The report said that the share of attacks from Linux botnets almost doubled (to 70 per cent) – and Linux bots are the most effective tool for the SYN-DDoS attack method. This is the first time that Kaspersky DDoS Intelligence has registered such an imbalance between the activities of Linux- and Windows-based DDoS bots.
SYN DDoS is one of the most common attack scenarios, but the proportion of attacks using the SYN DDoS method increased 1.4 times compared to the previous quarter and accounted for 76 per cent.
Oleg Kupreev, lead malware analyst at Kaspersky Lab said that it is Linux which is to blame.
“Linux servers often contain common vulnerabilities but no protection from a reliable security solution, making them prone to bot infections”, says. “These factors make them a convenient tool for botnet owners. Attacks carried out by Linux-based bots are simple but effective; they can last for weeks, while the owner of the server has no idea it is the source of an attack. Moreover, by using a single server, cybercriminals can carry out an attack equal in strength to hundreds of individual computers. That’s why companies need to be prepared in advance for such a scenario, ensuring reliable protection against DDoS attacks of any complexity and duration”.
Brazil, Italy and Israel all appeared among the leading countries hosting botnet Command and Control (C&C) servers. South Korea is the clear leader in terms of the number of C&C servers located on its territory, with its share amounting to 70 per cent. Brazil, Italy and Israel saw the amount of active C&C servers hosted in these countries nearly triple.
DDoS attacks affected resources in 70 countries over the report period, with targets in China suffering the most (77 per cent of all attacks). Germany and Canada both dropped out of the top 10 rating of most targeted countries, to be replaced by France and the Netherlands.
The report also identifies an increase in the duration of DDoS attacks. While the proportion of attacks that lasted up to four hours fell from 68 per cent in Q1 to 60 percent in Q2, the proportion of longer attacks grew considerably – those lasting 20-49 hours accounted for nine per cent (and those lasting 50-99 hours accounted for four per cent (one per cent in Q1).
The longest DDoS attack in Q2 2016 lasted 291 hours (12 days), an increase on the Q1 maximum of eight days.
Intel Security, Kaspersky Lab and Europol have teamed up to launch a new initiative designed to educate people about the threat of ransomware and offer keys that can unlock devices without having to pay the fraudsters.
The No More Ransom portal, which also has the backing of the Dutch National Police, has been put together in response to the rising threat from ransomware which had almost one million victims in Europe last year.
The portal will contain material designed to educate users about the threat of ransomware and where it comes from, but it is the access to some 160,000 keys that is most notable. These cover numerous ransomware strains, most notably the Shade trojan that emerged in 2014. This is a particularly nasty ransomware spread via websites and infected email attachments.
However, the command and control servers for Shade that stored the decryption keys were seized by law enforcement, and the keys were given to Kaspersky and Intel Security.
These have now been entered into the No More Ransom portal so that victims can access their data without paying the criminals.
Jornt van der Wiel, security researcher with Kaspersky’s global research and analysis team, explained that the portal will help people to take a stand against the rise of ransomware.
“The biggest problem with crypto-ransomware today is that when users have precious data locked down they readily pay criminals to get it back. That boosts the underground economy, and we are facing an increase in the number of new players and the number of attacks as a result,” he said.
“We can only change the situation if we coordinate our efforts to fight against ransomware. The appearance of decryption tools is just the first step on this road.”
Raj Samani, EMEA chief technology officer at Intel Security, echoed this sentiment. “This collaboration goes beyond intelligence sharing, consumer education and takedowns to actually help repair the damage inflicted on victims,” he said.
“By restoring access to their systems, we empower users by showing them they can take action and avoid rewarding criminals with a ransom payment.”
Mozilla is taking legal action to find out whether its code was affected during an FBI investigation into Tor, the privacy browser that shares a lot of Firefox code.
Mozilla has concerns that the FBI has found a vulnerability that it will not disclose. The firm wants to know what it might be so that it can apply a fix. The FBI has not helped out, so the software company has taken its case to the courts.
