Hacking

SPOTLIGHT ON SECURITY

DDoS Attacks Create Smokescreens for Larceny

Systems designed to protect networks against DDoS attacks can themselves be problematic. "There are tactics where traffic can get so bad that it will be 'black holed.' That's like throwing the baby out with the bath water," said NeuStar's Joe Loveless. "You're losing good traffic as well as the bad. With a good scrubbing service, you can maintain the good traffic while eliminating the bad."

Distributed denial of service attacks have evolved from protest tool to criminal weapon.

More than one in three DDoS attacks are used to plant malware or a virus on company systems, and 40 percent of them result in data theft, according toNeuStar’s semiannual DDoS attack and protection report released last week.

“Until two years ago, DDoS attacks were really seen as just a disruption and annoyance tool,” said NeuStar Senior Security Manager Joe Loveless.

“There’s more purpose behind the attacks now than simply to be disruptive,” he told TechNewsWorld.

“DDoS attacks are clearly being used for more sinister purposes,” Loveless continued. “They’re accompanying data breaches, the implementation of malware within an organization, theft of intellectual property, and stealing funds or customer information.”

Frequency Increase

As motives behind DDoS attacks have changed, so too has the frequency of the assaults. Half the companies in North America, Europe, the Middle East and Africa have suffered DDoS attacks, NeuStar reported. More than eight of 10 of those companies (83 percent) have been assaulted more than once.

“We’re seeing an increase in the pace that companies are being attacked,” Loveless said. “They’re being attacked repeatedly, as opposed to one-off attacks.”

Of the 750 organizations analyzed, more than half were attacked — and of those that were attacked, more than half had been attacked at least six times, he noted. “It’s not so much if an organization will be attacked, it’s a matter of how often.”

Scrubbing Traffic

A majority of DDoS atttacks now are on the smaller side, but User Datagram Protocol attacks, “which are quite large, continue to be popular,” Loveless said. “Large attacks over 5 gigabits are more than 40 percent of the attacks that we’ve seen.”

UDP attacks flood random ports on a target with UDP data. It overwhelms the target and makes it unresponsive to anyone trying to access it.

How are organizations protecting themselves against DDoS attacks? There are network appliances that offer a measure of protection, but they can be overwhelmed, too.

There are also cloud solutions. Cloud-based services can intercept all of an organization’s network traffic and reroute it through a scrubbing infrastructure. However, those services need to be accompanied by experts that make sure traffic is being scrubbed and not purged.

“There are tactics where traffic can get so bad that it will be ‘black holed.’ That’s like throwing the baby out with the bath water,” Loveless explained.

“That’s not a good thing, because you’re losing good traffic as well as the bad,” he continued. “With a good scrubbing service, you can maintain the good traffic while eliminating the bad.”

The Cocoon Browser

Web browsers have become a popular conduit for all kinds of cyberattacks. Net marauders are finding it easier to infect a target with malicious software through a browser than to face an organization’s cyberdefenses head-on.

With that in mind, Virtual World Computing has launched a new secure browser called “Cocoon.”

Cocoon’s security rests in the cloud, which means any nastiness you encounter on the Web will occur on VWC’s servers and not on your hard drive. That includes scrutinizing potential threats for malware.

Another benefit of working through the cloud is that all your Web activity is masked to companies trying to track your behavior on the Net by VWC’s servers.

In addition, since your browsing behavior is stored in VWC’s cloud, you can log into Cocoon from any machine and have access to things like your browsing history and bookmarks.

Safety in Isolation

“We isolate everything from your hard drive,” explained Jeff Bermant, CEO of Virtual World Computing. “That way, you don’t run the risk of downloading something that might harm your computer.”

Bromium does much the same thing with its security solution for enterprises. What is new with Cocoon is that it provides this kind of protection to consumers for the first time.

With most users entrenched in their browsing habits, getting them to try something new, no matter how secure, will be an uphill battle, however. What’s more, VWC will be charging an annual subscription fee of US$9.995 for its browser, while all other major browser makers offer their software for free.

Some consumers will find the fee a bargain, though, Bermant believes.

“You’re paying us $10 a year to make sure a drive-by doesn’t ruin your day, and we won’t sell your information to someone else,” he told TechNewsWorld. “Other free browsers let people follow you around the Web,. We won’t let people follow you around the Web, but you pay us in exchange for that.”

Privacy Report

When it comes to privacy, you’d think that industries required by government regulators to fund privacy programs would spend more on those programs than industries not required to spend a dime on them. However, that doesn’t seem to be the case.

Spending on privacy programs was higher in unregulated industries than in regulated industries, including the government itself, the International Association of Privacy Professionals said in its annual report released last week.

The median budget for privacy programs in unregulated industries, such as marketing and software, was $300,000. That compares to $250,000 for unregulated industries, such as financial services and healthcare, and $130,000 for government, the IAPP found.

“Government is always fighting resource and budget issues,” observed IAPP Vice President of Research and Education Omer Tene.

How government and regulated industries view privacy may be a key to the discrepancies in spending.

“In regulated industries, privacy is still treated as a legal compliance issue, while the less regulated industries treat it as a strategic issue,” Tene told TechNewsWorld.”As the recognition that it is a strategic issue becomes broader, we will see it rise in importance despite cost cutting measures.”

