Showing posts with label NSA. Show all posts

Hackers Used New Weapons to Disrupt Major Websites Across U.S.


SAN FRANCISCO — Major websites were inaccessible to people across wide swaths of the United States on Friday after a company that manages crucial parts of the internet’s infrastructure said it was under attack.

Users reported sporadic problems reaching several websites, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.

The company, Dyn, whose servers monitor and reroute internet traffic, said it began experiencing what security experts called a distributed denial-of-service attack just after 7 a.m. Reports that many sites were inaccessible started on the East Coast, but spread westward in three waves as the day wore on and into the evening.

And in a troubling development, the attack appears to have relied on hundreds of thousands of internet-connected devices like cameras, baby monitors and home routers that have been infected — without their owners’ knowledge — with software that allows hackers to command them to flood a target with overwhelming traffic.


A spokeswoman said the Federal Bureau of Investigation and the Department of Homeland Security were looking into the incident and all potential causes, including criminal activity and a nation-state attack.

Kyle York, Dyn’s chief strategist, said his company and others that host the core parts of the internet’s infrastructure were targets for a growing number of more powerful attacks.

“The number and types of attacks, the duration of attacks and the complexity of these attacks are all on the rise,” Mr. York said.

Security researchers have long warned that the increasing number of devices being hooked up to the internet, the so-called Internet of Things, would present an enormous security issue. And the assault on Friday, security researchers say, is only a glimpse of how those devices can be used for online attacks.

Dyn, based in Manchester, N.H., said it had fended off the assault by 9:30 a.m. But by 11:52 a.m., Dyn said it was again under attack. After fending off the second wave of attacks, Dyn said at 5 p.m. that it was again facing a flood of traffic.

A distributed denial-of-service attack, or DDoS, occurs when hackers flood the servers that run a target’s site with internet traffic until it stumbles or collapses under the load. Such attacks are common, but there is evidence that they are becoming more powerful, more sophisticated and increasingly aimed at core internet infrastructure providers.

Going after companies like Dyn can cause far more damage than aiming at a single website.

Dyn is one of many outfits that host the Domain Name System, or DNS, which functions as a switchboard for the internet. The DNS translates user-friendly web addresses like fbi.gov into numerical addresses that allow computers to speak to one another. Without the DNS servers operated by internet service providers, the internet could not operate.

In this case, the attack was aimed at the Dyn infrastructure that supports internet connections. While the attack did not affect the websites themselves, it blocked or slowed users trying to gain access to those sites.

Mr. York, the Dyn strategist, said in an interview during a lull in the attacks that the assaults on its servers were complex.

“This was not your everyday DDoS attack,” Mr. York said. “The nature and source of the attack is still under investigation.”

Later in the day, Dave Allen, the general counsel at Dyn, said tens of millions of internet addresses, or so-called I.P. addresses, were being used to send a fire hose of internet traffic at the company’s servers. He confirmed that a large portion of that traffic was coming from internet-connected devices that had been co-opted by a type of malware called Mirai.

Dale Drew, chief security officer at Level 3, an internet service provider, found evidence that roughly 10 percent of all devices co-opted by Mirai were being used to attack Dyn’s servers. Just one week ago, Level 3 found that 493,000 devices had been infected with Mirai malware, nearly double the number infected last month.

Mr. Allen added that Dyn was collaborating with law enforcement and other internet service providers to deal with the attacks.

In a recent report, Verisign, a registrar for many internet sites that has a unique perspective into this type of attack activity, reported a 75 percent increase in such attacks from April through June of this year, compared with the same period last year.

The attacks were not only more frequent, they were bigger and more sophisticated. The typical attack more than doubled in size. What is more, the attackers were simultaneously using different methods to attack the company’s servers, making them harder to stop.

The most frequent targets were businesses that provide internet infrastructure services like Dyn.

“DNS has often been neglected in terms of its security and availability,” Richard Meeus, vice president for technology at Nsfocus, a network security firm, wrote in an email. “It is treated as if it will always be there in the same way that water comes out of the tap.”