“User security is paramount. Vulnerabilities can weaken security and ultimately harm users. We want people who identify security vulnerabilities in our products to disclose them to us so we can fix them as soon as possible,” said Mozilla lawyer Denelle Dixon-Thayer in a blog post as she explained that this is not a political action.
“Today, we filed a brief in an ongoing criminal case asking the court to ensure that, if our code is implicated in a security vulnerability, the government must disclose the vulnerability to us before it is disclosed to any other party.
“We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure.”
The situation arose after an FBI investigation into a Tor-based child abuse site. The site was closed down, and the FBI reportedly installed malware to trace the users.
This suggests that the FBI has a decent way into the software, which raises concerns for Mozilla.
“The relevant issue in this case relates to a vulnerability allegedly exploited by the government in the Tor Browser,” said Dixon-Thayer.
“The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defence team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser.
“At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base.
“The judge in this case ordered the government to disclose the vulnerability to the defence team but not to any of the entities that could actually fix the vulnerability. We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed.”
Mozilla would like the FBI to follow the same disclosure procedures as the technology industry and do the decent thing by letting the company know as soon as possible.
“Court-ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community,” she said.
“In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.
“Governments and technology companies both have a role to play in ensuring people’s security online. Disclosing vulnerabilities to technology companies first allows us to do our job to prevent users being harmed and to make the web more secure.”
The legislation, which would call for hackers using ransomware to be prosecuted under a statute similar to extortion but geared specifically to cyber crime, easily cleared the state senate’s public safety committee.
Senate Bill 1137 moves next to that body’s appropriations committee. It must be approved by both houses of the California legislature and be signed by Governor Jerry Brown to become law.
A spokesman for the measure’s author, state Senator Bob Hertzberg, said the measure, which was co-sponsored by the Los Angeles County District Attorney’s Office, had been met with little opposition so far.
“We don’t anticipate any problems with the bill, it seems to be getting very strong support,” said Andrew LaMar, communications director for Hertzberg, a Democrat.
Authorities say ransomware attacks, in which hackers use malicious software to lock up data in computers and leave messages demanding payment have surged this year.
More than $209 million in ransomware payments were made in the United States alone during the first three months of 2016, according to FBI statistics cited by Hertzberg’s office.
In March, Hollywood Presbyterian Hospital in Los Angeles paid a ransom of $17,000 to regain access to its systems.
Los Angeles prosecutors, in a letter to the state senate’s public safety committee, said that the bill was needed because current extortion laws are not well tailored toward prosecuting ransomware attacks.
While such attacks have been around longer than a decade, security experts say they have become far more threatening and prevalent in recent years because of state-of-the-art encryption, modules that infect backup systems, and the ability to infect large numbers of computers over a single network.
WhatsApp’s founders said that the application now implements end-to-end encryption, which means only authorized users can decrypt messages.
“The idea is simple: When you send a message, the only person who can read it is the person or group chat that you send that message to,” Jan Koum and Brian Acton wrote in a blog post. “No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us.”
The move by WhatsApp comes after fierce debate over the increasing use of encryption and how it affects law enforcement investigations. WhatsApp said in February it had 1 billion users.
In February, a federal magistrate judge ordered Apple to create a special version of its mobile operating system that would help the FBI get into a phone used by one of the San Bernardino mass shooters. Apple objected, setting off a widespread debate.
The order was vacated after the FBI said it had found a way to unlock the phone with the help of a third party. But there are similar cases outstanding.
Devices using WhatsApp hold the encryption and decryption keys to messages sent over the service. That means law enforcement could not go to WhatsApp or another service provider to obtain the keys.
Alternatively, law enforcement could get access to WhatsApp messages if a suspect divulged his or her phone’s passcode or the passcode could be obtained another way.
It is also possible that a software vulnerability in the app could allow law enforcement access. Experts believe that may have been how the FBI unlocked the San Bernardino shooter’s iPhone.
WhatsApp’s encryption uses an open-source protocol called Signal, which is also used in an encrypted messaging app of the same name. Signal was developed by Open Whisper Systems.
