Feds Shut Down 15 Denial of Service Websites

You can get anything on the Internet.  One of the relatively recent additions is web sites that you can pay (I presume in Bitcoin) to “stress” a web site that you don’t like.  Stress is a euphemism for denial of service attacks which force the target site offline.

The feds charged 3 men today – two in California and one in Alaska – with operating the 15 sites that they took down.

The feds claim that these sites, including DOWNTHEM.ORG, NETSTRESS.ORG, QUANTUMSTREESS.NET, VBOOTER.ORG AND DEFCON.PRO, are a significant national threat.

It is certainly true that these sites, which attack other web sites for a fee, are not a good thing.  It is pretty stupid for people inside the United States to run sites like these and think that they are not going to get caught and prosecuted.  Think of it as the Darwin Effect.

According to the feds, DOWNTHEM.ORG alone had 2,000 customer subscriptions and carried out over 200,000 attacks.

While these “take downs” are interesting, they likely won’t have much of an effect on the overall level of denial of service attacks affecting the Internet.

Many (most?) of these attacks are controlled from places offshore like Russia, China and North Korea and I doubt whether the feds bringing charges against 3 Americans in the U.S. will have much of a deterrent effect in those countries.

Still, there is no downside to taking down these sites and filing charges against the 3 men.  The challenge is that the problem is huge and largely offshore.

Today’s operation involved cooperation between the U.S., the U.K. and the Netherlands, and several companies including Cloudflare and a number of others.  Exercising this process is a good thing.

The feds have been pretty active recently in issuing warrants – in many cases to foreigners with a low likelihood of being apprehended, but in this case, if they have not already caught these three, they probably will soon.

The message the feds want to deliver is that there is a possibility that you will be caught and prosecuted – even if the probability is low.  That will be enough to deter some people.

The bigger problem is with sites run in unfriendly countries where even if they get taken down, the bad guys just register a new domain and they are back in business.  Some of these sites operate on the dark web where they are harder to find and harder to take down.

Most of these sites use “zombie” computers to attack people.  Zombies are computers that have been compromised due to poor cyber hygiene.  Likely it will be someone’s home computer or a computer in a small business.  Sometimes it is a company’s server in a data center.  In the grand scheme of things, the attackers don’t really care whether the feds come knocking at your door to tell you that you are running a denial of service attack, because even if the feds seize your computer it won’t make it any easier for them to find the people behind the attack – unless those people are not very skilled.

For businesses, unfortunately, that means that you need to be prepared for a denial of service attack.  Most of the attacks are pretty short and try to get you to pay them to stop the attack.  Most of them will stop on their own, but if you don’t pay they might attack you again and again to try and get you to pay.

Most of the attacks will be able to consume any bandwidth you might have, even if you have a gigabit Internet connection.  Many of the attacks consume 50 gigabits or more per second.
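The paragraphs above describe the shape of a volumetric attack: many compromised sources at once, pushing more traffic than the link can carry.  The following is an added example, not code from the original post, showing how a defender can recognise that shape in inbound flow records.  The records are constructed NetFlow-style tuples, the link size (1 gigabit), the 80% utilisation threshold and the 50-source cutoff are assumptions, and the source-count condition is what separates a distributed flood from a single busy but legitimate client.

```python
"""Added example: spotting a volumetric flood in inbound flow records.

Flow records are constructed (second, source IP, bytes received) tuples
using documentation address ranges; nothing here is real traffic. A flood
from many "zombie" hosts shows up as per-second inbound volume at or above
what the link can carry, from a large number of distinct sources at once.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[int, str, int]  # (unix second, source ip, bytes received)

LINK_CAPACITY_BPS = 1_000_000_000  # assumed "gigabit Internet connection"


def per_second_stats(flows: List[Flow]) -> Dict[int, Tuple[int, int]]:
    """Aggregates flows into {second: (bits received, distinct sources)}."""
    bits = defaultdict(int)
    sources = defaultdict(set)
    for second, src, nbytes in flows:
        bits[second] += nbytes * 8
        sources[second].add(src)
    return {s: (bits[s], len(sources[s])) for s in bits}


def classify(flows: List[Flow], capacity_bps: int = LINK_CAPACITY_BPS,
             utilisation: float = 0.8, min_sources: int = 50) -> Dict[int, str]:
    """Labels each second as 'normal', 'saturated-few-sources' (link full but
    from a handful of addresses, e.g. a backup job) or 'distributed-flood'
    (link full and at least min_sources distinct addresses at once).
    Thresholds are assumed values, not anything from the post."""
    labels = {}
    for second, (bits, nsrc) in sorted(per_second_stats(flows).items()):
        if bits < utilisation * capacity_bps:
            labels[second] = "normal"
        elif nsrc >= min_sources:
            labels[second] = "distributed-flood"
        else:
            labels[second] = "saturated-few-sources"
    return labels


def constructed_flows() -> List[Flow]:
    """Constructed sample: three quiet seconds, one second with a single
    heavy client, then two seconds of a 200-source flood."""
    t0 = 1_544_745_600  # constructed epoch second
    flows: List[Flow] = []
    for s in range(3):  # 10 clients x 2 MB = 160 Mbit/s: normal
        for i in range(10):
            flows.append((t0 + s, f"203.0.113.{i}", 2_000_000))
    # one legitimate client moving 150 MB in a second (1.2 Gbit/s)
    flows.append((t0 + 3, "203.0.113.1", 150_000_000))
    for s in (4, 5):  # 200 sources x 1 MB = 1.6 Gbit/s: distributed flood
        for i in range(200):
            flows.append((t0 + s, f"198.51.100.{i}", 1_000_000))
    return flows


if __name__ == "__main__":
    for second, label in classify(constructed_flows()).items():
        print(second, label)
```

Two caveats a practitioner should keep in mind: for UDP floods the source addresses are often forged, so the distinct-source count is an indication rather than proof, and once the link is actually saturated an on-premises collector only sees the traffic that got through, so the counters that matter have to come from the provider's side of the link.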

In many cases your Internet provider may help the attacker because it will intentionally take down your internet connection to protect its other customers.  In that case, the attacker wins.  In a few cases, the Internet provider will cancel YOUR service, even though the attack is not the result of anything that you did wrong.  In the U.S., where there is often very little choice of Internet providers, this can be a real problem for businesses.

One thing that you can do is have two Internet connections so at least if one goes down as a result of an attack, the other may still work.  This is not a cheap solution.

Another solution is to use a service like Cloudflare.  This is not easy either because it may require modifications to your web site to make it work.

There is no easy answer to this problem, but if it is important to your business to remain online for your customers and employees, thinking through the risks and the options is mandatory.

Information for this post came from Tech Crunch.

Seven Common Cybersecurity Mistakes to Avoid

Many companies do not have adequate cybersecurity protection on their website and systems.  Why?  Here are some common misconceptions.

It won’t happen to us

While some attacks are targeted to particular companies, the overwhelming majority of attacks are targets of opportunity.  That means that you are just as likely to be attacked as a Fortune 500 company.  Realistically, smaller firms are an easier attack target because they do not have robust cybersecurity programs.

We don’t need to do monitoring

Marriott is the poster child of what happens if you don’t have adequate monitoring in place.  That mistake, possibly including the mistake above, caused hackers to be able to roam freely inside Marriott-Starwood’s customer information for FOUR YEARS before being detected. You have to monitor.  Everything.  All the time.

Not implementing the basics

One of the biggest breaches in U.S. history, Equifax, happened because they didn’t patch a known vulnerability in one of their servers.  Equifax also used a userid of Admin and a password of Admin for one of their servers. Implement the basics.

Failing to inventory where data is located

If you don’t know where it is, you can’t protect it.  You have to know where your data comes from, where it goes to and how it gets there.  That documentation must be kept current as well.  Once you have it you have to look at it to figure out where the weaknesses are.

Not testing the security

Assuming that things are secure is a big mistake.  We work with white hat (good guy) hackers.  Often it takes them 5-10 minutes to break in to their targets.  This includes physical intrusions as well as cyber intrusions.

One of the most important and least performed kinds of testing is of the applications that a company’s own software development teams create.

Not making cybersecurity training mandatory and often

Users are the most common source of cyber compromises.  Many companies still do training once a year.  Annual training is not very effective because people forget really quickly.  Train early and train often.

Not addressing the risk from your vendors

Vendors represent a huge risk to most companies.  A few really famous vendor induced breaches include Target, Home Depot and the Office of Personnel Management.  There are many more and many that are never disclosed.  Many of the recent retail point of sale breaches were the result of bad security on the part of vendors.  Maybe you can sue your vendors to recover your losses.  Maybe not.  If you do sue, expect not to see a dime, even if you win, for years.  And, your customers don’t care if one of your vendors caused the breach.  It is still your fault.

While just doing the basics won’t make you bulletproof, it will make it harder and hopefully the bad guys will go elsewhere.

Information for this post came from Compliance and Ethics.

Colorado Healthcare Provider Fined $111,000 For HIPAA Violations

It seems that the US Department of Health and Human Services Office of Civil Rights is increasing enforcement actions against health care providers and their vendors (known as business associates).  While one might have suspected that enforcement actions would be down under this administration, in fact, the opposite is true and fines are up.

In this case, the Pagosa Springs (Colorado) Medical Center paid $111,000 plus for failing to terminate the access of a former employee to a patient calendar program.

The calendar only contained information on 557 patients, so this is not a massive breach.

They also did not obtain a signed Business Associate Agreement from Google, whose software they were using.

The former employee accessed (but didn’t appear to do anything evil with the data) the data twice, two months apart.

The medical center had to enter into a corrective action program that included a number of items including improved policies, training and other items.

OCR Director Roger Severino said that enforcement will increase under his watch.

Evidence of this is that this is the third enforcement action in the last month.

On December 4th, a Florida based physicians group paid a $500,000 fine for various HIPAA violations.

A week prior to that, OCR settled with a Hartford based practice for $125,000 for impermissible disclosure of protected health information.

Putting this all together, it would seem to lend some credence to OCR’s claim that enforcements are up.

In the first case, only 557 records were involved.  That translates to a fine of $200 per record disclosed.

In addition, fining someone for not having a BAA with a company like Google indicates that they definitely want people to follow the process, regardless of whether there is significant risk (on the part of Google).  After all, Google probably has security as good as the best medical practices.

The HIPAA compliance process is complex and even daunting, but failing to follow it can be expensive.

It also appears that the Office of Civil Rights has a very long memory as one of these fines was for something that happened 7 years ago, in 2011.

Our recommendation is to follow the process and document what you have done.  Though that can be painful, so is writing a check to the government for $100,000 or even $500,000.

Information for this post came from Health IT Security.


News Bites for the Week Ending December 14, 2018

Patches This Week

Adobe’s December patch list fixed 87 separate bugs in Acrobat and Acrobat Reader.  39 of these are rated critical.  Last week they patched a critical zero day in Flash (Details here).

More Spy Cams

The other day I reported that the DEA was buying spy camera enclosures to hide inside of street lights (here), well that is not the only place they are hiding them.

Again, assuming they follow the rules, there is nothing illegal about these efforts.  The Register is reporting that the DEA is buying high end spy cams built into seemingly ordinary shop vacs.  While we don’t know the brand of shop vac, we do know that the camera is a Canon M50B, a high end camera that does remote pan, tilt and zoom.

The camera/shop vac could just be left around or it could come attached to a government agent/janitor.

Whatever it takes to catch a crook.

O2 and its Partners Take Cell Service Down Because They Forgot to Update an Encryption Certificate

Last week millions of European and Asian cell phone users – customers of O2 and its partners – went without cell service and Internet for around 24 hours because someone forgot to renew an encryption certificate.  He is probably looking for a new job right now.

The network equipment was made by telecom giant Ericsson, so you can’t blame the problem on lack of resources or not having the expertise.  Details at ZDNet.

Bottom line here is that managing the details of any operational system is critical, especially if your mistakes will be publicly visible.

Kay Jewelers and Jared Jewelers fix Data Leak

Sometimes the bad guys don’t need to break in to steal information; sometimes companies leave out a welcome mat.

In this case, these two jewelers, both owned by Signet Jewelers, sent confirmation emails that allowed anyone to change the link in a confirmation email to see another customer’s order information – name, address, what they ordered, how much they paid and the last four digits of their card number.

I have seen this many times before and it is an easy problem to avoid if your developers are trained to look for these kinds of issues.

While not the worst data leak in the world, not a good thing.  They have since fixed the problem.  Source: Brian Krebs.
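The leak above is the pattern developers are trained to look for: the link names the order directly and the server hands back whatever order is named.  What follows is an added example, not Signet’s code or anything from the Krebs report, showing the vulnerable lookup beside one hardened form.  The order records, the `SERVER_SECRET` signing key and the token layout are all constructed for the example.

```python
"""Added example of the confirmation-link leak described above (constructed
code, not the jewelers' own). The confirmation e-mail links to a page that
shows the order. The vulnerable version looks the order up by the number in
the link, so editing that number shows someone else's order. The hardened
version puts an HMAC-signed token in the link and refuses any token whose
signature does not verify, so an edited link resolves to nothing."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample orders keyed by order number (no real customer data).
ORDERS = {
    1001: {"name": "Customer A", "address": "1 Example St", "items": ["ring"],
           "total": 249.00, "card_last4": "0001"},
    1002: {"name": "Customer B", "address": "2 Example Ave", "items": ["necklace"],
           "total": 399.00, "card_last4": "0002"},
}

# Hypothetical signing key; a real deployment loads it from a secret store.
SERVER_SECRET = secrets.token_bytes(32)


def vulnerable_lookup(order_id: int) -> Optional[dict]:
    """Vulnerable handler: returns whatever order the number in the link
    names. Nothing checks that the requester is that order's customer,
    which is the insecure direct object reference in the story."""
    return ORDERS.get(order_id)


def _tag(id_part: str) -> str:
    """HMAC-SHA256 over the order id as it appears in the link."""
    return hmac.new(SERVER_SECRET, id_part.encode(), hashlib.sha256).hexdigest()


def make_confirmation_token(order_id: int) -> str:
    """Value placed in the e-mail link: '<order id>.<tag>'. Without
    SERVER_SECRET the tag for any other order number cannot be produced."""
    return f"{order_id}.{_tag(str(order_id))}"


def hardened_lookup(token: str) -> Optional[dict]:
    """Hardened handler: returns an order only when the tag verifies for the
    id the token carries. Malformed tokens and edited ids both yield None."""
    try:
        id_part, tag = token.split(".", 1)
        order_id = int(id_part)
    except ValueError:
        return None
    if not hmac.compare_digest(_tag(id_part), tag):
        return None
    return ORDERS.get(order_id)


def edited_link(token: str, other_id: int) -> str:
    """Models what the story describes: the order number in a valid link is
    changed to a different number while the rest of the link is left alone."""
    return f"{other_id}.{token.split('.', 1)[1]}"


if __name__ == "__main__":
    token = make_confirmation_token(1001)
    print("own order  :", hardened_lookup(token)["name"])
    print("edited link:", hardened_lookup(edited_link(token, 1002)))
```

A signed token stops anyone from walking through order numbers, but whoever holds the e-mail can still open the page; when the page shows an address and card digits, the stronger fix is to require the customer to log in before the order is displayed, with the token used only to select the order.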

Google + To Shut Down Even Earlier After New Breach

Sometimes even the great Google can’t catch a break.

After an API flaw in October exposed data on 500,000 users, Google fixed it but announced plans to shut down the struggling social network in August 2019.

But now Google announced another flaw that affects over 50 million users and Google has changed its mind and will shut down Google + in April instead of August.  The information visible includes name, email, occupation and age and possibly other information, but Google says that it doesn’t think anyone exploited this new bug, which was created when they fixed the old bug.  Source: The Hacker News.

House Oversight and Government Reform Committee Says Equifax Responsible for Breach

A House committee spent 14 months and an unknown amount of money telling us what we already knew: the Equifax breach was totally preventable and CEO Richard Smith (who walked away from the breach with a $90 million golden parachute) had a growth strategy that lacked a clear IT management structure, used outdated technology and was not prepared to respond to the breach.  The Democrats say that there was a missed opportunity to recommend concrete reforms and Equifax says that while they agree with the report, there are lots of factual errors in it.  Our government at work.  Source: The Hill.

The Swatters have Moved on to the Next Thing

Swatting is the practice of phoning in fake 911 calls about life threatening situations and having SWAT respond to random houses, scaring the crap out of the occupants and often times doing thousands of dollars of damage, which the municipality has to pay for using tax dollars.

Earlier this year a gamer swatted what he thought was another gamer that he was upset with, but he had the wrong address and when SWAT arrived, they shot and killed the homeowner.  The officers did not face any charges and 25 year old Tyler Barriss pleaded guilty and will be sentenced to at least 20 years in jail.

Not satisfied with creating small amounts of chaos and killing small numbers of innocent people, the swatters have moved on: authorities today were faced with hundreds of bomb threat emails directed at schools, businesses and government buildings.  While no one was killed by police responding today, a large amount of police resources were wasted and police were likely diverted from responding to other incidents.

Some police departments, like New York, treated the bomb threats as hoaxes, but that could backfire badly if next time any of the bombs are real.

Some buildings were evacuated like city hall in Aurora, Illinois, the News & Observer in Raleigh, North Carolina, a suburban Atlanta courthouse and businesses in Detroit.

In the Denver area, Columbine High School, the site of one of the first mass school shootings (in 1999) and the genesis of a total shift in police response tactics to active shooter incidents, went into lockdown as sheriffs and bomb squad techs looked for bombs.  That bomb threat was phoned in rather than sent by email.

Today’s events will likely give swatters more ideas and put police in more no win situations.

The FBI has mobilized a national investigation.

As a target of a swatting incident, the best advice is to remain calm and do as instructed by the police.  Let them sort it out and deal with the fallout later.  Since the police have no way to know if the threat is real and who the “bad guys” are, they, unfortunately, sometimes make mistakes.

In this case, building owners, in cooperation with police, sheriffs and other law enforcement agencies had to make decisions.  Those decisions, if wrong, have the potential for catastrophic consequences.  

It is interesting that different law enforcement agencies had different responses – from evacuation to shelter in place to ignoring the threat completely. 

Since swatting has been around for several years and continues to be a problem for law enforcement, I suspect that this new version of mass swatting will continue that trend.

Police are not saying if they think today’s events are the work of one person or group of people or many, but I doubt that even if they arrest and prosecute a few people that it will discourage other crazies from trying it.

What is unprecedented in today’s activities is the scale – going from coast to coast and encompassing schools, religious institutions, government buildings and private businesses – over a hundred in all.

If this becomes popular, it seems inevitable that people will die in the chaos.

Unfortunately, there is not much that you can do preemptively to avoid these situations.  In the case of the Kansas man who was shot and killed by police, the emergency call was eventually traced to a phone in Los Angeles, but that took days to figure out.  When police get a 911 call, they have to react in seconds.

It is likely that police and sheriff’s dispatchers are looking at options after today, but I do not see many good options.

Information for this post came from the AP and The FBI.


NSA Says US Companies Losing Ground to Chinese on Cyber Attacks

Rob Joyce, long time NSA cyber executive, former special assistant to the President for cybersecurity, cybersecurity coordinator for the National Security Council and all around cyber guru says that we are in trouble.

He said that Chinese cyber attacks have increased in recent months, targeting critical infrastructure.

He says that he is worried that they are preparing for disruptive operations against that critical infrastructure.

What is he considering critical infrastructure?

  • The US Energy sector (like lights, heat, water, etc.)
  • Finance (banking)
  • Transportation (Planes, trains and automobiles)
  • Healthcare (doctors, hospitals and clinics)

Other than that, things are pretty good.

This is, of course, in addition to Chinese theft of intellectual property and espionage.

These comments are in advance of what is likely new government charges of hacking by the Chinese and additional sanctions.

So as long as you don’t drive a car, take public transit, have lights and heat where you live, use a bank, need to see a doctor or use any technology, you have nothing to worry about.

What do you need to do?

If you own or manage a US business, you need to up your cybersecurity game.

What does that mean?  Patching, employee training and alerting are a good beginning – but just a beginning.

Probably over 99% of attacks are targets of opportunity, meaning that the bad guys have no idea who they are attacking.

This includes consumers.  We hear stories regularly of people losing thousands to hackers.  If you have thousands to spare so that you don’t care if you lose a few thousand to a hack, then don’t worry about it.

If that would be a problem, then you need to up your game too.  Learn when not to click and how to protect yourself, patch your computers and phones and take other precautions.

For the Chinese and others, they will keep hacking until they get in.  Somewhere.  Anywhere.

While this may not sound nice, you need to protect yourself so that the hackers attack your neighbor rather than attacking you.  They will attack the easiest target.  If you can help your neighbor too so that the hackers go to a different town, that is OK, but number one is to protect your information and your money.

If you need assistance, contact us, but please take this seriously.

Information for this post came from Reuters.
