ways to exploit, extort, and steal from your organization.
But… in order to foil, frustrate, and impede the nefarious schemes of these very well-equipped and well-funded adversaries, we as cyber security professionals are grudgingly allocated a hopelessly limited budget, which we are then asked to stretch ever so thinly across every conceivable threat vector out there in order to assure the business (management, executives, and the board) that, “We’re doing everything possible.” If this scenario seems familiar — and not just because it reminds you of the plot of Mission Impossible — you’re not alone.
A CISO I know explained the problem to me in this way, “I’m given a cyber security budget the size of a jar of peanut butter and then I’m asked to spread it equally and evenly over an attack surface about the size of the moon. The worst part isn’t that it’s impossible, it’s that I’m going to be held accountable when it fails.”
Unfortunately, you’re never going to get enough Jif to do the job right so long as the business continues to think of cyber security as an IT problem — rather than the real, enterprise-level, risk-management problem it truly is.
Changing the Rules
It may seem a no-win situation, but maybe not. As Captain Kirk taught us when he became the first person to ever beat the Kobayashi Maru test (whenever we geeks need leadership guidance, we should always look to James T. Kirk), “If you can’t win the game, then change the rules.”
When it comes to cyber security budgets and priorities, these are the game-changing conversations CISOs need to be having with the business:
No more “sensational” headlines, please!
It doesn’t matter what cyber security risks you saw on CNN that threaten other organizations, so please stop sending me all of those “interesting stories” to read. What matters most are the specific risks that threaten our organization. These are the ones we need to talk about and focus on. All too often, non-technical executives get distracted and caught up in the dramatic media-driven “breach of the month” horror stories and lose sight of what the specific and probably mundane-sounding threats are to their own organization.
Prioritize the crown jewels.
What are our most critical digital assets that we must protect and how should we prioritize our security strategy accordingly? These crown jewels may include the obvious ones: customer credit card information for a retail organization, the source code for a software company, or personal health information for a hospital. But they may also include not so obvious ones such as a file share with detailed merger and acquisition documentation that only the finance department is aware of. Without context, IT can’t make these decisions; only the business can intelligently direct and prioritize. Or, at the very least, understand that they need to be involved in the discussion.
If we can’t see it, we can’t protect it.
Do we have in place the full visibility and tools we need across the network and enterprise to monitor and protect what is most valuable and most vulnerable? If not, then funding these initiatives needs to be an enterprise-wide, strategic priority. Business leaders need to understand that cyber security is no longer a cost of doing business, it’s a cost of staying in business and, therefore, needs to be appropriately funded. The only way to do this is to have leaders calculate the financial impact of the identified risks and work together to prioritize solutions accordingly.
Aim to Super Size That Jar of Peanut Butter
Business leaders like to discuss the bottom line. Unfortunately, they often see cyber security as a cost center because they don’t fully understand the impact that an attack or breach could have in real financial terms or the competitive advantages they could gain from earning and maintaining “trust” in the marketplace. It’s on us as cyber security professionals to change their perspective and challenge their assumptions by engaging them in these game-changing discussions.
In the end, we may only get a slightly bigger jar of peanut butter, but at least we’ll know exactly where best to spread it in order to make it stick.
to prevent or deter an insider incident or attack. Further, only nine percent of surveyed companies ranked their insider threat prevention methods as very effective. Yet as recent headlines show, the insider threat is very real and cannot be ignored.
To protect against insider threats, organizations must first understand—and identify— what the threat is. Our newly released eBook uncovers common misconceptions about insider threats, illustrates how these threats have manifested in real-world situations and provides new insight to help organizations reduce risk across four main categories:
Exploited Insiders: These are high-value employees specifically targeted by external attackers, usually via phishing. Attackers target employees to gain a foothold inside an organization.
External Insiders: Did you know that by 2017, 41 percent of workers will be temps, contractors or consultants? Just like employees, these external “insiders” are also a target exploited by cyber attackers.
Malicious Insiders: While accounting for only 26 percent of insider attacks, malicious insiders, such as disgruntled or angry employees, are the source of some of the most costly and difficult attacks to detect.
Unintentional Insiders: Most employees are just trying to do their jobs well—yet poor security habits too often put systems at risk.
This infographic details recent industry findings and statistics on insider threats, and highlights how insiders across all four categories can use privileged access to cause intentional or unintentional damage.
For additional information on the topic, read our eBook for details about insider threats and gain guidance on how your organization can contain and detect these attacks.
FireEye’s report “Red Line Drawn” determined that a range of political, economic and other forces were contributing to a shift in Chinese cyber operations more than a year prior to the Xi-Obama agreement. Since mid-2014, we have observed an overall decrease in successful network compromises by China-based groups against organizations in the U.S. and 25 other countries. Making sense of this reality both from a global perspective and from a cyber defender’s perspective requires consideration at multiple levels.
First, at the level of international relations and grand strategy, intrusions on U.S. and Western targets have not stopped. “Red Line Drawn” highlights 13 companies subject to intrusions in the past year. China-based operations have diminished for some, but continued for others where theft can often be explained as an espionage-related exception to the Xi-Obama agreement. In this respect, for those unfortunate targets still in the Chinese crosshairs, nothing has changed.
Beyond the U.S. and some Western targets, there are indications that Chinese cyber activity may have increased. It is likely that Chinese operators previously attacking U.S. and Western targets have been re-tasked to exploit victims in Asia. For these organizations, the changes reported in “Red Line Drawn” bring little relief. Moreover, at global scale, lasting change is measured in years, not days or even months. Many of the contributing factors to the visible change in Chinese cyber operations are potentially temporary, such as internal reorganization and heightened regional tension.
On the larger global perspective, changes in the activity of state-related offensive operations are welcomed by all parties; however, China’s ability and desire to stop all of the cyber operations it is ultimately responsible for is still unknown. A framework published by Jason Healey of the Atlantic Council in 2012 highlights the responsibilities of a nation to stop many different types of cyber operations generated by its citizens and within its borders. His paper “Beyond Attribution: Seeking National Responsibility in Cyberspace” outlines various aspects of state responsibility for cyber operations.
At the deepest level of control, cyber operators are state-integrated, meaning a government attacks targets using government and integrated third party proxy forces. State-executed attacks are similar, but use only government forces. However, there are many other ways in which a nation can support cyber operations beyond state-executed and state-integrated attacks. These include state-rogue-conducted attacks that involve government forces acting on their own initiative without top-down authorization. There are also state-ordered attacks that occur when the government directs third parties to conduct an attack, and state-coordinated attacks where government is involved in coordinating attacks. Similar categories include state-shaped and state-encouraged attacks.
At this point in the analysis of Chinese offensive operations, it is unclear how deep the level of control or influence of the Chinese government extends. Because the level of activity has dropped, potential Chinese state-integrated, state-executed, and possibly state-rogue-conducted operations may have been curbed – or at least redirected to non-U.S. targets. State-ordered, state-coordinated, state-shaped and state-encouraged actions may still be in force. The remaining three levels of responsibility include: state-ignored, where the government is aware of attacks but is unwilling to take action; state-prohibited-but-inadequate, where the government wants to stop attacks but is incapable of doing so; and state-prohibited, where the government wants to and can stop attacks emanating from its digital territory.
It remains to be seen what impact these possibly temporary factors will have in China’s cyber operation policy. Similarly, the changes reported in “Red Line Drawn” could also be just a temporary part of a more complex and active long-term Chinese plan. The passing of time will allow for continued reassessment of the threat posed from Chinese cyber operations, but for now, vigilance is appropriate.
Moving to a more micro level of analysis, the security approach for individual organizations should not change. Security teams do not just focus their defensive activities against targeted threat actors from China. Targeted threat operators from Russia, North Korea, Iran, and other countries continue to be active, with most increasing their participation and more nation-state participants conducting cyber operations every month. For instance, the period since mid-2014 has witnessed an increase in aggressive cyber activity from Russia, coinciding with that country’s invasion of Ukraine. Cyber criminals have become increasingly aggressive, opportunistic and novel in their ways to monetize information. In addition there is hacktivism and cyber terrorism. The threat to individual organizations is more real and challenging than ever.
Beyond targeted threat activity, every organization connected to the Internet must be able to defend itself against opportunistic attackers. Simply possessing any information or computing resources of value makes Internet-enabled organizations a worthwhile target for opportunistic intruders. The rise of ransomware that encrypts data, paired with the willingness of criminals to issue tailored extortion demands, has severely stressed the security resiliency of law firms, hospitals, state agencies and countless others. Distributed denial of service (DDoS) attacks remain another weapon of choice for digital extortionists, with threats to “dump” personally identifiable information, intellectual property and other confidential data on the Internet rounding out the list of worries facing security managers worldwide.
Findings in the “Red Line Drawn” report demonstrate that China’s cyber operations pace against the U.S. and 25 other countries has decreased; however, both at a macro and micro level, the threat landscape is always changing and still indicates significant risk. Until more time has passed, we advocate remaining vigilant when assessing and preparing for Chinese cyber operations while also preparing for the rapid changes in non-Chinese threats.
A hyper-connected world offers a lot of benefits, but it also comes with a lot of risk. President Obama has said it himself. Just this past week on Jimmy Kimmel Live, he wondered aloud, “How do we continue to get all the benefits of being in cyberspace, but protect our finances, protect our privacy? What is true is that we are all connected. We’re all wired now.” And he’s right. We are all wired these days, mostly due to the Internet of Things (IoT), an ever-growing network of physical objects that have network connectivity, allowing them to send and receive data. IoT devices range from webcams to DVRs, and the market for them is booming. Unfortunately, with this boom comes a boom in IoT-specific attacks, the most recent of which was felt across the entire East Coast.
This massive attack saw thousands of IoT devices transformed into a botnet by a malware variant called Mirai. Cybercriminals used this army of infected IoT devices to construct one of the largest DDoS (Distributed Denial of Service) attacks in recent history. Their target was the DNS provider Dyn, and the attack temporarily knocked major sites such as Twitter, GitHub, and Etsy offline.
These crooks used IoT devices for a reason – they’re user-friendly, accessible, and don’t always have stringent security standards. This makes them easily manipulated by attackers.
So how exactly were the crooks able to pull off this attack? Two words: default passwords.
The majority of IoT devices are shipped out to users with default passwords already set by factory manufacturers. Though the intention is to make setup easier, or access more streamlined, these default passwords are an open invitation for hacks. Default passwords and usernames are relatively easy for hackers to guess and crack. In some cases, they can pull up lists of defaults with a simple internet search. In addition, automatic updates aren’t always a feature for IoT devices, which makes it more difficult for security patches to be applied when flaws are discovered.
In summary, IoT devices are, in cases like these, sitting ducks. But one great thing came out of this DDoS attack: it got people’s attention. Important people’s attention. IT professionals and government officials alike are now recognizing the security issues demanding resolution across connected devices. The conclusion: IoT devices need to be held to higher security standards, and action is increasingly being taken.
As smart devices continue to hit the shelves at break-neck speed, security standards for connected gadgets are no longer just a concern, they’re a necessity. Manufacturers of IoT products must take additional security measures before devices hit the retail floor, and users must do their own part to ensure their security with the connected gadgets they buy.
As IoT security continues to progress, here are a few tips to keep in mind if you use connected devices:
Change your default passwords. I’ve said it before, but it bears repeating: reset the default password on your connected device the moment you bring it home. Make sure your password is long, strong, and unique. And if you’re someone who has trouble remembering multiple passwords (I’m sure you have more than one device you’re password-protecting), turn to a password management solution, like Intel Security True Key.
Keep security top of mind when buying an IoT device. When you’re thinking of making your next IoT gadget purchase, make sure to do your research first. Start by looking up the device in question’s security standards. A simple Google search on the product, as well as the manufacturer, will often do the trick.
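The advice above (no factory defaults, long and strong, unique per device) can be enforced mechanically at provisioning time rather than left to the user. The following is an added example, not code from the original post or from any vendor: a credential check that a device onboarding script or firmware setup wizard could run before a new device is allowed onto the network. The default-credential list, the minimum length and entropy thresholds, the inventory salt and the sample device names are all constructed assumptions for the example.

```python
"""
Added example: provisioning-time credential policy check for a new IoT device.
Rejects factory defaults, short or low-entropy passwords, and passwords already
used by another managed device (reuse is detected via a keyed fingerprint so
the inventory never stores the password itself).
"""
import hashlib
import hmac
import math
from collections import Counter

# Constructed sample of well-known factory defaults (username, password).
# A real deployment would load the vendor's published defaults for the model.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
    ("admin", "1234"),
}

MIN_LENGTH = 12          # assumed policy threshold
MIN_ENTROPY_BITS = 40.0  # assumed policy threshold
INVENTORY_SALT = b"example-inventory-salt"  # constructed; keep secret in practice


def shannon_entropy_bits(password: str) -> float:
    """Rough entropy estimate for the whole string; 'aaaaaaaaaaaa' scores 0."""
    counts = Counter(password)
    n = len(password)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) * n


def fingerprint(password: str) -> str:
    """Keyed digest so reuse can be detected without storing cleartext passwords."""
    return hmac.new(INVENTORY_SALT, password.encode(), hashlib.sha256).hexdigest()


def check_credentials(username: str, password: str, inventory: dict) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    inventory maps fingerprint(password) -> device name for devices already managed.
    """
    problems = []
    if (username.lower(), password) in KNOWN_DEFAULTS:
        problems.append("factory default credential")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if shannon_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("low entropy")
    fp = fingerprint(password)
    if fp in inventory:
        problems.append(f"already used by device {inventory[fp]}")
    return problems


if __name__ == "__main__":
    # Constructed inventory: one camera already provisioned with a password.
    managed = {fingerprint("Gr33n-Toaster!2016"): "cam-01"}
    print(check_credentials("admin", "admin", managed))
    print(check_credentials("owner", "Gr33n-Toaster!2016", managed))
```

The entropy estimate is deliberately crude (it only penalizes repetitive strings); a production check would add a dictionary and breach-list lookup. The keyed fingerprint matters: an inventory of raw password hashes across a fleet would itself be a high-value target.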
In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 (referred to as the “Zycode” phishing campaign). At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains and this system had observed some phishing domains that were designed to appear as legitimate Apple domains. Most of the domains reported by this system were suspended in June 2016, which resulted in a loss of momentum for the Zycode phishing campaign. Throughout the second quarter of 2016, the Zycode phishing campaign was in hibernation.
We recently observed a resurgence of the same phishing campaign when our systems detected roughly 90 phony Apple-like domains that were registered from July 2016 to September 2016. Once again, Chinese Apple users are being targeted for their Apple IDs and passwords using the same content reported on in our earlier blog. The majority of these domains are registered in the .com TLD by email accounts from qq[.]com, and the IPs of these domains point to mainland China, as seen in Figure 1.
Figure 1: Google map showing the location of the hosted phishing domains
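The post describes an automated system that watches newly registered domains for ones designed to look like Apple domains. As an added example (not FireEye's system, and not the domains from this campaign), here is a small scoring function of the kind that can be run over a registration feed to surface brand lookalikes. It combines three signals: a brand token embedded in the registrable label, a small edit distance from the genuine domain, and digit or glyph substitution. The brand lists, the homoglyph table and the sample domains are constructed for the example.

```python
"""
Added example: score newly registered domains for resemblance to a brand's
domains. Not the original post's detection system; all lists are constructed.
"""

BRAND_DOMAINS = ["apple.com", "icloud.com"]            # genuine domains (assumed set)
BRAND_TOKENS = ["apple", "icloud", "appleid", "itunes"]  # tokens that should not appear in third-party labels
# Common substitutions that make a label read like the brand; constructed sample table.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize(label: str) -> str:
    """Undo digit/glyph substitutions so 'app1e' compares as 'apple'."""
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label. Deliberately crude: ignores the public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_score(domain: str):
    """Return (score, reasons). 0 means no resemblance signal fired."""
    label = registrable_label(domain)
    norm = normalize(label)
    score, reasons = 0, []
    if domain.lower() not in BRAND_DOMAINS and any(tok in norm for tok in BRAND_TOKENS):
        score += 2
        reasons.append("brand token in label")
    for real in BRAND_DOMAINS:
        d = levenshtein(norm, real.split(".")[0])
        if 0 < d <= 2:
            score += 2
            reasons.append(f"edit distance {d} from {real}")
    if norm != label:
        score += 1
        reasons.append("digit/glyph substitution")
    return score, reasons


if __name__ == "__main__":
    # Constructed sample feed of newly registered domains.
    for d in ["apple.com", "app1e-id-verify.com", "appie.com", "example.com"]:
        print(d, lookalike_score(d))
```

The genuine brand domains must score 0, which the token rule guarantees by exempting them explicitly. The token rule will also fire on unrelated legitimate names that happen to contain the string (a fruit retailer, for instance), so in practice the output feeds an analyst queue or an allowlist rather than an automatic block.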
What has not Changed?
What has Changed?
Apparently the domains and email addresses used in the previous version of the campaign were effectively taken down. The attackers have now moved to new malicious infrastructure: new domains, IPs and email addresses are being used for this campaign. The new domain names for the campaign are listed in Table 1, while their IPs and registrant emails are reported in Table 2 and Table 3, respectively.
Table 1: Apple phishing domains serving the Zycode phishing kit.
Table 2 shows the list of unique IPs, which are not the same as what was seen before.
Table 2. IP addresses used by the domains.
Unique Email Addresses
The email addresses used to register these domains, showing no similarity with email addresses in the previous campaign, are shown in Table 3.
Table 3. List of unique registrant emails.
Table 4 shows the registrant names, which have no similarity with the previous registrant name information.
Table 4. List of registrant names used by the phishing domains.
How to Avoid Being a Victim
Apple publishes guidance on recognizing phishing and on iCloud security. There are simple ways for a user to be more secure against this and similar attacks. The following are a few tips:
Cyberwarfare and cybersecurity are hitting the campaign trail as both U.S. presidential candidates discuss their national security positions. We’re witnessing verbal attacks between Hillary Clinton and Donald Trump on the topic, and even their vice presidential candidates are throwing out barbs as seen in the recent debates.
Unfortunately, while there is no shortage of rhetoric, the topic of cyberwarfare is very serious and complex. Even the question of who is a good actor and who is a bad actor is becoming highly subjective, as obfuscation, misdirection and stealth become the norm.
Two key points were relevant in the recent debates around cybersecurity. The first focused on “asymmetric enemies” and the second centered on information sharing and building alliances. Both topics merit a closer look.
Many nation-states with limited warfare capabilities have invested in cyberwarfare as a means to gain strategic military and political advantages. Investing in cyberwarfare can level the playing field or even gain them a geopolitical edge. The reason is cyberwarfare by its very nature is highly asymmetric. The victim or targeted group needs to defend against all forms of an attack, while the threat actors only need to find just one weakness to break through.
This inherent asymmetry between attacker and defender strongly favors the attacker, particularly in cyberwarfare, where backdoors, bugs and vulnerabilities abound. Consequently, we are seeing increased investments by nation-states.
The inherent asymmetry between the attacker and defender follows the key notion that organizations cannot keep the attackers out. They are already in your networks. Security organizations must implement advanced threat-defense strategies based on rapid detection, remediation and containment from within.
Once the attacker infiltrates, the asymmetry reverses. The attacker has to evade all forms of detection while security ops hunt to find one footprint that can lead to the attacker. This is an important mindset shift as it pertains to cyber strategy.
Clearly we won’t hear the presidential candidates talk about this, since admitting that someone can break through our defenses is alarming. But it is already happening and it is important to acknowledge.
So, what can organizations do? Information sharing and building alliances came up during the vice presidential debates. This is important. In fact, critically important. The reason is that both the attacker and defender are constantly in a feedback loop.
Military face-offs follow a similar pattern. Col. John Boyd, a U.S. Air Force pilot, developed the OODA loop concept to explain how Air Force pilots who face each other are in a constant feedback loop. OODA, which stands for observe, orient, decide, act, describes how battling pilots continuously observe, orient themselves and build situational awareness. Using this awareness, they quickly decide on a course of action, execute it, and then re-observe to build a new situational awareness, and so on. The pilot who could close his loop faster was able to get inside and disrupt the loop of the other pilot, thereby gaining the upper hand.
This approach can be applied to cyberwarfare strategy. Once we realize the attacker has breached our defenses, detecting their activities and containing them is very much a game of shortening our own OODA loop. The same question applies: how quickly can organizations reach situational awareness, the observe and orient phases, and take immediate action?
Points made in the vice presidential debate advocated information sharing through strong alliances. It is a critical piece in the observe and orient phases. If we can build strong alliances among our security community to share threat data and intelligence via a common platform, we have the ability to shorten the observe and orient phases of the cycle. We can quickly make decisions, take action and re-vector faster than the attacker. In doing so, we disrupt the lateral movement of the attacker and increase our abilities to detect footprints and trace behaviors and activities that lead to containment.
With the presidential elections quickly approaching, the candidates continue their cybersecurity and cyberwarfare debate. More to come as we cover developments as it relates to our industry.
“Do you have any insect repellent? I’ve been told my computer has a bug.”
There is no doubting that cyber security is a very technical subject, and with the current state of hacking for profit and the games of cat and mouse among nation states, it’s more stressful than ever. With Halloween just around the corner, we thought we’d offer up a “treat” designed to bring cyber security professionals a laugh or two.
We have all heard the phrase, “you’re only as secure as the weakest link,” and sometimes the teams we support ask cringe-worthy questions that really make us wonder. To have a bit of fun, the Imperva team decided to ask attendees at the 2016 Black Hat cyber security conference to share the most ridiculous question they’d been asked during their IT security career.
The Imperva team compiled a list of the top 25 answers. It’s our Halloween treat to you. We hope you enjoy it.
“Can you get hacked if you hide your computer?”
“Should I phone HR? I need to send some money somewhere to get my files back from someone.”
“Are there hackers at Black Hat?”
“Why does hacking only happen in America?”
“Is hacking a recent occurrence? My parents didn’t get hacked.”
“What is the hacking worst case scenario? Losing money, stealing information or end of the world?”
“How long would it take to hack McDonalds?”
“I keep pressing the help key on my keyboard but no one is coming. What’s taking so long?”
“Is this a cup holder – pointing to CD-ROM holder?”
“Do you also provide security services like body guards?”
“Do you have any insect repellent; I’ve been told my computer has a bug?”
“Can you please tell me who is going to hack me?”
“If I unplug my computer does it mean I can’t get hacked?”
“Is malware good or bad? I have some on my computer.”
“Can you make money from hacking?”
“I have nothing to lose, why are hackers coming after me?”
“Is anything secure anymore?”
“I know I can’t get hacked; I use antivirus software.”
“Are there pills for a computer virus?”
“Can you only get hacked once?”
“Can hackers steal all my money, even if I keep it in a piggybank?”
“I understand hackers can attack my computer, but I keep everything private on my phone. I know hackers can’t access that.”
“How can I hack Facebook?”
“Is hacking preventable?”
“Would I always know if I have been hacked?”
“Cyber security is undoubtedly a very complex subject. However, some of these questions are slightly alarming. If an employee doesn’t know what a CD-ROM drive is, can we trust they won’t fall prey to an email phishing scam? Humans, unlike software, are virtually impossible to patch. Hence, user education, while helpful at times, is highly overrated. Technologies that provide a solid defense line for security professionals when humans fail are paramount to keeping your data safe,” said Amichai Shulman, CTO of Imperva.
FastPOS malware, known for the speed with which it exfiltrated data often at the expense of stealth, has been upgraded to make it more covert – just in time for Christmas.
FastPOS putting a damper on the pre-Christmas buying festivities for retailers
The FastPOS malware that infects point of sale terminals has been updated in time for the Christmas shopping season, becoming harder to detect.
That’s according to a blog post from Trend Micro, which discovered a new variant of the malware that has undergone some significant upgrades.
FastPOS malware is known for its speed, and as the Trend Micro blog explained, up until now the malware stole data as fast as possible, taking as much as it could even at the expense of stealth.
However, from samples of the point-of-sale malware collected by the company last month, it found “an unusual network connection in one of the endpoints of a company based in North America”. The implication is that the malware has become modular and aware of the system it is infecting.
“FastPOS’s first incarnation was multithreaded, having one process for each functionality – keylogging, RAM scraping, and self-updating. In its latest iteration, the malware makes use of different components hidden in its resource instead of writing everything in one file,” said the researchers. It also has separate components for 32-bit and 64-bit systems.
The modular components comprise a keylogger and a RAM scraper that monitors processes and scans for credit card track data; the captured data are then sent to the main service. Stolen information is now stowed in mailslots, a mechanism for applications to store and retrieve messages.
“The use of mailslots to evade AV detection isn’t new,” said the researchers. “Since mailslots are memory-residing temporary files, it enables attackers to save information about the infected system without leaving traces of a physical file.”
The firm said the developer’s approach to updating their malware is significant.
“Modular malware such as FastPOS can be harder to detect as some of the components can be programmed not to work without another. Others such as FastPOS’s do not depend on other components and can be self-executed, but only if the arguments for them are known,” said Trend Micro.
It added that uncovering a component doesn’t guarantee others can be found either. “For instance, FastPOS’s main service and RAM scraper can be seen running as a service, making them easier to remove. However, the keylogger component can be harder to notice as its code is injected into explorer.exe’s process memory,” the researchers said.
It added that the update shows that its developer is active and isn’t shying away from trying new tactics – from switching from memory to mailslots for data storage to using different versions of the same platform to create the malware.
“The deployment is also quite suspect, as the malware’s development cycle seems to keep pace with the retail sale season.”
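The researchers' observations give a defender two concrete behaviours to hunt for: a component running as a service from an unexpected location, and code injected into the memory of explorer.exe. The following is an added example, not Trend Micro's detection logic, showing how those two observations can be turned into a small hunting rule run over endpoint telemetry. It assumes Sysmon-style events (Event ID 8, CreateRemoteThread, with SourceImage and TargetImage) and Windows System log service-install events (7045, with ServiceName and ImagePath). The trusted-process and trusted-directory lists, and the events themselves, including the service name "updsvc", are constructed for the example.

```python
"""
Added example: hunt over constructed Sysmon/System events for (a) a remote thread
created in explorer.exe by an untrusted process and (b) a newly installed service
whose binary lives outside the usual program directories, then escalate when the
same binary appears in both. Not the original article's or any vendor's code.
"""
import re

# Processes that legitimately create threads in explorer.exe on this (assumed) baseline.
TRUSTED_INJECTORS = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\svchost.exe",
}
# Directories where service binaries are expected to live (assumed baseline).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\ProgramData\updsvc\updsvc.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7045, "ServiceName": "updsvc",
     "ImagePath": r'"C:\ProgramData\updsvc\updsvc.exe" -svc'},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 8, "SourceImage": r"C:\ProgramData\updsvc\updsvc.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]


def _binary_from_image_path(image_path: str) -> str:
    """Strip quoting and arguments from a 7045 ImagePath, lower-cased for comparison."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', image_path)
    return (m.group(1) or m.group(2)).lower()


def flag_explorer_injection(event: dict):
    """Rule a: CreateRemoteThread into explorer.exe from a non-baseline process."""
    if event.get("EventID") != 8:
        return None
    target = event["TargetImage"].lower()
    source = event["SourceImage"].lower()
    if not target.endswith("\\explorer.exe") or source in TRUSTED_INJECTORS:
        return None
    return {"rule": "remote_thread_in_explorer", "image": source}


def flag_odd_service_install(event: dict):
    """Rule b: new service whose binary is outside the trusted directories."""
    if event.get("EventID") != 7045:
        return None
    image = _binary_from_image_path(event["ImagePath"])
    if any(image.startswith(d) for d in TRUSTED_SERVICE_DIRS):
        return None
    return {"rule": "unusual_service_path", "image": image, "service": event["ServiceName"]}


def hunt(events: list) -> list:
    """Apply both rules, then mark findings 'high' when one binary triggers both."""
    findings = []
    for event in events:
        for rule in (flag_explorer_injection, flag_odd_service_install):
            hit = rule(event)
            if hit:
                findings.append(hit)
    rules_by_image = {}
    for f in findings:
        rules_by_image.setdefault(f["image"], set()).add(f["rule"])
    for f in findings:
        f["severity"] = "high" if len(rules_by_image[f["image"]]) > 1 else "medium"
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The correlation step is the useful part: either rule alone produces noise on a real fleet (installers create services in odd places; accessibility tools touch explorer.exe), but one binary that both registers as a service and injects into explorer.exe matches the article's description closely enough to justify a look.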
Fortunato Guarino, cybercrime and data protection advisor at Guidance Software, told SCMagazineUK.com that this reinforces the importance of strong endpoint detection and response (EDR) tools that can alert an organisation to a POS attack and prevent hackers from actually extracting any data.
“To do this they need to work ‘under the assumption of compromise’, that is, take a proactive approach to tracking down any warning signs of unauthorised or unusual behaviour. POS terminals are endpoints like any other; security teams need to have 360-degree visibility into these systems in order to identify indicators of compromise quickly, so the appropriate response and remediation can happen to prevent or minimise the impact,” he said.
Smrithi Konanur, payments, web and mobile global product manager at HPE Security-Data Security, told SC that retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale.
“And unfortunately, POS systems are often the weak link in the chain – they should be considered insecure even after implementing EMV. A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data,” he said.
“Any businesses using POS systems can avoid the impact of these types of advanced attacks. Payment strategies like Point-to-Point Encryption are the best data-centric solutions to prevent such security breaches that target data in transit. Point-to-Point Encryption solutions that are implemented using proven methods, such as Format-Preserving Encryption are available to neutralise data from breaches either at the card reader, at the point of sale, in person or online.”