The FBI has promised to aid local law enforcement authorities in cracking encrypted devices, in a letter that refers to the federal agency’s success in accessing the data on an iPhone 5c running iOS 9 that was used by one of the San Bernardino terrorists.
The agency did not, however, explicitly promise investigators that it would deploy the same tool, said to have been developed by an outside organization, on other iPhones.
The FBI had earlier demanded in court that Apple should assist it in its attempts to crack by brute force the passcode of the iPhone used by the terrorist, without triggering an auto-erase feature that could be activated after 10 unsuccessful tries.
It changed its stance and informed the court that it was trying out a technique from an external organization that could possibly help it access the data on the phone. It later informed the court that it was able to access the data on the phone and that Apple’s help would not be required.
The FBI did not disclose in court the method it had used to access the data and whether it was device specific or could be used on other iPhones.
The letter by the FBI to local investigators appears to be a response to requests for help from local agencies after the hack of the phone used by the San Bernardino shooter, Syed Rizwan Farook, but does not make commitments.
“We know that the absence of lawful, critical investigative tools due to the ‘Going Dark’ problem is a substantial state and local law enforcement challenge that you face daily,” according to a copy of the letter obtained by BuzzFeed News and some other news outlets. The FBI has previously said that even when law enforcement has the legal authority to intercept and access communications and information, backed by court orders, it faces a ‘Going Dark’ problem to technically access the data in motion or at rest in devices.
“As has been our longstanding policy, the FBI will of course consider any tool that might be helpful to our partners,” it added. “Please know that we will continue to do everything we can to help you consistent with our legal and policy constraints. You have our commitment that we will maintain an open dialogue with you. We are in this together.”
The plan calls for a $3.1 billion fund to replace outdated IT infrastructure; a new position of federal chief information security officer; a commission to study cybersecurity problems, and a program to recruit cybersecurity experts into government roles.
The U.S has been working since 2009 to improve the nation’s cyber defenses, most recently with the Cybersecurity Act of 2015, which promotes better information sharing between private industry and government, said Michael Daniel, special assistant to the President and cybersecurity coordinator, in a phone briefing with reporters Monday.
“Despite this track record, the cyberthreat continues to outpace our current efforts,” he said. “Particularly as we continue to hook more and more of our critical infrastructure up to the Internet, and as we build out the Internet of things, cyberthreats become only more frequent and more serious.”
The U.S. has faced serious data breaches and intrusions over the past two years. An attack on the Office of Personnel Management, the federal personnel agency, resulted in the theft of data including Social Security numbers, and in some cases fingerprints, of 21.5 million people.
In November 2014, the State Department took its unclassified email system offline after it detected suspicious activity. The shutdown came just two weeks after the White House reported unusual activity on the unclassified Executive Office of the President network.
Overall, the government wants to allocate $19 billion for cybersecurity spending in fiscal 2017, a 35% increase over the current year.
The proposed $3.1 billion Information Technology Modernization Fund would be used to replace systems that pose a high risk and to investigate more modern architectures, such as cloud services.
Teenage hackers are making merry with the online world of CIA director of national intelligence James Clapper.
This is the second bout of attacks from the group of technology tearaways, according to Motherboard, which reports on the Clapper problem and its connection to a group known as Crackas With Attitude.
A member of the group, a young chap called Cracka, told Motherboard that access to a range of Clapper accounts had been seized, and that Clapper and the CIA haven’t a clue what’s going on.
“I’m pretty sure they don’t even know they’ve been hacked. You asked why I did it. I just wanted the gov to know people aren’t fucking around, people know what they’re doing and people don’t agree #FreePalestine,” he said.
The claims were supported by the Office of the Director of National Intelligence, which confirmed that something has happened and that the authorities are looking into it.
“We’re aware of the matter and we reported it to the appropriate authorities,” said spokesman Brian Hale, before going mute.
Cracka, representing himself on Twitter as @dickreject, is less quiet. He has tweeted a number of confirmatory and celebratory messages that are not particularly flattering about the CIA and its abilities.
