Tag Archives: copyright

7 Security Trends to Expect in 2014

Computer systems, in many peoples’ eyes, are there to be hacked — and that means fraudsters are always working on new ways to exploit vulnerabilities. So what does 2014 have in store? Here are seven security predictions for the New Year. DDoS Attacks Get Sneaky DDoS attackers will go from simple volumetric attacks to ones which take advantage of a site’s specific performance characteristics. That’s the prediction of security researchers at Neohapsis, a security and risk management consulting company. DDoS attacks that intelligently target bottlenecks in performance, such as pages with a high server load (like database writes) or specific network bottlenecks (like login and session management), can magnify the impact over attacks which are simply volume-based and request the homepage of a site. So it’s likely that we will begin to see the spread of tools which profile specific targets. The result? DDoS attacks that have more impact, and involve less network traffic, than the ones enterprises have become accustomed to mitigating against. Insider Threats Remain Major Security Problem According to a CyberSecurity Watch survey insiders were found to be the cause in 21 percent of security breaches, and a further 21 percent may have been due to the actions of insiders. More than half of respondents to another recent survey said it’s more difficult today to detect and prevent insider attacks than it was in 2011, and 53 percent were increasing their security budgets in response to insider threats. While a significant number of breaches are caused by malicious or disgruntled employees – or former employees – many are caused by well-meaning employees who are simply trying to do their job. BYOD programs and file sharing and collaboration services like Dropbox mean that it will be harder than ever to keep corporate data under corporate control in the face of these well-meaning but irresponsible employees. Defending against insider threats requires a multi-layered use of technological controls, including system-wide use of data encryption and establishment of policies stressing prevention of data loss. Security Worries Drive Cloud Consolidation Organizations will look to buy more solutions from a single vendor and demand greater integration between solutions to automate security, according to Eric Chiu, president of HyTrust, a cloud security company. The fact that securing cloud environments is very different from securing traditional physical environments will drive greater consolidation in the market, he says. Legacy Systems Cause More Security Headaches The spate of IT failures in banks and other high profile companies highlights a simple fact: Many of them are running legacy systems which are so old and out of date that they are becoming almost impossible to maintain. That’s because there are few people with the skills and expert knowledge that would be needed to run them securely – even if they were updated to eliminate know vulnerabilities, which they frequently are not. They often aren’t updated because no-one knows what impact that would have. It’s inevitable that we’ll see hackers going after such systems, exploiting vulnerabilities that can’t easily be fixed. Encryption Will Be Revisited In the wake of revelations about the NSA, many companies are realizing that encryption many be the only thing that is protecting their data, and it may not be as strong as they imagined. What’s more, if hackers are led to believe there is a weakness in a particular system – either accidental or intentional – they will pound on it until they find it. As a result, many companies will look to improve the way they use encryption. Look for particular attention to be paid to cryptographic block modes like CBC and OFB, and authenticated modes like EAX, CCM and GCM, advise the experts at Neohapsis. In addition to the encryption methods themselves, look for insights and innovations around key management and forward security. ‘Stuxnets’ Become More Common State-sponsored malware like Stuxnet – which is widely attributed to the United States, Israel or both – has proved to be far more sophisticated and effective than anything that a couple of hackers can develop. Expect more of this type of malware from the likes of China, Russia, Iran, India, Brazil and Pakistan. It’s probably already out there, even if it hasn’t yet been detected. 2014 could be the year that its prevalence becomes apparent. Bitcoin Drives New Malware The Bitcoin virtual currency is growing in popularity with legitimate businesses, and that’s likely to continue. That’s because Bitcoin payments offer significant attractions: They are quick and cheap, and there is no possibility of a chargeback. But Bitcoin wallets make attractive targets for criminals, because stolen coins can be cashed out instantly, without a middleman or launderer taking a cut. And many Bitcoin users are relatively unsophisticated, protecting their wallets with very little security. So expect Trojans and other malware that specifically look for and target Bitcoin stashes, as well as ransomware that demands Bitcoins in return for decrypting data. Source: http://www.esecurityplanet.com/network-security/7-security-trends-to-expect-in-2014.html

