Looking forward to another local speaking event here in Sacramento:
By invitation only, DSA Technologies is hosting FBI expert Kurt Pipal and licensed Computer Forensics Investigator Michael Reese to discuss the current state of Cybercrime in the Northern California & Sacramento Area. Executives who are responsible for the public perception for their organizations should attend.
This event will feature several security topics frequently seen in the news today, including:
• Financial Fraud
• Intellectual Property Threats
• Identity Theft
• Phishing/Social Engineering scams
• Attacks on Critical Infrastructure
Where: Morton’s Steakhouse
621 Capitol Mall, Sacramento, CA 95814
When: April 19th @ 11:30AM
Event Partners: FBI, Palo Alto Networks
On Wednesday, at about 12:15 pm EST, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.
GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.
“We modeled our capacity based on fives times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. “So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It’s one thing to have the confidence. It’s another thing to see it actually play out how you’d hope.”
Akamai defended against the attack in a number of ways. In addition to Prolexic’s general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren’t meant to be exposed on the public internet; anyone can query them, and they’ll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them and send them a special command packet that the server will respond to with a much larger reply.
Unlike the formal botnet attacks used in large DDoS efforts, like against Dyn and the French telecom OVH, memcached DDoS attacks don’t require a malware-driven botnet. Attackers simply spoof the IP address of their victim and send small queries to multiple memcached servers—about 10 per second per server—that are designed to elicit a much larger response. The memcached systems then return 50 times the data of the requests back to the victim.
Known as an amplification attack, this type of DDoS has shown up before. But as internet service and infrastructure providers have seen memcached DDoS attacks ramp up over the last week or so, they’ve moved swiftly to implement defenses to block traffic coming from memcached servers.
“Large DDoS attacks such as those made possible by abusing memcached are of concern to network operators,” says Roland Dobbins, a principal engineer at the DDoS and network-security firm Arbor Networks who has been tracking the memcached attack trend. “Their sheer volume can have a negative impact on the ability of networks to handle customer internet traffic.”
The infrastructure community has also started attempting to address the underlying problem, by asking the owners of exposed memcached servers to take them off the internet, keeping them safely behind firewalls on internal networks. Groups like Prolexic that defend against active DDoS attacks have already added or are scrambling to add filters that immediately start blocking memcached traffic if they detect a suspicious amount of it. And if internet backbone companies can ascertain the attack command used in a memcached DDoS, they can get ahead of malicious traffic by blocking any memcached packets of that length.
“We are going to filter that actual command out so no one can even launch the attack,” says Dale Drew, chief security strategist at the internet service provider CenturyLink. And companies need to work quickly to establish these defenses. “We’ve seen about 300 individual scanners that are searching for memcached boxes, so there are at least 300 bad guys looking for exposed servers,” Drew adds.
Most of the memcached DDoS attacks CenturyLink has seen top out at about 40 to 50 gigabits per second, but the industry had been increasingly noticing bigger attacks up to 500 gbps and beyond. On Monday, Prolexic defended against a 200 gbps memcached DDoS attack launched against a target in Munich.
Wednesday’s onslaught wasn’t the first time a major DDoS attack targeted GitHub. The platform faced a six-day barrage in March 2015, possibly perpetrated by Chinese state-sponsored hackers. The attack was impressive for 2015, but DDoS techniques and platforms—particularly Internet of Things–powered botnets—have evolved and grown increasingly powerful when they’re at their peak. To attackers, though, the beauty of memcached DDoS attacks is there’s no malware to distribute, and no botnet to maintain.
The web monitoring and network intelligence firm ThousandEyes observed the GitHub attack on Wednesday. “This was a successful mitigation. Everything transpired in 15 to 20 minutes,” says Alex Henthorne-Iwane, vice president of product marketing at ThousandEyes. “If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus, which usually means there’s a human involved looking and kind of scratching their head. When it all happens within 20 minutes you know that this is driven primarily by software. It’s nice to see a picture of success.”
GitHub continued routing its traffic through Prolexic for a few hours to ensure that the situation was resolved. Akamai’s Shaul says he suspects that attackers targeted GitHub simply because it is a high-profile service that would be impressive to take down. The attackers also may have been hoping to extract a ransom. “The duration of this attack was fairly short,” he says. “I think it didn’t have any impact so they just said that’s not worth our time anymore.”
Until memcached servers get off the public internet, though, it seems likely that attackers will give a DDoS of this scale another shot.
