Monthly Archives: February 2014

Crap hospital databases next goldmine for cyber-crooks, say Microsoft’s botnet slayers

Your medical files are worth big bucks to fraudsters RSA 2014   The low levels of security in healthcare IT systems, and the high value of its data, is going to make the sector the next big target for scammers, according to the Microsoft-backed team that takes down botnets.…

Read this article:
Crap hospital databases next goldmine for cyber-crooks, say Microsoft’s botnet slayers

The rise of UDP-based DDoS attacks

The DDoS war is ramping up with the use of network time protocol (NTP) amplification to paralyse, not just individual organisation’s networks, but potentially large proportions of general internet traffic. The largest ever DDoS attack to date with a DNS amplification hit the anti-spam company, Spamhaus last year. This attack reached 300 Gbps, taking Spamhaus offline and also affecting the DDoS mitigation firm, CloudFare. With the volume of traffic that was going through peering exchanges and transit providers, the attack also slowed down internet traffic for everyone else. However, in the last couple of months these UDP amplification attacks seem to have moved on to NTP, taking advantage of an exploit available in older, unpatched NTP systems. These servers are usually used for time synchronisation and utilise the UDP protocol on port 123. Like DNS, they will respond to commands issued by any client to query certain information, unless they are properly secured. These attack styles are not new, but their historically infrequent usage and the potential for mass disruption means they warrant more attention. Coverage of these attack styles in both industry and mainstream press is to be welcomed in my opinion, because these attacks are relatively defensible and coverage will hopefully get more administrators to secure or patch their NTP servers. What is all the fuss about? DNS amplification attacks ramp up the power of a botnet when targeting a victim. The basic technique of a DNS amplification attack is to spoof the IP address of the intended target and send a request for large DNS zone files to any number of open recursive DNS servers. The DNS server then responds to the request, sending the large DNS zone answer to the attack target rather than the attacker, because the source IP was spoofed. The DNS amplification attack on Spamhaus saw request data (the data the attacker sent to the DNS servers) of roughly 36 bytes in length, while the response data (the data from the DNS server to the attack target) was around 3000 bytes, meaning the attackers increased the bandwidth used by 100x. Not only is that a large increase in attack bandwidth, but these packets from the DNS servers arrive at the target in a fragmented state due to their large size and have to be reassembled, which ties up the routing resources as well. NTP amplification attacks work by spoofing the IP of the attack target and sending a ’monlist’ command request to the NTP servers. This command will return the IP addresses of the last 600 clients that have used the NTP server to synchronise time. By issuing this command a small request packet can trigger much larger UDP response packets containing active IP addresses and other data. The volume of the response data is related to the number of clients that communicate with any particular NTP server. This means that a single request which consists of a single 64-byte UDP packet can be increased to 100 responses each, which contain the last 600 client IP addresses that have synchronised with the server. Each of those 100 responses will be a UDP packet of around 482 bytes which gives the attacker a bandwidth amplification of around 700x [482 bytes x 100 responses = 48200 bytes / 64 bytes = 753.125]. With this level of amplification available and several popular DDoS attack tools already including a module for abusing ’monlist’ we could be on for a new record in DDoS attack size this year unless the vulnerabilities are patched soon. For example, if DNS amplification created a 300 Gbps, then NTP amplification means we could potentially see a 2.1 Tbps (21,000 Gbps) attack. There is no network that could absorb an attack of that size; it would have an enormous knock-on effect on general Internet traffic as the Spamhaus attack did with peering points, transit providers and content delivery networks being overloaded. This isn’t to say that DNS and NTP are the only amplification attack methods. There are other amplification and reflection-style tactics as well and, while not as popular as more tried-and-true DDoS methods, they represent a real threat if you are not prepared for them. Fixing the problem The easiest way to fix this and remove your NTP servers from being an attack vector for a DDoS is to update your NTP servers to version 4.2.7 which removes the ‘monlist’ command. Otherwise you can disable query within your NTP server via a configuration change: nano /etc/ntp.conf [Your configuration file might be located elsewhere] #Restrict general access to this device Restrict default ignore Restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap Noquery This change will prevent your NTP server from being used to launch DDoS attacks against other networks, but an update to the latest version is still recommended. Conclusion DDoS attacks have been around in one form or another since the very beginnings of the internet, but the motivations, as well as the scale of these attacks seem to have grown significantly. In the early days it was just extortion; a hacker would ask for payment to stop the attacks. Nowadays, some businesses may pay for competitors to be attacked, as a few hours offline could be worth millions. You also have DDoS being used as a method of political activism by groups such as Anonymous, as well as the potential for a government to use DDoS to disrupt another country’s infrastructure. Systems administrators need to ensure their systems are reviewed regularly for patches and known vulnerabilities. If systems are left unpatched then at best you can be used as a vector to attack another network or organisation, but at worst those vulnerabilities could be exploited to take your systems offline or steal your data. Source: http://blogs.techworld.com/industry-insight/2014/02/the-rise-of-udp-based-ddos-attacks/index.htm