View article:
7 Security Trends to Expect in 2014

DDoS attacks lead to 18 percent of data center outages

Maintaining top-of-the-line server performance is a delicate balancing act between power consumption, user accessibility and a variety of other factors both physical and abstract that can affect how well employees do their jobs or how quickly and effectively IT-related tasks are accomplished. Yet in many cases, even the most stringent attempts to keep the data center operating without issue can run afoul due to external forces. In the past, distributed-denial-of-service (DDoS) attacks were a small fraction of the reasons that businesses experienced outages in their IT infrastructure. However, recent findings from the Ponemon Institute reveal that they now account for 18 percent of these problems. This is up from only 2 percent in 2010, when Ponemon last studied the phenomenon. Data centers get caught in the cross-fire Often enough, these attacks are not even targeting data centers, 451 Research analyst Eric Hanselman told Network Computing. Rather, hackers are attempting to shut down the applications hosted in the IT infrastructure, and the servers become collateral damage in the process. Furthermore, due to the heightened sophistication of DDoS attacks, which are now both faster and more effective due to the amount of traffic that can be generated, these assaults are even harder to stop or recover from than ever. “It appears that these attacks are much more frequent and more difficult to contain than other root causes of data center outages,” Larry Ponemon, founder of the privacy and security think tank that bears his name, said in an email interview with Network Computing. Preventative measures begin with server monitoring Due to the problems associated with these attacks, decision-makers should try and stop them as early as possible. Noticing suspicious activity before it causes an outage can help immensely, but that requires businesses to implement server monitoring tools that can notice suspicious activity such as an uptick in traffic. “The most surprising factor was the lack of readiness or preparedness of companies,” Ponemon told Network Computing. “In general, we found several companies completely unprepared to deal with this type of outage event.” The high cost of a DDoS-based outage Those companies that fail to prevent or ready themselves for a DDoS-based outage may find themselves paying $822,000 on average to deal with the problem, second only to the average cost of outages caused by equipment failure ($959,000), according to Network Computing. This is more than double the expense of dealing with problems originating with human error, which typically only amount to $380,000. These costs relate to lost work time, reduced revenue and the repairs themselves, though overall business disruption amounts to 80 percent of the expenses. While an outage may not be quite as expensive to a smaller business, one could cause relatively similar amounts of damage, and all companies should be ready to quickly get back on their feet after these types of incidents. “The cost of unplanned downtime – whether it is the entire data center or one rack of servers – can be a huge unplanned cost for most organizations,” Ponemon told Network Computing. While Ponemon noted that businesses should expect a data center outage at some point, companies should still strive to minimize the possibility of a breach or attack. Putting in the proper safeguards and having a robust disaster recovery plan in place can reduce the amount of time that servers spend out of service. By implementing the right tools to notice and stop suspicious activity that may be the result of a DDoS attack, decision-makers may also potentially prevent about one-fifth of possible outage causes. Source: http://copperegg.com/ddos-attacks-lead-to-18-percent-of-data-center-outages/

