20-year-old Herts man slapped with two years’ stripey suntan time A Hertfordshire man has been jailed for two years after netting nearly £400,000 from the malware he wrote as a 15-year-old student.…
See more here:
Brit behind Titanium Stresser DDoS malware sent to chokey
Keeping your data secure is more important than ever, but it seems like there’s a new wide-scale data breach every other week. In this article, David Mytton discusses what developers can do to prepare for what’s fast becoming inevitable. Cyber security isn’t something that can be ignored anymore or treated as a luxury concern: recent cyber attacks in the UK have shown that no one is immune. The stats are worrying – in 2016, two thirds of large businesses had a cyber attack or breach, according to Government research. Accenture paints a bleaker picture suggesting that two thirds of companies globally face these attacks weekly, or even daily. According to the Government’s 2016 cyber security breaches survey, only a third of firms have cyber security policies in place and only 10% have an emergency plan. Given management isn’t handling the threat proactively, developers and operations specialists are increasingly having to take the initiative on matters of cybersecurity. This article covers some essential priorities developers should be aware of if they want their company to be prepared for attack. Know your plan There’s no predicting when a cyber attack might come, whether it be in the form of a DDoS, a virus, malware or phishing. It’s therefore important to be constantly vigilant, and prepared for incidents when they do occur. Senior leadership in your company should be proactive when laying out a plan in the event of an attack or other breach, however this might not always be the case. No matter what your position is within your company, there are preemptive actions you can take on a regular basis to ensure that you’re adequately prepared. If you’re in an Ops team, make sure you’re encouraging your team to test your backups regularly. There’s little use having backups if you’re unable to actually restore from them, as GitLab learned to their detriment earlier in the year. Use simulations and practice runs to ensure that everyone on your team knows what they’re doing, and have a checklist in place for yourself and your colleagues to make sure that nothing gets missed. For example, a DDoS attack may begin with a monitoring alert to let you know your application is slow. Your checklist would start with the initial diagnostics to pinpoint the cause, but as soon as you discover it is a DDoS attack then the security response plan should take over. If you happen to be on-call, make sure you’ve got all the tools you need to act promptly to handle the issue. This might involve letting your more senior colleagues know about the issue, as well as requesting appropriate assistance from your security vendors. Communication is always one of the deciding factors in whether a crisis can be contained effectively. As a developer or operations specialist, it’s important to be vocal with your managers about any lack of clarity in your plan, and ensure that there are clear lines of communication and responsibility so that, when the worst does occur, you and your colleagues feel clear to jump into action quickly. Remember your limits It might sound obvious, but it’s worth remembering: in a cyber attack or catastrophic incident, there is only so much you yourself can do. Too many developers and operations staff fall prey to a culture of being ‘superheroes’, encouraged (often through beer and pizza) to stay as late as they can and work as long as possible on fixes to particular issues. The truth is, humans make mistakes. Amazon’s recent AWS S3 outage is a good example: swathes of the internet were taken offline due to one typo. If you’re on-call while a cyber attack occurs there’s no denying you’re likely to work long hours at odd times of the day, and this can put a real strain on you, both mentally and physically. This strain can make it much harder for you to actually concentrate on what you’re doing, and no amount of careful contingency planning can compensate for that. At Server Density we’re keenly aware that employee health and well being is critical to maintaining business infrastructure, especially in the event of a crisis. That’s why we support movements like HumanOps, which promote a wider awareness of the importance of employee health, from the importance of taking regular breaks to ergonomic keyboards. All too often people working in IT forget that the most business-critical hardware they look after isn’t servers or routers, it’s the health and well being of the people on the front lines looking after these systems. Cyber attacks are stressful on everyone working in an organisation, and the IT teams take the brunt of the strain. However, with careful planning, clear lines of delegation and an appreciation of the importance of looking after each other’s health, developers and operations specialists should be able to weather the storm effectively and recover business assets effectively. Source: https://jaxenter.com/can-prepare-cyber-attack-133447.html
Read More:
How can you prepare for a cyber attack?
The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims. The botnet, which flip-flops from sending penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousand upon thousand of emails in the last three or four days. “Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky,” Cisco Talos researchers noted on … More ?
