Monthly Archives: September 2013

DDoS: The Need for Updated Defenses Lessons Learned from a Year of Attacks Against Banks

In the wake of a year of attacks waged against banking institutions by Izz ad-Din al-Qassam Cyber Fighters, the FS-ISAC’s Bill Nelson and the ABA’s Doug Johnson say the need to regularly update DDoS preparedness is a critical lesson learned. As the one-year anniversary of the start of the hacktivists’ distributed-denial-of-service attacks against U.S. banks approaches, banks need to avoid complacency and leverage new mitigation tools to ensure protection against any DDoS attack from any group, the two experts say. By taking advantage of cyber-intelligence and DDoS mitigation toolkits provided by the Financial Services Information Sharing and Analysis Center and others, banking institutions of all sizes can help prevent online outages and mimimize risk for fraud , says Nelson, who heads the FS-ISAC in the U.S. FS-ISAC’s DDoS toolkit, which has been updated three times in the last year, is available to all institutions, not just FS-ISAC members. “We’ve worked to get this out to associations and third-party banking service providers, which really have a very important role as far as DDoS,” Nelson says in an interview with Information Security Media Group. “The Web hosting environment can impact numerous institutions.” A DDoS preparedness plan should address hardware security risks, ensure sufficient bandwidth and outline collaboration with third-party service providers, Nelson says. “Setting up in advance, not just waiting to see your name on a Pastebin post, is critical,” he says. Johnson, who oversees risk management for the American Bankers Association, says institutions have to band together to ensure they have the right plans in place. “It does take that village to ensure the institutions are asking the right questions,” he says. “The threat environment is substantially different than it was before these attacks.” Beyond al-Qassam On Sept. 18, 2012, Izz ad-Din al-Qassam Cyber Fighters announced the launch of its first wave of attacks against U.S. institutions to protest a movie trailer deemed offensive to Muslims. These attacks have forever changed the way the online world approaches DDoS, Nelson says. “When we realized this DDoS attack was different … we realized quickly that we needed to stand up and create an incident response team,” he says. “The reaction was really effective, and it proved how effective information sharing could be.” But Johnson says one lesson the industry has learned over the last year is that DDoS is not just about hacktivism, and banking institutions need to be concerned about attacks from any number of players. “It’s about the broad number of DDoS attacks that the industry is suffering [attacks] from a variety of parties,” he says. For community banks, the greatest concern is not online disruption, but the threat of DDoS attacks being waged to mask fraud, Johnson says. Source: http://www.bankinfosecurity.com/interviews/ddos-need-for-updated-defenses-i-2059

Read the original:
DDoS: The Need for Updated Defenses Lessons Learned from a Year of Attacks Against Banks

Threat of the Week: Sept. 11 Quiet But DDoS On The Rise (Again)

