We’re fast approaching the biggest holiday shopping season for retailers. Just how big? According to the National Retail Federation’s annual consumer spending survey, consumers plan to spend an average of $935.58 each this holiday season in 2016. What’s more, 41% of consumers plan to start their shopping this month. Every year, consumers entrust their financial and personal information (everything from credit card data to home addresses) to retailers both big and small. But are these stores doing enough to keep their customers’ data safe?
As the hacktivist community continues to grow and evolve, so do the tools and services at a hacker’s disposal. The digital divide between skilled and amateur hackers continues to grow. This separation in skill is forcing those with limited knowledge to rely solely on others who are offering paid attack services available in marketplaces on both the Clearnet and Darknet. While most hacktivists still look to enlist a digital army, some are discovering that it’s easier and more time efficient to pay for an attack service like DDoS-as-a-Service. Cyber criminals that are financially motivated market their attack services to these would-be hacktivists looking to take down a target with no knowledge or skill.
Following the public release of the Mirai (You can read more about it here) bot code, security analysts fear for a flood of online attacks from hackers. Mirai exposes worm-like behavior that spreads to unprotected devices, recruiting them to form massive botnets, leveraging factory default credentials and telnet to brute and compromise unsuspecting user’s devices.
Soon after the original attacks, Flashpoint released a report identifying the primary manufacturer of the devices utilizing the default credentials ‘root’ and ‘xc3511’. In itself, factory default credentials should not pose an enormous threat, however combined with services like Telnet or SSH enabled by default and the root password being immutable, the device could be considered a Trojan with a secret backdoor, a secret that now has become public knowledge.
The unprecedented attacks launched recently against Brian Krebs’ blog (Krebs on Security) and the hosting provider OVH highlight the immense damage from IoT-driven botnets, and really signal a new age of attacks.
For years, security evangelists have been talking about the potential for IoT-driven attacks, a message that has often been met with a combination of eye rolls and skepticism. That’s likely no longer the case after these latest attacks. It’s a shift I experienced first-hand at the SecureWorld event in Denver where I participated in a panel on the current threat landscape. Suddenly, the IoT threat has more attention in such a setting, whereas in the past it held more merit in the future threats panels and discussions. This week’s panel elicited a palpable degree of anxiety from the audience about what these attacks mean for security professionals.
On Tuesday, September 20th around 8:00PM, KrebsOnSecurity.com was the target of a record-breaking 620Gbps volumetric DDoS attack designed to take the site offline. A few days later, the same type of botnet was used in a 1Tbps attack targeting the French webhoster OVH. What’s interesting about these attacks was that compared to previous record-holding attacks, which were less than half the traffic volume, they were not using amplification or reflection. In the case of KrebsOnSecurity, the biggest chunk of the attack traffic came in the form of GRE, which is very unusual. In the OVH attack, more than 140,000 unique IPs were reported in what seemed to be a SYN and ACK flood attack.
You might be surprised at who is behind the most recent cases of cyber-attacks on schools. Would you guess that in many cases, it’s the students themselves? Whether because they want to change their grades or attendance, because they feel it’s fun or they want to test the limits of how much they can get away with, it’s becoming a larger problem across the globe. Part of the issue is the ease in which kids can now access the Darknet, and the increasingly low costs to hire someone to hack the system for them.
Australia’s Prime Minister Malcolm Turnbull recently raised the issue of cyber security education during a Washington D.C. speech. The intention behind such a sentiment is a good one. Teaching cyber security to the public, and making it a part of the education curriculum is essentially a public safety lesson akin to ‘Don’t Do Drugs,’ ‘Don’t Talk To Strangers’, and ‘Be Alert And Aware Of Your Surroundings.’
However, as a society we are at a crossroads where our children have vastly more knowledge of the cyber landscape than adults. Teachers still struggle with computer basics while students are hacking the schools’ computer systems to change their grades, create DDoS attacks on the day of critical testing, and worse.
