Weekly podcast: Memcached DDoS attacks, Equifax (once again) and Alexa

This week, we discuss the biggest distributed denial-of-service attacks on record, another 2.4 million people affected by the Equifax data breach, and Alexa’s sense of humour.

Hello and welcome to the IT Governance podcast for Friday, 9 March 2018. Here are this week’s stories.

Last Wednesday, GitHub was hit by the biggest distributed denial-of-service (or DDoS) attack on record, which peaked at 1.35 terabits per second (Tbps) and knocked the popular code repository offline for about nine minutes in total. (For reference, the 2016 DDoS attack on the managed DNS service provider Dyn peaked at about 1.2 Tbps.) Sam Kottler, GitHub’s site reliability engineering manager, reassured users on 1 March that “at no point was the confidentiality or integrity of [their] data at risk”.

The new record didn’t stand for long, however. This week, Arbor Networks confirmed a 1.7 Tbps attack on an unnamed US target. Both attacks relied on an increasingly popular attack vector: exploiting publicly accessible memcached instances with UDP support.

An Akamai blog explained that memcached is “meant to cache data and reduce strain on heavier data stores […] and is only intended to be used on systems that are not exposed to the Internet”. The protocol requires no authentication, so when it “is added to the ability to spoof IP addresses of UDP traffic, [it] can be easily abused”.

To make matters worse, “attackers can influence the amplification factor for a given node by inserting records into the open server”, enabling them to launch very large attacks by effectively amplifying their bandwidth.

Cloudflare explains that: “The general idea behind all amplification attacks is the same. An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources – most typically the network itself.”

Affected organisations are advised that the main defence against memcached attacks is to not expose memcached servers to the Internet. According to Akamai, there are “currently more than 50,000 known vulnerable systems exposed”.

It says: “Blocking port 11211 is a starting point for defenses and will prevent systems on your network from being used as reflectors. Configuring mitigation controls, like port blocking, can allow for this traffic to be handled quickly and efficiently. […] However, relying on remote systems administrators to remove their servers from the Internet is not a solution likely to see immediate results”, so organisations “should plan accordingly”.

Just when it seemed we’d heard all there was to hear about the Equifax breach comes more bad news for the credit reporting organisation. It transpires that a further 2.4 million US consumers were affected by the incident, bringing the total number of victims to 147.9 million.

Equifax’s interim CEO, Paulino do Rego Barros Jr, said: “This is not about newly discovered stolen data. It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

“We continue to take broad measures to identify, inform, and protect consumers who may have been affected by this cyberattack,” he added. “We are committed to regaining the trust of consumers, improving transparency, and enhancing security across our network.”

Although it’s inevitable that the investigation into the incident will take time, especially given its scale, lawmakers remain disgruntled about Equifax’s response. Democratic Senator Elizabeth Warren of Massachusetts tweeted: “I spent 5 months investigating the #EquifaxBreach, and found the company failed to disclose the full extent of the hack. Today, @Equifax acknowledged that 2.4 million MORE people were affected than initially reported.”

She added: “.@Equifax can’t be trusted. Their mistakes allowed the breach to happen, their response has been a failure, and they still can’t level with the public. Enough is enough. We have to start holding the credit reporting industry accountable.”

Senator Warren then urged the upper house to pass a bill “that would impose massive, mandatory penalties when companies like @Equifax expose millions of Americans’ personal information”.

Finally, Amazon’s Alexa voice assistant has been unsettling some users by randomly laughing. Somewhat unsurprisingly, many Twitter users have drawn comparisons with HAL 9000 refusing to open the pod bay doors in 2001: A Space Odyssey. “I’m sorry, Dave. I’m afraid I can’t do that.”

An Amazon representative said the company was aware of the problem and was working to fix it. “In rare circumstances,” they said, “Alexa can mistakenly hear the phrase ‘Alexa, laugh.’ We are changing that phrase to be ‘Alexa, can you laugh?’ which is less likely to have false positives, and we are disabling the short utterance ‘Alexa, laugh.’ We are also changing Alexa’s response from simply laughter to ‘Sure, I can laugh’ followed by laughter.”

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.