September 11 came, it went and despite the FBI warning to credit unions to be ready for a bump in hostile activities on that anniversary date, multiple experts said they saw absolutely no traffic increase. But they also had worrisome news: There has been a sharp rise in low-grade Distributed Denial of Service (DDoS) attacks aimed at financial institutions, often in association with attempted fraud, but sometimes apparently simply an angry act by a rejected loan applicant or a terminated employee. First, the 9/11 news: “Nothing unusual happened on September 11. The reason there is nothing to report is that the volume is the same as the day before,” said Ashley Stephenson, CEO of Corero, a Hudson, Mass.-based DDoS mitigation firm. “Every day there are attacks.” Chris Novak of the Verizon Risk Team said likewise: “We saw no spike in activity on 9/11.” Rich Bolstridge, a DDoS expert with Cambridge, Mass-based network traffic firm Akamai, made it three: “We saw no increase in activity on September 11. We had expected to see activity. But it was very quiet.” The big DDoS guns fired by al Qassam and other actors usually said to be connected to nation states in the Middle East may not have been out on 9/11, but the bad news is the jump in low-grade attacks that may be small compared to the giant attacks unleashed by al Qassam are plenty large enough to knock an unprepared credit union off line and, said the experts, most credit unions remain unprepared to adequately deflect DDoS assaults of just about any magnitude. “We are surprised how naive CUs are about DDoS,” said Kirk Drake, CEO of Hagerstown, Md.-based CUSO Ongoing Operations. “They don’t realize how easy it has become for just about anyone to aim DDoS at a target.” That is the rub, Terrence Gareau, principal research scientist for DDoS mitigation firm Prolexic in Hollywood, Fla., explained: “There is a very low barrier to entry for DDoS. We are talking $5 that will buy you 600 seconds of DDoS.” That may only be 10 minutes, but the plunger who can come up with $50 could put a credit union down for an afternoon. A chilling factoid via a report from Santa Clara, Calif.-based NSFOCUS, a DDoS mitigation firm: “Based on traffic analysis, there are 1.29 DDoS attacks occurring worldwide every two minutes, on average.” The company added, “Most attacks are short and small. The report found that 93.2% of DDoS attacks were less than 30 minutes in duration and 80.1% did not surpass a traffic rate of 50 Mbps.” By contrast, the data throughput in al Qassam attacks has sometimes exceeded 45 Gbps, meaning it is vastly larger. Van Abernethy, an NSFOCUS spokesperson, elaborated, “The main news – the press focuses on the big DDoS – but the reality is that unreported DDoS goes on all the time. There are a lot of small attacks.” And then it gets worse still: “Small attacks are often accompanied by data exfiltration attempts, especially at financial institutions,” said Abernethy. Verizon’s Novak agreed: “We are seeing where DDoS is used to distract a medium-size financial institution. While they are busy fighting off the DDoS. they don’t see that terabytes of data just walked out the door. That’s scary.” A similar warning was issued a few weeks ago by respected Gartner analyst Avivah Litan who said she knew of three instances where DDoS was used to distract financial institution security as fraud was committed. She declined to offer specific details. At CUNA Mutual, risk expert Ken Otsuka said that in the past year one loss associated with a DDoS attack had been filed. He also offered no specifics. Add it up, however, and the situation is grim. DDoS as a service – available for hire by those with a grudge or with criminal intent – is increasingly available, it is cheap, and at least some providers happily accept Bitcoin, the virtual currency with some anonymity built in. Importantly, just about no technical skill is required, just a few dollars and a willingness to name a target. On the credit union front, the sense among experts is that the largest institutions – perhaps the top 25 or 50 – may have credible DDoS mitigation tools in place. As for the many thousands of others, the collective opinion is that probably most are unprotected. That could paint an attractive bull’s-eye for crooks. “There’s a trend where we see attacks going down market,” said Novak, “where the criminals are attacking smaller financial institutions because they don’t have the same defenses as the big banks.” Source: http://www.cutimes.com/2013/09/13/threat-of-the-week-sept-11-quiet-but-ddos-on-the-r

Read the article:
Threat of the Week: Sept. 11 Quiet But DDoS On The Rise (Again)

Countering Attacks Hiding In Denial-Of-Service Smokescreens

Denial-of-service attacks have long been considered the blunt wooden club of online hazards, a multi-gigabit stream of shock and awe. Yet, increasingly the noisy attacks are being used to hide more subtle infiltrations of a target’s network. A number of financial institutions, for example, have been targeted by distributed denial-of-service (DDoS) attacks immediately following a wire transfer, according to security firms familiar with the cases. The attacks, generated by computers infected with the DirtJumper DDoS malware, attempt to disrupt any response to the fraudulent transfer of funds, which are usually in the six-figure dollar range, according to a report by Dell Secureworks published in April. “The analogy is signal jamming,” says Kevin Houle, director of threat intelligence for managed security provider Dell Secureworks. “To the extent that you can use the DDoS attack to do cause chaos electronically, to prevent access to particular systems during an attack, the tactic has proven successful.” While DirtJumper has focused on causing chaos immediately following money transfers, the technique could be generalized to other attack scenarios. A variation of the attack has been used by Iranian hacktivists groups to disrupt the online operations of U.S. financial institutions by hiding more subtle application-layer attacks within larger packet floods. And South Korean companies were flooded with data while malware deleted information on organizations’ servers. “Your goal is to sow confusion,” says Vann Abernethy, a senior product manager at NSFOCUS, a DDoS mitigation firm. “A DDoS attack is designed to get your IT department to run around like their hair is on fire.” In addition, noisy DDoS attacks could attract more attackers, says Terrence Gareau, principal security architect for Prolexic, a DDoS mitigation firm. A very public attack could convince other groups to attempt their own operations in the chaos, he says. “If it’s a very public attack, then there is a high probability that other opportunistic attackers could take part as well,” Gareau says. “Opportunistic criminals will say, wow they are under a DDoS attack, so lets look at the network and see what changes have been made.” Companies need to structure their response group to handle a large infrastructure attack, but not be blinded by the influx of alerts to their system. Like magicians, the goal of the attackers is to force the security staff to only pay attention to a distraction to keep them from discovering the actual trick. “You almost have to have a team that deals with the infrastructure attack, and a separate group that goes into hyper-vigilance to find any other attacks coming in,” says NSFOCUS’s Abernethy. A third-party provider, who can use intelligence from attacks on other customers to more quickly identify new attacks, can help eliminate much of the inbound attack traffic, dialing down the volume of alerts that the security team has to process. The level of alerts seen by a security team during a denial-of-service attacks can increase by an order of magnitude. Filtering them out at the edge of the Internet can greatly reduce the impact on a business’s network and employees. “If you don’t have to have all those alerts on your network, you can pay attention to what matters,” Prolexic’s Gareau says. “Using a third part mitigation provider can significantly reduce the noise.” Yet, attacks that use a variety of traffic and techniques in a short time period can cause problems for denial-of-service mitigation firms, says Lance James, head of intelligence for Vigilance, a threat information firm that is now part of Deloitte. “They are not perfect,” James says. “We still see major banks going down. But they do well against long period term DDoS attacks.” While DirtJumper, also known as Drive, is not the only botnet that is used for combined attacks, it a popular one. DirtJumper has a half dozen ways of attacking infrastructure, including flooding Web sites with GET requests and POST requests, targeting infrastructure with two types of IP floods, and using UDP packets to slow down networks. Source: http://www.darkreading.com/threat-intelligence/countering-attacks-hiding-in-denial-of-s/240161237

Continued here:
Countering Attacks Hiding In Denial-Of-Service Smokescreens

Federal DDoS Warnings Are Outdated

It’s always the same: Government cybersecurity experts learn of pending distributed denial of service attacks, especially around the anniversary of Sept. 11, and issue warning after warning after warning, as though security is something we can do on a “per-warning” basis. I really don’t understand this way of approaching security or why government agencies believe such warnings are helpful. I’m not saying we shouldn’t be warned — not at all. What I’m saying is that we shouldn’t wait for a warning before we do something about security. On Aug. 5, for instance, the FBI and the Financial Services and Information Sharing and Analysis Center issued a warning that the same groups behind the unsuccessful Operations USA and Operation Israel attacks in May were planning a new DDoS attack. Their recommendations leave me perplexed. For instance, they suggest: – Implement backup and recovery plans. Really? We’re supposed to wait for a warning on a 9/11 DDoS threat to know that we need to do this? We’re in serious trouble if that’s the case. – Scan and monitor emails for malware. Again, really? This is a recommendation? Is there truly anyone out there who still doesn’t do this? And, if there is, they deserve whatever happens to their network, I say. – Outline DDoS mitigation strategies. Finally, something a bit more relevant. I know for a fact that most companies aren’t putting much thought into DDoS defense strategy. Unfortunately, if you’re hosting a server with public access, you’ve no choice but to consider this with the utmost seriousness. Just how seriously, you ask? Well, that all depends on how much of your company’s livelihood hinges on that server. It’s an undeniable fact of our Internet life that these things will keep happening. No matter if it’s 9/11 or OpUSA or a private single hacker from Russia or China. They’ll continue to happen, and we all understand the need to be prepared. DDoS preparedness is accomplished as a strategy. It involves hardware, large bandwidth, ISP collaboration, remote redundancy and other possible strategies for defense and elusion. This isn’t anti-malware. You can’t create a signature or heuristic against DDoS. This is sheer brute force in that you win if you’re stronger, or if you’re the more elusive, so they can’t really get you. And that’s precisely why you need a strategy, and you need to plan it now. You can also purchase hardware — but make it part of a strategy. Don’t expect it to be the one and only thing you need to do to fend off a DDoS attack. Source: http://www.informationweek.com/government/security/federal-ddos-warnings-are-outdated/240161165