Last month, Bruce Schneier, a security expert and blogger, wrote on the Lawfare blog that someone had been probing the defenses of companies that run crucial pieces of the internet.

“These probes take the form of precisely calibrated attacks designed to determine exactly how well the companies can defend themselves, and what would be required to take them down,” Mr. Schneier wrote. “We don’t know who is doing this, but it feels like a large nation-state. China and Russia would be my first guesses.”

It is too early to determine who was behind Friday’s attacks, but it is this type of attack that has election officials concerned. They are worried that an attack could keep citizens from submitting votes.

Thirty-one states and the District of Columbia allow internet voting for overseas military and civilians. Alaska allows any Alaskan citizen to do so. Barbara Simons, the co-author of the book “Broken Ballots: Will Your Vote Count?” and a member of the board of advisers to the Election Assistance Commission, the federal body that oversees voting technology standards, said she had been losing sleep over just this prospect.

“A DDoS attack could certainly impact these votes and make a big difference in swing states,” Dr. Simons said on Friday. “This is a strong argument for why we should not allow voters to send their voted ballots over the internet.”

This month the director of national intelligence, James Clapper, and the Department of Homeland Security accused Russia of hacking the Democratic National Committee, apparently in an effort to affect the presidential election. There has been speculation about whether President Obama has ordered the National Security Agency to conduct a retaliatory attack and the potential backlash this might cause from Russia.

Gillian M. Christensen, deputy press secretary for the Department of Homeland Security, said the agency was investigating “all potential causes” of the attack.

Vice President Joseph R. Biden Jr. said on the NBC News program “Meet the Press” this month that the United States was prepared to respond to Russia’s election attacks in kind. “We’re sending a message,” Mr. Biden said. “We have the capacity to do it.”

But technology providers in the United States could suffer blowback. As Dyn fell under recurring attacks on Friday, Mr. York, the chief strategist, said such assaults were the reason so many companies are pushing at least parts of their infrastructure to cloud computing networks, to decentralize their systems and make them harder to attack.

“It’s a total wild, wild west out there,” Mr. York said.

Erin McCann contributed reporting from New York.


Is There Any Particular Reason For China To Stop Cyberscrewing the US?


The massive data breach of a US government server originating from China might make for awkward conversation between President Obama and Chinese President Xi Jinping during his visit to Washington this week. But as pissed off as Obama might be, his options for fending off future Chinese hacking may be limited to incoherent mumbling and impassioned gesturing.

In July, the US Office of Personnel Management (OPM) announced it was the target of a yearlong data breach that was the largest of its kind in US government history. The records of more than 20 million people were compromised, including highly sensitive security clearance background information. Media reports citing unnamed government officials indicated the attacks originated in China, but whether the attackers had the support of the Chinese government is unclear. Though the stolen information has not shown up for sale in dark corners of the internet, reports indicate China may be compiling OPM and other stolen data into a database of US federal employees for further espionage potential, according to current and former intelligence officials.


China's alleged cyber intrusions are not limited to traditional espionage. They also target the private sector and commercial secrets -- an issue the House and Senate leadership warned President Barack Obama about in a letter this week.

Most countries make a distinction between political and economic espionage, with the former tacitly accepted as something all nations do, while the latter is not viewed as an acceptable government activity. The Chinese government tends to conflate the two, which makes a certain amount of sense given the intimate relationship between government and private industry in China. Despite high-profile breaches like the OPM hack, the US is most concerned about halting China's economic espionage activities.

"This isn't a mild irritation, it's an economic and national security concern to the United States," National Security Advisor Susan Rice said during an address at George Washington University Monday. "Cyber-enabled espionage that targets personal and corporate information for the economic gain of businesses undermines our long-term economic cooperation, and it needs to stop."

Xi repeated what has become China's standard answer to US accusations: "China takes cybersecurity very seriously," he said. "China is also a victim of hacking. The Chinese government does not engage in theft of commercial secrets in any form, nor does it encourage or support Chinese companies to engage in such practices in any way." China has in the past expanded on these denials, citing its lack of control over independent actors — so-called "patriotic hackers" — and unsanctioned activities by local governments far from Beijing.

