Wednesday, October 26, 2016

Actually, this is more concerning.  Any 12-year-old can now take down the Internet!
Dyn DNS DDoS likely the work of script kiddies, says FlashPoint
Business risk intelligence firm FlashPoint has put out a preliminary analysis of last week’s massive denial of service attack against Dyn DNS, and its conclusion is it was likely the work of amateur hackers — rather than, as some had posited, state-sponsored actors perhaps funded by the Russian government.
   Its reasoning is based on a few factors, including a detail it unearthed during its investigation of the attack: namely that the infrastructure used in the attack also targeted a well-known video game company.
“While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” writes FlashPoint’s Allison Nixon, John Costello and Zach Wikholm in their analysis.
The attack on Dyn DNS was powered in part by a botnet of hacked DVRs and and webcams known as Mirai.  The source code for the malware that controls this botnet was put on Github earlier this month.  And FlashPoint also notes that the hacker who released Mirai is known to frequent a hacking forum called hackforums[.]net.


Can we use this to estimate what a large DDoS attack might cost?
Government-Ordered Internet Shutoffs Cost $2.4 Billion Last Year
Governments pay a significant price when they disrupt access and connectivity to the Internet because such shutdowns undermine economic growth, jeopardize lives, and erode confidence, Brookings Institution said in a study.
   India suffered the biggest impact valued over $968 million and North Korea was the lowest at $313,666, according to the report.  There had been 14 shutdowns of national apps such as Twitter or Facebook, which was the most costly type of disruption at $1.04 billion.  There were 36 instances of nation-wide internet access cutoff, making that the most frequent type of disruptions.


Interesting.  This has apparently been resolved, but consider what your organization’s reaction to a seemingly random contact claiming your database is insecure might be.  Read the full article.
RBS writes:
We need your help to contact an organization that has thus far been unresponsive to numerous notifications that we have sent about a discovered data breach!  Read on to understand the issue and see how you can help!
We know that we have become a bit of a broken record when it comes to data breaches, and more specifically when it comes to unsecured databases recently.  It’s no secret there are tens of thousands of open, unsecured databases of all types and sizes just sitting out there on the Internet, waiting to have their data plucked off, plundered or otherwise compromised by anyone with the time and inclination to do so.
It was no surprise when our researchers recently came across an open MongoDB installation containing data on more than 8 million users.  What was surprising – and disappointing – is what has happened after the discovery.
Read more on RBS.

(Related)
What to Do When You Suspect a Data Breach: FTC Issues Video and Guide for Businesses
by Sabrina I. Pacifici on Oct 25, 2016
“If your business has experienced a data breach, you are probably wondering what to do next.  The Federal Trade Commission’s new Data Breach Response: A Guide for Business, an accompanying video and business blog can help you figure out what steps to take and whom to contact.  Among the key steps are securing physical areas, cleaning up your website, and providing breach notification.  The guide also includes a model data breach notification letter.  For related advice on implementing a plan to protect customer information and prevent breaches, check out the FTC’s Protecting Personal Information: A Guide for Business and Start with Security: A Guide for Business.  The guide and the video are both in the public domain, so business people can share them with employees and customers, and through their websites and newsletters.”


Sage advice.
   If the end game is preventing something bad from happening, companies typically waste time and money on futile attempts to build an impenetrable wall of systems.  Even if it were possible to build a wall that’s 100% secure, it wouldn’t begin to protect the rapidly growing amount of sensitive data that flows outside the firewall through devices and systems beyond the company’s direct control.
It’s far more important to focus on two things: identifying and protecting the company’s strategically important cyber assets and figuring out in advance how to mitigate damage when attacks occur.


Resources for Ethical Hacking.
Data Leaked by Pagers Useful for Critical Infrastructure Attacks
Pagers are still used in industrial environments and many organizations don’t realize that the messages sent with these devices can be highly useful to malicious actors looking to launch a targeted attack.
After analyzing the use of pagers in the healthcare industry, researchers at Trend Micro have focused their attention on the risk they pose to industrial environments, particularly in critical infrastructure sectors.
Industrial control systems (ICS) can rely on pagers to transmit information that is crucial for the operation of a facility, including events and deviations in the production process.  Pagers are particularly popular as backup communication systems and in areas where cellular coverage is weak.
The problem is that the messages sent to these devices are typically unencrypted, allowing anyone with the technical knowhow and some inexpensive equipment to intercept the information.


If we can buy it, we don’t need a subpoena, right?
Nicky Woolf reports:
Telecommunications giant AT&T is selling access to customer data to local law enforcement in secret, new documents released on Monday reveal.
The program, called Hemisphere, was previously known only as a “partnership” between the company and the US Drug Enforcement Agency (DEA) for the purposes of counter-narcotics operations.
Read more on The Guardian.


IBM may have a winner here.
IBM expands Watson's reach with data platform, iOS integration, bots, education efforts
The barrage of announcements comes as IBM hosts a Watson conference in Las Vegas.  IBM CEO Ginny Rometty will use a keynote speech to outline the Watson portfolio, ecosystem and customer base.


Discuss, debate, does no one educate? 
The Political Environment on Social Media
by Sabrina I. Pacifici on Oct 25, 2016
Pew – “In a political environment defined by widespread polarization and partisan animosity, even simple conversations can go awry when the subject turns to politics.  In their in-person interactions, Americans can (and often do) attempt to steer clear of those with whom they strongly disagree.  But online social media environments present new challenges.  In these spaces, users can encounter statements they might consider highly contentious or extremely offensive – even when they make no effort to actively seek out this material.  Similarly, political arguments can encroach into users’ lives when comment streams on otherwise unrelated topics devolve into flame wars or partisan bickering.  Navigating these interactions can be particularly fraught in light of the complex mix of close friends, family members, distant acquaintances, professional connections and public figures that make up many users’ online networks.  A new Pew Research Center survey of U.S. adults finds that political debate and discussion is indeed a regular fact of digital life for many social media users, and some politically active users enjoy the heated discussions and opportunities for engagement that this mix of social media and politics facilitates.  But a larger share expresses annoyance and aggravation at the tone and content of the political interactions they witness on these platforms…”


The war in streaming TV?
AT&T's new streaming TV service will give you 100+ channels for $35 a month
   The service will debut in November.
DirecTV Now will be a package of live TV delivered over the internet wherever you are — no cable box or satellite dish necessary.
   DirecTV Now's $35 price point undercuts the early industry norms for live-streaming TV.  The market leader Sling TV charges $20 for "25+" channels, and its highest package has about 50 channels for $40.  Sony's PlayStation Vue charges $54.99 for about 100 channels, and its lowest package gives you "60+" channels for $39.99 a month.  Other competitors including Hulu and YouTube are reportedly readying their own packages for streaming live TV but have yet to name a price.  
   "It's pay TV as an app," AT&T's senior vice president of strategy and business development, Tony Goncalves, told Business Insider in a recent interview.

No comments: