Hello <<First Name>>, and welcome to this issue of the Science of Security and Privacy - Reviews & Outreach (R&O)! Its purpose is to highlight some of the exciting research, news, and events that impact our technical community. All presented materials are available on or through the Virtual Organization portal.
IN THIS ISSUE:
Cyber Scene -
Grid Lock, Here and There

Before discussing somewhat somber cyber-related issues developing or breaking over the prior month, let's look at the June "celebration of cyber" edition of "Wired," in a sense a counterpoint to Roger McNamee's dour "Time Magazine" technology review, all of which is linked directly or indirectly to cybersecurity. "Wired's" Paul Ford launches "Why I (still) Love Tech: In defense of a difficult industry" to remind us why he is "proudshamed" (sic) of the growth of technology. His journey begins with the annual Davos global conference themes of 1996 "Sustaining Globalization" and 1997 "Building the Network Society" and their logical linkage. On a personal level, he envisions someone in his youth, unimaginably at that time, predicting that he could carry "a few thousand Cray supercomputers in my pocket." He goes on to ask how one can change an industry that "just won't stop" and morphs in incredible ways, like U2's worldwide success leading to "Bono hanging out with Paul Wolfowitz." Surrealist, indeed. He reviews a day in his contemporary life and closes with "Proudshamed, yes, but I still love it ... down to the pixels and processors, and up to the buses and bridges ... but the miracle is over, and there is an unbelievable amount of work left for us to do."

And as to that work ...

Grid Lock, Here and There

In a dystopian world, things fall apart. Cyberattacks on infrastructure, e.g., the systems directing the buses and toll booths for the NYC bridges Paul Ford mentioned above, cripple an individual's daily life. Baltimore, MD, and Riviera Beach, FL, know this life. Beyond the press discussions of who has the digital "smoking gun" and who created it, Baltimore has been subjected to extortion, with an estimated $18M cost to repair the computer shutdowns that disrupted health alerts, real estate sales, water bills and other services, according to a series of articles by NYT's Scott Shane and Nicole Perlroth (NYT 25 May, 31 May). While portions of this group of attacks, so far on Baltimore, Allentown PA and San Antonio TX, may have been related to missing Microsoft patches (updates, updates!!), the attacks occurred nonetheless. Riviera Beach, as reported by Patricia Mazzei (NYT 20 June), simply sent a Bitcoin "check" equivalent to $592,000 to end the ransomware attack that closed down the entire city computer system, starting with the police officer who opened an infected email.

David Sanger and Nicole Perlroth report separately (NYT 15 June) that National Security Advisor John Bolton on 11 June warned "...Russia, or anybody else that's engaged in cyberoperations against us, 'You will pay a price.'" The article goes on to discuss digital land mines reportedly laid in Russia's power grid to return the favor. CYBERCOM Commander General Paul Nakasone is quoted as advocating the need to "defend forward." The return volley arrived on 17 June, with the Kremlin spokesman warning of an escalation of tension that may lead to a cyberwar, despite his confidence in Russia's ability to defend itself, per NYT's Ivan Nechepurenko (NYT 17 June).

“…the Terrible SWIFT Sword?”

In a discussion of the intermingling of trade and cyberwar, the "Economist" (6 June) addresses the vulnerability of interdependent tech supply chains. It opens in "Pinch Point" with a description of the mayhem in the literal wake of the earthquake that struck Japan. It points out that cataclysmic events--floods, fires, tsunamis, earthquakes (and more of them)--provide rude tests of the supply chain in a digital world. It transposes these events to a "geopolitical shock" linked to Cyber Scene's earlier discussions of Huawei and its 5G blacklisting by the US. Citing two US academics, Henry Farrell of George Washington University and Abraham Newman of Georgetown University, the "Economist" refers to the temptation of weaponizing interdependence. One option the US is reportedly considering is cutting countries that deal with Huawei off from the SWIFT international banking/clearing network.

The "Economist" article also includes an informative chart entitled "Interdependence days" laying out a smartphone example of digital supply chain interdependence in a globalized world.

An aside from your author: "weaponizing trade" is becoming a ubiquitous term, but the use of economics as a tool of statecraft is not a new arrival to the strategic toolkit. The National War College (motto: "Strategy in war and peace") teaches the "DIME" approach (chapter IV page 13): diplomacy, information (to include intelligence), military might, and economic power. Note that several prominent military leaders --Generals Jim Mattis, Colin Powell, Dwight D. Eisenhower, and George C. Marshall himself, inter alia-- have underscored starting with the "diplomatic dime" instead of the "military dollar" to avoid General Powell's Pottery Barn rebranding: "you break it, you own it." General Marshall also invested in a version of "E." Japan and Germany remember; Afghanistan and Iraq not so much.

Back to the Future

Elections, Also Here and There

The European Union Commission's foreign policy and security arm determined that Russia and other, non-state, actors sought to undermine the May 2019 EU elections through disinformation intended to "suppress turnout and influence voter preferences," as reported by the NYT's Adam Satariano (14 June). Satariano notes that many investigators, academics and advocacy groups had warned of this, fearing the Kremlin's spread of divisive content online "to inflame and stoke electorates all over the world."

Just days earlier (NYT 6 June), Nicole Perlroth and Matthew Rosenberg analyzed how legal roadblocks impede US 2020 presidential candidates from accessing a wide range of cybersecurity assistance, some of it offered free of charge or at a discount to all candidates, because such support is considered an "in-kind donation." The issue came to a head in early June when lawyers at the Federal Election Commission advised the Commission to deny a request from a Silicon Valley tech firm asking to provide services to all candidates at a discount. A US Senate bill to allow political parties to provide greater cybersecurity assistance to candidates stalled when the majority leader declined to bring it to the floor for a vote. On the other hand, FBI Director Christopher Wray is cited as warning in April 2019 that Russian election interference continued to pose a significant counterintelligence threat and that the 2016 and 2018 efforts were "a dress rehearsal for the big show in 2020." The article cites JPMorgan Chase CEO Jamie Dimon as saying that the bank spends nearly $600M a year on security; Bank of America's CEO says his bank has a "blank check" for cybersecurity. Several additional cybersecurity experts reinforce this looming crisis and point out that the 2020 campaigns have neither the expertise nor the finances to deal with this nation-state threat.

On the academic front, ...  more ► 

SoS Musings - DNS Attacks

The Domain Name System (DNS) is a fundamental element of the Internet: it acts as a distributed phone book, mapping easily remembered hostnames such as www.cps-vo.org to the numerical IP addresses that computers and network devices use to locate and communicate with each other. When a user types a domain name into a browser, the computer asks a DNS server (a recursive resolver) which IP address matches the requested name; once the address is returned, the connection is made and the web page is retrieved. Requests typically go to the resolvers provided by an Internet service provider (ISP) or, if the user is behind a home router, to the router itself, which in turn forwards them to the ISP's default resolvers. The resulting name-to-address mapping is then stored in a local cache, so the lookup can be skipped when the same domain is requested again. Concerns arise because security was not considered in the original design of DNS, which lets attackers abuse its weaknesses and vulnerabilities through a variety of attacks. In 2018, a survey conducted by EfficientIP brought further attention to the growth of DNS attacks in both frequency and cost. According to the survey, to which 1,000 IT managers in North America, Asia, and Europe responded, the average cost of a DNS attack increased by 57%, from $456,000 in 2017 to $715,000 in 2018, and organizations experienced an average of seven DNS attacks within that time frame. Proofpoint's Domain Fraud Threats Report and IDC's 2019 Global DNS Threat Report also reveal the increased frequency and cost of DNS attacks. There has been a 34% increase in DNS attacks experienced by organizations as well as a 49% increase in the average cost of such attacks since 2018. Security professionals must continue to develop and follow best practices for securing DNS against attacks.
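To make the resolution exchange above concrete, here is an added example (not code from the newsletter or any vendor) that builds a DNS query in wire format, parses a constructed response, and applies the checks a resolver must make before caching an answer. The 16-bit transaction ID is chosen randomly; a forged response that does not match it (and the UDP source port, which this offline example does not model) must be rejected. The sample IP addresses and the single-A-record response are constructed for the demo, and the "answer name must equal the question name" rule is a simplification of the bailiwick rules real resolvers apply.

```python
"""Build a DNS query, parse a response, and check it before caching.
Added example using only the standard library; runs offline."""
import os
import struct


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, ending in 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following RFC 1035 compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier occurrence of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes) -> dict:
    """Parse header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def build_a_response(query: bytes, txid: int, ip: str, ttl: int = 300) -> bytes:
    """Constructed response for the demo: echoes the question, adds one A record.
    A forger on the wire has to guess txid (and the source port) to get accepted."""
    question = query[12:]  # our query carries exactly one question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)  # name pointer -> offset 12
    return header + question + rr + bytes(int(x) for x in ip.split("."))


def accept_answer(query: bytes, response: bytes) -> bool:
    """Checks before caching: txid matches, QR bit set, question echoed
    unchanged, and every answer is for the name that was asked about."""
    q, r = parse_response(query), parse_response(response)
    if r["txid"] != q["txid"] or not r["flags"] & 0x8000:
        return False
    if r["questions"] != q["questions"]:
        return False
    asked = q["questions"][0][0]
    return all(name == asked for name, _, _, _ in r["answers"])


if __name__ == "__main__":
    txid = int.from_bytes(os.urandom(2), "big")  # random ID; forger must guess it
    q = build_query("www.cps-vo.org", txid)
    genuine = build_a_response(q, txid, "203.0.113.10")
    forged = build_a_response(q, (txid + 1) & 0xFFFF, "198.51.100.66")
    print("genuine accepted:", accept_answer(q, genuine))
    print("forged accepted: ", accept_answer(q, forged))
```

The forged packet differs from the genuine one only in its transaction ID, which is why resolvers that also randomize the source port and keep the ID unpredictable make blind poisoning expensive, and why a resolver that accepted any well-formed answer for a pending question would be trivially poisoned.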
 
Security experts have cited a number of DNS attacks that need to be further explored and prevented. Among those most frequently used by hackers to infiltrate networks, enable phishing, or disrupt responses to legitimate DNS requests are DNS hijacking, DNS flood attacks, distributed reflection denial of service (DRDoS), cache poisoning, and DNS tunneling. DNS hijacking refers to attacks in which DNS requests are intercepted and redirected to rogue or compromised DNS servers or domains, whether by modifying DNS records (for example through the exploitation of vulnerabilities in a domain name registrar's system) or by changing the resolver settings of a compromised device. A DNS flood is a form of distributed denial-of-service (DDoS) attack that disrupts resolution for a targeted domain by overwhelming that domain's DNS servers with requests, leaving them unable to answer legitimate traffic. DNS cache poisoning, also known as DNS spoofing, reroutes traffic by corrupting the answers a resolver has cached: the attacker sends forged responses that impersonate the legitimate server, racing the genuine reply; if the resolver accepts the forgery, it caches the attacker's choice of IP address for the domain and serves it to every client until the entry expires. Cache poisoning can thus send unsuspecting users to phishing websites or to pages that distribute malware. If attackers want to use DNS as a covert communication channel or as a way to exfiltrate data from a network, they can perform DNS tunneling, embedding data from other programs inside DNS queries and responses. Because DNS traffic is almost always permitted to leave a network, tunneling lets attackers bypass security controls such as firewalls and evade detection. Other attacks highlighted by security experts include random subdomain attacks, phantom domain attacks, and NXDOMAIN attacks.
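Tunneling and random-subdomain (NXDOMAIN) abuse both leave a signature in resolver logs: many distinct, never-repeated subdomains under one zone, and, for tunneling, long labels whose character entropy is far above that of human-chosen hostnames. The detector below is an added example, not code from the page or any vendor. It assumes a simplified log line format ("client qname qtype rcode"), treats the last two labels as the zone (a real detector would use the public suffix list), and uses thresholds that are illustrative rather than tuned; the log lines it runs over are constructed inline.

```python
"""Flag DNS tunneling and random-subdomain floods from query logs.
Added example; the sample log is constructed, not captured traffic."""
import base64
import math
import random
from collections import defaultdict

_rng = random.Random(7)  # fixed seed so the constructed sample is reproducible


def _rand_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


def _tunnel_label() -> str:
    # 25 random bytes -> 40 base32 characters, the shape of a data-carrying chunk
    return base64.b32encode(_rand_bytes(25)).decode().lower()


# Constructed sample: "client qname qtype rcode", one query per line.
SAMPLE_LOG = (
    ["10.0.0.5 www.cps-vo.org A NOERROR", "10.0.0.5 mail.example.com MX NOERROR",
     "10.0.0.5 www.example.com A NOERROR", "10.0.0.5 cdn.example.com AAAA NOERROR",
     "10.0.0.5 www.cps-vo.org A NOERROR", "10.0.0.5 api.example.com A NOERROR"]
    # tunnel client: unique high-entropy chunks as TXT queries under one zone
    + [f"10.0.0.7 {_tunnel_label()}.t.evil-example.net TXT NOERROR" for _ in range(10)]
    # random-subdomain flood: unique short labels that all return NXDOMAIN
    + [f"10.0.0.9 {_rand_bytes(4).hex()}.victim-example.org A NXDOMAIN" for _ in range(12)]
)


def shannon_entropy(s: str) -> float:
    """Bits per character; ~1.5-2.5 for real hostnames, >4 for encoded data."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str):
    """Return (prefix, zone), taking the last two labels as the zone.
    Simplification: production code would consult the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    client, qname, qtype, rcode = line.split()
    prefix, zone = split_zone(qname)
    return {"client": client, "prefix": prefix, "zone": zone,
            "qtype": qtype, "rcode": rcode}


def analyze(lines, min_queries=8, entropy_threshold=3.5, long_label=30, nx_ratio=0.8):
    """Group queries by (client, zone) and label suspicious groups.
    Returns {(client, zone): "dns-tunneling" | "random-subdomain"}."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        groups[(rec["client"], rec["zone"])].append(rec)
    findings = {}
    for key, recs in groups.items():
        if len(recs) < min_queries:  # too little traffic to judge
            continue
        prefixes = [r["prefix"] for r in recs]
        unique_ratio = len(set(prefixes)) / len(recs)
        mean_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(recs)
        max_label = max(len(lbl) for p in prefixes for lbl in p.split("."))
        nxd = sum(r["rcode"] == "NXDOMAIN" for r in recs) / len(recs)
        if unique_ratio >= 0.9 and mean_entropy >= entropy_threshold and max_label >= long_label:
            findings[key] = "dns-tunneling"
        elif unique_ratio >= 0.9 and nxd >= nx_ratio:
            findings[key] = "random-subdomain"
    return findings


if __name__ == "__main__":
    for (client, zone), verdict in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{client:10} {zone:20} {verdict}")
```

The two rules deliberately differ: tunneling is recognised by the content of the labels (entropy and length) and usually resolves successfully, while a random-subdomain flood uses short, unremarkable labels and is recognised by the NXDOMAIN ratio, since its aim is to exhaust the authoritative server rather than to carry data. Both rules key on the unique-prefix ratio, which separates them from busy but legitimate clients that repeat the same few names.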
 
Recent research and incidents have brought further attention to the rising frequency, complexity, and severity of DNS attacks. Sea Turtle is a hacker group discovered to be targeting government organizations, primarily in the Middle East and North Africa, including intelligence agencies and ministries of foreign affairs, in an espionage campaign that used DNS hijacking to gain access to sensitive networks; the campaign hijacked the domains of 40 different organizations in 13 countries. A team of researchers discovered a new cache-poisoning attack that targets the client-side DNS cache. It can be launched against Android, Ubuntu Linux, macOS, and Windows to poison the operating system's cache with malicious mappings, so that every user of that machine who visits the poisoned domain is sent to an attacker-controlled web server. Gmail, Netflix, and PayPal users recently fell victim to DNS hijacking: the DNS settings of compromised consumer routers were modified so that users of these highly popular services were redirected to fake websites designed to trick them into entering their credentials.

Fidelis Cybersecurity highlighted the use of the DNS protocol by malware authors as ...  more ► 
Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view its description and links to the publications.
HARD PROBLEMS 2018 TOPICS

Information Theoretic Security
Machine Learning and Security
Malware Analysis
Malware Analysis and Graph Theory
Malware Classification
MANET Attack Detection
MANET Attack Mitigation
MANET Attack Prevention
 more ►
In the News
List of selected articles from recent SoS-VO postings with links to the entries on SoS-VO site.

"Researchers: Aircraft Landing Systems Vulnerable"

"Industrial Robotics - Are You Increasing Your Cybersecurity Risk?"

"Middle East-Linked Hacking Group Is Working Hard to Mask Its Moves"

"Ransomware Not Gone but More Targeted, Report Says"

"Consumer IoT Devices Are Compromising Enterprise Networks"

"New All-Fiber Device Simplifies Free-Space Based Quantum Key Distribution"

"Crowdsourced Security Gaining Ground for IoT and Enterprise"

"Solving the Network Visibility Problem with NaaS"

"Attackers Could Use Mobile Device Sensors to Generate Unique Device Fingerprint: Research"

"The Pentagon is Trying to Secure Its Networks Against Quantum Codebreakers"

"General Data Protection Regulation (GDPR): What You Need to Know to Stay Compliant"

"Web App Vulnerabilities Flying Under Your Radar"

"CSL Researchers Add ‘Time-Travel’ Feature to Solid State Drives to Fight Ransomware Attacks"

"From Viruses to Social Bots, Researchers Unearth the Structure of Attacked Networks"

"Secure Metropolitan Quantum Networks Move a Step Closer"

"Unknowingly Loading Malicious Content from 'Trusted' Sites"

"Apple Just Patched a Modem Bug That's Been in Macs Since 1999"

"Vulnerability of Cloud Service Hardware Uncovered"

"ForeScout: Without Visibility and Control, OT Security Remains at Severe Risk"

"Is AI Fundamental to the Future of Cybersecurity?"

"The Growing Importance of Bio-Cybersecurity"

"ARCHANGEL: Securing National Archives with AI and Blockchain"

"Organizations Still Struggle to Manage Vulnerability Patches, Report"

"What the Baltimore Ransomware Attack Means for Incident Response Communications"

"2018 in Numbers: Data Breaches Cost $654 Billion, Expose 2.8 Billion Data Records in the U.S."

"Malboard: New Computer Attack Mimics User’s Keystroke Characteristics, and Evades Detection"

"Will Biometrics Replace Passwords For Online Payment Authentication?"

"DiMe: Calling All Who Serve in Digital Medicine"

"UTSA Develops First Cyber Agility Framework to Measure Network Protection over Time"

"What’s the Best Approach to Patching Vulnerabilities?"

"Is There a Weak Link in Blockchain Security?"

"FBI Issues Warning on 'Secure' Websites Used For Phishing"

"Hackproofing Smart Meters"

"How Human Bias Impacts Cybersecurity Decision Making"

"New RCE Vulnerability Impacts Nearly Half of the Internet's Email Servers"

"The Next Big Privacy Hurdle? Teaching AI to Forget"

"Hackers Have Carried out 12 Billion Attacks Against Gaming Web Sites in 17 Months"

"How 5G Introduces New Security Vulnerabilities"

"Human Error Still the Cause of Many Data Breaches"

"Better Cybersecurity Research Requires More Data Sharing"

"Max-Severity Bug in Infusion Pump Gateway Puts Lives at Risk"

"Quantum – a Double-Edged Sword for Cryptography"

"New Cyber Protection Technology Moves from the Lab to the Marketplace"

"Eliminating Infamous Security Threats"

"Research Shows Tesla Model 3 and Model S are Vulnerable to GPS Spoofing Attacks"

"SUTD Researchers Enhance Security In Proof Of Stake Blockchain Protocols"

"These Wi-Fi Extenders Had Vulnerabilities That Gave Hackers Complete Control"
 
This is a sample of the news items on the SoS site; more ► are available.
Upcoming Events

IEEE 4th International Verification and Security Workshop (IVSW)
Jul 1-3, Rhodes Island, Greece

7th ACM Workshop on Information Hiding and Multimedia Security
Jul 3-5, Paris, France

UMD Cyber Defense Training Camp
Jul 7-13, College Park, MD

Summer '19 SoS Quarterly Meeting
Jul 9-10, Lawrence, KS

International Conference on Cloud of Things and Wearable Technologies
Jul 11-12, Detroit, MI

Eighth International Conference on Emerging Security Technologies (EST)
Jul 22-24, Colchester, UK

International Conference on Cyber Security
Jul 22-25, New York, NY

IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C)
Jul 22-26, Sofia, Bulgaria

Digital Forensics & Incident Response (DFIR) Summit & Training 2019
Jul 25 - Aug 1, Austin, TX

Cyber:Secured Forum 2019
Jul 29-31, Dallas, TX

Third World Conference on Smart Trends in Systems Security and Sustainability
Jul 30-31, London, UK

Security Awareness Summit and Training 2019
Aug 5-14, San Diego, CA

BSides Las Vegas
Aug 6-7, Las Vegas, NV

2nd International Conference on Science of Cyber Security (SciSec)
Aug 9-11, Nanjing, China

Symposium on Usable Privacy and Security (SOUPS)
Aug 11-13, Santa Clara, CA

28th USENIX Security Symposium
Aug 14-16, Santa Clara, CA

ACM ESEC/FSE 2019
Aug 26-30, Tallinn, Estonia

DerbyCon 9.0
Sep 6-8, Louisville, KY

IEEE/AIAA 38th Digital Avionics Systems Conference (DASC)
Sep 8-12, San Diego, CA

Oil & Gas Cybersecurity Summit and Training
Sep 16-22, Houston, TX

IEEE Secure Development (SecDev)
Sep 25-27, McLean, VA

Cyber Security X Chicago
Sep 25-26, Chicago, IL

Digital Forensics & Incident Response Prague Summit and Training
Sep 30 - Oct 5, Prague, Czech Republic

Threat Hunting & Incident Response Summit and Training
Sep 30 - Oct 7, New Orleans, LA

 more ► 
Produced by
Cyber Pack Ventures, Inc. 5850 Waterloo Road Suite 140 Columbia, MD 21045 USA

You are receiving this email because you are a member of the SoS-VO website, have participated in an SoS event, or have opted into the SoS mailing list. Want to change how you receive these emails? You can update your preferences or unsubscribe from this list.