Week 04: Vulnerability Scanning

Distributed denial of service attacks are on the rise, even as attack volume falls. According to the article, total DDoS attacks increased 129 percent in Q2 2016 from Q2 2015, and during the second quarter, Akamai mitigated a total of 4.919 DDoS attacks.

This reminds me of last week’s article that talked about 911 emergency phone system is vulnerable to DDoS attacks. When the total volume of attack falls, DDoS is still a major way that used by hackers since it is relatively simple. This gives FCC another warning, they should solve the problem as soon as possible.

The article also mentioned, as far as regional notes go, Brazil experienced a 197% increase in attacks sources from the region-the top country of origin for all web application attacks. The United States meanwhile ranked second among countries for total web application attacks, seeing a 13% decrease in attacks compared to Q1 2016.

 

Link: http://www.infosecurity-magazine.com/news/ddos-sees-tripledigit-growth-in/

When I originally posted, I didn’t see that someone already posted the news about CyMotive, so here is a different article that focuses on a study conducted by Tripwire, an industry leader in enterprise-class security, compliance, and IT operations solutions.

“According to the Department of Homeland Security, the energy sector faces more cyber attacks than any other industry. Despite the frequency in attacks, energy IT professionals participating in Tripwire’s survey were very confident in their ability to collect the data needed to detect a cyber attack…

“‘These results show that most security professionals are assuming they are doing the right things to secure their environments, but lack real world data to back up their assumptions,’ said Travis Smith, senior security research engineer for Tripwire. ‘This highlights the importance of testing security controls to ensure they are functioning as expected. It’s not enough to install security tools throughout the environment. You must test the policies and procedures to be confident the controls in place will stop or detect real-world intrusions…'”

http://www.businesswire.com/news/home/20160919005017/en/Tripwire-Study-Energy-Sector-Professionals-Overconfident-Cyber

I find it especially worrisome that an industry so essential to our success as a country—and demonstrably under constant cyber attack—seems to overestimate its capability to detect and respond to such attacks.

Sometimes aspiring Pokemon masters want that extra edge to their game and go looking for guides on how to play the game better. Looking in the Google Play Store may have led the players astray as one guide was secretly malware. Kaspersky was able to detect a trojan inside the app but said that multiple defenses made it difficult to reverse engineer to see how it fully works. One defense is that it delays any bad activity by two hours to try to thwart those who are trying to see what it can do. It also doesn’t do anything bad until it receives a respond from the server that is calling the shots. Once its determined its a desireable victim, it downloads files to attempt to root the phone and then grant itself root access. The Play Store reports half a million installs but Kaspersky claims they have only confirmed 6,000 infections live right now. Luckily the worst thing the app has done so far is install its own ads to make money.

 

The hacker may continue to publish under other psuedonyms for the next big gaming craze that might hit app stores. It is also worrying that hackers are trying to implement anti-virtual machine technology making it harder to create a testing environment that you can reset if things go wrong.

 

http://news.softpedia.com/news/rogue-pokemon-app-roots-and-hijacks-android-devices-508310.shtml

https://blog.kaspersky.com/pokemon-go-malware/12953/

With all the recent concern about the security of Internet-connected cars, it probably comes as no surprise that Volkswagen has formed an automotive cyber security firm with three former members of Israel’s Shin Bet intelligence agency, including its former head Yuval Diskin. They are calling the new firm CyMotive Technologies. According to Gartner, there are already 22 cyber security companies either focused on automobiles or containing divisions that do. The article seems to suggest that CyMotive will be the first such company directly affiliated with a car manufacturer.

http://www.usatoday.com/story/tech/news/2016/09/16/volkswagen-cymotive-israeli-group-car-automotive-cybersecurity-company/90491834/

The New York State Department of Financial Services has proposed a new regulation imposing significant new cybersecurity requirements on banks, insurance companies, and other financial services institutions regulated by DFS .

The new requirements will require such institutions to, among other things, establish and maintain a cybersecurity program, create an immediate response plan for security breaches, and designate a qualified individual to serve as Chief Information Security Officer (“CISO”).  The Proposed Regulation contemplates an effective date of January 1, 2017, with compliance required 180 days later

http://www.jdsupra.com/legalnews/new-york-state-proposes-new-27798/

When the government was able to unlock the San Bernardino shooter’s iPhone, they backed off of their demands that Apple assist with the breaking into the device.  They did not, however, provide Apple with details into how they were able to unlock the iPhone.  In my opinion, and apparently the opinion of the Associated Press, Gannett Satellite Information Network (”USA TODAY”), and Vice Media, this is a disservice to the millions of taxpayers that use iOS devices.  These organizations are suing the FBI for not disclosing how they were able to break into the phone.  This leaves potentially millions of iOS devices exposed to the vulnerability that allowed the FBI to obtain access to a locked iPhone.

The NIST Cybersecurity Framework, a government published set of standards, encourages information sharing about vulnerabilities and threats between private and public organizations.  I am a strong advocate of this principal because as companies work together to share information to protect against cyber threats, the benefits of increased security extends beyond the walls of the organization that identified the cyber threat.  It also helps us to collectively solve for vulnerabilities that are identified and shared.

In this case, however the FBI appears to be withholding information about the vulnerability for their own benefit.  If they publicly share the method in which they were able to unlock the device (or even privately with Apple), the folks in Cupertino will almost certainly address the security flaw immediately.

There is a fine balance between strong security and enabling our law enforcement to investigate, however I am not in favor of providing back doors to law enforcement and withholding security flaws that leave millions exposed.

Article links:

https://www.cnet.com/news/fbi-sued-over-apple-iphone-hack-by-vice-ap-gannett/

https://www.documentcloud.org/documents/3109606-16-Cv-1850-Dkt-No-1-Complaint.html

 

This past Wednesday, private information about international athletes leaked on the internet.  This information was allegedly leaked from the World Anti-Doping Agency, and included 25 medical drug exemptions given to athletes from 8 different countries.  As many of you may know, Russia was banned from competing in the Olympics in several sports this summer in Rio, due to a systematic doping scandal with Russian athletes in all sports.  The hackers originally gained access through a phishing technique used against the whistle-blower that accused Russia of state-sponsored doping.  There is no proof that Russia was behind the cyber-attack, but all evidence suggests it was a hacking group called “Tsar Team” or “Fancy Bear”.

 

http://www.technewsworld.com/story/83906.html?google_editors_picks=true

This article written by the CEO of Carbonite, a business that backs up more than 1.5 million businesses worldwide, would have to give up their encryption technology if the legislation proposed by Senators Burr and Feinstein is passed. The legislation they are proposing makes companies provide a “backdoor” to their encryption if a judge deems it necessary. Ali explains that if cyber criminals were to discover these backdoors that it would be like “…building a home with state-of-the-art alarm systems, but then cutting off the power to them.” Ali also says that it would essentially undermine years of progress by engineers in encryption technologies back tracking their progress and making systems ultimately more vulnerable. The government needs to strongly think about cyber security as a whole and see how something like this could plague both the internet and the US economy.

Article: https://hbr.org/2016/09/backdoor-government-decryption-hurts-my-business-and-yours