Updated: Massive cyberattack leading to slowdown across the web
By The Associated Press - Wednesday, March 27, 2013
LONDON – A record-breaking cyberattack targeting an anti-spam watchdog group has sent ripples of disruption coursing across the Web, experts said Wednesday.
Spamhaus, a site responsible for keeping ads for counterfeit Viagra and bogus weight-loss pills out of the world’s inboxes, said it had been buffeted by the monster denial-of-service attack since mid-March, apparently from groups angry at being blacklisted by the Swiss-British group.
“It is a small miracle that we’re still online,” Spamhaus researcher Vincent Hanna said.
Denial-of-service attacks overwhelm a server with traffic — like hundreds of letters being jammed through a mail slot at the same time. Security experts measure those attacks in bits of data per second. Recent cyberattacks — like the ones that caused persistent outages at U.S. banking sites late last year — have tended to peak at 100 billion bits per second.
But the furious assault on Spamhaus has shattered the charts, clocking in at 300 billion bits per second, according to San Francisco-based CloudFlare Inc., which Spamhaus has enlisted to help it weather the attack.
“It was likely quite a bit more, but at some point measurement systems can’t keep up,” CloudFlare chief executive Matthew Prince wrote in an email.
Patrick Gilmore of Akamai Technologies said that was no understatement.
“This attack is the largest that has been publicly disclosed — ever — in the history of the Internet,” he said.
It’s unclear who exactly was behind the attack, although a man who identified himself as Sven Olaf Kamphuis said he was in touch with the attackers and described them as mainly consisting of disgruntled Russian Internet service providers who had found themselves on Spamhaus’ blacklists. There was no immediate way to verify his claim.
He accused the watchdog of arbitrarily blocking content that it did not like. Spamhaus has widely used and constantly updated blacklists of sites that send spam.
“They abuse their position not to stop spam but to exercise censorship without a court order,” Kamphuis said.
Gilmore and Prince said the attack’s perpetrators had taken advantage of weaknesses in the Internet’s infrastructure to trick thousands of servers into routing a torrent of junk traffic to Spamhaus every second.
The trick, called “DNS reflection,” works a little bit like mailing requests for information to thousands of different organizations with a target’s return address written across the back of the envelopes. When all the organizations reply at once, they send a landslide of useless data to the unwitting addressee.
Both experts said the attack’s sheer size has sent ripples of disruptions across the Internet as servers moved mountains of junk traffic back and forth across the Web.
“At a minimum there would have been slowness,” Prince said, adding in a blog post that “if the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.”
At the London Internet Exchange, where service providers exchange traffic across the globe, spokesman Malcolm Hutty said his organization had seen “a minor degree of congestion in a small portion of the network.”
But he said it was unlikely that any ordinary users had been affected by the attack.
Hanna said his site had so far managed to stay online, but warned that being knocked off the Internet could give spammers an opening to step up their mailings — which may mean more fake lottery announcements and pitches for penny stocks heading to people’s inboxes.
Hanna denied claims that his organization had behaved arbitrarily, noting that his group would lose its credibility if it started flagging benign content as spam.
“We have 1.7 billion people who watch over our shoulder,” he said. “If we start blocking emails that they want, they will obviously stop using us.”
Gilmore of Akamai was also dismissive of the claim that Spamhaus was biased.
“Spamhaus’ reputation is sterling,” he said.
-
U.S. calls for ‘serious’ action by China to stop cyber theft
By The Associated Press - Monday, March 11, 2013 at 3:23 PM
WASHINGTON – The White House is calling for “serious steps” by China to stop cyber theft that is intolerable to the international community.
National Security adviser Tom Donilon’s comments Monday reflect growing concern in Washington over the security risk posed by cyber intrusions and the economic costs for America.
Donilon said U.S. businesses are increasingly speaking out about cyber theft emanating from China “on a very large scale.” He said Beijing “should take serious steps to investigate and put a stop to these activities” and recognize the risk to international trade and to U.S.-China relations.
Donilon was speaking in New York on Asia policy. He stressed the importance of constructive relations with Beijing.
He said diplomatic relations were good but military dialogue needs improving to prevent the risk of accidental conflict.
-
UK data regulator fines Sony $396,100 for cyberattack on PlayStation Network
By The Associated Press - Thursday, January 24, 2013 at 5:35 AM
LONDON – British regulators fined Sony 250,000 pounds ($396,100) on Thursday for having insufficient security measures to prevent a cyberattack on its PlayStation Network.
The attack in April 2011 targeted credit card information through Sony’s PlayStation Network and put millions of users’ personal information — including names, addresses, birth dates and account passwords — at risk.
Britain’s Information Commissioner’s Office said Thursday that security measures in place at the time “were simply not good enough.” It said the attack could have been prevented if software had been up to date, while passwords were also not secure.
David Smith, deputy commissioner and director of data protection, acknowledged that the fine for a “serious breach of the Data Protection Act” was “clearly substantial” but said that the office makes “no apologies” for that.
“There’s no disguising that this is a business that should have known better,” he said in a statement. “It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
Smith called the case “one of the most serious ever reported” to the data regulator.
-
Fighting cybercrime
By Luiza Ch. Savage - Wednesday, December 26, 2012 at 7:10 AM
As the U.S. attempts to bolster its cybersecurity legislation, will Canada be called on to take part?
The revelation that Iranian nuclear centrifuges were sabotaged by the computer worm Stuxnet—reportedly a covert U.S.-Israeli intelligence operation—is unnerving Western security policy-makers who say it is only a matter of time before cyberwar is turned against North America. Will hackers shut down the electrical grid, sending millions into darkness? Could a foreign agent remotely sabotage a pipeline carrying natural gas or crude oil, causing an environmental disaster?
American lawmakers want to encourage U.S. government agencies to share intelligence about potential threats with private sector companies (who own and operate most of America’s critical infrastructure), and to compel these firms to be more forthcoming about their own vulnerabilities. The issues are complicated: government regulations could prove onerous and costly, and could become quickly obsolete. Companies worry that identifying vulnerabilities could lead to legal liability and higher insurance costs. Civil libertarians also worry that allowing government greater leeway to monitor Internet traffic in search of malicious software could lead to privacy violations. Earlier this year Republicans blocked proposed legislation in the Senate that would have created merely voluntary standards (House Republicans are now talking about drafting their own bill next year, but plans remain vague). Meanwhile, there is speculation that President Barack Obama will weigh in with an executive order this month, in an attempt to fill the void left by congressional paralysis.
-
The auditor general on cyber security, veterans and national finance
By Aaron Wherry - Tuesday, October 23, 2012 at 11:32 AM
The fall report of the Auditor General has been published here. In it, he covers, among other things, cyber security, veterans and the government’s fiscal projections.
While Finance Canada prepared a draft report in 2007 on the long-term fiscal sustainability analyses that the government committed to issuing that year, the analyses were not published; nor has any report on long-term fiscal sustainability been published since then. While long-term fiscal sustainability analyses have been regularly prepared since 2010, they have not been made public. This lack of reporting means that parliamentarians and Canadians do not have all the relevant information to understand the long-term impact of budgets on the federal, provincial, and territorial governments in order to support public debate and to hold the government to account. Many of the countries that are members of the Organisation for Economic Co-operation and Development (OECD) already publish reports on their long-term fiscal positions.
The CBC looks at the cyber security findings. The Canadian Press looks at veterans and savings from changes to Old Age Security.
