Determining who's doing the hacking is also challenging. Denise Zheng, deputy director and senior fellow in the Strategic Technologies Program at the Center for Strategic and International Studies, said hackers "may wear a PLA [China's People's Liberation Army] hat during the day and black hat at night."

The question of how the US should respond remains tricky. Obama last week said the attacks were straining the US relationship with China, and "that we are prepared to take some countervailing actions in order to get their attention."

Those actions may not necessarily take place online.

"We've made clear that we have other punitive measures available when we do see instances of cyber intrusion and cyber theft," Ben Rhodes, the deputy national security adviser, said yesterday in a conference call with reporters. "Sanctions remain a tool of the United States, and we would be prepared, if necessary, to pursue sanctions."



Follow Shannon Hayden on Twitter: @ShannonKHayden

Now the NSA is in your hard drive, says Kaspersky

Recently, it seems that you can’t go two days without finding out some new piece of information which somehow relates to the NSA’s spying program, and with every day that passes it becomes more and more clear that the scope of the program, and the abuse of privacy which it involves are of an incredible magnitude and inescapable pervasiveness.


Now, in yet another part of the elaborate plot that is the illegal NSA spying program, Moscow-based firm Kaspersky has uncovered software hidden deep within the firmware of computers’ hard drives that is designed to spy on the user. According to Kaspersky, this method of espionage would allow the ‘sophisticated threat actor’ (which Kaspersky calls the ‘Equation group’) to spy on PCs worldwide, and may have been going on for as long as 15 years (since around 2001).

In its report, Kaspersky (the firm that was responsible for breaking the Stuxnet story) found that the ‘Equation group’ has the ability to hide spyware in hard drives from important manufacturers such as Western Digital, Seagate, Toshiba, IBM, Micron Technology Inc and Samsung Electronics.

According to information released to Reuters, the Russian firm found evidence of this spyware in hard drives in 30 nations, but found that it was most prevalent in countries such as Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

Talking to Reuters about where the spyware was found to be most prevalent, Kaspersky said,

‘The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists.’

Although NSA spokeswoman Vanee Vines refused to comment on the new revelations, a former NSA employee told Reuters that what Kaspersky had uncovered was indeed true, and that the NSA valued its ability to get spyware into sensitive locations as highly as it does viral spyware such as Stuxnet (a computer worm the NSA used to mount a cyber attack on Iran’s nuclear power plant).

Peter Swire (a member of the US Review Group on Intelligence and Communications Technology) said that these new revelations about how the NSA carries out its espionage could have a seriously negative impact on diplomatic relations and trade agreements, and urged Obama’s administration to think hard about how it sought to proceed with its spy programs in the future, lest it face serious international backlash and loss of faith.

According to lead Kaspersky researcher Costin Raiu, putting spyware in the firmware of the hard drives is perfect for the NSA’s espionage efforts because,

‘The hardware will be able to infect the computer over and over.’

Although spokespeople from both Seagate and Micron have made statements denying that they know anything about foreign code appearing in the firmware of their hard drives, Vincent Liu, a partner at Bishop Fox and former NSA analyst, explains that if a company wants to sell a product to the Pentagon they are asked to cooperate with security auditing for those products by handing over the source code,

‘They don’t admit it, but they do say, “We’re going to do an evaluation, we need the source code.” It’s usually the NSA doing the evaluation, and it’s a pretty small leap to say they’re going to keep that source code.’

Although the link to the NSA is currently only circumstantial, according to Kaspersky’s report, the Equation group’s obvious links to Flame and Stuxnet make it almost inevitable that these hacks and spyware installations are coming from a position of wealth and authority that is unlikely to be anything but a large and well-organized intelligence agency. In the report Kaspersky lays it out like this,

‘There are solid links indicating that the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators–generally from a position of superiority. The Equation group had access to zero-days before they were used by Stuxnet and Flame, and at some point they shared exploits with others.’