IC3 Issues Alert on DDoS Extortion Campaigns

Original release date: July 31, 2015

The Internet Crime Complaint Center (IC3) has issued an alert to U.S. businesses about a rise in extortion campaigns. In a typical incident, a business receives an e-mail threatening a Distributed Denial of Service (DDoS) attack against its website unless it pays a ransom. Businesses are warned against communicating directly with attackers and advised to use DDoS mitigation techniques instead.

Users and administrators are encouraged to review the IC3 Alert for details and US-CERT Security Tip ST04-015 for more information on DDoS attacks.

This product is provided subject to this Notification and this Privacy & Use policy.

Best Practices to Protect You, Your Network, and Your Information

Original release date: July 31, 2015

The National Cybersecurity and Communications Integration Center (NCCIC) and its partners responded to a series of data breaches in the public and private sector over the last year, helping organizations through incident response actions, conducting damage assessments, and implementing restoration and mitigation actions.

During NCCIC’s recent work, following best practices proved extremely effective in protecting networks, the information residing on them, and the equities of information owners. The recently updated National Institute of Standards and Technology Cybersecurity Framework highlights best practices.

Cybersecurity is a risk management issue. Our experience demonstrates that individuals and organizations may reduce risk when they implement cybersecurity best practices. The following are examples of best practices you should consider implementing today as part of your cybersecurity strategy:

  1. Implement Two-Factor Authentication: Two-factor authentication works to significantly reduce or eliminate unauthorized access to your networks and information.
  2. Block Malicious Code: Activate application directory whitelisting to prevent non-approved applications from being installed on your network.
  3. Limit Number of Privileged Users: System administrators have privileged access that gives them the “keys to your kingdom.” Limit system administrator privileges only to those who have a legitimate need as defined by your management directives.
  4. Segment Your Network: Don’t put all your eggs in one basket by having a “flat network”. Use segmentation techniques so that if one part of your network is breached, the integrity of the rest of the network is protected.
  5. Lock Your Backdoors: Third parties that share network trust relationships with you may prove to be an Achilles heel by serving as an attack vector into your network. Take action to ensure that all network trust relationships are well-protected using best practices. Have a means to audit the effectiveness of these defenses. Consider terminating or suspending these relationships until sufficient controls are in place to protect your backdoors.

For more information on cybersecurity best practices, users and administrators are encouraged to review US-CERT Security Tip 13-003: Handling Destructive Malware to evaluate their capabilities encompassing planning, preparation, detection, and response. Another resource is ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.

New attack on Tor can deanonymize hidden services with surprising accuracy

Computer scientists have devised an attack on the Tor privacy network that in certain cases allows them to deanonymize hidden service websites with 88 percent accuracy.

Such hidden services allow people to host websites without end users or anyone else knowing the true IP address of the service. The deanonymization requires the adversary to control the Tor entry point for the computer hosting the hidden service. It also requires the attacker to have previously collected unique network characteristics that can serve as a fingerprint for that particular service. Tor officials say the requirements reduce the effectiveness of the attack. Still, the new research underscores the limits to anonymity on Tor, which journalists, activists, and criminals alike rely on to evade online surveillance and monitoring.

"Our goal is to show that it is possible for a local passive adversary to deanonymize users with hidden service activities without the need to perform end-to-end traffic analysis," the researchers from the Massachusetts Institute of Technology and Qatar Computing Research Institute wrote in a research paper. "We assume that the attacker is able to monitor the traffic between the user and the Tor network. The attacker’s goal is to identify that a user is either operating or connected to a hidden service. In addition, the attacker then aims to identify the hidden service associated with the user."

UK Supreme Court to re-consider compensation rights under Data Protection Act

This week, Google has been granted permission to appeal to the UK Supreme Court as part of the decision in Google Inc. v. Vidal-Hall & Others (2015). This is about rights to claim compensation for breaches of the Data Protection Act.

Compensation rights are defined in Section 13 of the Data Protection Act. Section 13 permits individuals to claim compensation for (i) damage; or (ii) damage and distress (but not, generally, distress alone).

Earlier this year the Court of Appeal, in this case, ruled that individuals could claim compensation for “mere distress”. This potentially opened the door to the risk of mass claims for data privacy breaches. Imagine you have a large data breach and this affects a few thousand, hundred thousand or even a million customers. If each can claim a small sum for associated distress (pretty easy to do!) this adds up to a big liability. This risk applies to any breach of the Act and isn’t limited to organisations that use cookies to track individuals as in the Google case.

We expect the Supreme Court to hear this some time early next year. We will keep you posted on developments.

For more info, here’s the Supreme Court post: https://www.supremecourt.uk/news/permission-to-appeal-decisions-28-july-2015.html