Summertime is almost over, and back-to-school season is upon us. Beginning now, students all across the globe are beginning to register for their classes, purchase their school supplies, and start working on assignments for the upcoming year. But among these students, there are some who will get up to no good – hacking into the school systems to alter records, to disrupt the school’s normal operations, and to see just how much damage they can do. Let’s take a closer look at some of the reasons why kids are hacking their schools:
Hackers all over the internet today are slowly adapting to the changes in the attack marketplace. Many notorious DDoS groups like Lizard Squad, New World Hackers and others have already entered the DDoS as a Service business, monetizing their capabilities in peace-time by renting out their powerful stresser services. But it’s not just DDoS. It’s all attack services including application-based attacks. These marketed services are now allowing novice hackers with little know-how to launch attacks via affordable tools that are available on the Clearnet. This growth is healthy for any market but has forced vendors to take on more of a traditional marketing strategy.
It’s late July and the ‘boys of summer’ are in full swing, if you’ll pardon the pun. I’m a huge baseball fan and love most everything about the sport, including the mystique surrounding many of its unwritten rules. These rules, as their name suggests, cannot be found in any official rule book issued by Major League Baseball or other governing bodies. Nonetheless, they are firmly planted in players’ and coaches’ minds, and have their own system of self-policing administered mostly on the field. Typically penalties come in the form of a high-inside fastball for those that break them. Among the most established of these unwritten rules is the stealing of signs, a practice with many infamous examples throughout the game’s history. My personal favorite sign-stealing story surrounds the Chicago White Sox, who reportedly used a single light bulb in the centerfield scoreboard, turning it on-or-off to signal pitches to the home team batter.
Currently, the game and Major League Baseball is dealing with an entirely different type of stealing, with the recent case and sentencing of Chris Correa, a former executive with the St. Louis Cardinals. Last week, Correa received some ‘chin music’ of his own, being sentenced to nearly four years in prison by a U.S. District Court in Texas for masterminding a hack of the Houston Astros personnel database in search of insights into their player scouting. What’s particularly interesting here is that Correa wasn’t after any pitching or base-running signs, future lineups or other form of in-game strategic insight. Rather, he was after a pool of data that most every Major League Baseball team (and indeed professional teams in other sports) has come to view as highly valuable intellectual property, player analytics.
You might also like: A View from the Corner Offices: New Research on C-Suite Security Mindset
The Digitization of Baseball
In much the same way businesses in all industries have undergone a digital transformation over the past twenty years, baseball too has undergone its own transformation. This isn’t about Major League Baseball teams selling tickets or memorabilia through a website. The digitization of baseball has to do with the current fascination around in-depth player statistical performance as an indicator of future success. Baseball has always been big on statistics, of course. Few if any games lend themselves to an analysis of numbers the way baseball does. However, in recent years this has taken on a whole new level through the work of what’s often referred to as Sabermetrics, popularized by the book Moneyball by Michael Lewis. In the same way the hyper-statistically driven online advertising industry transformed marketing, Sabermetrics and its followers have turned the long-standing ideas of player scouting on their head. The creation of new statistics found to hold strong correlation to individual and team success have a wave of young math nerds turning their attention to our national pastime. Heck, there’s even an annual conference hosted by MIT Sloan School of Business on the topic of advanced sports analytics.
No one is immune
Perhaps the biggest takeaway beyond the implications of baseball is how this hack reinforces the fact that ‘no one is immune’ from today’s cyber-security threats. As with any business, as more value gets put around proprietary data, more and more attackers will seek to steal that data and/or disrupt operations by tying that data up. The competitively motivated attack is another interesting and important dynamic for organizations to consider. We’ve seen situations with customers where attacks against applications seemed primarily focused on interrupting ecommerce and other transactions, potentially to the benefit of other competing companies more immediately able to satisfy demand. In one particularly unique case, a major U.S.-based airline became the target of cyber-attacks that used bots programmed to “scrape” their site, looking for certain flights, routes and classes of tickets. With the bots acting as faux buyers—continuously creating but never completing reservations on those tickets—the airline was unable to sell the seats to real customers. In essence, the airline’s inventory was held hostage, and a growing number of flights were taking off with empty seats that could have been sold. Additionally, the bots could have been gathering valuable competitive pricing information, including information on the complex formulas that adjust pricing based on current demand.
What should by now be obvious to all is that any business has a wealth of valuable data within its systems. Baseball, just as any ecommerce or financial services organization, has a responsibility to protect that data in order to maintain its value. So the next time you watch a baseball game, consider all the data behind the moves you see on the field. And appreciate the importance to its owners of keeping that data as secure as consumer credit cards or personal health records.