Researchers have long bemoaned the insecurity of certain “security” cameras. Ostensibly installed to deter and thwart intruders, many can actually be transformed into an arsenal that hackers use for Web warfare.
The latest cause for concern: a vulnerability that enables hackers to summon a firehose of network traffic from hundreds of thousands of such devices for “distributed denial of service” attacks, also known as “DDoS” attacks, that aim to knock targets offline—sometimes just for kicks and giggles, other times until a victim pays ransom. In a report published Wednesday, security researchers at “cloud” network firm Akamai called attention to the recently identified flavor of attack, warning that instances of it are likely to worsen in coming weeks, in terms of both severity and frequency.
“It’s just so easy to abuse,” says Chad Seaman, an Akamai engineer who worked on the report. “We know there’s an active marketplace for it where people are selling these [DDoS] services via stressors and booters,” industry jargon for hacking-for-hire, he says.
The new attack uses a novel method to achieve old aims. Previous victims of DDoS attacks include GitHub, the code collaboration site, which was hit with the largest ever recorded one last year. In 2016, Dyn, an Internet infrastructure firm since absorbed by Oracle, suffered a DDoS strike, leading to widespread Internet outages.
How it works
This is a new type of digital cudgel. Observed since May, the attack involves misuse of a device-pinpointing protocol—called “web services dynamic discovery,” or “WS-Discovery”—which helps identify the whereabouts of machines on a network. PCs running Windows Vista, or later versions of Microsoft’s operating system, come equipped with the technology, as do HP printers since 2008.
Many makers of closed-circuit television cameras, or CCTV cameras, use the protocol to allow them easily to establish connections on customers’ networks. Chinese manufacturers Hikvision and Dahua, and Brazil’s Intelbras, are among the makers of camera models vulnerable to exploitation, Seaman says.
When the devices, intended to remain on local area networks, become exposed to the public Internet, perhaps unintentionally through misconfigurations, that’s when problems arise. Hackers can send signals to vulnerable devices, provoking outsized responses, and then redirect the resulting data at targets, overwhelming them.
Because most makers of these security cameras have no way to update their products remotely, fixing the issue is complicated.
What’s so bad about the new attack
The new attack is troubling because it is unusually powerful and, moreover, it can tap the collective power of many exploitable devices.
In this case, one byte of inbound traffic, when routed to a vulnerable device, can generate 153 bytes of firepower directed toward a target of attackers’ choice. This “reflective” DDoS attack, so called because it reflects from a vulnerable device to another target, acts like a lever, amplifying small forces into far larger ones.
Compared to a list of other top DDoS methods published by US-CERT, a cybersecurity-focused subdivision of the U.S. Department of Homeland Security, this new method ranks fourth overall in relative strength.
,” the most powerful DDoS method known, can amplify the strength of attacks by tens of thousands. “NTP,” the No. 2 method, can multiply the force of attacks by more than 500. One of the most popular DDoS approaches, called “LDAP,” is weaker, magnifying attacks by about 50 times.
Scanning the Internet for devices vulnerable to “LDAP” hacking using Shadowserver, a search tool provided by a nonprofit security group of the same name, reveals nearly 15,000 devices ready for abuse. For WS-Discovery, the newly discovered attack method, more than 800,000 vulnerable devices appear to be open to abuse.
The size of that arsenal, plus the strength of the attack, worries security researchers. “What we’re really seeing here is that this has the potential to hit as hard, or harder [than LDAP attacks], but with a much larger pool” of vulnerable devices, Seaman says.
“That’s the point we’re trying to make here,” Seaman adds. “There’s a new kid on the block and you need to be aware of it because, chances are, it will be used against you in the near future.”
Hardik Modi, head of threat intelligence at NetScout, a cybersecurity firm that observed an early instance of the attack earlier this year, says his team has seen roughly 1,000 attacks using the method over the past three months. The issue “appears powerful and might yet grow legs,” he says.
What can be done about it
Perhaps the best way to fix this problem—not to mention, past, present, and future “botnet” threats—would be for device manufacturers to add an auto-update capability to their products. Then, as issues arise (as they inevitably do), companies can push out patches.
That’s not likely to happen anytime soon—and even if it does, there are still too many vulnerable devices already in circulation. Something else that could help: Manufacturers designing their products correctly, restricting devices’ responses to data packets originating only from trusted sources on local networks, rather than from anywhere online.
As word of this new kind of attack spreads, security-minded groups will likely look to persuade businesses and consumers in possession of vulnerable devices to update them (for the technically minded, that means blocking communications to “port 3702”). They may also recommend applying firewalls, or removing devices from the public Internet entirely. Ultimately, if the problem gets out of hand, Internet Service Providers could be drawn in, blocking suspicious traffic.
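The two sides of the abuse described above (a camera answering UDP/3702 probes from the public Internet with outsized replies, and a target receiving those replies from many devices at once) both leave a recognisable signature in border flow records. The following script is an added example, not code from the Akamai or NetScout reports: it parses a handful of constructed, NetFlow-like text lines and flags (a) local devices acting as WS-Discovery reflectors, using the ratio of reply bytes leaving port 3702 to probe bytes arriving at it, and (b) local hosts on the receiving end of a reflection flood. The flow-line format, the `LOCAL_NETS` address range, the `SUSPICIOUS_RATIO` threshold and all sample addresses and byte counts are assumptions made for the example; only the 153:1 amplification figure comes from the article.

```python
"""Spot WS-Discovery (UDP/3702) reflection abuse in flow records.

Added example; the flow lines and thresholds below are constructed, not
taken from any real capture or from the report the article describes.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

WSD_PORT = 3702                      # WS-Discovery listens on UDP/3702
REPORTED_AMPLIFICATION = 153         # bytes out per byte in, per the Akamai report
LOCAL_NETS = [ip_network("198.51.100.0/24")]  # assumed: our own address space
SUSPICIOUS_RATIO = 10.0              # assumed: LAN discovery replies stay far below this

# Assumed flow-line shape: "<ts> <proto> <src>:<sport> > <dst>:<dport> bytes=N pkts=N"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+) pkts=(?P<pkts>\d+)$"
)

# Constructed sample: normal LAN discovery, a camera (.7) abused as a reflector
# against 203.0.113.10, unrelated TCP, and a local host (.80) being flooded.
SAMPLE_FLOWS = """\
2019-09-04T10:00:01Z udp 198.51.100.20:49152 > 239.255.255.250:3702 bytes=700 pkts=1
2019-09-04T10:00:01Z udp 198.51.100.7:3702 > 198.51.100.20:49152 bytes=2100 pkts=1
2019-09-04T10:05:00Z udp 203.0.113.10:80 > 198.51.100.7:3702 bytes=1000 pkts=100
2019-09-04T10:05:00Z udp 198.51.100.7:3702 > 203.0.113.10:80 bytes=153000 pkts=100
2019-09-04T10:05:00Z udp 203.0.113.10:443 > 198.51.100.7:3702 bytes=980 pkts=98
2019-09-04T10:05:00Z udp 198.51.100.7:3702 > 203.0.113.10:443 bytes=149940 pkts=98
2019-09-04T10:05:02Z tcp 198.51.100.20:51000 > 203.0.113.50:443 bytes=40000 pkts=60
2019-09-04T11:00:00Z udp 192.0.2.11:3702 > 198.51.100.80:53 bytes=120000 pkts=80
2019-09-04T11:00:00Z udp 192.0.2.12:3702 > 198.51.100.80:53 bytes=118000 pkts=79
2019-09-04T11:00:00Z udp 192.0.2.13:3702 > 198.51.100.80:53 bytes=121000 pkts=81
""".splitlines()


def parse_flow(line):
    """Parse one flow line into a dict with int ports/counters; None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    for key in ("sport", "dport", "bytes", "pkts"):
        f[key] = int(f[key])
    return f


def is_local(ip):
    """True when the address falls inside our assumed address space."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_reflector_abuse(lines):
    """Local devices answering WS-Discovery probes from the Internet.

    Returns {device: {external: (probe_bytes_in, reply_bytes_out, ratio)}} for every
    (device, external) pair whose reply/probe byte ratio reaches SUSPICIOUS_RATIO.
    Spoofed probes carry the victim's address, so 'external' is the victim.
    """
    bytes_in = defaultdict(int)   # probe bytes arriving at UDP/3702 on a local device
    bytes_out = defaultdict(int)  # reply bytes leaving UDP/3702 toward the Internet
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "udp":
            continue
        if f["dport"] == WSD_PORT and is_local(f["dst"]) and not is_local(f["src"]):
            bytes_in[(f["dst"], f["src"])] += f["bytes"]
        elif f["sport"] == WSD_PORT and is_local(f["src"]) and not is_local(f["dst"]):
            bytes_out[(f["src"], f["dst"])] += f["bytes"]
    report = defaultdict(dict)
    for (device, external), out in bytes_out.items():
        inbound = bytes_in.get((device, external), 0)
        ratio = out / inbound if inbound else float("inf")  # replies with no probe seen
        if ratio >= SUSPICIOUS_RATIO:
            report[device][external] = (inbound, out, round(ratio, 1))
    return dict(report)


def find_reflection_victims(lines, min_sources=2):
    """Local hosts receiving UDP traffic *sourced* from port 3702 on several external devices.

    Returns {host: (distinct_reflectors, total_bytes)}; this is what the DDoS target sees.
    """
    sources, total = defaultdict(set), defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "udp" or f["sport"] != WSD_PORT:
            continue
        if is_local(f["dst"]) and not is_local(f["src"]):
            sources[f["dst"]].add(f["src"])
            total[f["dst"]] += f["bytes"]
    return {h: (len(s), total[h]) for h, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    for device, victims in find_reflector_abuse(SAMPLE_FLOWS).items():
        for victim, (pin, pout, ratio) in victims.items():
            print(f"reflector {device}: {pin} B in -> {pout} B out to {victim} "
                  f"(x{ratio}; report cites x{REPORTED_AMPLIFICATION}); block 3702 at the edge")
    for host, (n, total_bytes) in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"victim {host}: {total_bytes} B from {n} devices sourcing UDP/3702")
```

On the constructed sample the camera at 198.51.100.7 is reported at exactly the 153:1 ratio the article cites, while the legitimate LAN reply to 198.51.100.20 is ignored because both ends are local and its 3:1 ratio would fall under the threshold anyway. The ratio check is what separates abuse from ordinary discovery: a device that emits far more from port 3702 than it receives there, toward addresses outside the LAN, is the misconfiguration the article warns about, and the fix on the owner's side is the one it names, keeping UDP/3702 off the public Internet.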
Seaman already sees hackers developing and posting tools related to the attack online. Because of that, he says you can expect an uptick in these kinds of attacks soon.
“Once open source tools pop up, that means even not very technical users can begin to build their lists of vulnerable boxes and leverage them for attacks,” he says.
By now you’ve read the first question and answer session but still want to know more.
Yes, I’ve done some research, I want to buy some funds, but…how exactly do I find what I’m looking for?
Unfortunately there isn’t a free, easy searchable list of all funds.
There are literally thousands of funds available for sale in the UK: https://www.fca.org.uk/firms/authorised-recognised-funds - and you aren’t limited to buying just those!
There are companies that can help though, who offer easier interfaces.
A large provider of funds might also have an easy searchable list on their own website, or your broker might be helpful in helping you track one down.
Doesn’t everything you can invest in have its own serial number?
If you’re referring to ISINs - International Securities Identification Numbers - then, mostly yes, but you still need to know what you want in advance!
What if I want to buy something that isn’t based in the UK?
First, you need to see if you or your broker can actually get it.
Then, it’s just a matter of placing an order.
What should I look for then? They won’t be called the same things, right?
Of course. If you’re buying in the EU, you might see things called SICAVs - that is ICVC translated into Romance languages.
ICVC?
You read the first FAQ, right?
Romance languages?
An Indo-European language family that evolved from Vulgar Latin in the 6th to 9th centuries.
Right. So, ICVCs in Europe are pretty much the same as in the UK. What about the US?
A mutual fund is one registered with the Securities and Exchange Commission.
They even have their own Q&A about funds: https://www.sec.gov/reportspubs/investor-publications/investorpubsinwsmfhtm.html
Ok, I’ve found a fund I want to invest in. Now what?
You should look at the documentation that a fund provides - if it’s reputable and regulated by a competent authority, then it should provide at least something to tell you about it.
If you’re a retail investor in the UK, this is where UCITS and NURS come into play.
UCITS?
Really? Just kidding.
I have the fund documents now - what’s the difference between all of them?
It depends on what fund you are buying.
The FCA has specific rules about what information needs to be provided to each type of client. As a retail client, that means quite a lot of information in as simplified form as is reasonably possible.
The things you’ll most often encounter are:
- A factsheet
- A “Key Investor Information Document” (KIID)
- A “Prospectus” - simplified or otherwise
If you invest in a UCITS the fund itself must by law (in the UCITS regulations) provide a KIID or a simplified prospectus, under the FCA handbook: https://www.handbook.fca.org.uk/handbook/COBS/14/2.html
Both a KIID and a Prospectus are supposed to give information in a standardised format so you can compare them with other UCITS funds.
A factsheet, on the other hand, is up to the fund itself - it has to be clear, but it is up to the fund manager how they want to present it.
So, what’s the difference between a prospectus and a factsheet?
A prospectus is usually prepared on the company - ICVC - level. It is quite complicated and the same as, say, a prospectus for an IPO. Only losers like me read these in full - and the unfortunate trainee lawyers who have to draft them.
For example, here’s sub-favourite Vanguard Lifestrategy Funds ICVC’s full prospectus - 79 pages long. It will tell you things such as all about the legal incorporation of the company, depositary, securities lending policies, etc. etc.
The factsheet for one of the sub-funds (e.g. Lifestrategy 100) is only 2 pages long - and is updated much more frequently, because it contains details about the size of the fund, what it’s invested in, the ISIN and other identifiers, etc.
You probably want to look at the factsheet more than the prospectus!
What about the KIID?
This is another regulatory document you need to read in conjunction with the factsheet - it contains, in no more than two pages:
- objectives and investment policy
- risk and reward profile
- past performance in a standard format
- practical information such as contact details
You should always look at the KIID for a UCITS, as well as the factsheet - you can tell it’s regulatory because it’s in black and white.
I see this 1-7 risk scale on a KIID quite a lot - are they all the same?
In theory yes - the 1-7 risk scale is technically called the “Synthetic Risk and Reward Indicator” - and its calculation is prescribed by the European Securities and Markets Authority.
It is developed by the Committee of European Securities Regulators and is based on the volatility of the fund, specifically:
The SRRI should be based on the volatility of the returns (past performances) of the fund; these shall be the weekly past returns of the fund or, if this is not possible because of the limited NAV calculation frequency, the monthly returns of the fund.
In the cases where there is no past performance (or limited), it is based on benchmarks and models approved by regulators.
Can a fund ignore what it says in the KIID, like the investment objective?
In theory no - see q_pop’s answer:
Officially, no. Unofficially, the IA (formerly IMA) and regulators have been very slow to bite when funds break their objectives. The most serious "punishment" funds suffer is being kicked out from their preferred sector.
What about a NURS?
They don’t have to provide a KIID, but they still usually have to provide something called a NURS-KII: which is basically the same but with a bit more flexibility (to reflect the fact they can invest in more complex things than UCITS).
And a QIS?
Now you’re playing with the big boys and you don’t get as much (or any) handholding - you’ll still get a basic amount of critical information, but not much more. Good luck!
Don’t end up like these guys: https://www.bloomberg.com/features/2016-goldman-sachs-libya/
I heard something about the RDR and Clean Share Classes?
The Retail Distribution Review was an initiative by the Financial Conduct Authority to try and force greater transparency about charges - specifically how much brokers and advisers got in commissions from fees.
Before the RDR, some classes of shares in funds had higher charges than others - and part of those charges went to the broker/adviser.
After the RDR, that was no longer allowed (essentially) - the annual management charge was “unbundled”. That is a “clean share class”. https://www.fca.org.uk/publication/finalised-guidance/fg14-04.pdf
These days you’ll invariably end up buying the “unbundled”/“clean” share class.
I’ve chosen my fund, but how does it work, exactly, when I buy?
Exactly depends on what fund you’ve bought and how you bought it.
If you tell your broker to get you a share of something that’s exchange traded, they will go out and try and find someone who is selling it for the price you set or better (a limit order) - friends don’t let friends place market orders - if someone is willing to make that exchange, then all you have to do is wait for the trade to be settled (your ownership is official at that point) and there you go.
Wait, what’s settled?
I thought you only wanted to know about funds - settlement is about exchanging the consideration involved in a transaction, or to fulfil contractual obligations.
Ok, carry on.
If you are buying a normal ICVC, then if you bought it from your broker, it depends whether they’ve already bought a load of shares in the ICVC and are reselling them to you, or whether they need to go and place your order with the company.
In any case, eventually your money reaches the fund.
They decide to quote you a price - which we covered in the first question and answer session.
If you’re happy with that, then now you have a share (or fractional share) in the fund and the fund managers have your money.
Their own investment criteria mean they have to do something with that cash. They are just like any other company: they will use their own brokers to buy and sell fund assets in the name of the fund.
That’s it?
That is basically it - but many funds will employ other strategies to measure and control risks, cut costs or try and make money to hit their targets by lending out securities.
What do you mean lending out securities?
Many funds engage in what’s called securities lending. You may have heard of shorting - where investors borrow assets to sell hoping the price drops so they can buy them back, as they have to give them back eventually.
Where do these assets come from? Big funds with lots of assets that just sit there. Vanguard and Blackrock, two of the biggest fund managers in the world, own 12% of the US stock market.
Most funds do it - yes, even sub-favourite Vanguard - and you can find their policy in the prospectus you didn’t read.
Isn’t that risky?
It’s risky in that there is non-zero risk, yes. However, counterparts need to put up collateral, and even in the last financial crisis, where Lehman defaulted, most funds were able to liquidate the collateral and repurchase the missing securities themselves without any cost to them.
Here’s Blackrock’s take on the matter: https://www.blackrock.com/corporate/en-at/literature/whitepapebalancing-risks-and-rewards-may-2012.pdf
Of course, they might be a bit biased as they make money off it - or these days, do it to push down the OCF on funds to attract new money.
What about controlling risks?
As there are all sorts of things a fund can invest in, there are also all sorts of risks out there that a fund, or its investors, might not want to take on board when making their investment.
There is usually a whole department at any financial institution which manages internal risk - whether that’s counterparty risk, compliance risk, operational risk etc.
We’re going to talk about risks in the portfolio rather than all of those.
How you manage your risk depends on what you are investing in and what risks you want to hedge out.
- for a credit fund, you might want to hedge default risk or interest rate movement
- maybe you’re managing a defined benefit pension fund and you need to hedge out inflation
- foreign exchange movement
- you’re investing in airlines or aircraft and you want to hedge out jet fuel costs
Really you’re switching out something uncertain for something fixed (maybe it’s for your internal profit models) - and paying for that.
Sometimes you want to swap out something fixed for something uncertain!
To do this, you use derivatives.
Deriva-what?
Derivatives - they are instruments whose value is derived from another asset.
Without going into too much detail, legally they are structured as contracts (usually from a large template such as the ISDA Master Agreement) and you are just betting between parties (called the counterparts).
You may have encountered them:
are all types of derivative.
You can pretty much invent any bet or insurance you want and it can be turned into a derivative. You can even make derivatives based on other derivatives.
All you need is someone willing to take the other side of that bet - that’s why people who come up with the prices and accurately model how they’ll behave if x, y, z happens get paid the big bucks (quants).
So if something is in a different currency, it’s using derivatives?
No - but you can use derivatives if you want to limit the impact on performance of the fund due to foreign exchange movements: we call those “hedged” funds.
Wait, so a hedge fund is just a fund that uses derivatives?
No - a hedge fund is something different!
fund, is one where something, usually currency risk, is hedged.
Funds offer those to investors because some investors are concerned about the volatility of their currency when making international investments.
The underlying performance of the fund is what really matters - something that performs well doesn’t perform intrinsically differently because another currency was used to buy it, only that its purchasing power in the currency you want to use changed.
However, the trick is that when you want to come and liquidate the fund and use the money - after all, money is eventually meant to be exchanged for goods and services - you might be exposed to a currency fluctuation at that point: that’s volatility you might not want.
You can pay to remove that volatility by hedging - either buying a fund that has a hedged share class (they will use derivatives to hedge the value of that share against the value of underlying fund assets), or you can hedge it yourself by buying your own derivative (like a currency option or forward). If you are going to ask about exchange rate movements though, don’t bother, as they are banned on this sub.
So hedging is more about your risk tolerance - or speculation on currency, depending on your perspective.
What’s a hedge fund then?
A hedge fund is meant to hedge against the markets as a whole - they are supposed to offer returns uncorrelated with anything else in your portfolio.
The term has expanded now more to refer to any kind of unregulated pool of capital managed to make maximum returns however possible.
For instance, as well as investing in assets, they also make use of various strategies such as:
- activist investing - taking stakes in public companies to force them to change their ways to make shareholders richer
- special situations funds - trading securities based on things like potential bankruptcy, takeover, M&A activity
- macro-economic theme strategies
- arbitrage of all types
- distressed investment - anything from turnaround specialists to vulture funds
- high-frequency trading
- black box strategies - where no one knows what happens but it makes money: see Renaissance Technologies
If you want to invest in these, you’ll need to have a lot of money, pretty much waive any consumer protection and pay a lot in fees.
You might be able to find a fund of hedge funds though, but trading costs and middleman fees are going to be expensive.
I found these funds called Feeder funds, for hedge funds and some property funds. What’s the point of them?
It’s part of a distribution system called Master-Feeder. It’s a way of structuring your fund so that you can access a large pool of funding, but have lower compliance and administration costs.
Individual investors invest with the feeder funds, so the master fund which is actually doing the investment only has to deal with a few “clients”.
You usually see them in hedge funds and property funds because it allows you to very easily segregate clients based on things like their domicile or investor type (e.g. one can be for foreign investors only, one can be for retail clients, one for large institutions) - you can place more tailored restrictions on each type of client because that’s handled on the feeder fund level.
For instance, you see it with property a lot because property is quite illiquid - and can’t be held in a UCITS fund.
So, instead of a fund having to hold cash on hand at all times just in case people want to redeem, you can have your master fund allowing redemptions say, once a year, but your feeder funds allowing more frequent redemption. Your institutional clients might be happy with a less frequent redemption calendar, so they can go in a different fund - the master fund doesn’t have to deal with these problems and can put more of its assets to investment.
What about EIS/SEIS funds?
EIS (Enterprise Investment Scheme) and SEIS (Seed Enterprise Investment Scheme) are two tax-relief schemes.
When you invest in EIS/SEIS eligible companies, you get a certificate from that company in respect of your investment which you can then use on your Self Assessment to reduce either an income tax and/or capital gains tax bill.
So, when we talk about EIS/SEIS funds, the tax-treatment applies to the individual companies those funds invest in. The fund invests its money, then arranges for EIS/SEIS certificates to be issued to its shareholders, who then claim the tax treatment.
And VCT?
A VCT - Venture Capital Trust - is a closed-ended fund, like a normal investment trust.
They must be publicly listed - they then invest in unlisted companies. The fund prospectus and factsheets will tell you what kind of companies they invest in.
So, it’s the same as buying a share on an exchange for your portfolio.
It’s just that investments into these shares also qualify for tax relief via Self Assessment again.
What about SITR funds?
Social Investment Tax Relief funds work in the same way as EIS/SEIS funds at the moment. You join the fund, the fund invests, you get the certificate.
Ok. I think I get it a bit more - but I can’t buy the fund into my ISA or SIPP, but I can normally: what gives?
ISAs and SIPPs have legal rules about what type of investments you can put into them. For instance, QIS funds can’t be put in an ISA.
The more exotic, the less likely it can go into an ISA. SIPPs have broader rules but there are still rules.
Check with your broker - what’s legally permitted might not be permitted by your broker, as a broker must manage an ISA and pensions need a trustee (and you generally won’t be your own pension trustee unless you really, really want to).
Pension trustee?
That’s for someone else’s FAQ! Happy Investing!
So last week, my sister's puppy bit the wire going from the antenna to the router. We had it fixed yesterday but since then, my PC has been acting weird. It sits right under the router and it's the only device in our house connected to it via a wire, all others are wireless. However, only my PC has been experiencing horrendous spikes in data transfer. The graph in task manager looks more like a plain with occasional mountain ranges.
Dad, who is a technician, said he doesn't know what is causing it. Does anybody here know? Could it just be a faulty wire?