I did a news story in Infosecurity Magazine yesterday: Meetup Fighting Prolonged DDoS Attack. The gist is that the social network site, meetup — which promotes the idea of both dispersed and local ‘groups’ and group activities — had been under intermittent DDoS attack since last Thursday.
CEO Scott Heiferman has blogged about the attack. It started with an email warning that said the attacker had been commissioned by a competitor to attack him — but that he would abandon the attack on payment of $300. Heiferman thinks the $300 was just to test the water; to see if meetup would be susceptible to further extortion in the future.
That’s possible; but given the commoditization of DDoS as a service, it is equally likely to be the actual cost of the attack; and the attacker was seeing if he could get his fee without the effort of the attack.
But in all of this there is one question unanswered. Heiferman stresses that throughout the attack his engineers have been toiling to keep the site up and running, and actually says that he spends millions of dollars every year on security. What is clear is that he has spent little or nothing on DDoS mitigation — and is possibly still spending nothing on third-party mitigation (else his problem would probably have long been solved).
I spoke to Ashley Stephenson, CEO of Corero Network Security (a DDoS mitigation firm) to try to understand what’s going on. While we don’t yet know who is behind the attack, what if any competitor was involved, nor the type of DDoS attack used, what is clear, Stephenson told me, is that “it appears the meetup site had no proactive defence in place. Similarly their primary ISP or Hosting Provider was not able to successfully defend their customer against the volume or sophistication of the threat.”
But it would have started much earlier. “Long before the demand for cash was made, attackers were likely probing the meetup service, searching for vulnerabilities and preparing to launch an attack that would do the most harm.”
This is one reason why companies need to be proactive and mitigate DDoS before it starts rather than be reactive and attempt to contain an attack when in full sway. “A technology solution with the capabilities to detect, analyze and ultimately mitigate DDoS attacks, could provide an early alert on such suspicious activity, and help to protect against the malicious activity as soon as it escalates.”
Most companies’ preparation for a DDoS attack is simply to ask themselves, ‘would I pay or would I fight?’; but then they fail to ask themselves: ‘OK, how would I fight this?’
“The lesson to be learned here, unfortunately at the expense of meetup,” said Stephenson, “is that businesses need to think proactively and prepare for cyber attack scenarios, before they hit.”
It makes sense. Most companies buy an anti-malware system not because they have a malware infection, but because of the possibility that they might get one. The same mentality needs to be developed about DDoS attacks and DDoS mitigation — it’s best to get the defence in before the attack, because that attack is becoming increasingly more likely, and increasingly more dangerous.
They claim to be super-patriots, but they would destroy every liberty guaranteed by the Constitution. They demand free enterprise, but are the spokesmen for monopoly and vested interest. Their final objective toward which all their deceit is directed is to capture political power so that, using the power of the state and the power of the market simultaneously, they may keep the common man in eternal subjection.
Vice President Henry Wallace, speaking of American Fascists
Damn. I hadn’t realised that Republicans and Democrats and Tories and Labour were all just synonyms for American Fascists.
The days when the West could speak with any moral authority have long gone. Nobody listens any more.
“Vladimir Putin had a telephone conversation with President of the United States Barack Obama on the American side’s initiative,” announced Putin’s office this morning.
The Russian President spoke of a real threat to the lives and health of Russian citizens and the many compatriots who are currently on Ukrainian territory. Vladimir Putin stressed that in case of any further spread of violence to Eastern Ukraine and Crimea, Russia retains the right to protect its interests and the Russian-speaking population of those areas.
That’s as close as you can get to ‘mind your own business’ in diplomatic language.
I got an email this morning from a friend, a world-renowned security expert, and — dare I say it — an ex-detective.
He was in trouble. In Ukraine. He’d been mugged and lost his money. His passport had been impounded by his hotel, and he was stuck. Could I help?
Well, even Google can recognise a London Scam (Dear Mum, I’ve been mugged in London — please send money); although I personally haven’t seen one for a couple of years now.
But the interesting thing here is that the scammer used the correct email address: firstname.lastname@example.org. Closer inspection showed, however, that the reply address was slightly different: email@example.com.
So what we have is a scammer who had taken the trouble to find a relationship between two people and register an email address close to one of them. We can assume that the real a.person hasn’t been hacked and lost his contact list otherwise the scammer wouldn’t have needed the separate reply-to address. So the question is, how did the scammer tie the two of us together?
Finding my email is not a problem — as a journalist I hardly keep it secret. I would expect the real a.person to be more circumspect, however. And then there’s the relationship. I guess LinkedIn and Twitter serve a few more functions than most of us realise…
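The pattern described above, a correct From address with a near-identical Reply-To, is easy to flag mechanically. The following is an added example, not code from the original post; the message and the addresses a.person@example.org and a.person@exarnple.org are constructed for illustration.

```python
"""Flag a Reply-To address that is a near-lookalike of the From address.

Added example, not part of the original post. The sample message and
both addresses below are constructed; "rn" standing in for "m" is a
common visual substitution.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From and Reply-To differ only by "rn" versus "m".
SAMPLE_MESSAGE = """\
From: A Person <a.person@example.org>
Reply-To: A Person <a.person@exarnple.org>
To: recipient@example.net
Subject: In trouble in Ukraine

Mugged, lost my money, passport held by the hotel. Can you help?
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings; small means 'looks alike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_reply_to(raw_message: str, max_distance: int = 2) -> dict:
    """Return a verdict on whether Reply-To is a lookalike of From.

    No Reply-To, or one identical to From, is normal. A Reply-To that
    differs from From by only a character or two is the scam pattern:
    the sender address the recipient recognises, with replies silently
    routed to an address the scammer registered.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()
    if not reply_to or reply_to == sender:
        return {"suspicious": False, "distance": 0,
                "reason": "reply-to absent or identical to sender"}
    distance = edit_distance(sender, reply_to)
    if distance <= max_distance:
        return {"suspicious": True, "distance": distance,
                "reason": f"reply-to {reply_to!r} is a near-match for {sender!r}"}
    return {"suspicious": False, "distance": distance,
            "reason": "reply-to differs clearly from sender"}


if __name__ == "__main__":
    print(check_reply_to(SAMPLE_MESSAGE))
```

The same check can be run over a mailbox export; a lookalike Reply-To is worth a second look even when the From address is exactly the one you know.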
This coming week the European Justice and Home Affairs Council (ie, national ministers from the individual national governments) will meet in Brussels. There are several items on the agenda.
Top of the list in a memo released by Viviane Redding is reform of the data protection laws. She says,
I am confident we will be able to build on the momentum injected into the negotiations by the Greek Presidency at the last informal Council meeting in January. Seeing the latest progress, I will continue working with Ministers for an adoption of the data protection reform before the end of this year.
Bottom of the list in a ministerial statement from Theresa May is reform of the data protection laws. She says,
There will be a state of play/orientation debate on the Proposal for a General Data Protection Regulation. The UK continues to believe that this proposal is far from ready for a general agreement, and that no such agreement can occur until the text as a whole has been approved. The proposal remains burdensome on both public and private sector organisations and the Government would not want to see inflexible rules on transfers outside the European Economic Area which do not reflect the realities of the modern, interconnected world.
And yes, they really are talking about the same thing. Most of Europe has already agreed the data protection reform proposals; but the UK doesn’t like it and won’t play.
The problem is, providing more protection for our personal information is difficult for the UK. It would upset the three most powerful organizations in the country: GCHQ, Google and Facebook. GCHQ would have its ability to collect our private messages, photos, home videos and internet browsing habits severely curtailed — and of course nobody would want to see that.
Google and Facebook would no longer be able to ship our personal information to servers outside of the UK; that is, the US, from where the NSA/FBI could demand access while declining to allow us to be told (assuming they need to since GCHQ will probably have already intercepted the data via its taps on the fibre cables that run between the two continents and simply handed it en masse to the NSA for storage and safe keeping).
Since these negative arguments would not prove popular to the British public, they are being hidden in spurious and frankly false claims that data protection will cost business. Yes there will be some cost in protecting our data (not nearly as much as the government would like us to believe); but that will be more than compensated by the lower cost of doing business with dozens of different data protection regimes. The net effect of reforming data protection will be greater data protection at a lower overall cost.
But Theresa May doesn’t want us to understand that. She and David Cameron would like us to believe that they are protecting us when they are really just protecting vested interests and actually selling us down the river. They are willing to trade our privacy to keep GCHQ and big American business happy.
There is nothing yet on the AShimmy Blog – organizer of the Security Blogger Awards. But Tripwire, a Platinum Sponsor of the awards, knows the results. “We are pleased to announce that Tripwire’s The State of Security has been selected as the ‘most entertaining security blog’ at the annual Security Bloggers Network Awards for 2014,” it announced yesterday.
This will come as a mortal blow to Kevin Townsend, who learnt a few weeks ago that he had been nominated for the same award despite not being a member of the Security Bloggers Network. But, tragically, it seems to be true. Kevin Townsend’s security blog, euphemistically known as Kevin Townsend’s Security Blog, lost out to Tripwire in the annual ‘most entertaining security blog’ award.
Townsend could not be found at his offices, known as the ‘cupboard under the stairs’; but was eventually located heavily sedated and under 24-hour suicide watch at the local home for the desolate.
Questioned over this latest failure, he was magnanimous in defeat. “We lost,” he said, “to the more entertaining blog. Me and my three-legged cat and $40k company lost to a $100 million company with 400 employees. Tripwire sponsors the awards so deserves its success. I wish them well.”
We asked if he would carry on despite this latest setback, but had to explain that his reply is neither biologically nor physiologically possible. He took one of the grapes we had brought him, but he spat it out, hissing, “sour!” — and he seemed to drift back into a delirium-soaked half-life, mumbling about tents and the direction of the wind.
Sadly, we have to report that Townsend’s blog is likely to hang around. Once they let him out of the home, that is.
When I wrote the piece, Is the AV industry in bed with the NSA, I concluded that on balance it probably is. I have no evidence. It’s just that I cannot believe that an organization complicit in developing and deploying its own malware, and able to ‘socially engineer’ RSA into doing its bidding, would leave AV untouched.
Obviously I spoke to people in the industry. In private conversation with one contact, while accepting his own protestations of innocence, I asked, “What about McAfee and Symantec?” He paused; but then said, “If I had to question anyone, those are the two names that would come to mind.”
I should say, again, that I have no evidence. It’s just doubts born out of the repetition of hyped-up statistics, frequently used by government to justify its actions, and what appears to be preferential treatment from government.
A couple of months later, the Dutch digital liberty group Bits of Freedom wrote to the leading AV companies for a formal position. One of the questions it asked was, “Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software?”
My understanding is that some, but not all, AV companies replied, in writing, that they do not collaborate with governments.
F-Secure’s Mikko Hyppönen spoke yesterday at the TrustyCon conference. I wasn’t there, so this is from The Register’s report:
A surprising number of governments are now deploying their own custom malware – and the end result could be chaos for the rest of us, F-Secure’s malware chief Mikko Hyppönen told the TrustyCon conference in San Francisco on Thursday…
While ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro replied to Bits of Information, Symantec and McAfee (among others) have not responded, Hyppönen claimed.
Same names. Coincidence? I wonder.
The American tech giants – Facebook in this instance – still don’t get it over the NSA spying programmes
The following is a transcription of a brief interview given by Mark Zuckerberg. The original can be found on TechCrunch here.
I’ve tidied it up a bit – removed the ‘ums’ and ‘rights’ and ‘you knows’ – just to make it more legible. I struggled over that because they clearly demonstrate where Zuckerberg is comfortable and where he is not comfortable with what he says; but I went ahead because what he says rather than his level of comfort is important to me. Anyway, here’s what is left:
We take our role really seriously. I think it’s my job and our job to protect everyone who uses Facebook and all the information that they share with us. It’s our government’s job to protect all of us and also to protect our freedoms and protect the economy, and companies; and I think they did a bad job of balancing those things. So frankly I think that the government blew it. I think that they blew it on communicating what they [were doing]; basically the balance of what they were going for.
The morning after the start of [the scandal] breaking, people asked [the government] what they thought; and the government’s comment was, “Oh don’t worry, basically we’re not spying on any Americans.”
Right. Wonderful. That’s really helpful to companies who are trying to serve people around the world, and [it's] really gonna inspire confidence in American internet companies. Thanks for going out there and being really clear about what you’re doing. I think that was really bad.
We’ve been pushing just to get more transparency on this, and I actually think we’ve made a big difference. The big question that you get from all the coverage is, what’s the volume of the total number of requests going on? Is it closer to a thousand requests that the government is making of us, or is it closer to 100 million? I mean, from the coverage and from what the government has said you would not know the difference. But we worked really hard with the government, behind the scenes, to get to the point where we could release the aggregate number of requests. It was around 9000 in the last half year.
Does that number tell us everything we want? No. And that’s why when the conversations got to the point where we weren’t going to make further progress, we decided to sue them so that we could reveal, is it 1000 or 2000 or 3000 or 4000 or 8000 of the 9000 requests. But the reality is, because of the transparency that we pushed for, now people can know and deserve to know that the number of requests that the government is making is closer to 1000 (it’s 9000 or less in the last six months), and definitely not, you know, 10 million or 100 million…
Really, Mark? Do you think that knowing the NSA made just over 1000 requests for your customers’ details rather than 9000 makes it all right – and that they can carry on, without judicial oversight, as they are? It’s the fact, not the volume, of NSA spying that is wrong, just plain wrong. Until the American tech giants stop hiding behind their really quite meaningless ‘transparency’ demands and empty successes over the NSA, then anger – and especially non-American anger – will remain at a high level.
Oh; and did I mention the word ‘hypocrite’? Facebook suggesting that the NSA isn’t taking sufficient care over users’ privacy? Really?
There was never any doubt that the detention of David Miranda at Heathrow under section 7 of the Terrorism Act was in fact legal. Now the arbiters of The Law have confirmed it in a judgment delivered earlier this week.
There is some good news, some bad news and a lot of not-unexpected news in this judgment. The not-unexpected news is that the Terrorism Act allows GCHQ to do just about whatever it pleases. The manufactured War against Terror has had the effect of turning the UK into a police state under the control of the security services and enforced by Her Majesty’s Constabulary. Anything can be defined, with a little imagination, as a potential act of terrorism; and therefore under the jurisdiction of the over-broad power of the Terrorism Act.
The good news is that the police did not immediately nor automatically accept GCHQ’s request for a port stop (ie, detention) on David Miranda as he passed through Heathrow. It was not until the police received a detailed request precisely applied to the Terrorism Act that they were effectively forced to respond. From the ruling:
“We assess that MIRANDA is knowingly carrying material, the release of which would endanger people’s lives. Additionally the disclosure, or threat of disclosure, is designed to influence a government, and is made for the purpose of promoting a political or ideological cause. This therefore falls within the definition of terrorism and as such we request that the subject is examined under Schedule 7.”
from the David Miranda judgment
Compare this to my assessment at the time:
So, three tests for terrorism. Applying these to David Miranda, and assuming that his laptop contained Snowden documents (which would be reasonable suspicion),
- the stated purpose of the leaks is to influence government
- the stated purpose could be described as both ‘political’ and ‘ideological’
- the effect, according to government, could result in increased terrorist attacks against the UK (that is, “a serious risk to the health or safety of the public”) and is also designed “to interfere with or seriously to disrupt an electronic system” (that is, GCHQ’s Tempora surveillance system).
I think it is quite clear that under the Terrorism Act, David Miranda is a terrorist.
Was David Miranda’s detention a legal and reasonable application of the Terrorism Act?
The bad news is that this is absurd. David Miranda is clearly not a terrorist; yet the judgment confirms that what he was doing counts as an act of terrorism. That means that helping a journalist (in this case Glenn Greenwald) do his job, which most people would define as being in the public interest, can in itself be an act of terror — and that, frankly, is scary.
The Arbiters of The Law effectively confirm that the invocation of the Terrorism Act removes all other freedoms and rights:
In my judgment the Schedule 7 stop was a proportionate measure in the circumstances. Its objective was not only legitimate, but very pressing. The demands of journalistic free expression were qualified in the ways I have explained. In a press freedom case, the fourth requirement in the catalogue of proportionality involves as I have said the striking of a balance between two aspects of the public interest: press freedom itself on one hand, and on the other whatever is sought to justify the interference: here national security. On the facts of this case, the balance is plainly in favour of the latter.
This is a sad day for natural justice. But we cannot blame the judges. Their function is to interpret the law. Nor can we blame the police. Their function is to enforce the law. The blame rests solely on our weak politicians, under the sway of over-powerful intelligence services, who make the laws. It is the intelligence services, through threats and blackmail, who get their wishes translated into law. It is weak politicians who have sold out the people.