What is a DDoS Hack and How Do You Avoid Them?
DDoS! It stands for distributed denial of service, a kind of attack that turns insecure, internet-connected devices into a sort of zombie army. So here’s how you can avoid being part of that zombie army.
Hackers are always trying to find creative and new ways to steal data and information from businesses. While spam (unwanted messages in your email inbox) has been around for a very long time, phishing emails have risen in popularity because they are more effective at achieving the desired endgame. How can you make sure that phishing scams don’t harm your business in the future?
Phishing attacks come in many different forms. We’ll discuss some of the most popular ways that hackers and scammers will try to take advantage of your business through phishing scams, including phone calls, email, and social media.
Do you receive calls from strange or restricted numbers? If so, chances are that they are calls that you want to avoid. Hackers will use the phone to make phishing phone calls to unsuspecting employees. They might claim to be with IT support, and in some cases, they might even take on the identity of someone else within your office. These types of attacks can be dangerous and tricky to work around, particularly if the scammer is pretending to be someone of authority within your organization.
For example, someone might call your organization asking about a printer model or other information about your technology. Sometimes they will be looking for specific data or information that might be in the system, while other times they are simply looking for a way into your network. Either way, it’s important that your company doesn’t give in to their requests, as there is no reason why anyone would ask for sensitive information over the phone. If in doubt, you should cross-check contact information to make sure that the caller is who they say they are.
Phishing emails aren’t quite as pressing as phishing phone calls because you’re not being pressured to make an immediate decision. Still, this doesn’t lessen the importance of being able to identify phishing messages. You might receive tailor-made customized phishing messages with the sole intent of a specific user handing over important information or clicking on a link/attachment. Either way, the end result is much the same as a phone call phishing scam;
To avoid phishing emails, you should implement a spam filter and train your employees on how to identify the telltale signs of these messages. These include spelling errors, incorrect information, and anything that just doesn’t belong. Although, phishing messages have started to become more elaborate and sophisticated.
Social media makes it incredibly easy for hackers to assume an anonymous identity and use it to attack you; or, even more terrifying, the identity of someone you know. It’s easy for a hacker to masquerade as someone that they’re not, providing an outlet for attack that can be somewhat challenging to identify. Some key pointers are to avoid any messages that come out of the blue or seemingly randomly. You can also ask questions about past interactions that tip you off that they may (or may not) be who they say they are.
Ultimately, it all comes down to approaching any phishing incident intelligently and with a healthy dose of skepticism.
Last December, government services in Mecklenburg, North Carolina, ground to a halt. What began as a malicious email attachment sent to a county employee turned into a crippling cyberattack that held 48 of the county’s 500 data servers hostage.
The attack prevented services ranging from intakes at the county jail to processing applications for marriage licenses. Contractors were among those hit the hardest. Unable to schedule inspections or receive approval to pour foundations or complete electrical work, contractors had to put development projects on hold during the multiday recovery process.
“Real estate firms have been generally lucky where they have not experienced the type of breaches that you see in other industry sectors, and that has probably given many people a false sense of security,” Baker Tilly Cybersecurity and IT Risk Senior Manager Mike Cullen said. “As other businesses get better at security, criminals are looking for easy targets. Construction and real estate could be such targets because they have historically not always taken the necessary precautions.”
Cullen works with Baker Tilly clients to lead and execute IT risk assessments, IT process audits and information security assessments, among other cybersecurity initiatives. Historically, real estate companies were at lower risk because they maintained less personal information and intellectual property than financial or healthcare businesses. More recently, attackers have been drawn to the select pool of wealthy investors real estate ventures attract, Cullen said.
Data like personal information, blueprints and schematics, access to building technology systems and financial information can be sold or used to gain a competitive advantage. Money can be skimmed from tenant and vendor accounts or credit cards and extorted directly thanks to ransomware. Last June, property management firm BNP Paribas Real Estate reported a ransomware attack that took down most of its global systems.
The rise of the Internet of Things, which I call Internet of Threats has brought the threat of cyberattacks more directly into tangible property. Building managers have started to embrace more systems that allow them to manage security infrastructure, HVAC, lighting controls and utilities remotely. This gives hackers another point of entry for attacking systems and stealing data, Cullen said.