See the article here:
DDoS attacks lead to 18 percent of data center outages

The Year DDoS Got Real for CUs

Before 2013, Distributed Denial of Service attacks seemed to many credit union executives as something the other guys worried about. The prevailing attitude was: We’re not on anyone’s radar. We aren’t on anyone’s enemies list. Why worry? Then came January 2013 when the $1.6 billion University Federal Credit Union in Austin, Texas, and Patelco, the $4 billion Pleasanton, Calif. credit union, both acknowledged they had been knocked offline for some hours. Many big banks were taken down at the same time, in attacks claimed by al Qassam Cyberfighters, an organization that many allege is sponsored by the Iranian government. A month later, in February, both institutions were taken down another time, again in attacks claimed by al Qassam. Many banks also fell victim a second time. There were also dud DDoS attacks, such as a much-ballyhooed May 7 attack – which saw institutions fearfully running for cover from an attack said to be planned by OpUsa, a hacktivist group affiliated with Anonymous – but it amounted to nothing. As the year progressed, there were more reports of DDoS used as a diversionary tactic by criminals who sought to distract financial institution security staff with website attacks as they busied themselves perpetrating high-value wire thefts. There have been no such cases publicly linked to credit unions, but there are multiple cases linked to banks. How many credit unions have been taken down by DDoS? That number is unknown. Patelco and University were named in Internet postings by al Qassam, thus their attacks became public knowledge. The NCUA, for its part, requires credit unions that have been “significantly affected by DDoS” to notify the NCUA or their state regulators. When asked in October for the number of credit unions that had filed reports, the agency shared data showing two outages. But the regulator did not indicate that it believed that tally to be complete. CUNA Mutual, at the same time, indicated it had no count whatsoever of DDoS outages. No one really knows how many credit unions were attacked by DDoS in the year but one fact did seem to emerge. “DDoS has become a perennial, it is here to stay in the threats universe,” said Charles Burckmyer, president of Sage Data Security, a firm that claims several hundred financial institutions as clients. Just what is DDoS? The question is good, because the answer is tough to give. That’s because the format of DDoS shifted dramatically in 2013, said Rodney Joffe, senior technologist at Neustar, an Internet analytics company that also offers DDoS mitigation services. Early in the year, Joffe recalled, DDoS sought to wipe out victim websites by targeting them with huge volumes of traffic – generally assembled using resources stolen from zombie computer botnets where the machine owners have no clue their devices are digital slaves to criminals. So those targets – such as Patelco and UFCU – went down because they were overwhelmed. But DDoS attacks and mitigation strategies continually evolve, said Joffe. When one side jigs, the other responds. That showed up as many financial institutions signed up with third-party mitigation companies to provide emergency “pipe” – Internet bandwidth – to be able to deflect volume-based attacks. So the attackers switched to hitting victims with an avalanche of requests for services that had the effect of using the target computers to in effect tire themselves, noted Stephen Gates, chief security evangelist of Corero Network Security. A classic, for instance, is hitting a financial institution website with many requests for a password reset, probably for non-existent members, but the institution’s computer still is forced to go through so many motions it may become unavailable to genuine users. Pierluigi Stella, chief technology officer at security company Network Box USA, elaborated: “The (DDoS criminal’s) query is usually less than 100 bytes; the reply can be tens of thousands; so the hacker gets an amplification factor of 100. For each packet of 100 bytes the hacker sends out, you get hit by 10,000 bytes.” Multiply that by maybe several hundred queries per second and it is easy to see why this attack has proven so successful in 2013, suggested Stella. The cure, said experts, is to deploy tools that in effect scrub all data as it comes into the system. Bad data is sidelined, authentic data is passed through, and while that is easier to prescribe than it is to implement in practice, experts agreed that DDoS mitigation companies took large strides in 2013 towards building tools that in fact scrubbed incoming data with high success rates. The bad news: Nobody thinks today’s DDoS format will be tomorrow’s, and no one knows what criminals will unleash in the months ahead. Maybe the jackpot question is, how well protected are credit unions when it comes to fending off DDoS, especially as it morphs into different formats? Have they invested in state-of-the-art protections? Not very many have made those investments, said multiple experts contacted by Credit Union Times. Few credit unions will discuss their DDoS defenses on the record but off the record some have indicated that their defenses are thin. Many hope that their vendors – for Internet banking or their Internet service provider – have adequate protections in place to keep the credit union itself also protected. DDoS will remain part of the threats landscape, said multiple experts, mainly because it is effective, it is inexpensive, and it is increasingly easy to deploy. As long as it gets results, criminals will continue to use it, said Joffe. Nonetheless, he flatly predicted that we will not see more of the al Qassam-style, high-profile attacks that won headlines early in 2013. “Those attacks were politically motivated but they accomplished nothing,” said Joffe. Other experts agreed, pointing to changes in Iranian politics and a recent thawing in relationships with the United States. The upshot is that the al Qassam attacks may in fact be history, meaning there may not be more days when several dozen financial institutions are taken offline in a brazen show of Internet power. “But we will see more DDoS because it works,” said Joffe, and he specifically predicted more use of it as a diversion because if a security staff can be distracted for a half-day, that may be ample time for a wire transfer to move money out of the United States and through several hops into a destination country where funds are unlikely to be returned. Gartner analyst Avivah Litan – one of the experts who first reported the use of DDoS as a diversion – noted in an interview that good policy would be to “slow” wire transfers at times when the institution found itself under a DDoS attack. Her opinion is that simply slowing down transaction speed might sharply reduce losses. At least until the criminals figure out a new strategy – and that is a big takeaway from the 2013 DDoS saga. “This is an arms race that is no different from any other arm’s race,” said Joffe. “As we add defenses, the criminals alter their attacks and so it goes on.” The good guys win, said Joffe, by making it expensive for the criminals, such as disrupting their botnet zombie networks. “If we can make it more expensive for them than the rewards they get from their DDoS, we win,” said Joffe. “This will be survival of the fittest,” he warned. Source: http://www.cutimes.com/2013/12/18/the-year-ddos-got-real-for-cus?ref=hp

More:
The Year DDoS Got Real for CUs

Companies still ignore DDoS attacks

Just days after NatWest Bank suffered a debilitating DDoS attack, a new survey has revealed that most businesses are still unprepared for this kind of threat. Some companies are unprepared for DDoS attacks Just days after NatWest Bank suffered a debilitating DDoS attack, a new survey has revealed that most businesses are still unprepared for this kind of threat. More than half the respondents to a survey by Corero lack adequate distributed denial-of-service (DDoS) defence technology. The study also reveals a lack of DDoS defence planning on multiple levels: nearly half of businesses have no formal DDoS response plan, 54 percent have outdated or non-existent network maps, and around one in three lack any clear idea of their normal network traffic volume. Furthermore, the survey slates businesses for under-investing in their security infrastructures, with around 40 percent of respondents still relying on firewalls, while nearly 60 percent do not test their DDoS defences regularly with network and application-layer tests. However, experts warn that DDos attacks are escalating and say that they can cause not only business disruption but also loss of IP, significant brand damage and a loss of customer confidence. Mike Loginov, CEO and CISO at independent security consultancy Ascot Barclay Group, told SCMagazineUK.com that figures from his firm and others show sharply rising numbers of successful DDoS attacks, adding: “These attacks are not necessarily undertaken by the perpetrator with financial gain in mind. However, they still leave the targeted business suffering costly damage repairs, loss of business and an undermining of the organisation’s capability to defend itself. Many attacks go unreported for fear of brand damage.” Andrew Miller, CFO and COO at Corero, which carried out the latest survey, agreed the threat is growing but stressed that companies are still not doing enough to protect themselves. “These denial-of-service-attacks (DDoS) are increasing and becoming more complex, but we’re still not seeing companies increasing their vigilance, investment and planning,” he told SCMagazineUK.com. “Across the board companies really need a combination of infrastructure investment, but more importantly putting in place plans to be able to detect what’s traversing companies’ networks.” Loginov agreed: “Generally speaking, IT departments, as the report suggests, are just not geared up to defend organisations against what cyber security professionals these days consider rudimentary attacks.” Miller said companies need “hybrid DDoS and cloud protection” but added that currently only “a small percentage” of companies have these defences in place. “What we’re seeing the more proactive customers doing is deploying a combination of both on-premises technology to provide 24/7 protection from denial of service attacks, as well as cloud protection services to deal with the high-volume ‘fill the pipe’ network-layer DDoS attacks – a combination of solutions rather than a single solution.” These warnings come just days after NatWest Bank was hit by a DDoS attack that left customers unable to access their accounts online. The 6 December attack disrupted NatWest’s website for about an hour and briefly hit the websites of the other banks in the RBS Group – RBS and Ulster Bank. The attack was focused on disruption rather than accessing account details. But Miller said organisations need to “understand it’s not just inconvenience, we’re talking about some loss of IPR. In the case of RBS, it’s obviously a significant issue from a brand and customer satisfaction perspective”. Miller added: “Denial of service attacks are often used as a smokescreen, a way of initially gaining entry into IT systems through a brute force-type attack, then following on from that the more sophisticated attacks which are aimed either at stealing customer information or intellectual property. We’re seeing banks in the US we’re talking to subject to these types of attacks on a daily basis.” In a statement to journalists, Jag Bains, CTO of DOSarrest Internet Security , said: “The transparency shown by RBS in admitting that they failed to invest properly in their IT systems is a common refrain amongst many enterprises, large and small. While each organisation may have multiple reasons for failing to invest, they all share the same notion that they won’t be a target until they get attacked. “With DDoS tools becoming more advanced and pervasive, all IT operations should work under the premise that they will be attacked and plan accordingly. Every stack and layer within their purview should be reviewed and they should identify cost-effective cloud solutions for their DDoS which provides much better performance and mitigation than expensive hardware.” The DDoS attacks on RBS came in the same week as an unrelated major IT failure, which hit the Group’s online and mobile banking, ATMs and debit card payments. As SCMagazineUK.com reported, RBS, NatWest and Ulster Bank customers were unable to use their cards to draw cash or pay for goods or services. RBS CEO Ross McEwan branded the outage as “unacceptable” and blamed decades of failure to invest adequately in new technology. Source: http://www.scmagazineuk.com/companies-still-ignore-ddos-attacks/article/324844/