This is the group’s second bite at the CIA cherry. The teenagers walked into the personal email account of CIA director John Brennan last year and had a good look around. Some of the impact of this was washed away when it was discovered that Brennan used an AOL account for his communications.
“A hacker, who describes himself as an American high school student, has breached the CIA boss’s AOL email account and found a host of sensitive government files that one assumes a government official shouldn’t be sending to his personal email address,” said security comment kingpin Graham Cluley at the time.
“I’m not sure what’s more embarrassing. Being hacked or having an AOL email account.”
The company said email and password details were likely gathered either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored Time Warner Cable’s customer information, including email addresses.
The company said it has not yet determined how the information was obtained, but there were no indications that Time Warner Cable’s systems were breached.
Time Warner Cable spokesman said it was recently notified by the Federal Bureau of Investigation that some customers’ email addresses including account passwords “may have been compromised.”
The company said it is sending emails and direct mail correspondence to encourage customers to update their email passwords as a precaution.
Thousands of small businesses continue to suffer intermittent outages of their websites in the crucial lead up to Christmas, after their provider Moonfruit took all sites offline yesterday.
A statement from the company at 1pm today said: “Our operations team is continuing to work on resolving the service issue. We are making progress but unable to provide specific details at this time. Once again, we’re really sorry for the disruption. Your patience and understanding is very much appreciated.”
A further update was scheduled for 3pm but had not materialized at the time of publication.
The identikit website creator made the unusual decision after facing a prolonged DDoS attack against its servers last Thursday from a hacking group calling itself Armada DDoS. The company is believed to have had renewed threats of further attacks and is still suffering a significant degradation of service.
The motives for the attack are currently unknown.
Moonfruit began restoring service this morning, but at 1pm many customers were still having problems, and the main Moonfruit site was offline.
Moonfruit is one of the oldest sites of its type, dating back to 2000. The British company was initially advertising-based and free before moving to a subscription model when the last bubble burst.
The whole system was based on Adobe Flash until recently, but has been adapted for HTML5, which represents an important step in its survival as more browsers stop rendering the ageing platform.
However, the company announced earlier today that it is taking all its sites offline for 12 hours after a sustained distributed denial-of-service (DDoS) attack on its servers.
Moonfruit Update, 14/12/2015: https://t.co/5xkHAshFT9 and your sites will be offline today. Please read: https://t.co/w2CvVG1xqQ
— Moonfruit (@moonfruit) December 14, 2015
Dave Larson, chief operating officer at Corero Network Security, said: “Unfortunately, the sheer size and scale of hosting or data centre operator network infrastructures and their massive customer base presents an incredibly attractive attack surface due to the multiple entry points and significant aggregate bandwidth that acts as a conduit for a damaging and disruptive DDoS attack.
“As enterprises of all sizes increasingly rely on hosted critical infrastructure or services, they are placing themselves at even greater risk from these devastating DDoS attacks, even as an indirect target.”
DDos attacks grew by a third in just the past quarter. A Swedish bank was brought down last month, while GitHub was taken offline earlier in the year by an attack thought to have originated in China.
Moonfruit customers have expressed their anger at the short notice and timing of the outage. Many are obviously concerned about potential loss of sales in the run up to Christmas, but Moonfruit maintained that the downtime is necessary to make “infrastructure changes”.
“We have been working with law enforcement agencies regarding this matter and have spared no time or expense in ensuring we complete the work as quickly as possible,” said the company’s director, Matt Casey, in a statement posted to the Moonfruit Facebook page.
The Moonfruit site, which is built on its own platform is back up and running. A further statement from Moonfruit last night said, “We know how painful this has been for you and your business. We have used the time well and our defenses have improved substantially. Thank you for your patience and support throughout this crisis. We are nearly there and hope to fully restore service by early evening.
As always, we care about the Moonfruit Community and will keep you informed. You have no idea how much the messages of support have meant as we’ve burned the midnight oil over the weekend to put things right, and to better position you for the future.”