In the past, building management systems were more proprietary and offline, creating a higher barrier to entry for hackers. Newer building systems are more standardized, using software obtained from vendors. These programs, like all software, come with vulnerabilities that hackers can exploit. Many companies may also have insufficient password protection or outdated antivirus programs that contribute to heightened cyberrisk.
More than directly sabotage the systems themselves, hackers can pull personal data from “smart” or intelligent building infrastructure. In November 2013, hackers infiltrated Target Corp.’s HVAC contractor’s systems to steal the payment card records and other personal information of nearly 110 million customers. The company reported a gross financial loss of $252M by the end of Q4 2014 as a result of the cyberattack.
Risk will continue to rise as intelligent buildings gain popularity. According to Faculty Executive, an estimated 95% of building systems connected to the internet have insecure connections, and 65% of vendors have remote access to building systems.
Talking to vendors about potential cyberthreats and hiring a dedicated person in charge of cybersecurity are the first steps real estate companies should take in arming themselves against the growing risk, Cullen said. Companies must have an employee who spends at least 50% of their time on the job dealing with cybersecurity.
Once key personnel are put in place, creating a security program that is specific to the type of real estate business and adaptable to new threats will ensure a strong defense against future attacks.
“It is impossible to prevent 100% of every attack,” Cullen said. “Your security program needs to include how you react to an incident so that you can respond in a timely and thoughtful way instead of a fire drill, figure-it-out-as-you-go strategy.”
Global spending on cybersecurity will exceed $1 trillion over the next five years, from 2017 to 2021, with 1.5 million cybersecurity job openings by 2019. While the industry is growing, real estate might not be able to attract the same top talent as the finance or healthcare sectors.
“Other industries have more money to attract top talent and CRE has not been willing to spend as much on cybersecurity, which means they are not getting the best resources,” Cullen said. “To be prepared for what is ahead, real estate companies will need to invest more in cybersecurity.”
Unlike the initial reports suggested about Intel chips being vulnerable to some severe ‘memory leaking’ flaws, full technical details about the vulnerabilities have now been emerged, which revealed that almost every modern processor since 1995 is vulnerable to the issues.
Disclosed today by Google Project Zero, the vulnerabilities potentially impact all major CPUs, including those from AMD, ARM, and Intel—threatening almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system.
These hardware vulnerabilities have been categorized into two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could allow attackers to steal sensitive data which is currently processed on the computer.
Both attacks take advantage of a feature in chips known as “speculative execution,” a technique used by most modern CPUs to optimize performance.
“In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions,” Project Zero says.
Therefore, it is possible for such speculative execution to have “side effects which are not restored when the CPU state is unwound and can lead to information disclosure,” which can be accessed using side-channel attacks.
The first issue, Meltdown (paper), allows attackers to read not only kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system.
“Meltdown is a related microarchitectural attack which exploits out-of-order execution in order to leak the target’s physical memory.”
Meltdown uses speculative execution to break the isolation between user applications and the operating system, allowing any application to access all system memory, including memory allocated for the kernel.
“Meltdown exploits a privilege escalation vulnerability specific to Intel processors, due to which speculatively executed instructions can bypass memory protection.”
Nearly all desktop, laptop, and cloud computers affected by Meltdown.
Spectre Attack: The second problem, Spectre (paper), is not easy to patch and will haunt people for quite some time since this issue requires changes to processor architecture in order to fully mitigate.
Spectre attack breaks the isolation between different applications, allowing the attacker-controlled program to trick error-free programs into leaking their secrets by forcing them into accessing arbitrary portions of its memory, which can then be read through a side channel.
Spectre attacks can be used to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.
“KAISER patch, which has been widely applied as a mitigation to the Meltdown attack, does not protect against Spectre.”
According to researchers, this vulnerability impacts almost every system, including desktops, laptops, cloud servers, as well as smartphones—powered by Intel, AMD, and ARM chips.
What You Should Do: Mitigations And Patches
Many vendors have security patches available for one or both of these attacks.
Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018
MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance or complete these mitigations.
Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for their device manufacturers to release a compatible security update.
Mitigations for Chrome Users:
Since this exploit can be executed through the website, Chrome users can turn on Site Isolation feature on their devices to mitigate these flaws.
Here’s how to turn Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
Look for Strict Site Isolation, then click the box labeled Enable.
Once done, hit Relaunch Now to relaunch your Chrome browser.
There is no single fix for both the attacks since each requires protection independently.