View article:
Companies still ignore DDoS attacks

$183,000 fine for man who joined Anonymous attack for ‘one minute’

Authorities in the US have shown their intolerance for so-called ‘hacktivism’ by sentencing a 38-year-old Wisconsin man to two years’ probation and an $183,000 fine for joined an online attack for just a single minute. Eric J. Rosol participated in a Distributed Denial of Service attack (DDoS) against the website for American multinational Koch Industries. DDoS attacks ‘take down’ websites by repeatedly loading them using automatic software. The attack was organised by the hacker group Anonymous and succeed in taking the website offline for only 15 minutes. Rosol pleaded guilty to one misdemeanour count of accessing a protect computer, and although both parties agree that the direct loss to Koch Industries (the second largest privately owned company in the US) was less than $5,000, because the corporation had hired a consulting group to protect its web territory for fees of $183,000 – this was the sum that Rosol must now pay. Koch Industries works in a number of industries including petroleum and manufacturing and reported revenues of $115 billion in 2013. The company is controlled by brothers Charles and David Koch (the world’s sixth and seventh richest men) who inherited it from their deceased father Fred C. Koch, the company’s founder. Koch Industries is often the subject of controversy in the US for its financial support of right-wing Tea Party and its opposition to the green energy industry. The brothers have also donated more than $120m to groups working to discredit climage change science. The DDoS attack which Rosol took part in was organized in opposition to Koch Industries’ reported weakening of trade unions. Source: http://www.independent.co.uk/life-style/gadgets-and-tech/183000-fine-for-man-who-joined-anonymous-attack-for-one-minute-8995609.html

View the original here:
$183,000 fine for man who joined Anonymous attack for ‘one minute’

