Senator to Probe Claims of Russian Hacking in U.S. Election


South Carolina Sen. Lindsey Graham (R) said he would lead a charge to investigate Russia’s interference in the U.S. election and hacks on the Democratic Party. “I think [Donald] Trump should take a real tough tone with Russia, because if he doesn’t, you’re going to allow Russia to begin to break apart alliances,” Graham told CNN’s Manu Raju.

The post Senator to Probe Claims of Russian Hacking in U.S. Election appeared first on GigaLaw.


Sledgehammer DDoS Gamification and Future Bugbounty Integration

Monetization of DDoS attacks has been core to online crime since long before the term cybercrime was coined. For the first half of the Internet's life, DDoS was primarily a mechanism for extorting money from targeted organizations. As with just about every Internet threat, it has evolved over time and broadened in scope and objectives.

The new report by Forcepoint Security Labs covering their investigation of the Sledgehammer gamification of DDoS attacks is a clear example of that evolution. Their analysis walks through both the malware agents and the scoreboard/leaderboard mechanics of a Turkish DDoS collaboration program (named Sath-ı Müdafaa, or "Surface Defense") run by a group that has targeted organizations whose political ties are deemed inconsistent with Turkey's current government.

In this most recent example of DDoS threat evolution, hackers are encouraged to join a collective that targets the websites of perceived enemies of Turkey's political establishment.

Using the DDoS agent "Balyoz" (Turkish for "sledgehammer"), members of the collective are tasked with attacking a predefined list of target sites, though they can suggest new sites if they wish. In parallel, a scoreboard tracks each participant's use of the Balyoz attack tool, awarding points for every ten minutes of attack conducted. Those points can be redeemed for a stand-alone version of the DDoS tool and for other revenue-generating cybercrime tools.

As is traditional in the dog-eat-dog world of cybercrime, there are several things the organizers behind the gamified attacks neglected to tell the participants, such as the backdoor built into the malware they are using.

Back in 2010, I wrote the detailed paper "Understanding the Modern DDoS Threat" and defined three categories of attackers: Professional, Gamerz, and Opt-in. This new DDoS threat appears to meld the Professional and Opt-in categories into a single political and money-making venture. Not a surprise evolutionary step, but certainly an unwanted one.

If it's taken six years of DDoS cybercrime evolution to get to this hybrid gamification, what else can we expect?

In that same period of time we've seen ad hoc website hacking move from an ignored threat, to a public disclosure debate, to acknowledgment of discovery and remediation, and on to commercial bug bounty platforms.

The bug bounty platforms (such as Bugcrowd, HackerOne, Vulbox, etc.) have successfully gamified the low-end business of website vulnerability discovery, where bug hunters and security researchers around the world compete for premium rewards. Is it not a logical step that DDoS also makes the transition to the commercial world?

Several legitimate organizations provide "DDoS Resilience Testing" services. Typically, they spin up software bots within public cloud infrastructure and launch DDoS-like attacks at paying customers. The objectives of such an attack include measuring and verifying the defensive capabilities of the target's infrastructure against DDoS attacks, exercising and testing the company's "blue team" response, and wargaming business continuity plans.

If we applied the principles of bug bounty programs to gamifying the commercial delivery of DDoS attacks, rather than relying on a contrived, limited-scope public cloud imitation, we would likely have a much more realistic testing capability, benefiting all participants. I wonder who'll be the first organization to master scoreboard construction and incentivisation? I think the new bug bounty companies are agile enough, and likely have the collective community following needed, to reap the financial rewards of the next DDoS evolutionary step.

Written by Gunter Ollmann, Chief Security Officer at Vectra


More under: Cyberattack, Cybercrime, DDoS

Posted in circleid

Call for nominations for PIR Board of Directors

Dan York of the Internet Society let us know that PIR is seeking nominations for their board of directors. Three positions are open this year on the board of the nonprofit organization behind .ORG/.NGO/.ONG. The deadline is this Sunday, December 11. https://www.internetsociety.org/call-nominations-pir-board-directors

The post Call for nominations for PIR Board of Directors appeared first on TheDomains.com.


Where is the Standard ‘Socket’ for Broadband?

When you plug into a broadband socket, what you are accessing is a distributed computing service that supplies information exchange. What is the service description and interface definition?

For inspiration, we can look at the UK power plug.

One of the great unsung fit-for-purpose innovations in British society is the BS1363 13 ampere power plug and socket. This is superior to other plugs by virtue of its solid construction and safe design.

Firstly, the three square prongs make for excellent electrical contact. It is practically impossible to wobble the plug to cause sparks or intermittent connectivity. The 'success mode' of clean, continuous power is fully covered off. But that's not all.

When the earth prong goes into the socket, it opens the shutters that reveal the live contacts. Small children can't put sticky fingers in the socket, to the occasional regret of a frustrated parent of a screaming toddler. Yanking on the cord also does not easily apply undue force to the electrical components and cause a dangerous fracture. Another great thing about a British plug is the fuse: if there is too much demand, it cuts out rather than catching fire. So as a design, the 'failure modes' are also well covered off.

When you stand in the store to buy an electrical appliance, it is easy to tell what the rated demand is in terms of volts and amps. The capability of the supply is also clear, both for the whole dwelling, as well as in-building distribution like multi-socket power strips. You know your cooker needs a special supply, and that you can't power your tumble dryer off an AA battery soldered onto a socket.

In summary, a fit-for-purpose interface between supply and demand does three things: it enables 'success' for specific uses; it sufficiently limits 'failure' for those uses; and it clearly communicates what uses it is suitable for to the buyer.

What is missing in broadband is the conceptual equivalent of the standardised plug and socket. The interface between demand and supply is defined at an electrical level, but the overall service of information exchange is (mostly) undefined. As a result we are left with two less than satisfactory approaches to service delivery.

One technical approach is how we use 'over the top' applications like iPlayer today. It is as if we leave an unshielded live information 'virtual cable' exposed directly to end users. 'Success modes' are enabled, since many applications work some of the time, but the constraint on their 'failure modes' is weak.

In this model, users are not sufficiently 'insulated' from one another. Performance 'brown outs' from overload are common, as our example with video sign language demonstrates. As your children come home from school and go online, the performance of your important work application tangibly plummets.

Alternatively, we have vertically integrated network services, more like how traditional landline phone calls or cable TV work. The information 'virtual cable' from the appliance is 'hard-wired' into the wall, and it can't be switched over.

Whilst performance is predictable, and the service is usually fit-for-purpose, it is a highly inflexible approach. The price of constraining the 'failure mode' is a severe limit on the number of 'success modes'. Vertical integration reduces consumer choice, with a high cost for any services delivered.

The need to 'insulate' the application from other uses may even result in a complete parallel infrastructure, as we have created in the UK for smart meters, at a cost of billions of pounds.

The resources spent on special-purpose smart meter connectivity could have delivered an enormous improvement in the general-purpose infrastructure useful for transport, healthcare and emergency services. We certainly can't afford to build duplicate infrastructures for every industry and application whose needs diverge even slightly from basic Internet access.

To break free from this situation the policy community needs to engage with three key questions:

  • What is the service that broadband delivers and what are its supply characteristics?
  • How should those characteristics be quantified for both wholesale/B2B and consumer retail consumption?
  • What should the "standard interface" be at the network termination point, so devices can ascertain the supply capability and what demand it can safely satisfy?

Written by Martin Geddes, Founder, Martin Geddes Consulting Ltd


More under: Broadband, Policy & Regulation

Posted in circleid