Read more here:
The rise of UDP-based DDoS attacks

Cyber attacks ready to lay siege to 2014 World Cup

Brazilian hackers have issued threats to disrupt this summer’s FIFA World Cup and there are worries that the telecommunications infrastructure won’t be able to cope with the attacks. Reuters spoke to hacking groups headquartered in Brazil that are planning to attack the event due to the global exposure it will give them and they are confident of bringing down some of the largest sites involved with the tournament. “We are already making plans,” said an alleged hacker who goes by the name Eduarda Dioratto. “I don’t think there is much they can do to stop us.” Distributed denial of service [DDoS] attacks are reportedly the weapon of choice for Brazil’s hackers to target sites operated by FIFA and the Brazilian government as well as other sponsors and organisers.   “The attacks will be directed against official websites and those of companies sponsoring the Cup,” a hacker known as Che Commodore told Reuters over Skype.Some of the problems that could be exploited include overstrained networks, widespread use of pirated programming and little care taken to invest in online security. The same report also states that one of the “world’s most sophisticated cyber criminal communities” already operates in the country and it has already started to scupper ticket sales through phishing. “It’s not a question of whether the Cup will be targeted, but when,” said William Beer, a cybersecurity expert with the consultancy firm Alvarez & Marsal. “So resilience and response become extremely important.” FIFA has yet to comment on the issue and the country itself is confident that it is at least some way prepared for any attacks that are launched. “It would be reckless for any nation to say it’s 100 percent prepared for a threat,” said General José Carlos dos Santos, the head of the cyber command for Brazil’s army. “But Brazil is prepared to respond to the most likely cyber threats.” During the Confederations Cup 2013, the traditional dress rehearsal for the World Cup, the cyber command stopped over 300 cyber attacks and dos Santos added that the number will be “much higher” during the tournament proper. Source: http://www.itproportal.com/2014/02/26/cyber-attacks-ready-to-lay-siege-to-2014-world-cup/#ixzz2uZ9neK9Q

Read More:
Cyber attacks ready to lay siege to 2014 World Cup

Bitly faces complete shutdown of services due to DDoS attack

Online URL shortening services provided by Bitly are down due to a DDoS attack and engineers were trying to solve the issues at the time of publishing Online URL shortening service provided by Bitly was under a major DDoS (distributed denial-of-service attack) on Wednesday. The website states the problem on a banner on their site and a tweet was put out by the company that its services would be restored eventually. Bitly’s internal team of engineers are working on fixing the problem. We are currently working to mitigate a DDoS attack. Some of our site may be unavailable, but we’re working to restore full functionality. — Bitly (@Bitly) February 26, 2014 Services to the links was resumed a little later, however damage from the attack was still being worked on at the time of publishing this article. Bitly, informs on their website, “All links are working after mitigating an earlier DDOS attack. Some link metrics may still be delayed.” Update: All links are working after mitigating an earlier DDOS attack. Some link metrics may still be delayed. — Bitly (@Bitly) February 26, 2014   What is DDoS attack?  – Distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. – Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. – As clarification, DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots. – DoS (Denial of Service) attacks are sent by one person or system.   The company Bitly, Inc. was established in 2008 and is privately held and based in New York City. Bitly shortens more than one billion links per month, for use in social networking, SMS, and email services and is relied for accuracy and reliability. No doubt, this caused some what of a furor online with people even going so far as to refer to this attack as the ‘death of the internet’. #bitly is down. The internet is dying — iwyg (@_iwyg_) February 26, 2014 Why are so many #Bitly links failing to open today?? What’s up @hootsuite ?? — Slaweezy (@Slaweezy) February 26, 2014 On no #bitly is down and I haven’t had my fix of web based stats yet for the day #marketingbreakdown — Steve Scheja-Terry (@Von_Steve) February 26, 2014 The web is collapsing! #bitly is down! — Ben R. Hodges (@BenHodgesH2O) February 26, 2014

View article:
Bitly faces complete shutdown of services due to DDoS attack

Theresa May Home Office website DDoS attack: Man charged

A man is being charged with attacking websites belonging to the Home Office and the Home Secretary Theresa May. Mark Lynden Johnson, 43, from Stoke-on-Trent, is being charged with encouraging or assisting an offence under the Computer Misuse Act. He is due to appear at Birmingham Magistrates’ Court on 12 March. Both websites were taken offline during attacks between 15 and 18 June 2012, the Crown Prosecution Service (CPS) said. The websites were subjected to a Distributed Denial Of Service attack, also known as a DDoS attack, which prevented visitors accessing them, a CPS spokesperson said. A DDoS attack floods a webserver with so many requests that it can no longer respond to legitimate users. Source: http://www.bbc.co.uk/news/uk-england-stoke-staffordshire-26341874

Continue reading here:
Theresa May Home Office website DDoS attack: Man charged

Pony up: Botnet succesfully targets Bitcoin

Password-lifting network converted to cryptocoin-thievery Another $US200,000-plus worth of Bitcoins has been lifted, according to Trustwave, which has identified a new Pony botnet targeting crypto-currencies.…