Breach Diary

  • Sept. 29. Oakland Family Services in Pontiac, Mich., notifies 16,000 people their personal information is at risk after an intruder broke into their computer systems on July 14.
  • Sept. 29. U.S. District Judge William Keith Watkins adopted recommendations of a magistrate judge to allow a class action lawsuit against Triad of Alabama to continue for failure to properly protect patient data stolen by an employee of one of the company’s hospitals.
  • Sept. 30. U.S. District Court in Georgia sentences Dmitry Belorossov, 22, to 54 months in prison for conspiracy to commit computer fraud. The Russian was responsible for the proliferation of Citadel, a malware program that infected more than 11 million computers worldwide, according to the U.S. Attorney’s office in Atlanta.
  • Sept. 30. Kmart Australia alerts an unspecified number of online customers that their personal data is at risk following a breach of its computer systems on Sept. 29.
  • Sept. 30. FierceHealthIT reports the Office of the Inspector General has released two reports critical of the U.S. Department of Health and Human Services’ Office of Civil Rights oversight of the healthcare providers it regulates.
  • Sept. 30. NetDiligence releases annual study of cyberliability claims. Of 160 claims studied, it found the average payout on a claim to be $673,767; for larger companies, $4.8 million; and for the healthcare sector, $1.3 million.
  • Oct. 1. U.S. Office of Personal Management sends letters informing some 21.5 million data breach victims of identity theft and credit monitoring services available to them free of charge.
  • Oct. 1. Bromium releases survey of mobile users revealing 86 percent of them had accessed their corporate network, corporate files or corporate email account from their personal devices. It also found that 64 percent of users participating in the survey had done likewise from a public network.
  • Oct. 2. Experian North America reveals that a breach of one of its servers resulted in theft of personal information of some 15 million applicants for T-Mobile cellphone service.
  • Oct. 2. Scottrade, a stock trading service, reveals personal information on 4.5 million customers was stolen from the company’s computer systems by data thieves.
  • Oct. 2. Trump Hotels warns payment card information for customers who did business with the chain between May 19, 2014, and June 2, 2015, is at risk due to malware infection of the business’ payment system.
  • Oct. 2. Data thieves post to Internet some 15 million gigabytes of data stolen from Patreon, a crowdfunding site for artists.
  • Oct. 2. Australian retailer David Jones reveals personal data of an undisclosed number of online customers is at risk after intruders accessed its computer systems.

Upcoming Security Events

  • Oct. 7. What’s in Your Incident Response Toolkit? 2 p.m. ET. Webinar sponsored by Lifars and Guidance Software. Free with registration.
  • Oct. 9-11. B-Sides Warsaw. Pastwomiasto, Anders 29, Warsaw, Poland. Free with registration.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
  • Oct. 13. Protecting Your Users from Online Attackers. 2 p.m. ET. Dark Reading webinar. Free with registration.
  • Oct. 14. Latest DDoS Attacks Trends — Excerpts from Arbor ATLAS Global Statistics. 10 a.m. ET. Webinar by Arbor Networks. Free with registration.

  • Oct. 14. Best Practices in DDoS Defense: Real World Customer Perspectives. 11 a.m. ET. Webinar sponsored by Networks. Free with registration.
  • Oct. 14. Arbor Solutions for the Next Decade of DDoS Defense. 9 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Oct. 14. Securing Cloud Communications for the Enterprise. 2 p.m. ET. Webinar sponsored by Twillo. Free with registration.
  • Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 15-16. B-Sides Los Angeles. Dockweiler Youth Center and State Beach. Free.
  • Oct. 16-18. B-Sides Washington D.C. Washington Marriott Metro Center, 775 12th St NW, Washington, D.C. Free.
  • Oct. 17-18. B-Sides So Paulo. Pontifcia Universidade Catlica de So Paulo, So Paulo, Brazil. Free.
  • Oct. 19-21. CSX Cybersecurity Nexus Conference. Marriott Wardman Park, 2660 Woodley Rd. NW, Washington, D.C. Registration: before Oct. 14 — member, $1,595; nonmember, $1,795. After Oct. 14 — member, $1,795; nonmember, $1,995.
  • Oct. 28. The Cyber-Centric Enterprise. 8:15 a.m. ET. Virtual conference. Free with registration.
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.Oct. 28-29. Securing New Ground. Conference sponsored by Security Industry Association. Millennium Broadway Hotel, New York City. Registration: after Sept. 7 — member, $1,095; nonmember, $1,495; CISO, CSO, CIO, $300.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 7. B-Sides Dallas/Fort Worth. UT Dallas, Science Learning Center building. Free.
  • Nov. 10. FedCyber 2015 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: $395; academic, $145; government and military, free.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 13-14. B-Sides Delaware. Wilmington University, New Castle Campus, 320 North Dupont Highway, New Castle, Delaware. Free with registration.
  • Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Oct. 9 — end users, Pounds 1,799 plus VAT; solution providers, Pounds 2,799 plus VAT. Before Oct. 30 — end users, Pounds 1,899 plus VAT; solution providers, Pounds 2,899 plus VAT. Standard — end users, Pounds 1,999 plus VAT; solution providers, Pounds 2,999 plus VAT.
  • Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels