SecurityIntelligence blog: Avoiding Threat Management Rookie Mistakes

What do a Finnish HVAC company and a set of American car dealerships have in common? Both have been doing a poor job running their computer systems and, as a result, both experienced a series of four embarrassing threat management blunders.

In my latest post for IBM’s SecurityIntelligence blog, I describe these two incidents in more detail. They point out easily fixable threat management mistakes. As a result of weak security, several apartment buildings went without heat and millions of customers and employees of car dealerships had their data stolen. But both consequences are preventable, especially with the benefit of hindsight.

Regaining Trust: What to do AFTER a Security Breach

In the past few years, it seems that large-scale data breaches have been occurring with depressing regularity. While it is incredibly important to establish trustworthiness in any product, re-establishing trust after it has been violated is much harder to do. There is far less room for error when dealing with a customer base that already has reason for concern about an organization's digital security.

When breaches do occur, the best plan to regain trust is to use web pages written in plain language that contain plenty of specifics and constructive suggestions for resolving the issue. In this article for UXPA Magazine, a professional journal for the user experience community, Danielle Cooley and I use the example of four recent breaches (Cici's Pizza, Home Depot, Wendy's Restaurants, and Omni Hotels) to see how each firm tried to regain its customers' trust.

DDoS for sale: what is a booter or a stresser and why you should care

DDoS attacks are on the rise, and one of the reasons is the plethora of service providers that make it easy to mount an attack, especially if you are a lazy or inexperienced criminal. A blog post this past summer says, "potential hackers do not have to know the first thing about conducting a DDoS attack. They can simply purchase attack services to carry one out for them. Today, attackers are now abandoning GUI and script tools and opting to pay for attack services." It is a big growth industry.

The high demand for DDoS services makes it a very profitable business and can generate thousands of dollars a week for these criminal operators.

Sadly, there are dozens if not hundreds of these booter or stresser services, as they are known. The latter name comes from the fact that they hide behind the legitimate business of stress-testing the resilience of your own network connections and web servers. Yeah, you could say that. But pointing them at someone else's network is illegal. They have one big advantage for the attacker: they automatically obscure the attacker's identity, since the service's own infrastructure, not the customer's machine, originates the traffic. For the ultimate in configurability, they offer multiple attack vectors and protocols, such as DNS- or NTP-based reflection attacks. You can target particular websites via geolocation and automatically skip VPNs.

Some security researchers have found that rental fees for DDoS services range from $15 to $40 a month for attacks of 15 to 200 Gbps, and they even come with 24×7 email support. One hacker even posted a screencast video rating his top five stresser tools, giving a matter-of-fact demo as if he were showing you some Excel feature. It was quickly removed from YouTube.

Brian Krebs, whose server was the target of one such attack, delves further into this strange world. Like any DDoS attack, the idea is to use a botnet army to clog your website with requests so that legitimate visitors can't get through.

Krebs' research shows that the criminal providers make use of one shady domain registrar called namecentral.com. Ordinarily, as Krebs points out, registrars have thousands or millions of domains on their books, and certainly some of those are bad apples. But namecentral has been used to register just 38 domains, ever. Most of these belong to bad guys, including the domain for the vDOS operation that was at the center of the attack on Krebs. Krebs got the 19-year-old owner of namecentral to exchange emails with him, and of course the owner plays innocent.

What is interesting about namecentral is that it is also in the business of selling DDoS protection services against the very DDoS attack providers that use it as their registrar. "In other words, a classic protection racket," as Krebs says in his post. Not only that, but selling mitigation services to the booters also prevents their competitors from knocking them offline with a DDoS attack on their own servers. Nice.

Certainly, DDoS attackers are getting better at harnessing more and more bandwidth to bring down their targets. Sadly, these booter and stresser services are here to stay, and will only get more potent.

iBoss blog: The challenges and opportunities for managing the Internet of Things

The Internet of Things (IoT) has been in the news lately for powering numerous DDoS attacks across the planet. A global non-profit think tank called the Online Trust Alliance (OTA) has published a paper entitled IoT, a vision for the future. It outlines how the IoT can grow and thrive, especially given that "users' confidence that their data is secure and private is at an all-time low."

You can read my latest post for iBoss’ blog here.

Hacking 911 systems: an update

It isn’t often that there is a very short trajectory from an academic research paper to reality, but when it comes to hacking the 911 emergency phone network this is indeed the case. The paper was written earlier this year and first given to the Department of Homeland Security before being published online this fall.

The researchers from Ben Gurion University in Israel describe how an attacker could knock a 911 service offline by launching a distributed denial of service (DDoS) attack using just 6,000 smartphones. While that is a lot of phones to gather in one place, it is a small number compared with computer-based attacks. And you don't really need to gather them together physically: infect the phones with malware and control them all remotely.

Like other DDoS attacks, this one floods the target with requests, except that the attacking devices are phones rather than computers, and the requests are repeated calls to 911 that block the system from taking legitimate emergency calls. It is a chilling concept, because unlike other DDoS attacks, the hackers aren't just bringing down a website with large bursts of traffic: they could prevent someone from getting life-saving assistance.

In the paper, the researchers simulated a cellular network modeled after the 911 network in North Carolina and then showed how attackers could exploit it.

Now 911 attacks aren't new: indeed, the DHS issued this alert three years ago and mentioned that more than 600 such attacks had been observed over the years. What is new is how easily the attacks could be launched, with just a few thousand phones and some malware to make it all work. Also, those earlier attacks were launched against the administrative phone numbers of the 911 call centers, not the actual 911 emergency lines themselves. If you are interested in how a 911 center operates, I posted a piece many years ago about this here.

There are other stories about hospitals and other businesses that have had their phone systems flooded with calls, blocking any business calls from getting through. And where there is smoke, there is at least one security vendor offering to protect an enterprise phone network from telephone-based DDoS attacks.

The problem is in the design of the 911 call centers. They have no built-in way of blacklisting or blocking callers: they want to be able to answer any call from anyone who has an emergency. Therefore, in the face of a large attack, they would have no choice but to answer each and every call. And even if such blocking could be implemented, it would also prevent the unwitting owner of an infected, blacklisted phone from making a legitimate emergency call.

Well, that was the theory behind the paper. It didn't take long before someone actually did it "in the wild," as they say when an actual attack has been observed. Last month a teen was arrested for allegedly carrying out such an attack and is facing three felony counts. The teen, Meetkumar Hiteshbhai Desai, discovered an iOS vulnerability that was used to launch the attack and flood a call center in Arizona. His phone supposedly was the only one used, and it made just 100 calls in a matter of minutes. But that was enough to get the cops on his case.

It is distressing to be sure. But whether these attacks are done by script kiddies or by professional criminals, certainly the opportunity is there and very real indeed.

Why runtime application self-protection is critical for next gen security

Today most of us go about implementing security from the outside in. The common practice of defining and then defending a perimeter isn't viable any longer. With the added complexities of more mobile endpoints, agile development and more sophisticated malware, better protective methods are needed.

In this white paper I wrote for VASCO, I describe a method that is gaining traction: defending the apps themselves using runtime application self-protection. RASP, as it is called, was named in a 2012 Gartner report and is catching on with several vendors, including Arxan Technologies, HPE App Defender, Immun.io, Lookout App Security/Bluebox, Prevoty, Vasco Digipass for Apps, Veracode and Waratek.

RASP can be a solid defense and a way to isolate and neutralize a potential threat, so you can operate your business safely in these uncertain environments.

 

iBoss blog: Who are the bug bounty hunters?

Bug bounties have become more popular, which isn't surprising given that they have been around for more than a generation. The first bug bounty program originated with computer science professor Don Knuth decades ago. It paid for reports of errors in his classic book series The Art of Computer Programming and for bugs in several of his landmark software programs. Since then, vendors such as Google and Facebook have been running their own programs, and there are third-party platforms that handle submissions and payouts, set the rules for participation, and generally take care of the administration.

You can read my post on the iBoss blog here. 

Simple steps to harden your SMB network

If you run your own small business network, chances are your security could be better. Consider these two news stories that I posted this week on my Inside Security newsletter:

ITEM #1: A group of hackers shut down the heating system in a block of apartments in Finland last month. The issue was the lack of any firewall protecting the HVAC unit, which was controlled by a computer with a public IP address. You can bet they have one now.

ITEM #2: An auto dealership CRM used by more than 100 dealers leaked its customers' and employees' data online, mainly because its backups were unencrypted and accessible to hackers.

I recently spent some time hardening my network doing three simple tasks. All of them can be accomplished in under an hour, if you have some basic knowledge and skills, and if you are careful at following the various instructions and interpreting the results. Nevertheless, it took me a lot longer: either because of my own stupidity or sunspots or whatever.

The three tasks are to harden your WordPress installation, scan your ports, and add a basic level of security to your email domain.

WordPress hardening

There are two basic ways to run a WordPress blog: one is to use your own server and the other is to use the free hosting service, with your site at yourdomain.wordpress.com. I have used both and get into the pros and cons in a previous post here. Assuming you have control over your own server, there are numerous sites that keep track of WordPress plugin and other vulnerabilities; we will just mention a few here:

  • Sucuri maintains this site, where they recently discussed a DDoS attack on v4.5.3 as well as XSS and SQL injection attacks. It is always a good idea to stay current with WordPress versions.
  • If you want some motivation about making your WP site more secure, you should read these suggestions from WPMU DEV. Some are easy to implement, others will take some time.
  • This site has descriptions of a few vulnerabilities with detailed information on how they are exploited (they also have a free WP plug-in to protect your site). If you get into tracking vulnerabilities, they also have a bug-bounty program.
  • And Network World has an article that goes into best practices for operating your WP site. You can also review many of these, plus more general security advice, on the WordPress Codex.
  • Finally, you should download the Wordfence plug-in and use it to protect your server. Their site also has details about general security topics, including an article about how WP-based botnets get started. The plug-in is free for basic services, and you can upgrade if you want more. I had some trouble when I first installed the plug-in and got to inadvertently test their support team, which was excellent. When I re-installed it, it worked fine.
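Most of the "easy to implement" hardening steps in those guides end up as a handful of lines in wp-config.php. As an added example (my own code, not from the original post, WordPress, or any of the sites linked above), here is a small audit script that reads a wp-config.php and flags the settings a reviewer would look for first: file editing left enabled in the dashboard, WP_DEBUG output visible to visitors, no forced TLS for wp-admin, the default wp_ table prefix, and the AUTH_KEY/SALT placeholders from wp-config-sample.php never replaced. Both configs below are constructed samples; the key strings in the hardened one are made up, not real secrets.

```python
"""Audit a wp-config.php for a few standard hardening settings.

Added example, not code from the original post or from WordPress, Sucuri,
Wordfence or WPMU DEV. The two configs at the bottom are constructed samples;
the checks use documented wp-config constants, so the same function runs on a
real file: audit_wp_config(open("wp-config.php").read()).
"""
import re

PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# define('NAME', value); where value is a PHP bool or a quoted string
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]([A-Za-z0-9_]+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*")\s*\)\s*;""",
    re.I)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def php_defines(text: str) -> dict:
    """Map constant name -> raw PHP value for every define(...) call in the file."""
    return {name: value for name, value in DEFINE_RE.findall(text)}


def audit_wp_config(text: str) -> list:
    """Return findings as strings; an empty list means every check passed."""
    defs = php_defines(text)

    def is_true(name, default="false"):
        return defs.get(name, default).lower() == "true"

    findings = []
    if not is_true("DISALLOW_FILE_EDIT"):
        findings.append("DISALLOW_FILE_EDIT not true: theme and plugin PHP can be "
                        "edited from the dashboard by any admin account")
    # WP_DEBUG_DISPLAY defaults to true, so WP_DEBUG alone puts notices on the page
    if is_true("WP_DEBUG") and not defs.get("WP_DEBUG_DISPLAY", "true").lower() == "false":
        findings.append("WP_DEBUG on with errors displayed: PHP notices and paths "
                        "are shown to visitors")
    if not is_true("FORCE_SSL_ADMIN"):
        findings.append("FORCE_SSL_ADMIN not true: logins and wp-admin may be "
                        "served over plain HTTP")
    m = PREFIX_RE.search(text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_ (or unset): a custom "
                        "prefix is a standard hardening step")
    stale = [k for k in SECRET_KEYS if defs.get(k, "").strip("'\"") == PLACEHOLDER]
    if stale:
        findings.append("sample placeholder still used for: " + ", ".join(stale))
    return findings


# Constructed sample: a fresh install left at the defaults from wp-config-sample.php.
WEAK_CONFIG = """<?php
define('DB_NAME', 'blog');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('WP_DEBUG', true);
$table_prefix = 'wp_';
"""

# Constructed sample: the same file after hardening (key values are made up).
HARDENED_CONFIG = """<?php
define('DB_NAME', 'blog');
define('AUTH_KEY',         'f8Qz!kL2#vN7pR4sT9wY1bC3dE5gH6jM');
define('SECURE_AUTH_KEY',  'Xm4&nP8$qS2vZ6bA9cD1eF3gH5jK7lW0');
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
$table_prefix = 'b7q_';
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or ["ok"])
```

The weak sample trips all five checks; the hardened one comes back clean. The checks are deliberately narrow (a regex over define() calls, not a PHP parser), so a config that builds values dynamically should be read by hand.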

Scan your ports

For many years I have been a big fan of Steve Gibson's ShieldsUp port scanner. It is well worth using, because it is simple, free, and takes just a moment to look at your router from the outside and see what open ports you have. The big limitation is that it only scans the first 1000 or so ports: that was fine years ago when the Internet was just a gleam in Al Gore's eye, but now life has gotten more complex. I would also suggest using the BullGuard scanner, which covers more ports. When I did this on my Uverse-connected network, it found port 7547 open. I hadn't seen this port before and found this mention on PC World: 7547 is the TR-069 (CWMP) port that ISPs use to remotely manage customer equipment, and on my Uverse DSL modem it belongs to the embedded web server used to manage the modem. There isn't much you can do about it, unless you want to switch to a cable ISP connection.

Secure your email server

I have written extensively on using email encryption for your day-to-day emails, but there is another way to approach better email security: adding an automatic digital signature to the headers of each outgoing email using a protocol called DKIM, which stands for DomainKeys Identified Mail. Most email hosting providers now support this protocol; Google's help page for its hosting services starts here. DKIM uses the same kind of public/private key pair that PGP and others use, but to sign messages rather than encrypt them: your mail server signs each outgoing message with the private key, and the receiving server fetches the public key from a DNS TXT record under your domain to verify the signature. You have your choice of key lengths (choose the longer and more secure 2048-bit keys if your provider supports them).

Google's help pages are very explicit about the steps you need to take. You basically need to do three tasks: first, you obtain a key from your email hosting provider. Then, you publish that key as a DNS TXT record with whoever hosts your domain's DNS (which in my case is my ISP). Then, over the next few days, check to make sure that you did this correctly, using this verification service.
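To see what the verification step is actually looking at, here is an added example (my own code, not from the original post or from Google's help pages) that parses a DKIM TXT record and reports the RSA key size, which is how you confirm the 2048-bit choice above actually reached DNS. The p= tag carries a base64 DER SubjectPublicKeyInfo, so the script walks that structure with a minimal DER reader instead of needing a crypto library. The records it checks are constructed: the modulus is a synthetic number of the right size, not a real key, and the selector google and domain example.com are placeholders.

```python
"""Inspect a DKIM public-key TXT record and report the RSA key size.

Added example, not code from the original post or from any mail provider.
The sample records are constructed (synthetic modulus, not a real key) so the
check runs offline; feed it a real record pulled from DNS to check your own.
"""
import base64
import re


def dkim_record_name(selector: str, domain: str) -> str:
    """DNS name a receiving server queries to fetch the public key."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_txt(txt: str) -> dict:
    """Split a DKIM record ('v=DKIM1; k=rsa; p=...') into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)  # whitespace in p= is legal
    return tags


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Modulus size in bits from a DER SubjectPublicKeyInfo (what p= carries)."""
    tag, spki, _ = _read_tlv(spki_der, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, _algo, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier (skipped)
    tag2, bitstr, _ = _read_tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x30 or tag2 != 0x03:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)         # skip the 'unused bits' byte
    tag3, modulus, _ = _read_tlv(rsa_pub, 0)     # INTEGER n comes first
    if tag3 != 0x02:
        raise ValueError("RSAPublicKey does not start with an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(txt: str, min_bits: int = 2048) -> dict:
    """Return version, key type, key size in bits and a list of problems."""
    tags = parse_dkim_txt(txt)
    res = {"version": tags.get("v", "DKIM1"), "key_type": tags.get("k", "rsa"),
           "bits": None, "problems": []}
    if res["version"] != "DKIM1":
        res["problems"].append("unexpected v= tag")
    if "p" not in tags:
        res["problems"].append("no p= tag: record is not a DKIM key")
    elif tags["p"] == "":
        res["problems"].append("empty p=: key has been revoked")   # RFC 6376 3.6.1
    elif res["key_type"] != "rsa":
        res["problems"].append(f"key type {res['key_type']} not checked")
    else:
        try:
            res["bits"] = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (ValueError, IndexError):           # binascii.Error is a ValueError
            res["problems"].append("p= is not a valid base64 DER public key")
        else:
            if res["bits"] < min_bits:
                res["problems"].append(f"{res['bits']}-bit key; use {min_bits}")
    return res


# --- constructed sample records (synthetic modulus, NOT a usable key) -------------
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the samples."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_uint(value: int) -> bytes:
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep INTEGER positive


def synthetic_rsa_record(bits: int) -> str:
    """A DKIM TXT record whose p= has a modulus of exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1
    rsa_pub = _der(0x30, _der_uint(modulus) + _der_uint(65537))
    algo = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption
    spki = _der(0x30, algo + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    print(dkim_record_name("google", "example.com"))   # placeholder selector/domain
    for rec in (synthetic_rsa_record(2048), synthetic_rsa_record(1024), "v=DKIM1; k=rsa; p="):
        print(check_dkim_record(rec))
```

To check a live record, pull it with `dig +short TXT selector._domainkey.yourdomain.com` (the selector is the name your provider gave you), join the quoted pieces, and pass the string to check_dkim_record: an empty problems list with bits of 2048 is what you want to see, and a smaller size means the provider is still publishing a shorter key.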

Good luck with securing your domain and servers. Feel free to share other simple tips here as well.

 

Security Intelligence: What are the new security features of Windows Server 2016?

Windows Server 2016 became commercially available on Oct. 12, 2016. The new operating system includes a few noteworthy and important security features, such as a bare-bones Nano Server to reduce the potential attack surface, a better-protected hypervisor that can run shielded virtual machines with encrypted virtual disks, Just Enough Administration to bring the principle of least privilege to remote PowerShell sessions, and more.

You can read my summary of these and other security features in my post for IBM's SecurityIntelligence blog here.