STE WILLIAMS

Prosecutors access data from locked phones of 100 Trump protesters

Federal prosecutors are creating a cloud-based database full of personal data extracted from the locked phones of Trump protesters arrested on Inauguration day.

They want to make the data available to the lawyers of 214 defendants accused of felony rioting. According to court papers (PDF) prosecutors filed on Wednesday, the Feds are seeking an order from the court that would prohibit the defense lawyers from copying or sharing the information unless it’s relevant to defend their clients.

On the day of the arrests, January 20, prosecutors claim that more than 200 protesters marched through the heart of Washington DC, causing more than $100,000 in damage. The protesters shattered store windows, set fire to a limo, and hurled projectiles at police in riot gear, who responded with flash-bang grenades, tear gas and pepper spray.

Police arrested what they said were about 230 people who rioted or incited to riot. Not all of those arrested were protesters: rather, sweeping arrests during the inauguration parade indiscriminately targeted rioters, protesters, medics, lawyers and journalists alike.

Police seized the phones of more than 100 of those arrested. Although all of the devices were locked, the government is now in the process of extracting data from the phones and “expects to be in a position to produce all of the data from the searched Rioter Cell Phones in the next several weeks,” according to the filing.

Police also turned to Facebook to mine data about the protesters: subpoenas for account information were being served on Facebook within a week of the arrests, and one arrestee’s Gmail account showed account activity from his or her mobile device while it was in police possession.

The government plans to put each defendant’s extracted phone data in a separate folder on a portal called USAfx. Through that portal, every defendant’s lawyer will be able to access every other defendant’s phone data.

Granted, the prosecutors said, this dump will contain a lot of irrelevant and private data. It will include photos, videos, medical data, and identifying information “that should not be further disseminated,” the government says.

Of course, the government says, the lawyers will check out their own client’s data. And yes, the government expects that they’ll check out other defendants’ personal data, too, as they plan a defense strategy that could pull in associated evidence.

And that gets us to the point of the filing: it’s a request for a protective order that would keep defense lawyers from copying and disseminating the private phone data from defendants besides their own clients… unless it’s relevant to preparing a defense, that is.

If there’s one thing this case makes crystal clear, it’s that the authorities’ success in getting past Apple encryption goes well beyond the prolonged battle over the unlocking of Syed Farook’s iPhone following the San Bernardino shootings.

The government got past Apple’s encryption with the help of an unnamed third party.

Besides the government’s success in breaking into the terrorist’s phone, there are cellphone extraction devices that can be used to crack locked devices and pull out data including deleted call histories and text messages, as well as data that the phone and its apps collect without the user being aware of it, as The Intercept has reported.

As Forbes notes, police have other tools that they can use to pull information from devices, regardless of what operating system they’re running, as well as partners they can call on to hack the devices.

For one, there’s the Cellebrite Physical Analyzer tool to search a phone’s contents. In some, but not all, cases, the courts have decided that law enforcement requires reasonable suspicion to use such a tool.

In the case of the Trump protesters, government officials said they have search warrants to extract data from the phones.

If encryption precludes using a tool like Cellebrite’s, there are partners who can give decryption a go. Forbes cited Mitre Corporation, classified as a Federally Funded Research and Development Center, which is often relied on by government agencies to search mobile devices.

Then again, police could have simply forced those arrested to unlock their phones with their fingerprints. Courts have generally found forced fingerprint biometric unlocking more acceptable than forcing password disclosure (though that’s not stopping Pennsylvania from keeping a child abuse suspect locked up indefinitely until he hands over his password).

Buzzfeed reports that at least one defense lawyer, Christopher Mutimer, plans to oppose government efforts to pull clumps of Trump protesters in for joint trials, which he said “creates a danger of wrongful convictions based on guilt by association.”

Buzzfeed also reports that some defendants have filed motions to dismiss the charges against them, arguing that the indictments aren’t specific enough in tying individuals to particular acts of rioting.

Others argue that the Justice Department has a conflict of interest and should be disqualified, given that the protests were against Trump and he’s now the head of the executive branch. The government hasn’t yet responded to either type of motion.

Arraignments are scheduled through early April. Follow-up hearings will start in mid-April. At that point, the judge will likely consider evidence-related issues and motions.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/D0uVnObYEMQ/

GiftGhostBot scares up victims’ gift-card cash with brute-force attacks

Cybercrooks are using a bot to automate the process of breaking into and draining online gift card accounts.

The software nasty, named GiftGhostBot, attempts to steal cash from money-loaded gift cards provided by a variety of retailers around the globe, according to Distil Networks.

Any website – from luxury retailers to supermarkets to major coffee distributors – with gift card processing capabilities could be a target. Distil has seen this attack on almost 1,000 websites since it first detected it late last month.

Fraudsters are using the bespoke cybercrime tool to generate lists and lists of account numbers, and request the balance for each number. Whenever this brute-force attack throws up an actual balance, rather than an error or zero, the account number is automatically logged.

The criminals can then either resell these confirmed account numbers on the dark web or use them to purchase goods. There appears to be no other authentication involved: just the digits you’d find on the card, which can be guessed by software. GiftGhostBots are being distributed across worldwide hosting providers, mobile ISPs, and data centers, executing JavaScript mimicking a normal browser to avoid detection.

GiftGhostBot lies about its identity by using rotating user-agent strings (Credit: Distil)

On average, the operators of GiftGhostBot can test as many as 1.7 million gift card account numbers per hour, we’re told.
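The attack pattern described above (many distinct account numbers per source, almost every lookup returning an error, and a user-agent string that keeps changing) is visible in a retailer’s own balance-check logs. The following is an added example, not Distil’s code and not part of the original article; it assumes a constructed tab-separated log format (timestamp, client IP, user agent, card number, HTTP status) and constructed sample traffic, with a 404 meaning “no such card”.

```python
"""
Flag gift-card balance enumeration in balance-check endpoint logs.

Assumed (constructed) log format, one request per line, tab-separated:
    timestamp  client_ip  user_agent  card_number  http_status
The endpoint is assumed to answer 200 when a card exists and 404 otherwise.
A brute-force bot shows as: many distinct card numbers from one source,
a tiny share of 200s, a high lookup rate and, often, rotating user agents.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Request:
    ts: datetime
    ip: str
    user_agent: str
    card: str
    status: int


def parse_line(line: str) -> Request:
    """Split one tab-separated log line into a Request record."""
    ts, ip, ua, card, status = line.rstrip("\n").split("\t")
    return Request(datetime.fromisoformat(ts), ip, ua, card, int(status))


def build_sample_log() -> list:
    """Constructed sample traffic: one real customer and one enumerating bot."""
    lines = [
        # A genuine customer checks the same card twice from one browser.
        "2017-03-24T10:00:01\t203.0.113.7\tMozilla/5.0 (Windows NT 10.0)\t6011000000001234\t200",
        "2017-03-24T10:00:09\t203.0.113.7\tMozilla/5.0 (Windows NT 10.0)\t6011000000001234\t200",
    ]
    # The bot walks sequential numbers from one address, two per second,
    # rotating its user-agent string; one lucky hit among many misses.
    uas = ["Mozilla/5.0 (Windows NT 6.1)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (X11; Linux)"]
    for i in range(40):
        ts = f"2017-03-24T10:00:{10 + i // 2:02d}"
        card = f"6011{i:012d}"
        status = 200 if i == 17 else 404
        lines.append(f"{ts}\t198.51.100.9\t{uas[i % 3]}\t{card}\t{status}")
    return lines


def detect_enumeration(lines, min_distinct_cards=20, max_hit_ratio=0.10) -> dict:
    """Return {ip: stats} for sources whose traffic looks like enumeration.

    A source is flagged when it queried at least `min_distinct_cards`
    different numbers and at most `max_hit_ratio` of its lookups succeeded.
    The returned stats also expose the lookup rate and user-agent churn so an
    analyst can see why a source was flagged.
    """
    per_ip = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        per_ip[r.ip].append(r)

    flagged = {}
    for ip, reqs in per_ip.items():
        cards = {r.card for r in reqs}
        hits = sum(1 for r in reqs if r.status == 200)
        hit_ratio = hits / len(reqs)
        span = (max(r.ts for r in reqs) - min(r.ts for r in reqs)).total_seconds()
        cards_per_minute = len(cards) * 60 / max(span, 1.0)
        if len(cards) >= min_distinct_cards and hit_ratio <= max_hit_ratio:
            flagged[ip] = {
                "distinct_cards": len(cards),
                "requests": len(reqs),
                "hit_ratio": round(hit_ratio, 3),
                "cards_per_minute": round(cards_per_minute, 1),
                "user_agents": len({r.user_agent for r in reqs}),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_enumeration(build_sample_log()).items():
        print(ip, stats)
```

Counting distinct card numbers rather than raw requests is what separates the bot from a customer who refreshes the page: the legitimate source above sends two requests for one card and is never flagged, while the bot is flagged on its 40 distinct numbers and 2.5% success rate. In production the same statistics would be computed over a sliding window and fed into rate limiting or a step-up challenge on the balance endpoint.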

“Like most sophisticated bot attacks, GiftGhostBot operators are moving quickly to evade detection, and any retailer that offers gift cards could be under attack at this very moment,” said Rami Essaid, chief exec of Distil Networks.

“While it is important to understand that retailers are not exposing consumers’ personal information, consumers should remain vigilant. Check gift card balances, contact retailers and ask for more information.”

More technical details on the GiftGhostBot cybercrime tool can be found in a blog post by Distil Networks here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/24/giftghostbot_harvests_giftcard_creds/

Intro to Cyber Insurance: 7 Questions to Ask

Buying a cyber insurance policy can be complex and difficult. Make sure you’re asking these questions as you navigate the process.

(Image: Panchenko Vladimir via Shutterstock)


Cyber insurance is a growing field putting business and security leaders to the test as they navigate the often tricky process of researching and purchasing policies. Technology is quickly changing, and so is risk.

Insurance for cybersecurity is different from other types of insurance because the nature of threats is constantly changing. A hurricane doesn’t change intensity because a building code changes, but cybercriminals will change their strategies as technology and risk evolve.

“New trends like BYOD, [and] IoT make tech strategy change all the time,” says Portnox CEO Ofer Amitai. “It’s really a problem for businesses to assess their policies and terms. Technology is so dynamic. It’s difficult to say what’s going on; what’s their risk.” 

These changes make it harder for underwriters and companies to stay abreast of the landscape. During the tricky process of buying cyber insurance, you’ll ask and answer questions about your company, security posture, and other factors to determine which policy is best for you, and how much coverage you should buy. 

It’s worth noting the research process is changing for businesses as the marketplace gets more competitive, notes David Bradford, chief strategy officer and director of strategic partner development at Advisen. Because insurers are fighting to underwrite the same businesses, they’re making the purchasing process less burdensome for clients.

That said, insurance remains a tricky field to navigate, especially for companies new to it.

Here, Bradford and Amitai share questions businesses frequently ask — and those they should be asking — in researching insurance. Keep these in mind as you ponder which policy will work best for you.

[Bradford will give a presentation called Cyber Insurance 101 during Interop ITX, May 15-19, at the MGM Grand in Las Vegas. To learn more about his presentation, other Interop security tracks, or to register click on the live links.]


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/risk/intro-to-cyber-insurance-7-questions-to-ask/d/d-id/1328481?_mc=RSS_DR_EDT

Apple: Mac, iPhone Bugs That CIA Allegedly Exploited Were Fixed Years Ago

New WikiLeaks data dump describes “Sonic Screwdriver,” other CIA exploits for Mac desktops and iPhones

The Apple desktop and mobile product vulnerabilities that were revealed this week, in a WikiLeaks data dump of documents allegedly describing several secret CIA projects, were all fixed years ago, Apple said Friday.

The leaked information on the Apple vulnerabilities is from a larger collection of documents that WikiLeaks has dubbed “Vault 7,” containing hitherto classified information on the CIA’s malware tools and hacking capabilities.

The documents show that the CIA’s Embedded Development Branch developed multiple techniques for breaking into Apple phones and desktops and gaining persistence on them.

One of the attacks was dubbed “Sonic Screwdriver” and was designed to let an attacker execute code on peripheral devices, like a USB stick, while a Mac laptop or desktop was booting. The method allowed an attacker to load attack software from a USB device even if a firmware password was enabled to prevent that from happening.

Another leaked document described an alleged CIA implant called “DarkSeaSkies” that was capable of persisting in the Extensible Firmware Interface (EFI) of an Apple MacBook Air system.

Also released this week was a document pertaining to Mac OS X malware developed by the CIA called Triton and an EFI-persistent version of the tool dubbed DerStarke. While some of the tools described in the dump date back to 2013, there is evidence that the CIA has continued to update and use some of the other tools, WikiLeaks claimed in a statement.

Included in the release are details of NightSkies 1.2, an implant for the Apple iPhone that was installed physically on new iPhones. The implant suggests the CIA infected the supply chain of its targets at least since 2008, the site claimed.

In a statement, Apple said the company’s preliminary assessment of the leaked documents shows that the alleged iPhone vulnerability that NightSkies exploited affected only the iPhone 3G and was fixed back in 2009 along with the release of the iPhone 3GS. “Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013,” the statement said.

As per its usual practice, WikiLeaks has not revealed how it obtained the Vault 7 documents. It has described the documents as containing information on the CIA’s entire hacking arsenal. Many security experts believe an insider or insiders with privileged access to the documents provided them to WikiLeaks.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/apple-mac-iphone-bugs-that-cia-allegedly-exploited-were-fixed-years-ago/d/d-id/1328484?_mc=RSS_DR_EDT

Google Slams Symantec for ‘Failures’ in SSL/TLS Certificate Process

Google Chrome engineers railed on Symantec for allegedly issuing thousands of security certificates that had not been properly validated.

Google Chrome engineers this week called out Symantec for failing to properly validate SSL/TLS digital certificates it has issued.

In a scathing blog post, Google Chrome engineers said that since Jan. 19 they have been investigating a “series of failures by Symantec Corporation to properly validate certificates” and that Google’s investigation into 127 Symantec-issued certificates ballooned into at least 30,000.

Symantec fired back in a statement, saying “Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading.”

According to Google Chrome’s Root Certificate Policy, root certificate authorities are expected to ensure that server certificates receive domain control validation, frequently audit logs to monitor for any evidence of unauthorized certificate issuance, and guard their infrastructure against the issuance of fraudulent certificates.

“On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users,” Google said in its post.

Google plans to reduce the validity period of a newly released Symantec-issued certificate to nine months or less, and called for Symantec to gradually revalidate and replace its currently trusted certificates on various Chrome releases. In addition, Google said it intends to remove the recognized Extended Validation status for at least one year on Symantec-issued digital certificates.

These changes will result in compatibility issues, Google warned, which will likely cause problems for users and website operators. Site operators will be forced to use certificates from other companies that have authority to issue certificates and users, as a result, will face a “substantial” number of errors until operators make the switch to other certificate authorities.  


Dawn Kawamoto is a freelance writer and editor. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s News.com, TheStreet.com, AOL’s DailyFinance, and The …

Article source: http://www.darkreading.com/vulnerabilities---threats/google-slams-symantec-for-failures-in-ssl-tls-certificate-process/d/d-id/1328483?_mc=RSS_DR_EDT

Spock will unlock Kirk ransomware – after you beam up a bunch of Monero

Star Trek fans might remember an episode from the original series where our heroes were transported to a mirror universe where their counterparts served an evil version of the Federation. At the end of “Mirror, Mirror”, it is the alternate universe’s Spock who begins to set things right.

One has to wonder if the creators of the recently discovered Kirk ransomware had that episode in mind. SophosLabs threat researcher Dorka Palotay told Naked Security that this new specimen appeared a few days ago.

It hasn’t shown much by way of teeth to date – the lab has only seen two samples so far. But its features are certainly noteworthy.

It’s encrypted, Jim

The first sample is Star Trek-themed, which appends .kirked to the name of the encrypted files. The ransom note that goes with it offers a program called Spock to decrypt the files – for a fee, of course.

The Kirk ransomware is written in Python and uses the usual encryption methods: AES to encrypt the files and RSA to encrypt the AES key. The encrypted AES key is saved in a file called pwd. Decryption is impossible without this file.

Palotay said the ransomware displays a message box, claiming to be the so-called Low Orbital Ion Cannon program, an open source network stress-testing application. Then it encrypts more than 600 different file types.

The second sample is a variant of Kirk ransomware, which calls itself Lick ransomware. Palotay said:

It works very similar to the previous one, except that it appends .Licked extension to the encrypted files, sends the encrypted key to pastebin.com and disguises itself as a decryptor.

Monero is the new (or old) latinum

Unlike the ransomware families SophosLabs has seen so far, this family uses Monero, a cryptocurrency similar to bitcoin, for ransom payment. Monero is already popular among cyber-criminals. You could say it’s the new latinum – the favored currency of the Ferengi. Or, you could say it’s the old one. (These temporal paradoxes give us a headache.)

SophosLabs researcher Attila Marosi wrote a paper last year about Mal/Miner-C malware, which criminals are using to mine this cryptocurrency.

SophosLabs detects this ransomware as Troj/Ransom-EJN.

How to protect yourself

Though this ransomware seems small at the moment, it’s worth repeating the advice we regularly offer for preventing (and recovering from) attacks by ransomware and other malware.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZUVBXH0KmrY/

Man charged with $100m ‘whaling’ attack on two US tech giants

US officials have charged a 48-year-old Lithuanian man in connection with attacks on two big US tech companies that cost them $100m.

Evaldas Rimasauskas allegedly masqueraded as an Asian-based computer hardware manufacturer to trick the companies’ employees into transferring money into accounts that he controlled, said the US Attorney’s office for the southern district of New York.

The unsealed indictment didn’t name names, identifying the victim companies only as “a multinational technology company” and “a multinational online social media company”.

According to the Department of Justice (DOJ), Rimasauskas, from Vilnius, was arrested in Lithuania last week. Between at least 2013 until sometime in 2015, he allegedly registered and incorporated a company in Latvia that had the same name as the Asian-based vendor, which was a legitimate business partner of the two victimized companies.

Rimasauskas allegedly had the funds wired to bank accounts in Latvia and Cyprus. From there, he allegedly shuffled the funds quickly into banks throughout the world, including in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

It was a thorough scam: he allegedly came up with forged invoices, contracts, and letters that looked like they’d been executed and signed by executives and agents of the two companies.

The documents also bore fake corporate stamps embossed with the companies’ names that were submitted to banks to corroborate the big sums that were fraudulently transmitted via wire transfer. In total, Rimasauskas is charged with swindling more than $100,000,000.

Rimasauskas was charged on Tuesday with one count of wire fraud and three counts of money laundering. Maximum sentences are rarely handed out, but each of those charges carries a maximum sentence of 20 years in prison. If he’s convicted, he’ll serve time: Rimasauskas is also charged with one count of aggravated identity theft, which carries a mandatory minimum sentence of two years in prison.

The attacks Rimasauskas has been charged with are called whaling attacks or CEO email scams. The FBI calls them Business Email Compromise, because they use phony emails that appear to come from a colleague or from a trusted supplier.

Whatever you call them, they’re a type of phishing attack targeted at the biggest fish, with carefully crafted emails sent to senior executives, managers, financial controllers or others who might hold the purse strings at large, lucrative organizations.

In the 10 months leading up to August 2015, whaling attacks cost businesses around the world more than $1.2bn, according to the FBI.

We don’t know which multinational tech behemoth got whaled this time around, but we know of plenty of other companies who’ve been harpooned.

Mattel was one: last year, the toymaker wired out $3m to a hacker’s Chinese bank account and got it back thanks to sheer dumb luck and the good timing of a bank holiday.

As The Register reports, other victims include Ubiquiti, which lost $46.7m in June last year; Belgian bank Crelan, which lost $78m in January; Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.

How do I get this harpoon out of my blubber?

The FBI recommends that any company victimized by a whaling attack act quickly.

Regardless of where you are, you should contact your own financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent.

Then, report it to your country’s cybercrime authorities.

If you’re in the US, contact the FBI and file a complaint, regardless of dollar loss, with the Internet Crime Center (IC3).

In the UK, use Action Fraud. In Australia, you can report cybercrime to the Australian Cybercrime Online Reporting Network, or ACORN.

Oh, and consider getting your top executives to use two-factor authentication (2FA) for their email accounts, to make it harder for crooks to dig into their email traffic remotely, or to send emails right from their account.

Your execs will find that it takes very slightly longer to log in when they’re on the road, and we all know that time is money…

…but, then, unexpected money transfers of seven-digit girth are money, too.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/swCoySGClak/

Still running Windows Vista? Here’s a wake-up call for you

Users of the Windows Vista operating system have been receiving warning messages from Microsoft for a while, but the clock is ticking down fast with just a few weeks to go: on April 11, Microsoft’s extended support for this operating system will be officially – finally – up.

And yes, before you even say it, there are people still using Windows Vista… though not many.

Microsoft’s last update for the operating system was back in 2007, and the company ended mainstream support for the operating system in April 2012. At that time, Vista’s market share was a little under 10% of all operating systems according to NetMarketShare, and rests at a hair under 1% today. In comparison, Windows XP is still in use with about 8% of desktop users worldwide, especially with healthcare users, even though its extended support was officially pulled in 2014.

Even at its peak, Vista only held about 30% market share, nowhere near the ubiquity of its predecessor Windows XP or its successor Windows 7. Vista was sandwiched between these two operating systems, and often found itself overshadowed by XP’s popularity and longevity in the market: Vista was released more than five years after XP, but Vista’s commercial support was pulled by Microsoft two years before XP’s extended support was up.

Of course, having so many users on outdated and unsupported operating systems poses a major security concern, as these operating systems have numerous, well-known security vulnerabilities but are no longer receiving any kind of support or system patches to fix those issues. Needless to say, users on these unsupported operating systems are a particularly tempting (and easy) target for attackers, which is why we urge you to use an actively supported and updated operating system right away.

If for some reason you remain a Vista holdout despite the April 11 end of support, we’d certainly be curious to hear why – let us know in the comments.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LfxtA637FBE/

Latest WikiLeaks dump shows CIA targeting Apple earlier than others

When I was a reporter covering security a decade ago, most of the focus was on the latest Windows threats. That’s where all the serious attacks were happening.

As Apple rolled out each new product, particularly the iPhone in 2007, I waded into the age-old debate over who was more secure: Apple or Microsoft.

The experts would tell me much the same thing as they do now: that Macs are targeted less frequently because Windows has the greater market share, not necessarily because Apple’s platform is more secure. Nevertheless, cases of Apple-oriented malware were few and far between, written about in theoretical terms and not as a clear and present danger until the last couple of years.

Looking at the latest avalanche of documents stolen from the CIA and made public by WikiLeaks, we now see that the CIA was targeting Apple devices well ahead of everyone else. And those involved were quite nerdy about it, showing off their sci-fi fan credentials by naming projects after such items as the Doctor’s trusty Sonic Screwdriver.

The latest leak

The latest document dump shows the agency has been creating tools to bypass devices from Apple for at least a decade.

This release is called “Dark Matter” and is the second from an archive known as “Vault7” – from which the first leak was posted by WikiLeaks earlier this month. After the first dump was posted, detailing attacks that would require physical access to devices, vendors pointed out that many of the exploits detailed in the documents had since been patched.

Earlier this week, WikiLeaks offered to work with technology companies including Apple, Google and Microsoft to help them patch the vulnerabilities detailed in the CIA documents in return for a list of demands.

Apple responded with this less-than-friendly reply:

Night Skies and Sonic Screwdrivers

As we delve into the details, let’s begin with the Dark Matter homepage. There, WikiLeaks describes the latest release this way:

Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter,” which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

Here’s a breakdown of the tools documented and their purpose:

Sonic Screwdriver: Fans of Doctor Who know that the Sonic Screwdriver is the Doctor’s trusty device for analysis and defense. In the CIA’s world, it’s a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting,” allowing attackers to “boot its attack software even when a firmware password is enabled”. The CIA’s Sonic Screwdriver infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter. The documentation for this was released internally at CIA headquarters November 29 2012.

DarkSeaSkies: This is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, plus EFI, kernel-space and user-space implants. Internal documents show a January 26 2009 release date.

NightSkies: In a December 2008 document describing the NightSkies malware for an iPhone 3G running iOS 2.1, the CIA explains that once exploited, it granted the agency complete control over an infected device. One passage notes: “The tool operates in the background providing upload, download and execution capability on the device. NS is installed via physical access to the device and will wait for user activity before beaconing. When user activity is detected, NS will attempt to beacon to a preconfigured LP [listening post] to retrieve tasking, execute the instructions, and reply with the responses in one session.”

SeaPea: This document, last updated in November 2008, shows that while NightSkies ran on Mac OS X 10.5.2 and higher, a rootkit named SeaPea was running on Mac OS X Tiger 10.4, launched 12 years ago.

Mac security expert Pedro Vilaca, who specializes in reverse engineering and rootkits, told Forbes that the leaked documents show the CIA as an early adopter of Mac hacking. “They have a good interest in Mac targets, which makes sense since many high-value targets love to use Macs.”

Is there a silver lining in these leaks?

Since WikiLeaks began leaking stolen documents several years ago, many in the security industry have warned that the releases were a threat to national security. But since the leaks have happened and there’s no turning back, the question is if any good can come of this.

It’s a question we asked security experts after the first Vault7 leak a few weeks ago. Eric Cowperthwaite, former VP of strategy for Core Security and now director of managed risk services for Edgile, said at the time that he was conflicted on that question.

As an example he brought up the case of Chelsea Manning, a United States Army soldier convicted by court-martial in 2013 for violating the Espionage Act and other offenses, after giving WikiLeaks nearly three-quarters of a million classified and/or sensitive military and diplomatic documents:

There is good and bad in this. We know that some of the Manning leaks had impacts on military operations. That was part of Manning’s trial. I also found it interesting that Wikileaks alleges that the US intelligence community has a problem keeping its cyberwar tools off the black market. And if the CIA, NSA, etc. can’t keep these things under control, that is something that citizens should know.

That’s why Naked Security will continue to cover the leaks here.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Bl8GpVthlZw/

Did you know: Crimelords behind DDoS attacks offer customer loyalty points?

The DDoS attack business has advanced to the point that running an attack can cost as little as $7 an hour, while the targeted company can end up losing thousands, if not millions of dollars.

Kaspersky Lab’s experts were also able to calculate that an attack using a cloud-based botnet of 1,000 desktops is likely to cost the providers about $7 per hour. These services typically retail for $25 an hour, allowing cybercrooks to pocket an estimated profit of around $18 per hour.

Crooks operating DDoS services through black market websites often offer a sophisticated service featuring convenient payment and reports about attacks, according to a new study from Kaspersky Lab. In some cases, there is even a customer loyalty programme, with clients receiving rewards or bonus points for each attack.

Attacks are priced based on their generation as well as the source of attack traffic, among other factors. For example, a botnet made up of popular IoT devices is cheaper than a botnet of servers.

Attacks on government websites and resources protected by dedicated anti-DDoS solutions are much more expensive, since the former are high risk, while the latter are more difficult to attack. On one DDoS-as-a-service website, the cost of an attack on an unprotected website ranges from $50 to $100, while an attack on a protected site costs $400 or more.

The location of targets can also be a factor. DDoS attacks on English-language websites, for example, are usually more expensive than similar attacks on Russian-language sites.

A DDoS attack can cost anything from $5 for a 300-second attack to $400 for 24 hours. The average price for an attack is around $25 per hour.

The longest DDoS attack in 2016 lasted 292 hours – or about 12 days – according to Kaspersky Lab’s research.

Kaspersky Lab also identified evidence that DDoS slingers are, in some cases, playing both sides for extra profit. Attackers sometimes demand a ransom from a target in return for not launching a DDoS attack, or to call off an ongoing attack. The ransom can sometimes be the Bitcoin equivalent of thousands of dollars. Those carrying out the blackmail don’t even need to have the resources to launch an attack – sometimes the mere threat is enough.

Some cybercriminals have no scruples about selling DDoS attacks alongside protection from them.

“We expect the profitability of DDoS attacks to continue to grow,” said Russ Madley, head of B2B at Kaspersky Lab UK. “As a result, we will see them increasingly used to extort, disrupt and mask other more intrusive attacks on businesses.”

A separate study by DDoS mitigation outfit Imperva Incapsula reported that more advanced application layer DDoS attacks are becoming more commonplace. The number of attacks in Q4 reached an all-time high, with an average of 889 application layer assaults per week. One such attack lasted for more than 47 days. At the same time, network layer packet flood attacks are increasing in volume. For example, Imperva Incapsula mitigated a massive 650Gbps network layer assault last December, the largest it has faced down to date.

Attack frequency, meanwhile, has scaled up. On average, 58.3 per cent of websites were targeted more than once, with 13.1 per cent being targeted more than 10 times. China continued to be a dominating hub of botnet activity, with some 78.5 per cent of DDoS attacks worldwide originating from IPs in China. US sites featured as targets in more than half (56.7 per cent) of attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/24/ddos_attack_business_models/