See the original article here:
Pony up: Botnet succesfully targets Bitcoin

Apple Daily in Hong Kong and Taiwan hit by DDoS attack

Apple Daily said its websites for both Hong Kong and Taiwan were hit by DDoS attacks on Saturday. IP addresses reveal that attacks originated from China, Russia, and France, according to Michael Yung, CIO of Next Media, the parent company of Apple Daily. Starting 1pm on Saturday, traffic to the Next Media website became increasingly huge that access to Apple Daily and other contents of the firm was significantly slow, Yung said, adding that audiences could only view text content via the newspaper’s mobile app. The firm’s website was restored at 6pm after several hours of fixing, Next Media said. According to Yung, small-scale attacks to the Next Media website are frequent but much more severe ones come before the June 4 commemoration and July 1 protest every year. Next Media said the attack is an act of harming freedom of press and but that won’t stop the organization from defending it. While Anonymous reportedly confirms that the attack came from the mainland Chinese government, Next Media said the identity of the attacker remains unknown at the moment because IP addresses identified could be fake. There’s also speculation that the attack’s related to Sunday’s “Free Speech, Free Hong Kong” protest organized by the Hong Kong Journalists Association. The protest is a response to recent moves that are seen as compromising editorial independence and freedom of speech. Of late, Commercial Radio fired its outspoken host Li Wei Ling while Chinese-language newspaper Ming Pao replaced its existing chief editor with a Malaysian journalist who’s not known to the local community and media industry. Source: http://news.idg.no/cw/art.cfm?id=F7551BB6-DF9A-6D69-EBD70AD566B9147F

Continued here:
Apple Daily in Hong Kong and Taiwan hit by DDoS attack

Next generation anti-DDoS appliances from Huawei

Huawei announced the launch of its next-generation anti-DDoS solution at RSA Conference 2014. Huawei's AntiDDoS8000 Series offers industry leading security capabilities, including 1Tbps performanc…

Continue Reading:
Next generation anti-DDoS appliances from Huawei

Cyber attacks: preventing disruption to your website

 One of the largest ever cyber attacks took place this month and it has been cited that it was the shape of things to come.  But it is not all doom and gloom – there is plenty that businesses can do to prepare for the future. Start by thinking about the impact of your website being down for a day to three days and how it would affect current and prospective clients and the reputation of your brand.  Google  is usually the first port of call when checking out products and services, so chances are high that any disruption to your web experience won’t be favourably looked upon by prospects. Cyber criminals will often inject malware into legitimate websites with the goal of getting innocent users to click on it, which will automatically trigger a download and can lead to all sorts of problems for the user.  As the website owner, you may be completely unaware, but this is something that Google is cracking down on. If a website is spotted hosting malicious links, Google can blacklist it, meaning it will not show up in searches and it will temporarily remove it from the Google index, which badly affects SEO.  Browsers, such as Chrome, Firefox etc will also flag insecure or risky websites and that may scare away potential customers.  It may take weeks of effort to get removed from blacklists and re-indexed. If this wasn’t bad enough, the risk is actually two-fold.  There are some would-be attackers that will threaten to hold your website to ransom.  In this case, they will identify the holes in your website and blackmail you into paying them in order for them not to get your website blacklisted. The best way to avoid getting blacklisted, or indeed blackmailed, is to have the website checked for malware and other infections.  And it is also highly recommended to have your website scanned for known vulnerabilities. This will ensure that there are no “holes” that attackers can exploit to install malware or create watering holes for unsuspecting customers. Another issue to avoid falling victim to is a DDoS attack.  DDoS attacks bombard a website with so many external communication requests that it floods the system and overloads the server to such a point that it can no longer function, leaving the website paralysed and unable to transact business. Attacks of this nature are on the rise and it’s fair to predict that this year will be no exception to this trend.  The best start is to have a plan in place- whether it is a hardware solution  that takes days to install and requires a higher up-front cost; or a provider who offers DDoS protection services that can be up and running in as little as a few hours for a monthly cost. In addition, it’s worth noting that some good DDoS protection services will offer a caching component that will allow bursts of legitimate traffic to your website without negatively impacting on the server.  Because it will automatically balance the load coming in, it keeps the website available to handle large amounts of requests with no disruption to your user base. So, make sure you do your research when choosing the best option for your website. Bear in mind that, while you can get a protection service in an emergency situation, as with so many things, the best offense is a good defence, so businesses should make sure that they have a proactive DDoS solution in place to avoid disruption to your web presence. Top tips: 1) Run malware detection and anti-virus on your website to spot and clear any existing infections 2) Enlist the services of a vulnerability scanner to identify and fix any exploits in your website 3) Have proactive DDoS protection in place; either in the form of hardware or a managed service 4) Have load balancing in place to ensure your website can handle increases in transactions Source: http://www.itproportal.com/2014/02/21/cyber-attacks-preventing-disruption-your-website/

Read More:
Cyber attacks: preventing disruption to your website

Namecheap's DNS server hit with a "new type" of DDoS

Popular domain registrar and web hosting service Namecheap has been having trouble with an unexpected DDoS attack targeting 300 or so domains on two of their their DNS nameservers. “The sheer siz…

See more here:
Namecheap's DNS server hit with a "new type" of DDoS