The U.S. federal officials have arrested three hackers who have pleaded guilty to computer-crimes charges for creating and distributing Mirai botnet that crippled some of the world’s biggest and most popular websites by launching the massive DDoS attacks last year.
According to the federal court documents unsealed Tuesday, Paras Jha (21-year-old from New Jersey), Josiah White (20-year-old Washington) and Dalton Norman (21-year-old from Louisiana) were indicted by an Alaska court last week on multiple charges for their role in massive cyber attacks conducted using Mirai botnet.
Mirai is a piece of nasty IoT malware that scans for insecure routers, cameras, DVRs, and other Internet of Things devices which are still using their default passwords and then add them into a botnet network, which is then used to launch DDoS attacks on websites and Internet infrastructure.
According to his plea agreement, Jha “conspired to conduct DDoS attacks against websites and web hosting companies located in the United States and abroad” by ensnaring over 300,000 IoT devices. He also demanded payment “in exchange for halting the attack.”
Between September and October 2016, Jha advertised Mirai botnet on multiple dark web forums using the online monikers “Anna Senpai.” He also admitted to securely wiping off the virtual machine used to run Mirai on his device and then posting the source code of Mirai online for free.
Since then, other cybercriminals have used the open-source code of the botnet to create their own Mirai variants in a variety of different cyber attacks against their targets.
Paras Jha (a.k.a Anna Senpai) and his business partner Josiah White (a.k.a Lightspeed and thegenius) are the same people who were outed by blogger Brian Krebs earlier this year after his blog was also knocked offline by a massive 620 Gbps of DDoS attack using Mirai botnet.
According to Jha’s LinkedIn profile, he is a 21-year-old passionate programmer from Fanwood, U.S., who knows how to code in multiple programming languages and is positioned as president of a DDoS mitigation firm, ProTraf Solutions.
White admitted to creating the Mirai botnet’s scanner to identify and hijack vulnerable internet-connected devices to enlist in the botnet, while Norman (a.k.a Drake) admitted to identifying private zero-day vulnerabilities and exploits to build into the massive botnet.
From December 2016 to February 2017, the trio successfully infected more than 100,000 computing devices to form another powerful botnet, called Clickfraud, which was designed to scam online ad networks by simulating clicks on ads for the purpose of artificially generating revenue.
A week after the massive DDoS attack, the source code of Mirai was released on the widely used hacker chat forum Hackforums by Jha who, under the name Anna-senpai, wrote he had “made their money…so it’s time to GTFO.”
“So today, I have an amazing release for you,” he wrote. “With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
Once Mirai source code was out, various cyber criminals started exploiting the IoT malware to launch powerful DDoS attacks against websites and Internet infrastructure, one of which was the popular DNS provider Dyn, which was DDoSed by a botnet of an around 100,000 Mirai malware-infected devices.
“The defendants’ involvement with the original Mirai variant ended in the fall of 2016, when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks.” DOJ said.
The trio faces a sentence of up to five years in prison.
Crime does not pay, it will eventually catch up to you !!!
The Internet of Things is poised to revolutionize apartment home systems and appliances, but it also increases the security and privacy threats to apartment firms. At the 2017 NMHC OPTECH Conference & Exposition, a panel of leading security experts shared best practices for ensuring that apartment firms are mindful of the new threats as they integrate smart home devices into their communities.
The panel’s moderator, Mike Smith, vice president at White Space Building Technology Advisors, advised that as apartment firms add IoT devices to their communities, they need to look for products that are specifically designed for multifamily, noting, “if you buy a product at Home Depot, it is probably not designed for the complex nature of multifamily security needs.”
Panelist Michael Reese, Chief Information Officer for USA Properties Fund, agreed, saying that he views “IoT as Internet of Threats, not Internet of Things,” and recommended this view as apartment firms evaluate smart home technology. Kevin Gerber, project manager at Forest City Enterprises, noted that it is critical to educate staff on the new technologies and maintaining strong security protocols, and highlighted the need for a strong support structure.
Panelists agreed in the importance of segregating networks as a critical step in good cyber hygiene. Yousef Abdelilah, innovation and product management leader at American Tower, stressed the importance of implementing different layers of security to protect systems. Hackers don’t want to spend a significant amount of time trying to hack a system and will move on to systems that have fewer layers and are, therefore, easier to access.
