Information Security News (Oct-24-2016)
--DDoS attack Friday hits Twitter, Reddit, Spotify and others--(Oct-21-2016)
The East Coast was under siege on Friday morning from a large-scale distributed denial of service (DDoS) attack that brought down more than a dozen prominent websites, including Twitter, Spotify, Netflix, GitHub, Amazon and Reddit. The initial attack was followed later in the day by at least two more waves of attack.
The attack against Dyn DNS shuttered a number of widely used sites. Most have returned to normal as of noon EST, although Amazon said it was weakened by a "hostname" issue. It wasn't clear whether that glitch was related to the DDoS attack that hit Dyn, a Manchester, N.H.-based internet performance management company that also offers domain registration services and email products.
The global denial-of-service attack on Dyn's “Managed DNS” infrastructure was so impactful because it went after a basic piece of internet architecture that ties all those sites together: the domain name system, or DNS, which translates human-friendly names such as amazon.com into the IP addresses of the companies' actual servers. A browser that cannot resolve a name never reaches the web server behind it, however healthy that server is.
"Because DNS is vital to every person, business and website across the entire internet for system stability and performance, online businesses commonly outsource DNS management to third-party providers who have better and more reliable infrastructures to operate on behalf of their customers," Jeremiah Grossman, chief of security strategy at SentinelOne, told SCMagazine.com on Friday.
Historically, he said, this has worked to everyone's benefit. "However, what we're now seeing is that in light of the way the infrastructure works in the security landscape, they are attractive targets for large-scale DDoS attacks – because if you take out one of these DNS service providers, you can disrupt a large number of popular online services, which is exactly what we're seeing today."
Given the drastic increase lately in the size and scope of DDoS attacks, Grossman said that DNS providers are scrambling to increase bandwidth capacity to withstand the latest attacks. That is why these providers exist, he said: they absorb that cost so that the rest of us who use them don't have to.
“This is a reminder of how effective an attack on one can be an effective attack on many," Intel Security CTO Steve Grobman told SCMagazine.com on Friday. "DNS is one of those internet infrastructure capabilities upon which we all rely. An attacker seeking to disrupt services to multiple websites may be successful simply by hitting one service provider such as this, a DNS provider, or providers of multiple other internet infrastructure mechanisms."
It's also a reminder of the risk of relying on multi-tenant service providers, be they DNS or a variety of many other managed cloud service providers, Grobman added.
"Delegating service capabilities to such multi-tenant service providers has tremendous benefits over traditional architectures where you're responsible for running your own capabilities," Grobman said. "But it also means that if those services are targeted with attacks of significant scale, all tenant services relying on a provider could be impacted."
Given how much of our connected world must increasingly rely upon such cloud service providers, we should expect more such disruptions, Grobman said. "We must place a premium on service providers that can present backup, failover and enhance security capabilities allowing them to sustain and deflect such attacks."
"As these types of attacks continue to grow in size, frequency and complexity, we must ask ourselves, how can companies prepare for attacks of this astounding new scope and size?” Steve McGregory, senior director of application and threat intelligence at Ixia, told SCMagazine.com on Friday. One solution he offered was that companies must test their defenses in order to prevent these attacks. "The size of these DDoS attacks have increased by exponential amounts due to the availability of IoT botnets, which are easily used to attack security cameras, routers, and other connected devices."
The availability of these services and large-scale botnets-for-hire makes it relatively easy to launch an attack that can even disrupt the operations of large, robust public websites that are designed to handle high traffic volumes, McGregory said.
“Organizations can mitigate the impact of these attacks by reducing their attack surface – blocking web traffic from the large numbers of IP addresses that are known to be bot-infected, or are known sources of malware and DoS attacks," he stated. "Using an appliance specifically for line-speed IP address filtering can deliver this protection by simply eliminating the malicious traffic, helping to keep resources running.”
DDoS is not a new form of attack in and of itself, but methods and strategies around DDoS continue to evolve in the form of larger and more orchestrated attacks, Paul Calatayud, CTO of FireMon, told SCMagazine.com. "Often, the measure of the level of sophistication of a DDoS attack comes in the form of measured throughput. The attack details are not known in this particular attack, but recent attacks against [security researcher Brian] Krebs are reported to be upwards of 620 Gbps. That is a tremendous amount of data coming at a target at once."
What causes Calatayud to pause and reflect most in regard to this breaking news is that Dyn DNS is a DNS SaaS provider whose core job is to host and manage DNS services for its clients. "The impact and harm has a ripple effect attributed to the various clients Dyn services. As attackers evaluate their targets, and organizations run to the proverbial cloud for various reasons, it introduces interesting targets for the bad guys."
So, what can be done? First, evaluating dependency on cloud providers remains a risk you cannot outsource, said Calatayud. "Begin to plan for situations where cyberattacks against you may never be directed at you, but rather organizations you come to rely upon."
In the case of this attack and DNS, having a secondary DNS service operating at the same time may have mitigated the impact to organizations even when a primary provider goes down, Calatayud said. "Cloud governance becomes an element of a CISO security program.”
Will Gragido, director of advanced threat protection at Digital Guardian, agreed that DDoS attacks have become increasingly problematic over the last several years, particularly owing to the rise of botnets. "Organizations all over the world fall prey to them as do individuals," he told SCMagazine.com on Friday. "In many instances, the underlying attack infrastructure is tied directly to botnets, a type of malicious code and content ecosystem family which the threat research and mitigation community has been attempting to mitigate globally for more than a decade."
Further, with the advent of the internet of things, Gragido said the potential for a botmaster to expand their botnet's size is now greater than ever before. "Increased size and diversity aids in not only allowing the botmaster to remain in business but also ensures that they are able to carry out their desired outcome when those resources are called upon to do so."
Organizations, he added, need to consider mitigative solutions (services or point products) designed to provide protection against complex, volumetric DDoS attacks on a global basis in order to withstand such attacks.
While this particular attack may not have been motivated by extortion, a new model of ransom-based attacks – infrastructure ransom as a service (IRaaS) – could be on the horizon, with providers motivated to pay off threats for fear of infrastructure-wide customer outages, Thomas Pore, director of IT at Plixer, told SCMagazine.com.
"An infrastructure outage, such as DNS, against a service provider impacting both the provider and customers may prompt a quick ransom payoff to avoid unwanted customer attrition or larger financial impact," Pore said.
Should a provider come under attack, customers suffering from the extortion impact may start looking to move their services to another provider capable of mitigating the attacks, Pore said. "This prediction model could suggest a greater financial impact from customer attrition than paying off a few bitcoin to avoid the attack to begin with."
Then what happens if these extortion attempts begin to arrive regularly? This may emerge into a new business model, with a consistent revenue stream, Pore said.
“Despite decades of facing outages due to malformed traffic and data flooding, websites remain highly vulnerable to legacy attack vectors," Mike Ahmadi, global director – critical systems security at Synopsys, told SCMagazine on Friday. "Website providers need to constantly test their implementations with rigor in order to ensure that they can remain viable in an increasingly hostile environment."
The avalanche of IoT devices has created an environment where software and implementation flaws can be exploited at previously unseen levels, effectively turning them into widely distributed information weapons, Ahmadi said, adding that what may have been adequate robustness in the past no longer holds true.
As with most software designs from the 1980s, security was generally not considered when creating DNS, Craig Young, security researcher at Tripwire, told SCMagazine.com. Rather, the infrastructure was originally designed for early networks like ARPANET to allow human-friendly names in place of traditional network addresses, Young pointed out. "Because the web is so dependent on this system, it becomes a very visible point of failure as is the case today with service provider Dyn. Without DNS, there is essentially no internet from the perspective of all but the most sophisticated users."
Young hopes that service providers will take this as a cue that they need to distribute their DNS across multiple providers to avoid this as a single point of failure.
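Both Calatayud's suggestion of a secondary DNS service and Young's call to spread DNS across multiple providers come down to one check: does the zone's NS set depend on a single operator? The following is an added example, not code from the article or from any provider it names, that reads the answer section of `dig NS <zone>` and groups the nameservers by provider. The dig output, the provider names dns-a.example and dns-b.example, and the short public-suffix table are constructed placeholders, and grouping by registrable domain is a heuristic rather than a real public-suffix lookup.

```python
"""Check whether a DNS zone's authoritative nameservers are spread across
more than one provider, from the answer section of `dig NS <zone>`.

Added example, not code from the article or from any provider it names.
The dig output below is constructed, the provider names are placeholders,
and grouping nameservers by registrable domain is a heuristic that stands
in for a proper public-suffix lookup.
"""
import re

# Matches one NS record as printed by `dig +noall +answer NS <zone>`.
NS_LINE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<host>\S+)\s*$"
)

# Second-level public suffixes under which the registrable domain is the
# third label from the right. Constructed subset; a real check should
# consult the public suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Constructed: all four nameservers belong to one provider.
SINGLE_PROVIDER = """\
example.com.\t86400\tIN\tNS\tns1.dns-a.example.
example.com.\t86400\tIN\tNS\tns2.dns-a.example.
example.com.\t86400\tIN\tNS\tns3.dns-a.example.
example.com.\t86400\tIN\tNS\tns4.dns-a.example.
"""

# Constructed: the same zone after a second provider has been added.
TWO_PROVIDERS = """\
example.com.\t3600\tIN\tNS\tns1.dns-a.example.
example.com.\t3600\tIN\tNS\tns2.dns-a.example.
example.com.\t3600\tIN\tNS\tns1.dns-b.example.
example.com.\t3600\tIN\tNS\tns2.dns-b.example.
"""


def parse_ns_records(dig_output):
    """Return (ttl, nameserver) pairs from dig answer-section text,
    skipping comment lines and anything that is not an NS record."""
    records = []
    for line in dig_output.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            host = m.group("host").rstrip(".").lower()
            records.append((int(m.group("ttl")), host))
    return records


def provider_of(nameserver):
    """Heuristic: the registrable domain of the nameserver hostname is
    treated as the provider operating it."""
    labels = nameserver.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_ns_diversity(dig_output, min_providers=2):
    """Summarise provider diversity of a zone's NS set.

    single_point_of_failure is True when fewer than min_providers distinct
    providers serve the zone, i.e. one provider outage takes it offline.
    """
    records = parse_ns_records(dig_output)
    providers = sorted({provider_of(host) for _, host in records})
    return {
        "nameservers": sorted(host for _, host in records),
        "providers": providers,
        "single_point_of_failure": len(providers) < min_providers,
        # Lowest NS TTL: how long resolvers may keep pointing at a dead set.
        "ns_ttl": min((ttl for ttl, _ in records), default=None),
    }


if __name__ == "__main__":
    for label, text in (("single", SINGLE_PROVIDER), ("split", TWO_PROVIDERS)):
        report = assess_ns_diversity(text)
        verdict = "SPOF" if report["single_point_of_failure"] else "ok"
        print(label, report["providers"], verdict)
```

To run it against a real zone, capture `dig +noall +answer NS yourzone.example` and pass the text to `assess_ns_diversity`. Two caveats matter in practice: a second provider only helps if it actually holds a current copy of the zone (kept in sync by AXFR/IXFR or an API-driven push), and the registrable-domain heuristic can miscount providers that run nameservers under several domains or white-label another operator, so cross-check the nameserver addresses against their ASNs before trusting the verdict.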
“They're innovating," Chase Cunningham, director of cyber operations at A10 Networks, told SCMagazine.com on Friday. "This is a new spin on an old attack, as the bad guys are finding new and innovative ways to cause further discontent."
It was an interesting point to see that the bad guys are moving upstream for DDoS attacks on the DNS providers, instead of just on sites or applications, Cunningham said.
“Threat actors are leveraging unsecure IoT devices to launch some of history's largest DDoS attacks,” said Cunningham. “The immediate solution is for manufacturers to eliminate the use of default or easy passwords to access and manage smart or connected devices."
Consumer adoption will be tricky, he admitted, but this change is critical for the greater security of all. "This response will hinder many of the global botnets that are created and deployed for malicious use.”
One thing is certain, Plixer's Pore added, DDoS attacks are not going away anytime soon.
--Mirai botnets linked to massive DDoS attacks on Dyn DNS, Flashpoint says--(Oct-21-2016)
Mirai botnets like the ones recently used in distributed denial of service (DDoS) attacks on a French internet service provider and a well-known security researcher were at least partly responsible for the waves of DDoS attacks against Dyn DNS that took down Twitter, Spotify, Netflix, GitHub, Amazon and Reddit and other websites Friday, according to a Flashpoint blog post.
Mirai does its dirty work on Internet of Things (IoT) devices and “Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks,” the post said.
Flashpoint noted that while “Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against ‘Krebs on Security’ and [French Internet provider] OVH.”
After “Anna_Senpai,” the hacker behind the Mirai botnet used to attack Krebs, released the malware's source code online, “copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks,” making it difficult to draw a relationship between Friday's DDoS attacks, which were still ongoing well into the evening, and previous attacks where Mirai botnets were used.
Chris Sullivan, general manager of Intelligence/Analytics at Core Security Inc., said “the really frightening part” of the Friday attacks, which he called a “new breed of very high volume DDoS,” is not that organizations “will be struggling with these new attacks for some time, but that the underlying weakness which makes them successful can and will be used to unleash more serious attacks that steal credit cards and weapons designs, manipulate processes like the SWIFT global funds transfers, and even destroy physical things like the 30,000 PCs at Saudi Aramco.”
Current defenses don't cut it against attacks that exploit the security shortcomings of devices like baby monitors and thermostats. “IoT devices don't have the memory and processing to be secured properly, so they are easily compromised by adversaries and it's very difficult to detect when that happens,” Sullivan said in comments emailed to SCMagazine.com.
Justin Fier, director of cyber intelligence and analysis at Darktrace, said that while IoT makes life easier “it's also putting us at risk—as it's become painfully apparent how easy it is to hack them.” In comments emailed to SCMagazine.com, Fier called for “better visibility into new technology and the environment in which it's becoming entrenched” otherwise, “we'll continue seeing a pool of vulnerable devices that can be harnessed for these malicious botnet attacks.”
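Cunningham's point about default passwords and Flashpoint's identification of DVRs among the attacking devices have a defensive corollary: Mirai-style recruitment is visible as telnet logins cycling through a short list of factory credentials, from many sources, against anything that answers on the port. The following is an added example, not code from the article, from Flashpoint or from the Mirai source, that runs that detection over sample log lines. The log format (a made-up honeypot line with src=, user=, pass= and result= fields), the sample lines themselves, which use RFC 5737 documentation addresses, and the small DEFAULT_CREDS set are all constructed for the example.

```python
"""Flag hosts that probe telnet with factory-default credentials, the
pattern Mirai used to recruit DVRs, cameras and routers.

Added example, not code from the article, from Flashpoint or from the
Mirai source. The log format is made up (a honeypot that records the
credentials tried), the sample lines use RFC 5737 documentation
addresses, and DEFAULT_CREDS is a hand-picked set of widely reported
factory defaults, not the full list the malware carries.
"""
import re
from collections import defaultdict

# One honeypot event: timestamp, sensor, "telnet login", then key=value fields.
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+telnet login\s+src=(?P<src>\S+)\s+"
    r"user=(?P<user>\S*)\s+pass=(?P<pw>\S*)\s+result=(?P<result>\w+)"
)

# Constructed subset of factory-default username/password pairs.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "888888"),
    ("root", "default"), ("admin", "admin"), ("root", "root"),
    ("support", "support"), ("admin", "1234"),
}

# Constructed sample: two scanners cycling through defaults, one operator
# mistyping a real password once, and one unrelated event to be ignored.
SAMPLE_LOG = """\
2016-10-21T11:02:13Z dvr-honeypot telnet login src=198.51.100.23 user=root pass=xc3511 result=fail
2016-10-21T11:02:14Z dvr-honeypot telnet login src=198.51.100.23 user=root pass=vizxv result=fail
2016-10-21T11:02:15Z dvr-honeypot telnet login src=198.51.100.23 user=admin pass=admin result=fail
2016-10-21T11:02:16Z dvr-honeypot telnet login src=198.51.100.23 user=root pass=888888 result=success
2016-10-21T11:03:01Z dvr-honeypot telnet login src=203.0.113.9 user=root pass=xc3511 result=fail
2016-10-21T11:03:02Z dvr-honeypot telnet login src=203.0.113.9 user=root pass=vizxv result=success
2016-10-21T11:04:00Z dvr-honeypot http request src=192.0.2.5 path=/
2016-10-21T11:05:40Z dvr-honeypot telnet login src=192.0.2.77 user=operator pass=correct-horse result=fail
2016-10-21T11:05:55Z dvr-honeypot telnet login src=192.0.2.77 user=operator pass=correct-horse2 result=success
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it is not a telnet login."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["default"] = (ev["user"], ev["pw"]) in DEFAULT_CREDS
    ev["success"] = ev["result"] == "success"
    return ev


def analyze_log(text, min_default_attempts=2, min_sources=2):
    """Return sources that tried at least min_default_attempts factory
    credentials, and the default credentials shared by at least
    min_sources distinct sources (a scanning-campaign signature)."""
    per_src = defaultdict(lambda: {
        "default_attempts": 0, "distinct_creds": set(), "default_success": False,
    })
    sources_per_cred = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        cred = (ev["user"], ev["pw"])
        state = per_src[ev["src"]]
        state["distinct_creds"].add(cred)
        if ev["default"]:
            state["default_attempts"] += 1
            sources_per_cred[cred].add(ev["src"])
            if ev["success"]:
                # A default credential worked: on a real device this host
                # would now be a bot, not just a scanner.
                state["default_success"] = True
    flagged = {
        src: {
            "default_attempts": s["default_attempts"],
            "distinct_creds": len(s["distinct_creds"]),
            "default_success": s["default_success"],
        }
        for src, s in per_src.items()
        if s["default_attempts"] >= min_default_attempts
    }
    shared = {
        cred: len(srcs) for cred, srcs in sources_per_cred.items()
        if len(srcs) >= min_sources
    }
    return {"flagged": flagged, "shared_credentials": shared}


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for src, info in sorted(report["flagged"].items()):
        print(src, info)
    print("shared defaults:", report["shared_credentials"])
```

A flagged source with default_success set means a real device answering on that port would have been enrolled in the botnet; the remediation is the one Cunningham names, a non-default credential, together with not exposing telnet to the internet at all. Production telnet daemons do not log the password that was tried, so this logic belongs on a honeypot or on a network sensor that parses the telnet stream, not on the device itself.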
--iPhone 7s arrive logged into strangers' Apple IDs, iOS 10 browser raises privacy concerns--(Oct-06-2016)
While consumers complain that new iPhones are already logged into strangers' accounts, those with functioning devices should be relieved that researchers said a recently discovered private browsing flaw in iOS 10 isn't as bad as it seems.
The iPhone glitch prevents users from signing in to their accounts and from setting up their devices. It reportedly affects new iPhone 7 and 7 Plus models when they are turned on for the first time and iPhone 6s and iPhone 6s Plus models when they are restored to default settings, according to Mac Rumors.
When the device is turned on it triggers Activation Lock, a security feature of Find My iPhone that prevents others from using a lost or stolen iPhone. One user reported receiving a new phone that looked immaculate, with a screen appearing to be in perfect condition, after taking it out of the box.
“Only problem is, it appears someone has already used it as the iPhone is asking for the account used to activate it — o.....@icloud.com,” one user wrote in a Mac Rumor forum. “Apple say it needs replacing […] Now got to wait for an expedited replacement iPhone once I've returned this one.”
Some users were reportedly able to unlock their phones after providing proof of purchase at an Apple retail store, scheduling a Genius Bar appointment, or calling Apple's support team.
Separately, late last month, IntaForensics Digital Forensic Analyst Stacey Jury reported that Apple had made the private browsing feature in iOS 10 “less private” since it doesn't properly delete data, leaving it vulnerable to recovery, according to a Sept. 30 blog post.
Since the discovery, independent third-party researchers, including Russian computer forensics software firm Elcomsoft, have played down the significance of the supposed vulnerability spotted by Jury, according to The Register.
“We looked at iOS private browsing mode a little bit, but have not found any issues - implementation seems to be good enough; all temp files seem to be properly deleted, visited links are not being saved in history etc.,” ElcomSoft researcher Vladimir Katalov told the publication.
--Apple pushing out OS update automatically--(Oct-04-2016)
Apple is pushing out its new macOS Sierra as an automatic download, according to The Loop.
The Cupertino, Calif.-based company told the site that the update will download on users' computers in the background beginning this week – if a user has automatic downloads enabled in their preferences.
While the upgrade will be pushed to computers, users will be alerted and must then initiate the install manually.
The download would not occur if a user's computer lacks the roughly 5 GB of free space the installer needs, or if an older computer is not supported by the upgrade.
Alternatively, users can download the new version from Apple's App Store.
While some sites are raising concerns over the “pre-download” process, comparing the rollout to the negative response Apple earned for its automatic push of a U2 music download with its launch of iPhone 6, automatic downloads have been an option for some time on Macs and iOS.
--Yahoo, complying with U.S. intelligence directive, searched emails--(Oct-04-2016)
At the behest of a directive handed down by U.S. intelligence officials, Yahoo built a custom software program in secret to dig through all of its customers' emails, according to a Reuters report.
Hundreds of millions of Yahoo Mail accounts were searched in response to a classified U.S. government directive from the National Security Agency (NSA) or FBI directed at Yahoo's legal team, according to unidentified sources who were said to be former employees of the agencies.
The specifics of what the intelligence agencies were looking for is unknown, the sources said, only that a search for a set of characters was requested, i.e., a phrase appearing in an email or an attachment.
This is not the first time phone or internet companies have complied with requests from intelligence agencies to hand over data on customers, but experts who spoke with Reuters said they had never seen such a wide-sweeping collection of real-time web data. It also appears that a custom computer program was used for the trawling.
Reuters reported that, according to two former employees, Yahoo chief executive Marissa Mayer agreed to the agencies' request despite dissent from other executives at the firm. Alex Stamos, the firm's CISO, departed in June 2015 as a consequence, they said, moving to a similar post at Facebook.
It's unknown at this time whether the federal agencies filed directives with other phone or internet providers. However, there is precedent owing to the 2008 amendments to the Foreign Intelligence Surveillance Act, which authorize intelligence agencies to demand that U.S. phone and internet companies hand over customer data for the purpose of preventing terrorist attacks and other intelligence gathering.
Reuters reported that Mayer and Yahoo General Counsel Ron Bell left the firm's security team out of the loop and had company engineers create a program capable of digging through email messages in search of the character string requested by the intelligence agencies. The data could then be stored for remote retrieval.
When Yahoo's security team detected the program in May 2015, a few weeks after the install, they initially believed they were under attack from hackers.
Reuters reported that CISO Stamos resigned after finding out that Mayer had approved the FISA request. He was left out of the decision, he said, and the move put users' security at risk, he reportedly told colleagues, as a bug in the programming could allow hackers to gain access to accounts.
"We're deeply concerned with today's Reuters report," Mark Rumold, senior staff attorney at the Electronic Frontier Foundation (EFF), told SCMagazine.com on Tuesday. "This type of broad, warrantless surveillance of hundreds of millions of Yahoo users plainly violates the Fourth Amendment."
But it might not be uncommon. "Unfortunately, it sounds very similar to the type of surveillance AT&T and Verizon allow the NSA to conduct on their networks, as well," Rumold said. "This type of upstream surveillance is unconstitutional on Verizon and AT&T's networks, and it's unconstitutional on Yahoo's networks as well."
While the Reuters story, if it is accurate, "may at first blush seem to be another black eye for Yahoo on the privacy front," Michael Sutton, CISO at Zscaler, in a statement emailed to SCMagazine.com, urged that "we shouldn't be quick to rush to judgement or single out Yahoo. It's unlikely that Yahoo alone received the classified U.S. government directive to search all incoming email messages."
He explained that "such a broad directive suggests that the intelligence community needed to cast a wide net, which likely included other providers," but noted that "unfortunately, the very process of such directives precludes transparency and prohibits others from even revealing the existence of such a request."
Writing code in order to give effect to the FISA request is new, Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), told SCMagazine.com on Tuesday.
While Hughes admitted that the full extent of what data was handed over is not yet known, he said the news illustrates the terrible position businesses are finding themselves in. On the one hand, he said, enforcement laws on the books order companies to comply with such directives. But at the same time they have an obligation to customers as stewards of their data.
"They're stuck between a rock and a hard place," he said, pointing out the contrast with the legal dispute earlier this year that pitted Apple against the FBI's request to create a backdoor into a locked iPhone. "Apple took a firm stand," Hughes said. The company was both challenged and critiqued for its stand, he said, but also lauded.
Spying agencies absconding with communications has always been a risk with cloud-based email providers, Chris Wysopal, CTO and co-founder, Veracode, told SCMagazine.com on Tuesday. "Given the PATRIOT Act, unless you have end-to-end encryption in your mail reader with something like PGP, all cloud-based email is at risk."
Wysopal posits that there have been other email providers approached and others that complied, but might not be able to speak about it because of a gag order. "I think this will be a boon for offshore secure email providers, like ProtonMail in Switzerland," he said. "I have recently seen more of my security colleagues using offshore services like this."
What should not be surprising to anyone is that requests of this type are being made, said Sutton of Zscaler. "Intelligence agencies will continue to do what they've been tasked with – protecting the nation through any and all legal means available to them. What's changing is that methods used in the past are no longer viable."
Due to the increasingly distributed nature of communications and enhanced security protections, including encryption, security agencies can no longer do everything in house, he explained. "In order to access the same data, they must now leverage the service providers themselves. While the providers may not be willing participants, with denials of FISA applications by the Foreign Intelligence Surveillance Court being extremely rare, service providers largely have their hands tied when such directives arrive.”
--RAUM weaponizes torrents to deliver malware --(Sep-21-2016)
A new and sophisticated tool dubbed RAUM has been uncovered that targets naïve torrent users who download popular software or media content, replacing the desired content with malware.
The internet security company InfoArmor reported that RAUM has been used to essentially “weaponize” torrents to spread a variety of ransomware types including CryptXXX, CTB-Locker and Cerber, the online-banking Trojan Dridex and the password-stealing spyware Pony. It does this through a two-pronged attack.
“RAUM is a special system developed by the owners of the identified underground malicious network, used for two things - analysis of trending torrent files on torrent trackers with a high number of downloads, and further repacking of these files with malware for further distribution. The system uploads the final weaponized torrent file to the same trackers under various stolen user accounts having good reputation there,” Andrew Komarov, InfoArmor's CIO, told SCMagazine.com in an email.
Once RAUM identifies the most popular content being downloaded on a tracker at that time, say a pirated version of Microsoft Windows or Office, the legitimate files are extracted and replaced with malware. The Pirate Bay and ExtraTorrent are among the trackers being used, InfoArmor said.
“Later, they upload them to the same trackers, and other trackers, using stolen credentials of ‘seeders' having good reputations on them, as it helps their files to be distributed better. In this way, they infect a big number of users systematically,” Komarov added.
RAUM stands out as a malicious tool as it goes after those least likely to understand the dangers of using torrents.
“This is a pretty unique, but very efficient, model of ransomware and malware delivery, as the people downloading torrents are not very experienced from security perspective, and it is really big. The bad actors optimize costs on malware delivery, and in such cases they don't need to spend resources on new exploits acquisition and "loads" services,” he said.
RAUM, and similar tools, also pose a threat to corporations as their employees may use personal devices to access torrent content, which are then connected to the company network.
“It bypasses firewalls and perimeter defenses, entering via BYOD and corporate assets used offline (off of the corporate domain) for downloading, etc.; completely blocking all software downloads on corporate assets is no longer pragmatic for many companies. This underscores that organizational security defenses must include the ability to identify malware by the behaviors it exhibits within the network and at endpoints. Signature solutions are wholly insufficient,” Lastline CMO Bert Rankin told SCMagazine.com in an email.
There is no direct defense against RAUM other than not using torrent services, Komarov said.