Read More:
Federal DDoS Warnings Are Outdated

Multiplayer games and DoS attacks

Prolexic, detailed the rampant problem of denial of service attacks within and from online gaming communities. The DDoS attacks, which can pack a powerful punch by the use of reflection and amplificat…

See the article here:
Multiplayer games and DoS attacks

C&C PHP script for staging DDoS attacks sold on underground forums

Earlier this year, US-CERT has deemed it important to release an alert about publicly accessible open recursive DNS servers that are increasingly being used in DNS amplification attacks – a very effec…

More here:
C&C PHP script for staging DDoS attacks sold on underground forums

9/11 DDoS Alert for Banks, Agencies

U.S. and Israeli government agencies and banking institutions should be on alert for a potential Sept. 11 wave of distributed-denial-of-service attacks launched by the same groups behind the unsuccessful Operation USA and Operation Israel attacks in May. That warning comes from cybersecurity experts and alerts issued by the Federal Bureau of Investigation and the Financial Services Information Sharing and Analysis Center. While OpUSA and OpIsrael, which were designed to take down websites operated by globally recognized brands and governmental agencies, were not successful, cybersecurity experts say the threat this time is genuine. The groups behind these attacks are now more organized, better equipped and trained, and more determined than they were the first time around, they say. The FBI, however, notes that the attacks are not expected to have a serious or significant impact. “It is thought that due to the fact that hackers will be relying on commercial tools to exploit known vulnerabilities, and not developing custom tools or exploits, that the skill levels are, at best rudimentary, and capable of causing only temporary disruptions of any of the targeted organizations,” the FBI alert states. Attack Alerts On Aug. 5, the FS-ISAC issued a warning to its membership about a new wave of DDoS attacks that could target U.S. banks. David Floreen, senior vice president of the Massachusetts Bankers Association , says the FBI, which issued a separate alert on Aug. 30, and the FS-ISAC asked banking associations to spread the word about the possibility of attacks. “The attacks are expected to occur in two phases,” notes the FBI alert. “Phase I will take place over a period of 10 days and target several commercial and government sites with DDoS attacks. … “Phase II is scheduled to take place on September 11, with a more widespread attack threatened, along with Web defacements.” The FBI recommends organizations: Implement data backup and recovery plans; Outline DDoS mitigation strategies; Scan and monitor e-mail attachments for malicious links or code; and Mirror and maintain images of critical systems files The FBI did not release its alert to the public, an FBI spokeswoman acknowledges. But in an effort to get the word out, the Massachusetts Bankers Association posted the FBI and FS-ISAC warnings on its site, Floreen says. The FS-ISAC alert names top-tier banks that are likely to be targeted during an upcoming attack. The list of potential attack targets includes the same 133 U.S. banking institutions named in the April 24 Anonymous post that appeared on Pastebin during the first OpUSA campaign, says financial fraud expert Al Pascual, an analyst with consultancy Javelin Strategy & Research. The FS-ISAC alert does not reference OpIsrael, but experts say OpUSA and OpIsrael are connected. Planning Attacks Gary Warner, a cyberthreat researcher at the University of Alabama at Birmingham who also works for the anti- phishing and anti- malware firm Malcovery, claims the hacktivist groups’ main focus, for now, is Israel. If attacks against Israeli targets are successful, then U.S. targets will be next, he warns. Since June, two hacktivist groups, AnonGhost and Mauritanian Attacker, have been building plans for OpIsrael Reborn, according to Warner’s research. So far, these groups have not been linked to new attacks planned for a sequel to OpUSA, Warner says. Both groups, however, were involved in OpIsrael and OpUSA, he notes. “As part of our process of watching the phishers who create counterfeit bank websites, we track where many of those criminals