“Internet of Things” DDoS Attack Highlights Hacker’s Ingenuity

Posted By: Elizabeth Rowe | November 1, 2016

The lead stories this week are about the internet outage on October 21st. Dyn, a company that hosts domain name servers for the Internet, was hit by a denial of service attack. The loss of the service meant that the internet didn’t have the resources to translate domain names into the IP addresses required to route requests properly. The main point of the story is that the attackers used devices such as DVRs and IP cameras instead of computers. The attackers were able to infect thousands of these devices, and when instructed, the devices started to flood Dyn. The traffic got so heavy that the company was unable to answer legitimate requests.

The bad guys will continue to think outside the box and use new methods to attack us. We can’t afford to let our programs and tools stagnate or we will lose our battle to protect our sensitive information.  Let’s talk, share information, and constantly review our controls.

Hacked Cameras, DVRs Powered Massive Internet Outage

A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests. At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gbps attack on my site last month. At the end of September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai. Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users. According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products. “It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.

KrebsOnSecurity, October 21, 2016

Hackers Used New Weapons to Disrupt Major Websites Across U.S.

SAN FRANCISCO — Major websites were inaccessible to people across wide swaths of the United States on Friday after a company that manages crucial parts of the internet’s infrastructure said it was under attack.

The New York Times, October 21, 2016

A Massive Cyberattack Blocked Your Favorite Websites; FBI and Homeland Security are Investigating

The Department of Homeland Security and the FBI are investigating a massive cyberattack that stopped or slowed access to Twitter, Spotify, Amazon and other sites Friday by targeting a firm responsible for routing Internet traffic their way.

LA Times, October 21, 2016

Spreading the DDoS Disease and Selling the Cure

Earlier this month a hacker released the source code for Mirai, a malware strain that was used to launch a historically large 620 Gbps denial-of-service attack against this site in September. That attack came in apparent retribution for a story here which directly preceded the arrest of two Israeli men for allegedly running an online attack for hire service called vDOS. Turns out, the site where the Mirai source code was leaked had some very interesting things in common with the place vDOS called home.

KrebsOnSecurity, October 19, 2016

Explaining Privacy And Cybersecurity To A Corporate Board

Cybersecurity is — and should be — a major concern for lawyers. Earlier this year, for example, we learned about Russian hackers targeting top big law firms. But cybersecurity isn’t just an issue for attorneys in law firms. It also presents challenges for in-house lawyers, who often find themselves on the front lines of response when the companies they represent get hacked, exposing the private, confidential information of thousands or even millions of customers. Some say that if you work for a big enough company, it’s not a matter of if you’ll be hacked, but when.

Above The Law, October 19, 2016

Government Alleges Former NSA Contractor Stole ‘Astonishing Quantity’ of Classified Data Over 20 Years

Federal prosecutors in Baltimore on Thursday said they will charge a former National Security Agency contractor with violating the Espionage Act, alleging that he made off with “an astonishing quantity” of classified digital and other data over 20 years in what is thought to be the largest theft of classified government material ever.

The Washington Post, October 20, 2016

75% Of Orgs Lack Cybersecurity Expertise

Three-quarters of organizations lack skilled cybersecurity experts—resulting in more breaches.  A study from Tripwire found that 66% of respondents faced increased security risks due to this workforce shortage; and 69% have attempted to use technology solutions to fill the gap.  Finding cyber-talent is easier said than done: A full 72% said they had challenges hiring skilled cybersecurity experts; half said their organizations do not have an effective program to recruit, train and retain skilled cybersecurity experts.  It’s only going to get worse: A study by Frost & Sullivan, conducted on behalf of (ISC)2, estimates that by 2020 there will be a shortfall of 1.5 million trained cybersecurity professionals.

InfoSecurity Magazine, October 21, 2016

Tough Federal Cybersecurity Standards for Big Banks Proposed

Federal banking regulators are proposing tough new standards designed to bolster cybersecurity at the nation’s largest banking institutions. The proposed standards, published on Oct. 19 by the Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency, are aimed at institutions with $50 billion or more in assets. They will be finalized after a comment period that ends Jan. 17. But FDIC spokesman David Barr tells Information Security Media Group that no timeframe has been set for when the new standards could take effect.  The proposal comes after a February hack that drained $81 million from Bangladesh’s central bank and the 2014 hack at JPMorgan Chase that compromised data on millions of customers.

BankInfoSecurity, October 19, 2016

Elizabeth Rowe

Elizabeth tracks the shifting payments landscape for both PSCU and its member owners. Focusing on the interstice of the economy, competition, consumers, technology, payment products and channels and regulatory guidance, Elizabeth gleans the key challenges and opportunities facing our industry, our strategic plans and our success fulfilling our mandate of serving the American consumer.