ITsecurity
twitter facebook rss

Does DOS extortion break the security risk management rule?

We are exhorted to bring risk management principles into the infosecurity practice. In classic risk management we can accept, mitigate or transfer risk. In infosec, this roughly translates to doing nothing, using security practices and systems for defence, or employing a third party security services provider (SSP) to provide protection for us. It is in the mitigation area that risk management skills are expected to provide more realistic security by using risk analysis to determine realistic security spend and location.

But can this be applied to DOS?

In recent days the RSS/news aggregator Feedly has suffered a serious DOS attack that took it out for several days. A basic history of this attack can be found in the Feedly blog:

June 11
2:04am PST – Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort us money to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can…

15:07pm PST: We have neutralized DDoS attack that began at 2:04am PST last night…

June 12
7:26am PST: We are currently being targeted by a second DDoS attack and are working with our service providers to mitigate the issue.

10:17am PST: The criminals have launched their second wave of DDoS attacks this morning. The ops team has reviewed the attacks and is working on building a second line of defense to neutralize this new attack.

June 13
3:30am PST The criminals have launched their third wave this morning. We are looking into it.

4:15am PST: Partially neutralized. You can access feedly from the US. We are working on enabling access from the rest of the world.

It was many hours before service was renewed in the UK – so for three days a web service with millions of users was unable to operate because of criminal activity.

This is pretty much all we know so far, although it would appear that CloudFlare was brought in to help mitigate the attack (although it isn’t clear at what stage this happened). Most security pundits suggest that Feedly got it wrong to begin with, but right in its reaction. That is, it should have had adequate DOS defences in place to begin with; but that it did right in refusing to meet the criminals’ extortion demands.

Trey Ford, global security strategist at Rapid7, commented, “Feedly and Evernote [Evernote was simultaneously targeted, but recovered faster] are doing things right. Companies should take note of the positive user responses to their honest and upfront communications… From the outside, it appears that Evernote and Feedly are handling these events effectively and professionally.”

Graham CluleyIndependent security expert Graham Cluley is far more forthright:

I must admit I admire Feedly’s attitude. It’s right not to give in to the blackmailers who are essentially running an extortion racket, demanding that the cloud service pay up or be taken offline with their DDoS attack.

The danger of paying DDoS blackmailers is that you’re only encouraging them to attack you more, perhaps increasing their financial demands next time.
Feedly refuses to give in to blackmail demands, gets hit by DDoS attack

But is this correct? People who are blackmailed rarely go public if they pay up. So there is little evidence, one way or the other, about whether successful blackmailers come back for a second (or more) bite. My suspicion is that they do not – if such practice became public knowledge, extortion would soon destroy its own market.

The only specified sum I have come across is the lowly figure of $300 in an attempted extortion of Meetup earlier this year. Meetup’s co-founder and CEO Scott Heiferman received an email warning, “A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.”

Heiferman declined the offer, saying, “We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.” Meetup was subsequently, and perhaps consequently, taken down by the attacker.

Sean Sullivan, a researcher with F-Secure, is one expert who doesn’t necessarily believe that the successful attacker will automatically return for more. “The $300 dollar extortion is probably equal to the fee the alleged competitor is currently paying to DDoS Meetup,” he told me at the time. “It’s simply business for the attacker, probably not a vast conspiracy designed to see if they’ll pay more. Perhaps the guy was hoping that Meetup would pay, and offer to pay for the information on which competitor hired him.”

Ilia Kolochenko

Ilia Kolochenko

Ilia Kolochenko, CEO at High-Tech Bridge, does not believe that a refusal to pay should be automatic in all cases. “Nowadays DDoS attacks are very common, but whether or not to pay a ransom should be decided on a case by case basis, as each case of cyber extortion is unique,” he told me by email. “Unfortunately, not much can be done to fully prevent large DDoS attacks, as it’s only the question who will invest more – the company into IT and security infrastructure or the hackers into a botnet.”

In other words, Kolochenko is advocating adherence to security best practices; that is, to use risk management principles to determine whether it would be better to pay up now and shore up defences for the future; or simply refuse to pay. Kolochenko and Sullivan are probably in the minority – Cluley’s standpoint has ascendency. The question, however, is whether standing on principle in this instance is simply bad business and bad security practice.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Submitted in: Kevin Townsend's opinions | Tags: , , , , , , , ,