Introducing the DDDoSA: Disguised DDoS Attack

The Distributed Denial of Service (DDoS) attack is becoming the crowbar of the online criminal. In the past we have got rather used to DDoS attacks being one of the favoured approaches of hacktivists, with perhaps the Low Orbit Ion Cannon (LOIC) and later the High Orbit Ion Cannon (HOIC) as used by Anonymous to take down sites being the best known examples. However, recent evidence suggests that taking down a site is increasingly no longer the be all and end all of a DDoS attack, instead it’s just a means to a much more profitable end. A couple of weeks ago I reported how a Bitcoin bank robbery took place under the smokescreen of a DDoS attack. I’ve now learned that a DDoS attack on another Bitcoin-related site, the Bitcointalk.org online forum, could also have been implemented as a smokescreen tactic. Information Week reports the site was actually targeted for a password-stealing exercise with some 176,584 users login credentials at risk. Indeed, as TK Keanini (CTO at Lancope) points out there is an established marketplace out there selling the DDoS capability to anyone with the cash, and relatively little of it is needed to attack a smaller company, so the bad guys don’t even need a DDoS strike capability as a core competency any more. “It is almost always the case these days that DDoS attacks leverage blended methods, where the volumetric technique is included, but not the primary objective” Keanini says, adding “this is a sign of what is to come in 2014 as more adversaries just put together a multi faceted compostable attack and instead of having to have all this expertise in-house, they will be able to outsource via these marketplaces that sell these capabilities.” Jag Bains, CTO at DDoS mitigation experts DOSarrest says that his company has been seeing DDoS attacks sending huge amounts of traffic to a website to overwhelm key points in its infrastructure to send the security team scrambling to fight it off as something of a trend. “This serves as a distraction for the security personnel and aims to weaken the underlying infrastructure” Bains explains “once the security operations are no longer cohesive, criminals can use other methods to target intrusion prevention systems to get in and steal information”. All of which just goes to reinforce that maintaining the focus of core operations during a DDoS attack is an ever increasing problem for IT operations. “As DDoS continues to be used as part of a 1-2 punch in cybercrime and data theft attempts” Bains concludes “IT professionals have become stressed in keeping up with the ever increasing size and sophistication of DDoS attacks”. All of which can influence an organisation to resort to what you might call non-standard, or panicked, practices to deal with the ongoing attack. Things such as disabling their IDS platform for example. Things that further compromise the overall security of the network and enable the attackers to pull off the primary attack with ease.

More:
Introducing the DDDoSA: Disguised DDoS Attack

RBS hit by DDoS attack that takes down online services again

UK BANKING GROUP Royal Bank of Scotland (RBS) has been hit by a distributed denial of service (DDoS) attack that took down its online services for the second time this week. Earlier this week, RBS irked customers when an IT systems failure shut down its websites and caused its customers’ bank cards to fail. On Friday it admitted that it has been struck by a DDoS attack affecting its online services once again. RBS took to Twitter to reveal news of the DDoS attack. It said, “Due to a surge in internet traffic directed at the Natwest website, customers experienced difficulties accessing some of our sites today. “This deliberate surge of traffic is known as a distributed denial of service (DDoS) attack. We have taken action to restore affected sites. “At no time was there any risk to customers. We apologise for the inconvenience caused.” RBS has yet to comment further, so it’s still unclear which websites were downed in the attack, although the tweet suggested that the RBS, Natwest and Ulster Bank websites were all affected. It is also still unclear who was responsible for the DDoS attack. However, it seems that the problems have not reached as far as those experienced by RBS customers earlier this week, when an IT systems failure struck the entire banking group. Speaking about the system failure on Monday evening, RBS CEO Ross McEwan said on Tuesday, “Last night’s systems failure was unacceptable. Yesterday was a busy shopping day and far too many of our customers were let down, unable to make purchases and withdraw cash. “For decades, RBS failed to invest properly in its systems. We need to put our customers’ needs at the centre of all we do. It will take time, but we are investing heavily in building IT systems our customers can rely on. “I’m sorry for the inconvenience we caused our customers. We know we have to do better. I will be outlining plans in the New Year for making RBS the bank that our customers and the UK need it to be. This will include an outline of where we intend to invest for the future.” Source: http://www.theinquirer.net/inquirer/news/2317692/rbs-hit-by-ddos-attack-that-takes-down-online-services-again

View article:
RBS hit by DDoS attack that takes down online services again

Microsoft teams up with Feds, Interpol in ZeroAccess botnet zombie hunt

Just don’t bork our crim-busting honeypots again Microsoft has teamed up with the FBI to launch a renewed attempt to disrupt the operations of the infamous ZeroAccess botnet.…

View original post here:
Microsoft teams up with Feds, Interpol in ZeroAccess botnet zombie hunt