The public will see an uptick in successful cyberattacks against their online health records next year; supercomputers like IBM’s Watson will reduce patient deaths and treatment costs by 10% in 2018; and virtual healthcare will soon become routine.
Those are some of the predictions made by IDC’s Health Insights group in a new report.
The report claims that because of a legacy of lackluster electronic security in healthcare and an increase in the amount of online patient data, one in three consumers will have their healthcare records compromised by cyberattacks in 2016.
“Frankly, healthcare data is really valuable from a cyber criminal standpoint. It could be 5, 10 or even 50 times more valuable than other forms of data,” said Lynne Dunbrack, research vice president for IDC’s Health Insights.
Not only do healthcare records often have Social Security and credit card numbers, but they are also used by criminals to file fraudulent medical claims and to get medications to resell.
Healthcare fraud costs the industry from $74 billion to $247 billion a year in the U.S., according to FBI statistics. Fraudulent billing represents between 3% and 10% of healthcare expenditures in the U.S. each year, Dunbrack said.
The biggest problem is that the industry has been a laggard in deploying security technology. Dunbrack pointed to high-profile examples of healthcare providers who experienced massive breaches this past year, including Anthem and Premera Blue Cross.
Anthem reported that nearly 80 million records had been exposed; Premera suffered a breach of more than 11 million records.
“Part of this increase [in cyber attacks] is because there’s more electronic data than ever before,” Dunbrack said. “Some of the things leading to attacks are good things. For example, digitized formats allow [sharing] patient data among providers.”
Additionally, healthcare networks need to increase the sophistication of their security analytics software so they can identify attacks as they’re happening and head them off by learning their patterns.
The Dorkbot malware aims to steal login credentials from services such as Gmail, Facebook, PayPal, Steam, eBay, Twitter and Netflix.
It was first spotted around April 2011. Users typically get infected by browsing to websites that automatically exploit vulnerable software using exploit kits and through spam. It also has a worm functionality and can spread itself through through social media and instant messaging programs or removable media drives.
Microsoft didn’t provide much detail on how Dorkbot’s infrastructure was disrupted. The company has undertaken several such actions over the last few years in cooperation with law enforcement.
Coordinated actions to take botnet servers offline have an immediate impact, but the benefits can be short-lived. Cybercriminals often set up new hosting and command-and-control infrastructure and begin rebuilding the botnet by infecting new computers.
Microsoft said it worked with security vendor ESET, the Computer Emergency Response Team Polska, the Canadian Radio-television and Telecommunications Commission, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, Europol, the FBI, Interpol, and the Royal Canadian Mounted Police.
Cybercriminals have sold a kit that allows other bad actors to build botnets using Dorkbot. The kit, called NgrBot, is sold in underground online forums, Microsoft wrote in a blog post.
Hacking a major corporation is so easy that even an elderly grannie could do it, according to technology industry character John McAfee.
McAfee said that looking at the world’s worst hacks you can see a common pattern – they were not accomplished using the most sophisticated hacking tools.
Writing in IBTImes said that the worst attack was in 2012 attack on Saudi Aramco, one of the world’s largest oil companies. Within hours, nearly 35,000 distinct computer systems had their functionality crippled or destroyed, causing a massive disruption to the world’s oil supply chain. It was made possible by an employee that was fooled into clicking a bogus link sent in an email.
He said 90 per cent of hacking was social engineering, and it is the human elements in your organization that are going to determine how difficult, or how easy, it will be to hack you.
The user is the weakest link in the chain of computing trust, imperfect by nature. And all of the security software and hardware in the world will not keep a door shut if an authorized user can be convinced to open it, he said.
“Experienced hackers don’t concern themselves with firewalls, anti-spyware software, anti-virus software, encryption technology. Instead they want to know whether your management personnel are frequently shuffled; whether your employees are dissatisfied; whether nepotism is tolerated; whether your IT managers have stagnated in their training and self-improvement.”
Muct of this information can be picked up on the dark web and the interernet underground, he added.