Bill Fisher, security engineer at the National Cybersecurity Center of Excellence, part of the National Institute of Standards and Technology (NIST), commented that “IoT threat mitigation is not that different from past cyber threats. Best practices for strong cyber hygiene aren’t new. Right now, the onus is on the end-user to ask right questions and educate him or herself until market correction forces vendors pushes vendors to address security.” NIST provides best practices and a customizable approach to managing cyber risk through the NIST Cybersecurity Framework.
Panelists recommended evaluating the ROI on current IoT technology. Fisher commented that installing IoT is a risk decision. Firms need to weigh the convenience of devices versus the risk of security and legal ramifications if a system is hacked.
Reese reminded the audience that ensuring strong information security policy is a senior executive issue, not simply an IT issue, that needs to be implemented throughout the company
These days cybersecurity is a constant headline in the news. It can be easy to go on with business either feeling helpless or like this doesn’t pertain to my business. But with recent headlines highlighting crypto-extortion/ransom-ware and hacking of large enterprises by way of their small business partners, cyber threats have become something that affects all our businesses. But this problem is so-big and so-nebulous, what can we do to stay safe and secure in this ever-changing connected world?
Myth #1 – I’m not a large enterprise, hackers won’t attack me:
Did you know that more than half of the data breach victims are businesses with under 250 employees?1 Hackers are intelligent, and sophisticated, but they’re also often looking for something quick and easy. Small and medium businesses who believe they are not at risk, tend not to invest as much in cybersecurity; thus, making them an easier target. They collect and store a wealth of data, but often don’t realize it’s true value, and therefore don’t put the right measures in place to protect it.
From there, attackers take various routes. They might just encrypt your systems and hold your business for ransom, preventing order processing and other critical functions – often not restoring service when paid. Further the attackers might use data or access gained from the small business to leverage an attack on larger partner organizations. In 2014 Fazio Mechanical Services provided the vector for hackers which lead to Target’s massive breach. What big clients would you lose in this situation?
Myth #2 – Technology will fix everything:
It’s true that professionals use robust technology systems and tools to be prepared against cyberthreats, but technology is only part of the solution and buying and implementing technology solutions without expert configuration and monitoring is a lot like using WebMD.com in place of a doctor to diagnose and treat diabetes. Might you end up doing some beneficial things and even improving your situation? Absolutely! But are you positioned to understand all the complex intersections of causes, tools and treatments, side-effects, etc, to lead to an ideal outcome? It’s possible, but the truth is that you’re probably busy running your business and family.
Beyond technology, one critically underutilized tool in this fight against cybercrime is employee education. The number one risk factor since something like 1995 has been and remains human interaction. According to Verizon’s 2017 Data Breach Investigation Report, 99% of malicious content came from email (93.8%) and web browsers (5.8%). Though all of these threats are not easily detectible by humans, many are. As such, one of the most effective things we can do is to teach employees how to identify and avoid these sorts of threats and to pro-actively test them with controlled and measured phishing tests to determine where additional education may be needed. If employees are properly trained to detect a scam or raise a suspicion, we can prevent many attacks before malware is even in the system.
Myth #3 – I Don’t have funds or resources for cybersecurity:
It might feel like you’re not in a financial position to invest in cybersecurity yet – especially if you believe your business is too small to attract the attention of would-be-hackers. But have you stopped to think about the cost implications of a breach? There’s loss of business due to reputational damage, legal fees, loss of competitive edge, and so much more at stake.
Your local MSP (Managed Service Provider) has an IT Service that can help you. They will take an in-depth approach to cyber security which has proven highly effective by creating layers of security measures which minimize user impact and cost while maximizing return on investment. For instance, endpoint protection as a service solution, which is composed of industry leading anti-virus and web defense software married with best-in-class management and response procedures, has been deployed on 1000’s of systems as best practice.
Cybersecurity Ventures predicts $1 trillion will be spent globally on cybersecurity from 2017 to 20212. Ensure you’re a part of that investment, so you don’t get left behind.
Honored to be speaking at 2017 NMHC OPTECH Conference & Exposition in Las Vegas October 25-27, 2017 Mandalay Bay Resort and Casino.
Hackable Apartments: How to Keep Our Communities Safe When Everything is Going Online With the Internet of Things poised to revolutionize our systems and appliances just as the internet did with our information, the question remains—can we keep these devices safe? Today’s “smart” home demands a modern take on security and privacy as well as possible integrations with property management systems or even new voice activated consumer technology. Online security experts will assess the risk of the internet-enabled apartment and will present best practices to keep your residents and your enterprise safe from hackers.