Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Valentine's Day - For the Scammers in Your Life
Yesterday we brought you the US FTC's latest update on the statistics and the favourite lies of romance scammers. This was by way of warning for today's big event, but now comes another warning: Valentine's Day is always accompanied by a wave of scam emails targeting the emotionally vulnerable.
Bitdefender reports that roughly 83% of Valentine-themed spam emails in recent weeks were marked as scams, peaking during the last week. Although scammers predominantly targeted the US (45% of reports), they covered Europe, Asia-Pacific and Australia for good measure - although Ireland, with 7% of reports, seems disproportionately victimized.
Spam email subjects covered a range of lures:
- the perfect romantic rose bear gift is here to ensure your loved one feels truly loved
- up to 93 off canvas sales valentine's day
- spice up your life with a new romance
- 15 bottles of wine to celebrate valentine s day
- confirmation receipt 100 valentine s day gifts
- ukrainian woman are near you date them for valentine
- Gentlemen, Are You Ready For Valentine's Day?
In some cases, the scammers were offering those last-minute or good-value gifts, while others were obviously intended to capture the interest of the lonely and dateless.
The blog post contains a number of samples which might be useful in awareness sessions.
Bîzgă, Alina, What’s love got to do with it? 4 in 5 Valentine’s Day-themed spam emails are scams, Bitdefender Antispam Lab warns, blog post, 14 February 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/whats-love-got-to-do-with-it-4-in-5-valentines-day-themed-spam-emails-are-scams-bitdefender-antispam-lab-warns/.
Cloudflare Blocks Record HTTP DDoS Attack
Last weekend, DDoS mitigation firm Cloudflare really earned their pay, detecting and mitigating dozens of what they term hyper-volumetric DDoS attacks. The majority of these attacks peaked at around 50 to 70 million HTTP requests per second (rps), with the largest exceeding 71 million rps - the largest such attack reported to date, and over 50% higher than the previous record of 46 million rps in June 2022.
For most web servers, every HTTP request will invoke some code - most commonly PHP, but also Node.js JavaScript, .NET or Java. This may in turn invoke other subsystems - middleware, databases, APIs on other servers - all committing resources such as memory, CPU cycles and network, and taking time. The objective here is not to consume bandwidth and fill the victim's upstream pipe - it is to exhaust the server's compute and back-end resources, which is why a request-rate attack can succeed at a tiny fraction of the bandwidth a volumetric attack needs.
In this case, the targeted sites included a gaming provider, cryptocurrency companies, hosting providers and cloud computing platforms; the latter can generally scale well to handle such attacks - but unless customers have quotas in place, they could face massive bills for such attacks. The requests were delivered over HTTP/2 and originated from over 30,000 IP addresses, mostly administered by multiple cloud providers. In light of this and previous attacks from cloud provider addresses, Cloudflare will be providing eligible service providers with a free botnet threat intelligence feed about their own IP address space.
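As an added illustration (this is not code from Cloudflare or from this blog), the Python below runs over constructed access-log lines and computes the two rates an HTTP-flood mitigation keys on: each source's request rate inside a sliding window, which catches a single noisy client, and the total requests per second across all sources, which is the only place a flood from tens of thousands of individually quiet addresses shows up. The IP addresses, paths, window and threshold are invented for the demo.

```python
"""Application-layer (HTTP flood) rate detection over web access logs.

Added example for this news brief; not code from Cloudflare or the blog.
Two signals are computed: (1) per-source requests inside a sliding window,
and (2) site-wide requests per second, which a distributed flood raises even
when no single source trips the per-source threshold. Log lines are
constructed in Common Log Format for the demo.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, datetime, request) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


class SourceRateDetector:
    """Flag any source exceeding `threshold` requests within any `window_s` seconds."""

    def __init__(self, window_s=10, threshold=100):
        self.window_s = window_s
        self.threshold = threshold
        self.recent = defaultdict(deque)  # ip -> timestamps still inside the window
        self.flagged = set()

    def observe(self, ip, ts):
        q = self.recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window (q is non-empty here).
        while (ts - q[0]).total_seconds() > self.window_s:
            q.popleft()
        if len(q) > self.threshold:
            self.flagged.add(ip)


def analyse(lines, window_s=10, threshold=100):
    """Return (flagged_ips, peak_rps): per-source offenders and the site-wide peak rate."""
    det = SourceRateDetector(window_s, threshold)
    per_second = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; a real pipeline would count these too
        ip, ts, _ = parsed
        det.observe(ip, ts)
        per_second[ts] += 1  # CLF timestamps have one-second resolution
    return det.flagged, max(per_second.values(), default=0)


def clf(ip, ts, path):
    """Build one constructed CLF line (assumed format, HTTP/2 as in the attack)."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/2.0" 200 512'


def constructed_sample():
    """Constructed log: one client sends 150 requests to /api/search in 5 s,
    200 other clients send 2 requests each in the same second, and one ordinary
    visitor browses slowly. Lines are grouped by source rather than time-sorted,
    which the detector tolerates because its windows are per-source."""
    base = datetime(2023, 2, 11, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(150):  # single noisy source: 30 requests per second
        lines.append(clf("203.0.113.7", base + timedelta(seconds=i / 30), "/api/search?q=x"))
    for i in range(400):  # distributed: 200 sources, each only twice, all at second 3
        lines.append(clf(f"198.51.100.{i % 200}", base + timedelta(seconds=3), "/"))
    for s in (0, 2, 4, 6, 8):  # ordinary visitor
        lines.append(clf("192.0.2.10", base + timedelta(seconds=s), "/index.html"))
    return lines


if __name__ == "__main__":
    flagged, peak = analyse(constructed_sample())
    print("per-source offenders:", sorted(flagged))
    print("site-wide peak rps:", peak)
```

On the constructed sample only the single noisy client is flagged per source, yet the site-wide peak is 430 rps, 400 of which come from sources that each sent only two requests. That is the shape of the attack described above: the per-IP signal is almost silent, and mitigation has to be driven from aggregate rate and request fingerprinting rather than from any one address.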
This weekend's activity is no surprise; DDoS attacks have been increasing in size, sophistication and frequency, particularly with the growth of relatively inexpensive DDoS-as-a-service platforms run by cybercriminals. HTTP DDoS attacks have been growing by an average of 79% year on year; even worse, the number of volumetric attacks - those exceeding 100 Gbps - has grown by 67% quarter on quarter, and attacks that last more than three hours have grown by 87% quarter on quarter.
Yoachimik, Omer, Julien Desgats and Alex Forster, Cloudflare mitigates record-breaking 71 million request-per-second DDoS attack, blog post, 14 February 2023. Available online at https://blog.cloudflare.com/cloudflare-mitigates-record-breaking-71-million-request-per-second-ddos-attack/.
Google Agrees with DHS/CISA: Companies Need to Step Up
Some readers will think, 'Finally! Somebody gets it!' in response to this story, while others will not like it at all. But the US Department of Homeland Security thinks that tech companies should be held accountable for security vulnerabilities and the consequential breaches - and Google agrees.
In an opinion piece for Foreign Affairs (paywalled), Jen Easterly, Director of the Cybersecurity & Infrastructure Security Agency with the Department of Homeland Security, and Eric Goldstein, Executive Assistant Director, wrote:
“The incentives for developing and selling technology have eclipsed customer safety in importance. […] Americans…have unwittingly come to accept that it is normal for new software and devices to be indefensible by design. They accept products that are released to market with dozens, hundreds, or even thousands of defects. They accept that the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.”
Their argument is that tracking, identifying, arresting and prosecuting cybercriminals such as ransomware operators is only addressing a symptom. In fact, cybercrime remains relatively low-risk, due to cross-border jurisdictional issues and the difficulties of securing convictions. By comparison with armed robbery or even burglary, it's a walk in the park with much higher returns.
Criminal syndicates now operate like businesses, on a massive scale; while some operate at the premium end of the market, developing 0days and exploiting them against highly-defended targets, the majority work in the commodity market, routinely exploiting well-known vulnerabilities that remain unpatched - either because no patch exists, no patching mechanism exists, or patch distribution, testing and deployment is poorly managed.
Add to that rapidly-evolving technology that rewards companies for being first to market with a minimum viable product, and which favours innovative functionality over security. Compounding the problem is a massive market that sells 'solutions' - products and services that aim to add security to complex and fragile systems. The result - well, you can see it every day, and it may well pay your wages.
As Google's blog post points out, the answer is to incentivize companies to pay attention to the security architects' mantras: secure by default and secure by design. We need to shift resources left, from incident response to engineering security into the software development process. I love this quote, which I originally encountered as part of the philosophy of test pilots - who are primarily engineers, not daredevils, and who are to aviation what testers are to software, only with a lot more skin in the game:
"The object of the game, gentlemen, is not to cheat death: the object is not to let him play."
Patrick Poteen, Sgt. U.S. Army
If the software industry doesn't embed this idea culturally as a core value, it is likely that governments - operating collaboratively and internationally - will start to legislate it in ways that we may not want at all.
We're going to have to up our game.
Easterly, Jen and Eric Goldstein, Stop Passing the Buck on Cybersecurity: Why Companies Must Build Safety Into Tech Products, Foreign Affairs, 1 February 2023. Available online at https://www.foreignaffairs.com/united-states/stop-passing-buck-cybersecurity.
Walker, Kent and Royal Hansen, The US Government says companies should take more responsibility for cyberattacks. We agree, blog post, 13 February 2023. Available online at https://security.googleblog.com/2023/02/the-us-government-says-companies-should.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.