Senior US Official Claimed the FCC Got 'Hacked' After Security Professionals Found No Proof

A senior US official has admitted to being the source behind a claim that the FCC was “hacked” in 2. Internally, however, the agency’s security team had assessed there was no evidence of a malicious intrusion.

Dr. David Bray, who was the FCC’s chief information officer until last month, spoke privately with a reporter at Motherboard roughly a week after the FCC’s public comment website—known as the Electronic Comment Filing System (ECFS)—locked up after comedian John Oliver, host of HBO’s Last Week Tonight, directed his audience to flood the FCC with comments supporting net neutrality. Bray told the reporter that the agency had been the target of a “malicious attack.”

Bray was also the first US official to announce that the FCC had been attacked this year, too, after Oliver asked his audience once again to submit pro-net neutrality comments using the ECFS. Afterwards, the system became inaccessible on and off for roughly eight hours beginning the night of May 7, 2.

The FCC’s decision to withhold detailed analysis of the attack has prompted skepticism from reporters and the public at large. Multiple FCC sources—including one with direct knowledge of the agency’s security operations—tell Gizmodo that, in June 2. In the wake of Oliver’s net neutrality segment, the agency’s Network Security Operations Center (NSOC) pored over data collected by various logs. But it was unable to locate any proof to support Bray’s claim that a malicious attacker was responsible for the comment system’s failure.

Drawing from the statements of a senior FCC official (Bray), Motherboard described on June 1. ECFS, a legacy system that had received few upgrades since its Clinton-era rollout.
The ECFS was initially designed for lawyers and other knowledgeable sources to provide feedback on pending FCC regulations; but in a new era of digital civic engagement, the system became the principal tool for aggregating comments from the public about proposed rules to gut net neutrality.

Motherboard described a “malicious” attack carried out against the FCC, attributing the tip to a high-level agency source: The agency had been “hacked” by “unknown digital assailants” using what was described as “database Denial of Service tactics.” It was an “onslaught,” the site said. Motherboard’s source was so well placed, in fact, the author wrote confidently that the FCC itself had “confirmed” the news. (The claim was supported by a second source as well, who had used words like “exploited” and “assaulted” to describe the incident.)

But the tip was apparently based on the assumptions of the senior US official whose opinion did not comport with the findings of his agency’s security professionals.

“We couldn’t find any evidence of the attack,” said a former security contractor, who spoke on condition of anonymity to discuss their work at the agency. “We never took any remediation or mitigation steps with regard to security. There was no attack.”

The FCC’s press office was quick to refute reports that “scripts or automated bots” were responsible for the comment system’s troubles. “If anything, a high volume of traffic caused the collapse,” a reporter for Engadget wrote after speaking with the agency’s spokesperson. “We stand by our story,” Motherboard’s editor in chief tweeted in response, saying that a “high-level FCC source” had described a “malicious attack.” (Motherboard confirmed last week that its source—whom Gizmodo has confirmed was Bray—used that term explicitly.)

“It was never the official position of the FCC that it was a DDoS attack,” Gigi Sohn, former counselor to then-Chairman Tom Wheeler, told Gizmodo. Yet, Bray “did not deny and there was never any doubt that he talked to Motherboard,” she said.

“My goal was to communicate on background that the commenting system had experienced abnormal ‘dead record locks’ and [had] not crashed from high comment volume,” Bray told Gizmodo on Saturday. “Multiple events were happening and the abnormal activity observed raised concerns that this was a form of malicious attack to tie up the system.”

“When pressed on the term ‘hack,’ I emphasized the system was not compromised,” he said, despite having given Motherboard a green light to use the word “hacked,” which appeared in its headline. Bray was interviewed later that year by TechRepublic and the Washington Post about ongoing efforts to revamp the FCC’s aging IT infrastructure. He never refers to a cyberattack crippling the ECFS.

Dead-locked records

In its official statement, the agency said in that a byproduct of receiving such a high volume of comments is what’s known as a “dead record lock,” whereby the ECFS’s database was overwhelmed in June 2. “This created difficulty for people trying to submit and search for filed comments,” it said. But the agency made no mention of any malicious activity.

Moreover, a “dead record lock” is not itself indicative of an attack. When overwhelmed, database systems are designed to initiate a “record lock” to preserve its integrity—i. While in this state, the ECFS would be unable to accept new comments, which is what happened on June 2, 2. Last Week Tonight net neutrality segment.

Following the segment, the security operations center reviewed data collected in the FCC’s system logs, in its intrusion detection system, and from the multiple web and appliance-based firewalls from which logs were aggregated into a security information event manager, or SIEM. McAfee. The security team came up empty-handed.
The former security contractor told Gizmodo that the presence of any automated bots or scripted activity would have been detected through the use of metadata analysis. The millisecond latency of requests coming from the same IP source or session ID would have been a dead giveaway. Request activity faster than 1. No abnormalities were detected, however.

The source described how an attack on the ECFS could have taken advantage of the record-lock procedure to force the system to freeze. A bot could have been engineered to flood the ECFS with comments attributed to hundreds or thousands of fictitious or stolen identities. Immediately after the comments were filed, the bot would’ve then sent a request to view the comment before the system had sufficient time to actually create the record. A flood of these requests would’ve inevitably overwhelmed the system.

“I checked for evidence of the theoretical attack above at the FCC in 2. Instead, the logs showed a high volume of commenters requesting access to the FCC web page that by default shows a list of newly submitted comments, what the source described as “normal intended use of the website which is in no way malicious.”

Weakness in the FCC codebase

After the record lock, the security team and the agency’s contracted developers discovered a weakness in the ECFS’s Sybase software, which was outdated by more than a decade. (A “weakness” is viewed as being less threatening than a “vulnerability” exploitable by hackers.) The software was, essentially, not configured to update new database rows properly, which created an inefficient procedure for adding new comments. This caused the system to lock up just after Oliver directed his viewers to swarm the FCC’s site. The development team documented the discovery in an application called Jenkins—the management system used to test and track updates to the FCC’s entire codebase.

“The security team was in agreement that this event was not an attack,” the former contractor said. “The security team produced no report suggesting it was an attack. The security team could not identify any records or evidence to indicate this type of attack occurred as described by Bray. The security team did not provide Bray with access to any security systems or logs that he might have performed his own independent analysis to come to this conclusion.”

His position as chief information officer notwithstanding, Bray’s access to security logs was restricted, the source said, under the principle of least authority—you only give people access to systems necessary to perform their job. If there was a security threat, Bray would have had to have relied on the security team to provide proof. When Bray reached out on June 3, 2.
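
The metadata analysis the former contractor describes above, sketched as an added example that is not from the article or the FCC: it groups requests by source IP and session ID and flags sources whose gaps between requests stay consistently too short for a person. The log format, the sample lines and the 100 ms threshold are assumptions made for the example, not figures from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

ASSUMED_MAX_GAP_MS = 100   # assumed threshold, not the article's figure
MIN_REQUESTS = 5           # ignore sources with too few requests to judge

# Constructed sample log: timestamp, source IP, session ID, method, path.
SAMPLE_LOG = """\
2000-01-01T00:00:00.000Z 198.51.100.7 s-bot POST /comment
2000-01-01T00:00:00.040Z 198.51.100.7 s-bot GET /comment/view
2000-01-01T00:00:00.085Z 198.51.100.7 s-bot POST /comment
2000-01-01T00:00:00.120Z 198.51.100.7 s-bot GET /comment/view
2000-01-01T00:00:00.160Z 198.51.100.7 s-bot POST /comment
2000-01-01T00:00:00.205Z 198.51.100.7 s-bot GET /comment/view
2000-01-01T00:00:01.000Z 203.0.113.20 s-human GET /comments/recent
2000-01-01T00:00:09.500Z 203.0.113.20 s-human GET /comments/recent
2000-01-01T00:00:31.200Z 203.0.113.20 s-human POST /comment
2000-01-01T00:01:02.000Z 203.0.113.20 s-human GET /comments/recent
2000-01-01T00:01:40.300Z 203.0.113.20 s-human GET /comments/recent
2000-01-01T00:00:05.000Z 192.0.2.5 s-dbl POST /comment
2000-01-01T00:00:05.010Z 192.0.2.5 s-dbl POST /comment
"""

def gaps_by_source(lines):
    """Return {(ip, session): [gap_ms, ...]} between consecutive requests."""
    seen = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, session, _method, _path = line.split()
        seen[(ip, session)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"))
    gaps = {}
    for key, stamps in seen.items():
        stamps.sort()  # logs aggregated from several devices may be out of order
        gaps[key] = [(b - a) // timedelta(milliseconds=1)
                     for a, b in zip(stamps, stamps[1:])]
    return gaps

def flag_automated(lines, max_gap_ms=ASSUMED_MAX_GAP_MS, min_requests=MIN_REQUESTS):
    """Flag sources whose median inter-request gap is below the threshold."""
    flagged = {}
    for key, gaps in gaps_by_source(lines).items():
        # The median keeps a single accidental double-click from flagging a person.
        if len(gaps) + 1 >= min_requests and median(gaps) < max_gap_ms:
            flagged[key] = median(gaps)
    return flagged

if __name__ == "__main__":
    for (ip, session), gap in flag_automated(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} {session}: median gap {gap} ms")
```

Keying on the IP and session pair rather than the IP alone keeps many people behind one shared address from being counted as a single fast source.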