A large DDoS incident hit the Internet last Friday, taking down or degrading access to several US news, entertainment and business websites including Netflix, Twitter, Spotify, The New York Times, Facebook and Tumblr. DNS provider Dyn reported that it was ‘monitoring and mitigating’ DDoS attacks against its infrastructure throughout the day, with the fallout mainly affecting users on the US East coast. The significance of the incident lay not only in its size but in its source: the DDoS emanated from a botnet built from thousands of seemingly innocuous devices such as CCTV cameras, baby monitors and digital video recorders. The malware used to conduct the attack, Mirai, is the same as that launched against Brian Krebs’s website in September, a fairly unsurprising development after its source code was publicly released online earlier this month. Mirai recruits devices by logging in over telnet with factory-default credentials rather than through any sophisticated exploit, which is why Chinese manufacturer XiongMai Technologies has recalled several of its products sold in the US, mostly webcams, in light of the weaknesses that were leveraged to execute the DDoS attack. In a small silver lining, Friday’s Internet takedown has served to focus attention on the need to secure the ever-growing Internet of Things.
After reports surfaced earlier this month that Yahoo had secretly scanned millions of customer emails on behalf of US intelligence services, people are still scrambling to clarify whether that was actually the case. This week, Yahoo’s general counsel sent a letter to the US Director of National Intelligence, James Clapper, urging clarification of the supposed secret directive issued by the government and arguing that ‘transparency is critical to ensure accountability’. On the same day, the American Civil Liberties Union filed a motion with the Foreign Intelligence Surveillance Court for the release of classified records relating to any ‘novel or significant interpretations of law’ between 9/11 and the passage of the USA Freedom Act in June 2015. Until the government makes a definitive statement on the legitimacy of those claims, rumours and speculation will continue to hurt Yahoo’s impending acquisition by Verizon.
The future looks worse for NSA contractor Harold Martin, arrested in August for the unauthorised removal of ‘an astonishing quantity’ of classified government data over the last 20 years. Initial reports concluded that Martin was more likely a digital hoarder than a leaker; however, the latest filing in his case states that ‘the government anticipates that the charges will include violations of the Espionage Act’. The government refers to a breach of 18 U.S.C. § 793, namely the gathering, transmitting or losing of defence information to be used ‘to the injury of the United States, or to the advantage of any foreign nation’, and those heightened charges will likely mean more severe sentencing. While no solid connection has been found between Martin and the Shadow Brokers’ online auction of NSA hacking tools, he reportedly remains the prime suspect.
Amnesty International has released a new report scoring technology companies on how well they fulfil their human rights responsibilities when it comes to encryption and an individual’s right to privacy. The report provides a ‘message privacy ranking’ of 11 companies based on multiple criteria, including whether the company provides end-to-end encryption by default, whether it maintains an active dialogue with customers on threats to their privacy, and its level of transparency about government requests for access to personal data. Facebook, Apple and Telegram came in as the top three, while Snapchat, Blackberry and Tencent were named and shamed, each scraping together less than 30 points out of a possible 100.
Yesterday was a tough day for those involved in the August #censusfail, with their appearance before a Senate hearing. Witnesses from IBM, the Australian Bureau of Statistics, the Special Adviser to the Prime Minister on Cyber Security and the Australian Privacy Foundation were grilled by the Senate Economics References Committee over responsibility for the national debacle; you can check out a detailed breakdown of the day’s blame game discussions here. It’s now up to the Prime Minister to determine ‘which heads will roll and when’.
Finishing on a positive note, it’s been a good week for cybersecurity collaboration between the private sector and educators. The National University of Singapore has teamed up with Singtel to establish a new US$30.8 million cybersecurity lab that will focus on the development of cybersecurity tools. The partnership between the University of New South Wales and the Commonwealth Bank is also growing, with the creation of a new cyber engineering lab intended to address the ‘alarming shortfall of in-demand cyber security graduates in Australia’. The Center for Strategic and International Studies has also just published a new report on the global shortage of cyber skills, titled Recruiting and Retaining Cybersecurity Ninjas. The report explores ways organisations can solve their human resources problem in order to ‘build and keep a critical mass of high-end specialists’, so take notes!