Categories
cybersecurity

What we know about the cyberattack on major US websites

The cyberattack that brought Twitter, PayPal and hundreds of other online sites to a halt Friday hijacked millions of routers, digital video recorders and other internet-connected appliances to carry out the assault.

The onslaught, which began around 7:10 a.m. EDT, centered on servers run by Dyn, a major provider of services that steer traffic to web pages. The servers at Dyn ground to a halt from the bombardment, which began on the East Coast and spread west in at least three waves throughout the day.

The attack reportedly relied on a strain of malware known as Mirai, which searches the web for devices that are plugged into the network, then logs into them via factory default usernames and passwords. The infected devices can then hurl massive amounts of traffic at the target in an attack known as a distributed denial of service (DDoS).
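The propagation pattern described above (one source trying factory-default logins against many devices in quick succession) is visible in device authentication logs. The following detector is an added example written for this page, not code from the article or from any vendor; the log format and sample lines are constructed, and the thresholds are assumptions a defender would tune for their own network.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format, not from any real device):
# "<ISO timestamp> <device-id> <source-ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOGS = """\
2016-10-21T07:10:01 dvr-01 203.0.113.7 root LOGIN_FAIL
2016-10-21T07:10:02 dvr-01 203.0.113.7 admin LOGIN_FAIL
2016-10-21T07:10:03 dvr-02 203.0.113.7 root LOGIN_FAIL
2016-10-21T07:10:04 cam-05 203.0.113.7 admin LOGIN_OK
2016-10-21T07:10:05 router-3 203.0.113.7 support LOGIN_FAIL
2016-10-21T07:15:00 dvr-01 198.51.100.2 operator LOGIN_OK
2016-10-21T08:00:00 dvr-02 198.51.100.9 root LOGIN_FAIL
"""

def parse_line(line):
    """Split one log line into (timestamp, device, source, user, success)."""
    ts, device, src, user, result = line.split()
    return datetime.fromisoformat(ts), device, src, user, result == "LOGIN_OK"

def detect_scanners(lines, window_seconds=60, min_devices=3, min_users=2):
    """Return {source_ip: summary} for sources whose login attempts, within any
    window of `window_seconds`, touch at least `min_devices` distinct devices
    using at least `min_users` distinct usernames. Many devices and several
    default usernames within seconds is a scanner's fingerprint, not an operator's."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, device, src, user, ok = parse_line(line)
            by_src[src].append((ts, device, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            span = events[i:j]
            devices = {e[1] for e in span}
            users = {e[2] for e in span}
            if len(devices) >= min_devices and len(users) >= min_users:
                flagged[src] = {
                    "devices": len(devices),
                    "users": len(users),
                    # a success inside the burst means a device still has a default login
                    "success": any(e[3] for e in span),
                }
                break
    return flagged
```

A flagged source with `"success": True` points at a device that should be re-credentialed before it joins the botnet; a flagged source without a success still shows which devices are being probed.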

https://twitter.com/Dyn/status/789444349998268416

Sites targeted in a DDoS attack groan under the barrage of traffic until they slow or shutter completely. A similar attack in September on the website KrebsonSecurity involved an assault with many orders of magnitude more intensity than needed to knock sites offline.

“Someone has a botnet with capabilities we haven’t seen before,” Martin McKeay, a senior security advocate at Akamai, told Brian Krebs, the site’s editor, following the attack on the Krebs site. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”

Many of the devices hijacked by Mirai reportedly run hardware and software made by XiongMai Technologies, a Chinese company that sells the components to manufacturers who mass-produce the parts into DVRs and other devices.

The source code for Mirai was released publicly in September, according to Krebs, who predicted that the internet would soon be awash in attacks such as the one on Dyn, which serves many of the internet’s largest news, entertainment and shopping companies.

Mirai is one of at least two strains of malware that hackers use to launch DDoS attacks, which marshal millions of devices that make up the so-called Internet of Things.

A spokesman for the FBI told the Times that agents were investigating all possible causes, including a state sponsor, in Friday’s attack.

Categories
cybersecurity

Jailbroken iPhones infected by malware

Nearly a quarter of a million owners of Apple’s iPhone may be at risk of having their iTunes accounts hijacked or their devices held hostage by intruders.

That’s because hackers have distributed malware that steals log-in credentials and lets its users purchase apps and media from both the App Store and iTunes Store, according to a report published Sunday by Palo Alto Networks, a digital security firm.

The attack is thought to be the largest known theft of data from Apple accounts caused by malware, the firm said.

The malware, known as KeyRaider, affects iPhones whose users have jailbroken their devices, disabling the operating system’s restrictions to allow installation of third-party apps. As of Sunday, thieves had used KeyRaider to steal nearly 226,000 valid Apple accounts, along with certificates, private keys and other security features, the firm said.

“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying,” Claud Xiao, a security researcher at Palo Alto Networks, wrote in a blog post.

As of Sunday, about 20,000 people had downloaded the malware, suggesting at least that many people are misapplying credentials stolen from iTunes accounts. The malware, which also allows intruders to hold phones hostage in return for ransom, has appeared in 18 countries, including the U.S., China and the U.K.

Palo Alto Networks traced the malware after members of Weiphone, a community of iPhone fans based in China, discovered unauthorized charges in their iTunes accounts.

The malware offers a reminder that jailbreaking carries risks. “Most security experts discourage the practice unless it’s done by highly experienced people who know exactly what code they’re using to circumvent Apple engineers’ safeguards and, once that’s done, what alternative apps they’re installing,” Dan Goodin wrote Monday at Ars Technica.

Categories
cybersecurity Law

EU readies rules to bolster cybersecurity, require notice of data breaches

The European Union is readying an approach to cybersecurity that may subject services such as Google and Facebook to breach notification requirements that mirror those for banks and health-care providers.

The Network and Information Security Directive, a proposal under consideration by the European Commission, would require companies in industries deemed critical to strengthen digital safeguards and report breaches to national authorities.

The directive represents one of the first attempts to legislate a rule for security breaches that crosses borders. That stands in contrast to the U.S., which has yet to adopt a national notification law and leaves companies to comply with a series of notification requirements set by states.

Members of the European Parliament who have been negotiating the rules have agreed to extend the reach of the directive to social networks, cloud computing platforms, commerce sites and other digital platforms, according to a report Friday by Reuters.

Under the terms of the directive, which was proposed in 2013, companies that operate so-called critical infrastructure in any of the 28 countries that constitute the EU will be required to report “significant security incidents” as well as adopt measures to lessen the risk of cyber threats.

In addition to Internet companies, the directive would require companies in the financial, energy, health and transportation industries to report incidents “having a significant impact on the security of core services.” The EU currently requires telecommunications companies to report such incidents.

Members of the commission are expected to start work this September on a final version of the rule.

Ninety percent of large corporations and 74% of small businesses in the U.K. experienced a security breach in the past year, according to a survey published recently by PwC.