“”Are you prepared for a world where grandma or anyone else can quickly obtain, on the wide open web, all of the necessary information for a social engineering hack? Is your organization prepared?” he said.
The Infamous Darkode cyber crime forum is back up after being slammed to the ground by the US authorities earlier this year.
The forum has notoriety status, and is the kind of black market where people might have traded, sold or bought malware, zero-day exploits and access to compromised servers.
Darkode launched in 2007 and was apparently frequented by outfits including the Lizard Squad. The last time we checked Darkode.com it was showing an FBI seizure notice designed to put the wind up shoppers and visitors.
Security firm Damballa said that a reloaded version is back, but that it is loaded with plastic bullets and is not the threat it once was. However, while it was once a .com site it is now on the dark web. This certainly makes it more sinister.
Damballa said in a blog post that the problem with the Darkode redux is apparently its design. The site is open to all visitors, at least those that traverse the dark web, and usernames, forum posts and anything else you might want to see is available without log-in information.
“The forum administrator, Sven, is a very generic handle but we know that he’s a previous member of Darkode. As for the rest of the members, there is a mix of HackForum members usually called HF skids and DamageLab members. This gives you an idea about the quality of the forum,” Damballa said with a firm dose of shade.
“In terms of security, the forum is also accessible without the Tor software. It can be accessed from any browser without anonymity. Another poor design of the forum.”
It took 17 law enforcement agencies to take down the original site, but this one could potentially blow over in a gust. Damballa reckons that it does not present much risk.
“From the posts we reviewed, no significant activity stood out. It felt like a bad Darkode imitation with rigorous rules. There was no discussion of banking trojans or similar high-profile malware,” the company added.
“The criminal community has low trust in the ‘new’ Darkode forum. The lack of security and misconfiguration shows that Darkode can’t be trusted and will never regain its former glory. Another Darkode fail. In previous times, we’d provide the link, but this time we aren’t because it’s just not worth anyone’s time.”
We are a long way away from the talk we endured in the early summer, when the UK National Crime Agency (NCA) was swaggering around scalp in hand.
“This has been a truly global operation, targeting the infrastructure of an online hub for high-end cyber crime and suspected members of its criminal community,” said Steven Laval, senior investigating officer at the NCA National Cyber Crime Unit.
“Despite the exclusive nature of Darkode and the technical skills of its users, this action shows once again that we can identify and pursue those we believe are seeking to offend through an apparently secure online environment far removed from their victims.”
IBM has claimed that sophisticated criminals are responsible for 80 percent of cyber attacks, and that there are probably a lot of kids and amateurs accounting for the remaining 20 percent.
The IBM X-Force Threat Intelligence Quarterly 4Q 2015 (PDF) described this 20 percent as “script kiddies”, claiming that the attacks reveal their amateurishness. However, when people are not messing about they are able to carry out some catastrophic and expensive hacktrocities.
“The script kiddies scour the internet for ‘low hanging fruit’, the servers that can be compromised quickly and easily, and they use them for a limited time to send spam and scan other servers on the internet,” said the report.
“Or they deface the website and move on to other targets once they are discovered. These script kiddies give little thought to covering their tracks.
“In contrast, stealthy attackers might gain access to a system by exploiting the same vulnerability as the script kiddies, but they use a far more sophisticated combination of commercial tools, malware/rootkits and backdoors to increase their access level on the client’s network and compromise additional systems over several weeks of expansion.”
There is plenty to worry about, naturally, and IBM has plenty of things to spook us with. The report starts with saying that 2015 has been the year of ransomware. The FBI has already reported that such exploits have bagged attackers $18m over the period, and that it expects the problem to extend into 2016.
Take a look around your office before you read alert number two. This is the insider danger. The report said that this trend has played out since 2014, and that 55 percent of all attacks in 2015 were down to insiders, or at least people with inside information.
Perhaps as a result of this – we are not data analysts – IBM has also seen an increase in boardroom involvement and spending. Some 88 percent of respondents to a survey said that their relevant budgets had increased over the period.