DDoS tactics are changing
Distributed denial of service attacks (DDoS) are by no means a new phenomenon, but a spate of attacks this week would suggest that how they are being used is changing. Cyber-criminals are increasingly DDoSing organisations to distract defending organisations, or for financial gain by demanding ransoms.
Evernote and Feedly were hit by long-lasting DDoS attacks in the week, with Feedly later reporting that it had been subject to a third DDoS attack during the week – the longevity was no doubt tied to its refusal to pay a ransom to reinstate the service.
Hackers are using DDoS to distract firms while they pilfer information and – at the same time- the Prolexic Security Engineering and Response Team posted a threat advisory outlining that the Zeus Trojan – most often used for data theft and financial fraud in financial services – is now being used too for DDoS attacks.
Feedly has gained plenty of admirers for its stubborn refusal to pay the ransom, and it's a bold move with DDoS remediation costs quoted in some parts as high as £15,000.
Independent security researcher Graham Cluley wrote on his blog: “The danger of paying DDoS blackmailers is that you're only encouraging them to attack you more, perhaps increasing their financial demands next time."
Fred Kost, VP of security solutions at Ixia, agreed adding: "The frequency of DDoS attacks continues to rise with a recent attack that put together five different attack vectors to create a 100 Gbps attack. The attacks against Feedly might be an inflection point for DDoS attacks.
"Up until now they have been disruptive, but now that hackers are demanding some sort of ransom, it makes these attacks more time sensitive and real. Although Feedly came out and said they wouldn't pay the hackers, we will likely see an increase in this type of behaviour and incentivise more attackers to launch DDoS attacks that have ransom demands attached to them.”
Long way to go for privacy
There's a huge fight for online privacy going on right now and it was a big topic of conversation at The Open Rights Group's ‘Don't Spy On Us' campaign, which ran on Saturday in London.
The group - a coalition of leading civil liberties groups in the UK - attracted some high-profile speakers in Wikipedia founders, cryptography expert Bruce Schneier and The Guardian editor Alan Rusbridger and had breakout workshops for attendees, including help with enabling PGP email encryption.
It's something of a surprise then – given the fallout from Google's recent court case defeat in Spain on the ‘right to be forgotten' and on-going work on the privacy-led EU General Data Protection Regulation – that a new study suggests consumers expect to have less privacy in years to come.
EMC's report revealed that 59 percent of UK respondents feel they have less privacy now compared to one year ago, with 84 percent expecting privacy to erode over the next five years.
Inside the world of industrial espionage
Some in the industry continue to stress that state-sponsored cyber attacks are often about industrial espionage - the opportunity to get ahead of the competition.
FireEye said this week that this too extends to mergers and acquisitions, noting a ‘darker side' of companies involved in these deals.
Pointing to last month – which saw Apple purchase Beats and Pfizer's failed bids for AstraZeneca, the company blogged that companies entering into an M&A with an organisation spot “unidentified intrusions and unaudited networks”. It highlights the threat of working with Chinese firms in particular, as businesses may be attacked by threat groups that are seeking to provide the Chinese entity with an advantage in negotiations.
FireEye has released two case studies, in which it observed three successful attacks against two major corporations during their M&A events:
The first company was attacked twice whilst going to the market with a new “ground-breaking” healthcare product, shortly after acquiring a company that had developed the proprietary process to make it. The attackers subsequently stole test data, presumably to accelerate development of their related product.
The second company was broken into by Chinese hackers whilst in talks to purchase a Chinese subsidiary as part of its expansion into the market – the attackers stole communications presumably discussing the acquisition and, shortly after, the Chinese government killed the discussions.
Bank of England combats cyber threats
Another key announcement this week saw not-for-profit organisation CREST announce that it has been working with UK Financial Authorities – the Bank of England, Her Majesty's Treasury, and the Financial Conduct Authority – to develop CBEST, a new framework for sharing detailed threat intelligence and delivery cyber security tests and benchmarking for UK financial services providers.
CBEST is the first initiative of its type to be led by any of the world's central banks and comes shortly after the successful completion of Waking the Shark II.
In a speech on Wednesday to the Bankers Association, Andrew Gracie, Executive Director Resolution, at the Bank of England, stressed the importance of CBEST to help UK financial services organisations protect against increasingly sophisticated cyber-attacks on their core systems.
CBEST will help UK financial services organisations to protect against sophisticated cyber attacks, and fifers from existing security testing because it is “threat intelligence based, is less constrained and focuses on the more sophisticated persistent attacks against critical systems and essential services”.
“Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets,” said Ian Glover, president of CREST. “CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions.”
Data breach losses on the rise
Risk Based Security's Data Breach Quickview report released earlier this week revealed that while the number of data breach incidents remain comparable year-on-year (Q1 2014 – Q1 2013), the number of records lost per incident is increasing.
The number of records exposed in Q1 2014 exceeded 176 million – representing a 46 percent increase compared to last year.
It added: “The report also highlights the continuing trend of targeting user names, e-mail addresses, and passwords. Although this type of information in and of itself typically doesn't hold the same value as Social Security or credit card numbers, this data can be the keys to opening up the doors that access more valuable information. The continued focus on this type of data may be indicative of more complex or better-planned attacks currently happening involving third-parties and on the horizon."