hang out and what sorts of things they are discussing,” he says. “We became aware of OpIsrael Reborn while reviewing posts made by criminals who have been phishing U.S. banks and Internet companies.” Announcements for the new campaign began Sept. 2. But more posts were added on Facebook and in underground forums within the last week to recruit additional attackers, he says. “AnonGhost and Mauritanian Attacker have taken the time to build a strong coalition of hackers,” Warner says. “In that June release, there were no dates, no members and no targets announced.” Since that time, attackers have honed their targets, and they claim to have already compromised several government and banking sites in Israel, he says. On Sept. 11, they plan to publish information they’ve compromised from during those attacks, Warner adds. “They claim [on YouTube ] they are going to begin publishing the internal government documents of Israel,” he says. “The video also makes reference to the recent FBI claim that they have dismantled Anonymous.” Attackers are uniting this time out of anger over those claims made by the FBI as well as recent attacks waged against Islamic businesses believed to be backed by an Israeli hacktivist group, Warner explains. So why is this wave of attacks being taken more seriously than the first OpIsrael? The sheer number of attackers, their tools and the way the hacktivist groups have been building momentum through social networking sites such as Facebook has raised serious concern, Warner says. “They’ve been gathering tools since June 9, and training attackers on how do SQL and DDoS attacks,” he says. “It’s a SANS-quality training for hackers, and they’re prepping for wiping Israel off the [online] map.” On Sept. 9, two Israeli government websites were successfully taken offline for a period of time, Warner adds. “We did not see that success in OpIsrael or OpUSA,” he says. “If they pull this thing off against Israel, they will keep hitting others,” he says. No Attack Link to Al-Qassam Experts, including Warner, say Izz ad-Din al-Qassam Cyber Fighters , the self-proclaimed hacktivist group that’s been targeting U.S. banks since September 2012, does not appear to be involved in these most recent campaigns. And although U.S. banking institutions have built up strong online defenses over the last year to mitigate cyber-threats such as DDoS attacks, other sectors are far less prepared, Javelin’s Pascual says. “The lack of success that Izz ad-Din al-Qassam achieved during the fourth round of DDoS attacks was indicative of how well fortified U.S. banks have become,” Pascual says. But Rodney Joffe , senior technologist at DDoS-mitigation provider Neustar, says security professionals should be concerned that other attackers have learned lessons from al-Qassam’s strikes. “I don’t believe there is any connection between OpUSA and AQCF [al-Qassam Cyber Fighters],” he says. “However, the reason I think it is more worrying this time is because, as I have said over and over, the underground learned a lot of groundbreaking lessons from AQCF. … And this time around, they may be more successful.” Source: http://www.bankinfosecurity.com/911-ddos-alert-for-banks-agencies-a-6054

See the article here:
9/11 DDoS Alert for Banks, Agencies

Timing is an influential risk-factor for cyber attacks

There are several dates throughout the year that are notorious for wreaking havoc on businesses via DDoS attacks, data breaches and even malware or botnet assaults. According to Radware, there ar…

Read More:
Timing is an influential risk-factor for cyber attacks

Malware culprit fingered in mysterious Tor traffic spike

Spammy botnet got sneaky Security researchers believe they have identified the botnet responsible for a recent spike in traffic on the anonymizing Tor network, but the exact purpose of the malware remains unclear.…

Visit link:
Malware culprit fingered in mysterious Tor traffic spike

Android malware spotted hitching a ride on mobile botnet

Obad boy enlists an ally for Google spam splurge Kaspersky Lab has reported the first sighting of mobile malware (Android, of course) that piggybacks on the back of a separate mobile botnet and uses the resources of other malware once it’s installed.…

Read More:
Android malware spotted hitching a ride on mobile botnet