Cyber Grinches Could Disrupt Holidays’ Biggest Shopping Weekend

Online spending last year exceeded US$5.8 billion on Black Friday and Cyber Monday, according to Adobe, and that figure is expected to be even higher this year.

“If you want to mess with the economy, that’s the most disruptive time to do that,” said John Wu, CEO of Gryphon.

“A lot of retail sales have shifted from brick and mortar to online these days,” he told TechNewsWorld. “Cyber Monday is a huge day for a lot of retailers.”

Easy Target for Bot Herders

If hackers want to disrupt shopping during the Black Friday-Cyber Monday weekend, they’ll likely use a botnet composed of devices connected to the Internet of Things to do it. Such botnets recently attacked DNS provider Dyn, disrupting Internet service in the United States.

Attackers also used them to launch one of the largest DDoS attacks ever on the website of security blogger Brian Krebs.

“The reason IoT devices are being used now is because they’re so easily attacked,” Wu said. “They also have enough processing power on them to carry out these kinds of attacks.”

What’s more, devices like routers and DVRs are always on, so they’re always available for enlistment in an assault on a website.

“You can have a huge effect because you can control lots of the devices — in some cases hundreds of thousands — and flood a server,” Wu said, “and it’s very difficult to prevent these attacks, because they’re coming from IP addresses around the world. You can’t scale your bandwidth fast enough to prevent it.”

During Black Friday-Cyber Monday weekend, the situation will be exacerbated by a legitimate surge in traffic.

“Some sites went down last year because they couldn’t handle the spike in traffic to them,” Wu explained. “You could compound that effect with a denial of service attack.”


10 Million Logins an Hour

Botnets can do more than disrupt shopping traffic during Black Friday-Cyber Monday weekend. They can crack into user accounts at e-commerce sites, using the millions of username and password pairs available on the Internet from hundreds of recent data breaches.

“Because human beings reuse their passwords, that attacker is going to be successful when he uses a password stolen from another website,” said Omri Iluz, CEO of PerimeterX.

“On average, a person uses six passwords for all their online activity,” he noted.

“These attacks are very successful,” Iluz told TechNewsWorld. “With 10,000 bots, thousands of accounts can be compromised in a matter of hours.”

Automation is crucial to those kinds of attacks, however, he said. “It’s only meaningful if they can run 10 million or more login attempts in an hour to get the success rate they need.”
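The traffic shape Iluz describes (millions of stolen username and password pairs, each tried roughly once, spread across thousands of bots so no single IP looks busy) is also what gives such an attack away in login logs. The detector below is an added example written for this article, not PerimeterX's product or any code from the original page. The log format, the thresholds and the sample lines (RFC 5737 test addresses, made-up usernames) are constructed for the example; real deployments tune the thresholds against their own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login log for this example (not real data): "timestamp src_ip username result".
BASELINE_LOG = """\
2016-11-25T08:00:05 203.0.113.10 alice ok
2016-11-25T08:00:41 203.0.113.10 alice fail
2016-11-25T08:01:12 198.51.100.7 bob ok
2016-11-25T08:01:50 203.0.113.22 carol ok
2016-11-25T08:02:03 198.51.100.7 bob fail
2016-11-25T08:02:30 198.51.100.7 bob ok
"""

def constructed_attack_burst(n=40, start="2016-11-25T08:03:00"):
    """Constructed credential-stuffing burst: every line is a different leaked
    username tried once, each from a different bot IP (TEST-NET-1 addresses),
    and only a few succeed because those users reused their password."""
    t0 = datetime.fromisoformat(start)
    lines = []
    for i in range(n):
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        result = "ok" if i % 20 == 0 else "fail"
        lines.append(f"{ts} 192.0.2.{i + 1} user{i:03d} {result}")
    return lines

def parse_events(lines):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events

EPOCH = datetime(1970, 1, 1)

def window_stats(events, window_seconds=60):
    """Bucket events into fixed windows and compute, per window, the signals
    that distinguish stuffing from ordinary traffic or single-user brute force."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        offset = int((ts - EPOCH).total_seconds()) // window_seconds * window_seconds
        buckets[EPOCH + timedelta(seconds=offset)].append((ip, user, ok))
    stats = {}
    for start in sorted(buckets):
        evs = buckets[start]
        n = len(evs)
        stats[start] = {
            "attempts": n,
            "failure_rate": sum(not ok for _, _, ok in evs) / n,
            "user_spread": len({user for _, user, _ in evs}) / n,  # ~1.0: one try per username
            "ip_spread": len({ip for ip, _, _ in evs}) / n,        # ~1.0: one try per source IP
        }
    return stats

def detect_stuffing(events, window_seconds=60, min_attempts=20,
                    min_failure_rate=0.8, min_user_spread=0.8, min_ip_spread=0.5):
    """Return the windows whose shape matches distributed credential stuffing:
    a spike in attempts, almost all failing, each username tried about once,
    spread across so many source IPs that per-IP rate limits never fire.
    Thresholds are illustrative; tune them against your own baseline."""
    flagged = []
    for start, s in window_stats(events, window_seconds).items():
        if (s["attempts"] >= min_attempts
                and s["failure_rate"] >= min_failure_rate
                and s["user_spread"] >= min_user_spread
                and s["ip_spread"] >= min_ip_spread):
            flagged.append((start, s))
    return flagged

def demo():
    """Run the detector over the baseline plus the constructed burst."""
    events = parse_events(BASELINE_LOG.splitlines() + constructed_attack_burst())
    return detect_stuffing(events)

if __name__ == "__main__":
    for start, s in demo():
        print(start.isoformat(), s)
```

Note what a per-IP velocity limit would have seen here: one failed login from each of 40 addresses, which is nothing. The signal only appears when the window is viewed as a whole, and the handful of successful logins inside a flagged window are the accounts to lock and force through a password reset.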

Gift Card Scams on Steroids

Digital desperadoes also have brought the power of bots to another holiday scam: compromising gift cards. After figuring out how gift card numbers are generated for a retailer, an attacker can write a script for the botnet to execute to determine if there’s a balance on the card.

A hacker could check tens or hundreds of millions of combinations in that way and then register and sell cards discovered to have a balance.
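Why "figuring out how gift card numbers are generated" is the whole attack: the check digit on a card number is computed with the public Luhn algorithm, so it filters typos, not guesses. The block below is an added example written for this article (not code from the page, any retailer or any bot): a toy issuer with a predictable scheme (issuer prefix, sequential counter, Luhn digit) beside one that draws the digits from a CSPRNG, the neighbor-walk a bot would run against a balance-check endpoint, and a server-side velocity check. The prefix 6012, the card counts, the balances and the search radius are assumed values chosen for the example.

```python
import secrets

PREFIX = "6012"  # assumed issuer prefix for the example

def luhn_check_digit(body: str) -> str:
    """Luhn check digit for `body`; the algorithm is public, so it adds format validity, not secrecy."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def predictable_card(counter: int) -> str:
    """Weak scheme: prefix + 11-digit sequential counter + Luhn digit (16 digits)."""
    body = PREFIX + f"{counter:011d}"
    return body + luhn_check_digit(body)

def random_card(_counter: int = 0) -> str:
    """Stronger scheme: prefix + 11 CSPRNG digits + Luhn digit; format-valid but unguessable."""
    body = PREFIX + f"{secrets.randbelow(10 ** 11):011d}"
    return body + luhn_check_digit(body)

def issue(generator, n_cards: int, balance_cents: int = 2500) -> dict:
    """The issuer's active-card table: card number -> balance (constructed data)."""
    return {generator(i): balance_cents for i in range(1, n_cards + 1)}

def enumerate_near(known_card: str, radius: int) -> list:
    """Attacker's guess list: every 15-digit body within +/- radius of a card
    they already hold, Luhn-completed so each guess passes format checks."""
    base = int(known_card[:-1])
    guesses = []
    for delta in range(-radius, radius + 1):
        body = f"{base + delta:015d}"
        guesses.append(body + luhn_check_digit(body))
    return guesses

def balance_probe(active: dict, guesses: list) -> int:
    """What the botnet learns from an unthrottled balance check: how many guesses hit a live card."""
    return sum(1 for g in guesses if g in active)

class BalanceEndpoint:
    """Server-side velocity check: one client may look up only `max_cards` distinct
    numbers; a shopper checks a few, a bot checks thousands. A botnet's answer is to
    spread lookups across many clients, so this is defense in depth, not a substitute
    for unpredictable numbers and a separate PIN."""
    def __init__(self, active: dict, max_cards: int = 5):
        self.active, self.max_cards, self.seen = active, max_cards, {}

    def lookup(self, client_id: str, card: str):
        seen = self.seen.setdefault(client_id, set())
        seen.add(card)
        if len(seen) > self.max_cards:
            return None  # throttled
        return self.active.get(card, 0)

def demo(n_cards: int = 50_000, radius: int = 500):
    """Compare both schemes; the attacker holds one legitimately bought card from each issuer."""
    weak, strong = issue(predictable_card, n_cards), issue(random_card, n_cards)
    weak_hits = balance_probe(weak, enumerate_near(predictable_card(n_cards // 2), radius))
    strong_hits = balance_probe(strong, enumerate_near(next(iter(strong)), radius))
    return weak_hits, strong_hits

if __name__ == "__main__":
    print("live cards found near a known card (predictable, random):", demo())
```

With the sequential scheme every one of the 1,001 guesses around the attacker's own card is a live card; with CSPRNG digits the only hit is the card the attacker already owns, because 50,000 cards are scattered over 10^11 bodies. The distinct-card limit on the endpoint is what makes the remaining brute force expensive per bot.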

Unsafe mobile apps also might victimize Black Friday-Cyber Monday shoppers.

Researchers found 5,198 Black Friday apps in global app stores for a recent RiskIQ study. Of those, one in 10 already had been tagged as malicious and unsafe to use.

Be Paranoid

Online bandits also are exploiting the reputation of some of the largest e-commerce sites on the Web to prey on consumers.

The top five brands leading in e-commerce have had a combined total of more than 1,950 blacklisted URLs that contain their branded terms as well as “Black Friday” and are linked to spam, malware or phishing, the RiskIQ report notes.

The same is true of apps from those brands. More than 1 million blacklisted apps reference one of the leading e-commerce brands in either their title or description, according to the study.

While consumers can’t do anything about a DDoS attack on one of their favorite shopping sites, they can protect themselves from attacks aimed directly at them.

“Consumers need to be paranoid about what kinds of things people might do to lure them into scams,” said Venkat Rajaji, senior vice president for marketing at Core Security.

“You’ve got to keep your guard up during the holiday season. Don’t click on any link in a consumer email unless it’s a highly, highly trusted source,” he told TechNewsWorld.

“You’ve got to be paranoid,” Rajaji added. “You’ve got to assume the worst when you’re shopping.”

Breach Diary

  • Nov. 14. Data breach at Friend Finder Network places at risk personal information in more than 412 million accounts.
  • Nov. 14. Adobe agrees to pay $1 million to 15 states to settle case stemming from 2013 data breach at the company, which resulted in unauthorized access to accounts of some 552,000 people.
  • Nov. 15. Seventeen-year-old boy pleads guilty in UK to data breach last year at telecommunications provider TalkTalk, which resulted in unauthorized access to personal data of nearly 160,000 people.
  • Nov. 15. TalkTalk reports profits more than doubled to $75 million from $31 million during the 12 months following a data breach at the telecommunications provider.
  • Nov. 15. Kryptowire discovers several models of Android mobile devices sold through major U.S.-based online retailers, which contain firmware that collects sensitive personal information without the owner’s knowledge or consent, and sends it to third-party servers.
  • Nov. 16. Workers at Indian security firm AI Solutions are discovered selling phone records of Australians obtained from call centers of Optus, Telstra and Vodafone.
  • Nov. 16. Database configuration error exposes to public Internet personal information of nearly 25,000 members of Sheet Metal Workers Local Union No. 104 in California.
  • Nov. 16. Protenus reports month-to-month decline in healthcare data breaches to 35 in October from 37 in September, although the number of patient records compromised increased to 776,533 from 246,876.
  • Nov. 16. Personal records of more than 34 million residents of the Indian state of Kerala are posted to Facebook by a hacker disenchanted with the security of the state’s computer systems, GulfNews reports.
  • Nov. 17. Chicago Public Schools notifies families of some 30,000 students that confidential information about them was shared improperly with a charter school operator for use in a mail advertising campaign.
  • Nov. 18. The Three mobile network in the UK reports personal information of more than 130,000 customers was compromised by data breach made public earlier in the week and for which three men were arrested on Wednesday.
  • Nov. 18. Michigan State University announces it will notify some 400,000 current and former students and staff of data breach that has compromised their personal information.
  • Nov. 19. Russian telecom watchdog Roskomnadzor discovers data breaches at 55 websites that contain personal information of children who have written to “Father Frost,” the Russian Santa Claus.

Upcoming Security Events

  • Nov. 28-30. FireEye Cyber Defense Summit 2016. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: through Sept. 30, general admission, $495; government and academic, $295; Oct. 1- Nov. 21, $995/$595; Nov. 22-30, $1,500/$1,500.
  • Nov. 29, Secure Your Enterprise to Maintain Quality of Care. 5 a.m. ET. Webinar by Alto Networks, Free with registration.
  • Nov. 29-Dec. 1. Gartner Identity & Access Management Summit. Caesars Palace, 3570 Las Vegas Blvd. South, Las Vegas, Nevada. Registration: $2,850; public sector, $2,350.
  • Nov. 30. Smart Cities & Critical Infrastructure Cyber Attack Vulnerabilities. 9 a.m. ET. Webinar by Cyber Education Centre. Free with registration.
  • Nov. 30. How is Data Analytics Reducing Payments Fraud? 10 a.m. ET. Webinar by BrightTalk and Fiserv. Free with registration.
  • Nov. 30. Cyber Attackers and the Law – Threats, Challenges & Regulations. 11 a.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Nov. 30. Threat Hunting for Command and Control Activity. 2 p.m. ET. Webinar by Sqrrl. Free with registration.
  • Nov. 30. Securing the Cloud: Trends in Cloud, Collaboration & Security. 2 p.m. ET. Webinar by Dropbox. Free with registration.
  • Nov. 30. Cyber-Intelligence: Protecting Yourself Against Your Own Worst Enemy. 2 p.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Nov. 30. Intelligence: The Planners Strategic Edge. 3 p.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Nov. 30. Cyber Supply Chains: Risks & Protection. 4 p.m. ET. Webinar by U.S. Cyber Defence Advisor to NATO. Free with registration.
  • Nov. 30. How Artificial Intelligence Supports Security Science in Security Operations. 5 p.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Nov. 30. Best Practices for Preparing for Breaches. 1 p.m. ET. Webinar by Centre for Strategic Cyberspace + Security Science. Free with registration.
  • Dec. 1. The Big Challenge of Big Data: Untangling the Security Conundrum. 11 a.m. ET. Webinar by Gemalto. Free with registration.
  • Dec. 2-3. B-Sides Philadelphia. Drexel University, 3141 Chestnut St., Philadelphia, Pennsylvania. Free.
  • Dec. 6. The 2017 Threatscape. 9 a.m. ET. Webinar by ISF Ltd. Free with registration.
  • Dec. 6. Storm on the Horizon — 2017 Threats Both Foreign and Familiar. 2 p.m. Webinar by OCD Tech. Free with registration.
  • Dec. 7. Insider Threats and Critical Infrastructure: Vulnerabilities and Protections. 10 a.m. ET. Webinar by @LKCyber. Free with registration.
  • Dec. 7. Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing. Webinar by ZeroFOX. Free with registration.
  • Dec. 7. Quantum Threats: The Next Undefended Frontier of Cybersecurity. 1 p.m. ET. Webinar by Isara Corporation. Free with registration.
  • Dec. 7. Trends in Email Fraud, and How to Prevent Enterprise-Facing Email Attacks. 2 p.m. ET. Webinar by Agari. Free with registration.
  • Dec. 8. Cybersecurity Trends — Security Analytics Is the Game Changer. 1 p.m. ET. Webinar by Interset. Free with registration.
  • Dec. 8. I Heart Security: Developing Enterprise Security Programs for Millennials. 5 p.m. ET. Webinar by NCC Group. Free with registration.
  • Dec. 12. How Cybersecurity, Technology and Risk Is Maturing the Role of the Modern CISO. 5 p.m. ET. Webinar by City of San Diego, California. Free with registration.
  • Dec. 13. You CAN Measure Your Cyber Security After All. 1 p.m. ET. Webinar by Allure Security Technology. Free with registration.
  • Jan. 12. FTC PrivacyCon. Constitution Center, 400 7th St. SW, Washington, D.C. Free.
  • Jan. 16. You CAN Measure Your Cyber Security After All. 1 p.m. ET. Webinar by Allure Security Technology. Free with registration.

$5 PoisonTap Tool Easily Breaks Into Locked PCs

Proving once again that you can do a lot of damage with a little investment and a lot of ingenuity, security researcher Samy Kamkar recently managed to break into a locked, password-protected computer armed with only a US$5 Raspberry Pi Zero.

The low-tech cookie-siphoning intrusion is one of Kamkar’s simplest hacks ever. He previously has unlocked car doors, garages, wireless remote cameras and other devices, with MacGyver-like precision.


Kamkar’s latest hack, PoisonTap, uses a Raspberry Pi Zero, a micro SD card, and a micro USB cable or other device that emulates USB, including USB Armory or LAN Turtle.

Windows, OS X and Linux recognize PoisonTap as an Ethernet device, load it as a low-priority network device, and perform a DHCP request across it, even if the computer is locked or password-protected, Kamkar explained.

PoisonTap provides the computer with an IP address. However, the DHCP response is crafted to tell the machine that the entire IPv4 space, 0.0.0.0 through 255.255.255.255, is part of PoisonTap’s local network rather than a small subnet, he said. Because a host picks the most specific route that matches a destination, “local” routes that together cover the whole Internet beat the real uplink’s less specific default route, so the USB interface’s low priority never comes into play: every Internet-bound packet is now handed to PoisonTap.

If a Web browser is running in the background, one of the open pages will likely make an HTTP request in the background, for example to refresh an ad or poll an API, noted Kamkar. PoisonTap spoofs the reply, returning its own address, and the HTTP request hits the PoisonTap Web server.

When PoisonTap’s Node Web server gets the request, it returns a response the browser interprets as HTML or JavaScript.

From there, the attacker is able to hijack all Internet traffic from the machine and siphon and store the HTTP cookies the Web browser holds for the top 1,000,000 Alexa websites.
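The routing trick in the paragraphs above, as an added example written for this article (not PoisonTap’s own code, which is a Node project): the RFC 3442 classless-static-route DHCP option with which a rogue DHCP server can hand a host two /1 routes that together cover the whole IPv4 space, a longest-prefix-match lookup showing why those routes win over the real uplink’s default route despite a worse metric, and a check that flags any interface claiming more than half the Internet as directly attached. The interface names, the metrics, the 1.0.0.1 gateway and the destination addresses are assumed values for the example, not Kamkar’s configuration.

```python
import ipaddress

def encode_classless_static_routes(routes):
    """Build DHCP option 121 (RFC 3442) from (network, router) pairs: for each route,
    the prefix length, only the significant bytes of the destination, then the router."""
    body = bytearray()
    for net, router in routes:
        net = ipaddress.IPv4Network(net)
        body.append(net.prefixlen)
        body += net.network_address.packed[: (net.prefixlen + 7) // 8]
        body += ipaddress.IPv4Address(router).packed
    return bytes([121, len(body)]) + bytes(body)

# Two /1 routes via the rogue device's gateway cover every IPv4 address.
# 1.0.0.1 is an assumed gateway address for the example.
ROGUE_ROUTES = [("0.0.0.0/1", "1.0.0.1"), ("128.0.0.0/1", "1.0.0.1")]

def route_lookup(table, dst):
    """Longest-prefix match over (network, interface, metric) rows, as a host's
    kernel does; a lower metric only breaks ties between equally specific routes."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for net, iface, metric in table:
        n = ipaddress.IPv4Network(net)
        if d in n and (best is None or (n.prefixlen, -metric) > best[0]):
            best = ((n.prefixlen, -metric), iface)
    return best[1] if best else None

# Constructed routing table: wlan0 is the trusted uplink with the better metric,
# usb0 is the just-plugged-in device whose DHCP lease installed the two /1 routes.
TABLE = [
    ("0.0.0.0/0", "wlan0", 100),       # default route via the real gateway
    ("192.168.1.0/24", "wlan0", 100),  # the real LAN
    ("0.0.0.0/1", "usb0", 600),
    ("128.0.0.0/1", "usb0", 600),
]

def suspicious_interfaces(table, fraction=0.5):
    """Flag interfaces whose non-default routes cover at least `fraction` of the
    IPv4 space; no legitimate LAN claims half the Internet as on-link."""
    per_iface = {}
    for net, iface, _ in table:
        n = ipaddress.IPv4Network(net)
        if n.prefixlen > 0:
            per_iface.setdefault(iface, []).append(n)
    flagged = set()
    for iface, nets in per_iface.items():
        covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
        if covered >= fraction * 2 ** 32:
            flagged.add(iface)
    return flagged

if __name__ == "__main__":
    print("option 121:", encode_classless_static_routes(ROGUE_ROUTES).hex())
    print("93.184.216.34 ->", route_lookup(TABLE, "93.184.216.34"))
    print("192.168.1.5   ->", route_lookup(TABLE, "192.168.1.5"))
    print("suspicious:", suspicious_interfaces(TABLE))
```

The lookup shows the nuance that makes the attack quiet: traffic to the real LAN still matches the more specific /24 on wlan0 and keeps working, while everything destined for the Internet is matched by a /1 on usb0 and silently leaves through the attacker’s device. The same coverage check can be run over the output of `ip route` or `route print` on a host that should never see a route shorter than its own default.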

 Low-Cost Havoc

“The PoisonTap project is an extremely clever and creative attack that can have serious consequences,” said Mark Nunnikhoven, vice president for cloud research at Trend Micro.

“The code is public, and hardware required to run it is only a few dollars, which increases the risk to average users,” he told TechNewsWorld. “However, it still takes some effort for an attacker to steal the user’s data.”

For the device to work, the attacker needs physical access to the machine while a Web browser is running in the background, noted a Symantec researcher in comments provided to TechNewsWorld by spokesperson Jenn Foss.

The risk is lower when a machine has restricted physical access. The risk is higher when a machine is in the public domain, where anyone potentially has access to it — for example, at a sidewalk cafe.

Open Source Factor

It might be easier to build a solution to the hack, given that Kamkar’s attack was conducted over an open source language, suggested the Symantec researcher. “If someone slips a secret backdoor into an open source project, chances are someone will find it quickly. Often open source is quicker to address vulnerabilities as an open source community can be very large.”

In addition, if someone creates a tool and the source code is publicly available, anyone can read the code and develop proper protection for the future, the Symantec researcher pointed out.

“It’s certainly very creative work, and it shows just how many attack vectors exist that we’ve yet to really consider,” remarked Troy Hunt, Microsoft MVP-Developer Security.

“However, it also requires physical access — and once you get to that point, there’s a lot of avenues available to an attacker,” he told TechNewsWorld.

The use of HTTPS could have crippled this particular attack, Hunt noted, and we don’t normally think of that as being a defense against an adversary with physical access.