On 18 April 2017, the One World Hotel was besieged by a massive crowd. One might have thought they were there for a rock concert. They were really there for the Amazon Web Services Summit 2017. Join us at AWS Summit 2017 and find out what’s new in Amazon Web Services!
The AWS Summit 2017
With 2 keynotes and over 20 technology sessions, the AWS Summit 2017 was a great opportunity for IT managers and professionals to get updated on the latest AWS services, and what they have in the pipeline.
The highlight of the AWS Summit 2017 was a 90-minute keynote by Adrian Cockcroft, Vice President of Cloud Architecture Strategy, Amazon Web Services.
Here are some key takeaways from his presentation:
Amazon Web Services is adding new capabilities on a daily basis, with over a thousand in 2016.
Amazon will introduce Lightsail, a simple VPS service, to the Singapore AWS Region in the next few weeks.
Amazon Athena allows you to quickly query data stored in S3, whether it is compressed and/or encrypted. It will also be available in the Singapore AWS Region in the next few weeks.
Amazon Connect is a cloud-based contact center solution that is available today. It leverages Amazon Lex for natural language understanding and automatic speech recognition, and AWS Lambda for data and business intelligence.
AWS also announced the Amazon Aurora PostgreSQL-Compatible Edition service, which is currently in developer preview. It promises to offer several times better performance than a typical PostgreSQL database at 1/10th of the cost.
AWS Lambda just introduced support for Node.js 6.10 and C#, AWS Serverless Application Model and Environment Variables.
The existing AWS DDoS protection has been branded as AWS Shield. It protects all web applications from volumetric and state exhaustion attacks.
The new AWS Shield Advanced service is designed to protect enterprises against more sophisticated attacks. It includes advanced notifications and cost protection, as well as WAF (Web Application Firewall) at no additional cost.
22 December 2016 – 2016 saw a huge number and variety of cyber attacks, ranging from a high-profile DDoS using hijacked Internet-facing security cameras to the alleged hacking of party officials during the US election. The year also saw a rising tide of data breaches, from organizations big and small, and significant losses of people’s personal information. With the year almost over, Joergen Jakobsen, regional vice president for Asia-Pacific and Japan (APJ) at Sophos, looks into his crystal ball to predict the top cyber security trends for 2017:
#1 : Shift from exploitation to targeted social attacks.
Cybercriminals are getting better at exploiting the ultimate vulnerability – humans. Ever more sophisticated and convincing targeted attacks seek to coax users into compromising themselves. For example, it’s common to see an email that addresses the recipient by name and claims they have an outstanding debt the sender has been authorized to collect. Applying shock by pretending to be a lending authority or law enforcement is a common and effective tactic. The email directs users to a malicious link that they are panicked into clicking on, opening them up to attack. Such phishing attacks can no longer be recognized by obvious mistakes.
#2 : Financial infrastructure at greater risk of attack.
The use of targeted phishing and “whaling” continues to grow. These attacks use detailed information about company executives to trick employees into paying fraudsters or compromising accounts. We also expect more attacks on critical financial infrastructure, such as the attack involving SWIFT-connected institutions which cost the Bangladesh Central Bank $81 million in February. SWIFT recently revealed that there have been other such attacks and it expects to see more, stating in a leaked letter to client banks: “The threat is very persistent, adaptive and sophisticated – and it is here to stay”.
#3 : Exploitation of the Internet’s inherently insecure infrastructure.
All Internet users rely on ancient foundational protocols, and their ubiquity makes them nearly impossible to revamp or replace. These archaic protocols that have long been the backbone of the Internet and business networks are sometimes surprisingly flaky. For example, attacks against BGP (Border Gateway Protocol) could potentially disrupt, hijack, or disable much of the Internet. And the DDoS attack on Dyn in October (launched by a myriad of IoT devices) took down the DNS provider and, along with it, access to part of the Internet. It was one of the largest assaults seen, and those claiming responsibility said that it was just a dry run. Large-scale ISPs and enterprises can take some steps to respond, but these may well fail to prevent serious damage if individuals or states choose to exploit the Internet’s deepest security flaws.
#4 : Increased attack complexity.
Attacks increasingly bring together multiple technical and social elements, and reflect careful, lengthy probing of the victim organization’s network. Attackers compromise multiple servers and workstations long before they start to steal data or act aggressively. Closely managed by experts, these attacks are strategic, not tactical, and can cause far more damage. Patient and built to evade detection, they are a very different world from the pre-programmed and automated malware payloads we used to see.
#5 : Growth of malvertising and corruption of online advertising ecosystems.
Malvertising, which spreads malware through online ad networks and web pages, has been around for years. But in 2016, we saw much more of it. These attacks highlight larger problems throughout the advertising ecosystem, such as click fraud, which generates paying clicks that don’t correspond to real customer interest. Malvertising has actually generated click fraud, compromising users and stealing from advertisers at the same time.
#6 : Ransomware evolves.
As more users recognize the risks of ransomware attack via email, criminals are exploring other vectors. Some are experimenting with malware that reinfects later, long after a ransom is paid, and some are starting to use built-in tools and no executable malware at all to avoid detection by endpoint protection code that focuses on executable files. Recent examples have offered to decrypt files after the victim shared the ransomware with two friends, and those friends paid to decrypt their files. Ransomware authors are also starting to use techniques other than encryption, for example deleting or corrupting file headers. And finally, with “old” ransomware still floating around the web, users may fall victim to attacks that can’t be “cured” because payment locations no longer work.
#7 : Emergence of personal IoT attacks.
Users of home IoT devices may not notice or even care if their baby monitors are hijacked to attack someone else’s website. But once attackers “own” a device on a home network, they can compromise other devices, such as laptops containing important personal data. We expect to see more of this as well as more attacks that use cameras and microphones to spy on households. Cyber criminals always find a way to profit.
#8 : Rising focus on exploits against virtualized and cloud systems.
Attacks against physical hardware raise the possibility of dangerous new exploits against virtualized cloud systems. Attackers might abuse the host or other guests running on a shared host, attack privilege models, and conceivably access others’ data. And, as Docker and the entire container (or ‘serverless’) eco-system become more popular, attackers will increasingly seek to discover and exploit vulnerabilities in this relatively new trend in computing. We expect active attempts to operationalize such attacks.
#9 : Destructive DDoS IoT attacks will rise.
In 2016, Mirai, the malware that turns Linux systems into remotely controlled “bots” that can be used in large-scale network attacks, showed the massive destructive potential of DDoS attacks launched from insecure consumer IoT (Internet of Things) devices. Mirai’s attacks exploited only a small number of devices and vulnerabilities and used basic password guessing techniques. However, cybercriminals will find it easy to extend their reach because many IoT devices contain outdated code based on poorly-maintained operating systems and applications with well-known vulnerabilities. Expect IoT exploits, better password guessing and more compromised IoT devices being used for DDoS, or perhaps to target other devices in your network.
#10 : Technical attacks against states and societies.
Technology-based attacks have become increasingly political. Societies face growing risks from both disinformation (e.g., “fake news”) and voting system compromise. For instance, researchers have demonstrated attacks that might allow a local voter to fraudulently vote repeatedly without detection. Even if states never engage in attacks against their adversaries’ elections, the perception that these attacks are possible is itself a powerful weapon.
On October 1, 2016, Krebs on Security reported that the source code for the Internet of Things (IoT) botnet malware Mirai had been posted online and was freely available for download. Mirai reportedly spreads through Telnet brute-forcing, indicating that this is a current, ongoing issue. But what is Telnet and what are the implications of its use?
How The Mirai Malware Uses The Telnet Protocol
As a user, the Internet appears to consist predominately of websites and the servers that support them. It is easy to miss the enormous range of systems that are beneath the surface. In this article, we will plumb the depths of the Internet a little to see what goes on behind the scenes.
While there are almost 14 million devices on the current Internet using the Secure Shell (SSH) protocol to encrypt remote machine access, there are still over 15 million devices using the Telnet protocol.
Telnet was deprecated in favour of SSH as Telnet sends credentials (username/password) in clear-text and any attacker on that network path can intercept the credentials. Additionally, Telnet rarely has brute-force protection enabled so attackers can take their time sending well-known username/password combinations to a device in order to attempt to gain access.
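Because Telnet logins are rarely rate-limited on the device itself, the practical defence is to watch for the credential-guessing pattern described above (and in the Mirai prediction earlier on this page) in the logs that do exist. The following Python script is an added example, not code from the article or from any vendor: it runs a per-source sliding-window counter over constructed syslog-style lines from a hypothetical router’s login daemon, flags a source that fails five times within a minute, and raises a separate, higher-severity finding when that same source then logs in successfully, which is what a Mirai-style guess of a default password looks like from the device side. The log format, thresholds and addresses are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article): a BusyBox-style login daemon on
# a hypothetical router reporting Telnet authentication results. The format and
# the addresses are assumptions for this example.
SAMPLE_LOG = """\
Oct  1 12:00:01 router login[512]: invalid password for 'root' from 203.0.113.10 via telnet
Oct  1 12:00:02 router login[513]: invalid password for 'admin' from 203.0.113.10 via telnet
Oct  1 12:00:02 router login[514]: invalid password for 'root' from 203.0.113.10 via telnet
Oct  1 12:00:03 router login[515]: invalid password for 'support' from 203.0.113.10 via telnet
Oct  1 12:00:04 router login[516]: invalid password for 'user' from 203.0.113.10 via telnet
Oct  1 12:00:05 router login[517]: root login on 'pts/0' from 203.0.113.10 via telnet
Oct  1 12:00:20 router login[518]: invalid password for 'admin' from 198.51.100.7 via telnet
Oct  1 12:05:30 router login[519]: invalid password for 'admin' from 198.51.100.7 via telnet
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ login\[\d+\]: invalid password for '(?P<user>[^']+)'"
                     r" from (?P<ip>[\d.]+) via telnet$")
OK_RE = re.compile(TS + r" \S+ login\[\d+\]: (?P<user>\w+) login on '[^']+'"
                   r" from (?P<ip>[\d.]+) via telnet$")


def parse_ts(raw, year=2016):
    """Syslog timestamps carry no year; the caller supplies it (2016 assumed here)."""
    return datetime.strptime(f"{year} {raw}", "%Y %b %d %H:%M:%S")


def detect_telnet_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return findings: a 'bruteforce' finding the first time a source reaches
    `threshold` failures inside a sliding window of `window_seconds`, and a
    'success_after_bruteforce' finding for every later successful login from a
    source that was already flagged (likely compromise, not just noise)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried (a spread of names is a guessing tell)
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            users[ip].add(m["user"])
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({
                    "source": ip,
                    "type": "bruteforce",
                    "failures_in_window": len(q),
                    "users_tried": sorted(users[ip]),
                })
            continue
        m = OK_RE.match(line)
        if m and m["ip"] in flagged:
            findings.append({
                "source": m["ip"],
                "type": "success_after_bruteforce",
                "user": m["user"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_telnet_bruteforce(SAMPLE_LOG):
        print(finding)
```

The second source in the sample (two failures five minutes apart) never reaches the threshold, which is the point of the sliding window: an operator mistyping a password is not an alert, a burst of different usernames from one address is. In a real deployment the year would come from the collector, and the same logic applies unchanged to SSH failures from a device that still accepts both protocols.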
Telnet, however, has other interesting angles to it for security research. As it has been deprecated, it is typically still visible on legacy equipment, in particular network infrastructure equipment. In short, Telnet typically appears on older network equipment. This is very helpful shorthand for an attacker.
The equipment in question falls into a number of basic categories:
Routers, Firewalls and VPNs for organizations
(Industrial) Control Systems
One major issue for older network equipment running Telnet is that it typically was not built with the same security engineering practices as modern devices. Default credentials are a case in point: whilst many devices unfortunately still ship with default credentials, some devices even advertise that they are currently configured to use them!
The routers of one well-known manufacturer have default administrator credentials detailed in the telnet banner. Our research has yielded over 20,000 of these devices currently connected to the Internet, some of which were from within government departments.
Home routers are an attractive target for people attempting to make DDoS botnets as vulnerabilities that these devices have are frequently wormable. That is, a piece of code can be deployed which autonomously seeks out vulnerable devices, compromises them and uses these freshly compromised devices as launching pads for the next wave of attacks.
In a twist of events, one worm infecting Linux home routers, called Wifatch or REINCARNA, actually displays a warning message in the Telnet banner that the device has been infected and provides instructions for how the user can protect him or herself. Our research found over 82,000 devices infected by REINCARNA. The banner is displayed below:
“Telnet and other backdoors have been closed to avoid further infection of this device. Please disable telnet, change root/admin passwords, and/or update the firmware.”
The Telnet banner is also often used to issue legal threats, for example, “PRIVATE ELECTRONIC DEVICE” yields 139 results. The threat of “imprisonment” is also wielded by 3048 devices. Military systems have their own kinds of banners informing the user that information on their usage is collected “for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct, law enforcement, and counterintelligence investigations.”
Other more esoteric devices also appear, such as Automatic Number Plate Recognition systems (64 devices), 3G backup routers (31 devices), GPRS modems (33 devices) and cable set-top boxes (213 devices). The full numbers are naturally much higher, but we simply want to demonstrate the diversity of devices connected to the public Internet.
Our research shows that legacy network protocols can still endanger us today. The combination of cleartext credentials (no encryption), default or weak passwords, and the ease of brute-forcing makes Telnet an attractive target. Coupled to that is the fact that Telnet is still often enabled on network devices. The perfect storm? It remains to be seen.
Hackers have plenty of impetus for targeting large enterprises, especially government agencies, financial institutions and health care organizations. Even large entertainment firms such as Sony Pictures, retailers like Target and telecommunications companies including TalkTalk have been exploited by cyber criminals.
That said, the highest valued companies are not the easiest targets, especially since there are relatively few of them compared to the amount of small and medium-sized businesses. Hackers on the prowl will follow any and all leads to a quick payday. Often, this means firing into the crowd, so to speak.
Cyber criminals will have better success going after a larger number of targets than trying to orchestrate advanced targeted attacks against one bigwig organization. Even as cyber criminals continue to become more ambitious, in all likelihood, cyber attackers will continue to go after smaller businesses in 2016. For this reason, it’s worth reviewing some of the biggest cyber threats currently facing SMBs.
Distributed denial of service attacks represent a huge cyber threat to any business, but especially to SMBs that can only afford limited bandwidth. As hinted at in the name, the purpose of a DDoS attack is to shut down a server, thereby blocking user access to specific Web services or applications. This is accomplished by flooding network infrastructure with meaningless traffic from many distributed sources (hence the name); the heavy volume of requests results in a network crash.
There are countless motives for orchestrating a DDoS attack. For example, it may be executed in an attempt to shut down specific security services, so as to orchestrate a more serious, supplementary attack. However, more often than not, the goal is extortion. Hackers will flood a network, and will send ransom notes to the company stating that they won’t ease up until a certain amount of money has been paid to them. This is precisely what happened to ProtonMail in late 2015. Cyber attackers shut down the company’s central data center, and then requested a ransom of 15 Bitcoins, the rough equivalent of $6,000. In response to pressure from third parties, ProtonMail paid the ransom. However, the cyber criminals did not ease up.
The first main takeaway here is that DDoS attacks remain a significant threat to all organizations, but especially companies that offer Web-based services, and in particular, SMBs that might not have significant bandwidth. The second lesson from the incident is that any SMB that falls prey to an attack should not pay a ransom. Recovery will be time consuming, and will most likely impact revenue. However, paying cyber criminals a ransom only for them to continue the attack will result in even more lost money. When it comes to prevention, network vigilance is key. Any early signs of an impending DDoS attack may make it possible to mitigate the effects. Laying out a smart network infrastructure that can evenly distribute barrage of traffic may also alleviate some of the strain.
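The “early signs” the paragraph above recommends watching for are, at the simplest level, a request rate that departs sharply from the site’s normal rhythm. The Python below is an added example, not code from the article: it builds a constructed request log (ten quiet seconds followed by a five-second flood from many addresses), learns a baseline request rate with an exponentially weighted moving average, and alerts when a second’s traffic exceeds a multiple of that baseline. The one caveat worth seeing in code is that the baseline must be frozen while an alert is active, otherwise the flood itself becomes the new “normal” after a few seconds and the alert clears on its own. The log format, thresholds and addresses are assumptions for the example.

```python
from collections import Counter, defaultdict


def make_sample():
    """Constructed request log, one line per request: '<epoch_second> <client_ip> <path>'.
    Not real traffic: 10 s of ~20 req/s from five clients, then 5 s of 600 req/s
    spread across 200 addresses (the shape of a volumetric flood)."""
    lines = []
    for sec in range(10):
        for i in range(20):
            lines.append(f"{1000 + sec} 192.0.2.{i % 5 + 1} /index.html")
    for sec in range(10, 15):
        for i in range(600):
            lines.append(f"{1000 + sec} 203.0.113.{i % 200 + 1} /")
    return lines


def per_second_counts(lines):
    """Aggregate requests and distinct client addresses per second."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        sec, ip, _path = line.split(" ", 2)
        counts[int(sec)] += 1
        sources[int(sec)].add(ip)
    return counts, sources


def detect_volumetric_spike(lines, alpha=0.3, ratio=5.0, warmup=5):
    """Alert for every second whose request count exceeds `ratio` times the EWMA
    baseline. The first `warmup` seconds only train the baseline. Seconds with
    zero requests do not appear in the log and are simply skipped here."""
    counts, sources = per_second_counts(lines)
    baseline = None
    trained = 0
    alerts = []
    for sec in sorted(counts):
        n = counts[sec]
        if baseline is None:
            baseline = float(n)
        elif trained >= warmup and n > ratio * baseline:
            alerts.append({
                "second": sec,
                "requests": n,
                "baseline": round(baseline, 1),
                "distinct_sources": len(sources[sec]),
            })
            # Freeze the baseline during an alert: feeding flood seconds into the
            # average would teach the detector that the attack is normal.
            continue
        else:
            baseline = alpha * n + (1 - alpha) * baseline
        trained += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_volumetric_spike(make_sample()):
        print(alert)
```

The `distinct_sources` field is what separates a flood from a legitimate surge in practice: a popular link brings many requests from a modest number of clients, whereas a distributed attack brings a jump in both requests and source addresses at once, which is the signal to hand to an upstream provider or scrubbing service while there is still bandwidth left to do so.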
Striking the point of sale
Point-of-sale malware is not a new cyber threat, but it’s one that has become especially prominent in the past few years. According to Trend Micro, SMBs were hit particularly hard in 2015, having accounted for 45 percent of all scenarios involving POS malware. Everything from restaurants to boutiques to small service providers are heavily targeted, mainly because cyber security is not quite as strong for these companies. Not to mention, smart, sneaky new strains of POS malware are always being created.
For example, Trend Micro researchers recently discovered a form of malware that seeks out POS systems in a network. Dubbed “Black Atlas,” the malware does not appear to target specific companies in any particular industry. However, SMBs are the most likely to be affected.
Other POS threats come in the form of skimmers. These are basically rigged payment processing units that are designed to collect card information, which is then sold on the Dark Web. Part of the reason this is such a big problem for SMBs is because smaller businesses are more likely to purchase less-expensive, poorly vetted card payment systems. Some of these are actually pre-configured with skimmers. In fact, Trend Micro noted that in China, cyber criminals can actually receive text messages every time a skimmer successfully plunders payment information.
In order to avoid being snagged by a POS malware scam, SMBs are encouraged to always purchase verified, well-known payment processing systems. This will significantly reduce the threat of skimmers. Defending against POS malware is slightly more complicated as strains continue to become more elaborate, and generally more difficult to detect. There have been several cases in the past few months of hotel chains having customer payment information stolen as a direct result of POS malware.
The good news, however, is that the use of EMV chip technology significantly reduces the chances of payment information being pilfered. Rather than using the same code for every transaction – as magnetic stripes do – these chips generate a single-use code for each purchase, so that even if hackers manage to collect this information, it is essentially useless.
Therefore, SMBs are encouraged to make the shift to EMV card processing systems as soon as possible, especially considering that as of October 2015, liability for stolen payment data shifted to merchants. Any business that does not have EMV card reading technology, and is hacked, can therefore be held accountable for the ensuing damages. Many small businesses can hardly afford to become the victim of a POS malware ploy, let alone cover subsequent legal damages.
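To make the “same code every time” versus “single-use code” contrast concrete, the Python below is an added example, not code from the article, Trend Micro or any payment scheme. It is a deliberately simplified model: the chip card shares a secret key with the issuer and keeps a transaction counter (EMV calls it the Application Transaction Counter, ATC), and for each purchase it computes a MAC over the account number, the counter, the amount and a random number supplied by the terminal. Real EMV derives per-transaction session keys and uses a block-cipher MAC for the cryptogram; the HMAC-SHA256 here is a stand-in for that, and the PAN, amounts and key are constructed values. The point the code makes is that a copied magnetic stripe authorizes again and again, while a captured chip cryptogram fails on replay for three independent reasons.

```python
import hashlib
import hmac
import secrets


class MagstripeCard:
    """Static track data: the same bytes are presented for every purchase."""

    def __init__(self, pan):
        self.track = f"{pan}=2012101".encode()  # constructed PAN, expiry, service code

    def swipe(self):
        return self.track


class ChipCard:
    """Simplified EMV-style card (assumption: HMAC stands in for the real
    block-cipher cryptogram). The key never leaves the card."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        self.atc += 1  # counter advances on every purchase
        msg = f"{self.pan}|{self.atc}|{amount_cents}|{unpredictable_number}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "mac": mac}


class Issuer:
    """Holds the per-card keys and the highest counter seen for each account."""

    def __init__(self):
        self._keys, self._last_atc, self._stripe_accounts = {}, {}, set()

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._stripe_accounts.add(pan)

    def authorize_magstripe(self, track, amount_cents):
        # Nothing binds the track to this purchase: any copy is as good as the card.
        return track.split(b"=")[0].decode() in self._stripe_accounts

    def authorize_chip(self, cg, amount_cents, unpredictable_number):
        key = self._keys.get(cg["pan"])
        if key is None:
            return False
        if cg["amount"] != amount_cents or cg["un"] != unpredictable_number:
            return False  # bound to a different purchase / terminal challenge
        msg = f"{cg['pan']}|{cg['atc']}|{cg['amount']}|{cg['un']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, cg["mac"]):
            return False  # forged or tampered cryptogram
        if cg["atc"] <= self._last_atc.get(cg["pan"], 0):
            return False  # counter already used: replay
        self._last_atc[cg["pan"]] = cg["atc"]
        return True


def replay_demo():
    """Constructed scenario: capture one transaction of each kind, then present it
    again. Returns the issuer's decision for each attempt."""
    issuer, pan, key = Issuer(), "4111111111111111", secrets.token_bytes(16)  # test PAN
    issuer.enroll(pan, key)
    stripe, chip, amount = MagstripeCard(pan), ChipCard(pan, key), 1999
    results = {}

    captured_track = stripe.swipe()
    results["magstripe_first"] = issuer.authorize_magstripe(captured_track, amount)
    results["magstripe_replay"] = issuer.authorize_magstripe(captured_track, amount)

    un = secrets.randbelow(2**32)  # terminal's unpredictable number
    captured = chip.generate_cryptogram(amount, un)
    results["chip_first"] = issuer.authorize_chip(captured, amount, un)
    results["chip_replay_same_terminal"] = issuer.authorize_chip(captured, amount, un)
    results["chip_replay_new_terminal"] = issuer.authorize_chip(
        captured, amount, secrets.randbelow(2**32))
    forged = dict(captured, atc=captured["atc"] + 1)  # bump counter without the key
    results["chip_forged_atc"] = issuer.authorize_chip(forged, amount, un)

    un2 = secrets.randbelow(2**32)  # the genuine card's next purchase still works
    results["chip_second_purchase"] = issuer.authorize_chip(
        chip.generate_cryptogram(amount, un2), amount, un2)
    return results


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name:26s} {'ACCEPTED' if accepted else 'declined'}")
```

The three independent checks are the design lesson: the terminal’s random number binds the cryptogram to one purchase, the MAC stops anyone without the card’s key from minting a fresh one, and the issuer-side counter catches a verbatim replay even at the same terminal with the same amount. A skimmer that copies everything a chip card says to the terminal therefore gets data that is already spent by the time it is sold.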
Phishing scams will always be a problem for companies of all sizes. As long as corporations continue to fall for these ploys, hackers will work tirelessly to bring down their targets, which include SMBs. Much like DDoS attacks, modern phishing scams often take the extortion angle. One of the most prominent, recent examples is the notorious CryptoLocker strain. There are various forms of encryption malware, and many of them start off as phishing scams.
Basically, an employee might receive an email with a request to download a certain PDF or XML. In theory, an aware user should be cognizant of the danger involved with downloading a shady file, but on a particularly busy day, a phishing email may trick even the most wary of workers. Upon opening the cleverly disguised executable, files on the network are locked down. What typically follows is a payment request in order to decrypt the files.
Other phishing ploys might target social media portals, so as to take control of an account. For an SMB that relies on its Web presence to drive traffic to brick-and-mortar locations – for example, a restaurant, bar or mechanic shop – a hacked company Facebook page isn’t exactly choice marketing. Regardless of the targeted medium, a phishing scam can cause serious productivity setbacks for SMBs.
When it comes to securing against phishing scams and cyber threats in general, employee vigilance is hugely important. Granted, even this won’t always be enough to prevent a business from becoming the victim of a cyber attack. For the really tricky threats, SMBs will have to rely on threat protection.