Continued here:
Locky ransomware makes a comeback, courtesy of Necurs botnet
Flaws in the routers’ firmware could let hackers access configuration settings and execute remote commands. Linksys said it’s working on a patch. Linksys this week identified several vulnerabilities in its router firmware that allow hackers to bypass authentication and perform denial of service (DDoS) attacks. The company said it is working on a fix for the vulnerabilities, which were discovered by security researchers at IOActive in January and affect more than two dozen models of Linksys wireless routers in the WRT and EAxxx series. IOActive found 10 separate issues in the Linksys firmware, including high-risk vulnerabilities that could let hackers exploit routers using default credentials to log in, view router settings, and execute remote commands. “Two of the security issues we identified allow unauthenticated attackers to create a Denial-of-Service (DoS) condition on the router,” IOActive researcher Tao Sauvage wrote in a blog post. “By sending a few requests or abusing a specific API, the router becomes unresponsive and even reboots. The Admin is then unable to access the web admin interface and users are unable to connect until the attacker stops the DoS attack.” The vulnerabilities, which are similar to those found in many other Internet of Things (IoT) devices, are particularly worrisome because they could be used in future attacks of the sort that took large swaths of the internet offline for several hours last fall. Sauvage said that “11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks.” Linksys published a full list of the router models that are affected, and suggested that owners change the default password for their administrator account. The company said it is working to provide a firmware update for all of the affected models, but didn’t offer details on when it would be ready. Source: http://www.pcmag.com/news/353228/linksys-routers-vulnerable-to-ddos-attacks
View post:
Linksys Routers Vulnerable to DDoS Attack
“Brexit vote site may have been hacked” warned the headlines last week after a Commons select committee published its report into lessons learned from the EU referendum. The public administration and constitutional affairs committee (Pacac) said that the failure of the voter registration website, which suffered an outage as many people tried to sign to vote up at the last minute in 2016, “had indications of being a DDoS ‘attack’”. It said it “does not rule out the possibility that the crash may have been caused … using botnets”. In the same paragraph it mentioned Russia and China. It said it “is deeply concerned about these allegations about foreign interference”. With a general election just seven weeks away, how worried should we be about foreign interference this time round? Labour MP Paul Flynn, who sits on the Pacac, certainly thinks we should be worried – although closer inspection of the report finds that, beyond the headlines, there’s a startling lack of evidence for those particular fears. In reality, a DDoS – “distributed denial of service” – attack is the bombarding of a server with requests it can’t keep up with, causing it to fail. Not only is it not actually hacking at all, but it also looks rather similar to when a lot of people at once try to use a server that doesn’t have the capacity. Given the history of government IT projects, some might favour this more prosaic explanation of why the voter registration website went offline. And that’s just what the Cabinet Office did say: “It was due to a spike in users just before the registration deadline. There is no evidence to suggest malign intervention.” So perhaps we shouldn’t fear that kind of attack, but hacking elections takes many forms. The University of Oxford’s Internet Institute, found a huge number of Twitter bots posting pro-Leave propaganda in the run up to the EU referendum. At least, that was how it was widely reported. The actual reportreveals the researchers can’t directly identify bots – they just assume accounts that tweet a lot are automated – and admit “not all of these users or even the majority of them are bots”. But the accuracy, or inaccuracy, of the research aside, there’s a bigger issue. What the Oxford Internet Institute never says is that there’s no evidence bots tweeting actually affects how anyone votes. Bots generally follow people – we’re all used to those suggestive female avatars in our notifications feeds – but people don’t really follow bots back. So when they push out propaganda, is there anyone there to see it? Of course, en masse, those bots can affect the trending topics. But getting “#Leave” trending is not the same as controlling the messaging around it, and Twitter’s algorithm explicitly tries to mitigate against such gaming of the system. And again there’s the question: who looks at tweets via the trending topics tab anyway (except perhaps journalists looking for something to pad out a listicle)? Fake news, the last of the unholy trinity, is a harder problem. We know it exists, and we know it gets in front of many people via social media sites like Facebook. We don’t really know how much it affects people and how much people see it for what it is – but the history of untrue stories in the tabloid press on topics like migration does lend weight to the idea that fake news can influence opinion. What is and isn’t fake news is a contested field. At one end of the spectrum, mainstream publications report inaccurate stories about flights full of Romanians and Bulgarians heading for the UK. At the other, teenagers in Macedonia run pro-Trump websites where the content is pure invention. Most would agree the latter is fake news, even if not the former. But this is a different problem to DDoS attacks or bot armies. The Macedonian teens aren’t ideologically driven by wanting Trump in the White House, they’re motivated by the advertising revenue their well-shared stories can earn. Even when fake news is created for propaganda rather than profit, there’s rarely a shadowy overlord pulling the strings – and bad reporting is some distance away from hacking the election. While there’s a strong case that foreign actors have tried to influence elections in other countries – such as the DNC hack in the US – we probably don’t need to worry unduly about cyberattacks swinging the UK election. Besides: why would a foreign state bother? We’ve already got a divided country struggling with its own future without any need for outside interference. Source: https://www.theguardian.com/technology/2017/apr/20/uk-general-election-2017-hacking-ddos-attacks-bots-fake-news
Engineers working on firmware updates Multiple models of Linksys Smart Wi-Fi Routers have vulnerabilities that might be exploited to create a botnet, security researchers at IOActive warn.…
See original article:
Flaws found in Linksys routers that could be used to create a botnet
The Hajime malware is competing with the Mirai malware to enslave some IoT devices Mirai — a notorious malware that’s been enslaving IoT devices — has competition. A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers. “You can almost call it Mirai on steroids,” said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks. Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it’s been spreading unabated and creating a botnet. Webb estimates it’s infected about 100,000 devices across the globe. These botnets, or networks of enslaved computers, can be problematic. They’re often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure. That’s how the Mirai malware grabbed headlines last October. A DDoS attackfrom a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S. Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious. Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program. However, Hajime doesn’t take orders from a command-and-control serverlike Mirai-infected devices do. Instead, it communicates over a peer-to-peernetwork built off protocols used in BitTorrent, resulting in a botnet that’s more decentralized — and harder to stop. “Hajime is much, much more advanced than Mirai,” Webb said. “It has a more effective way to do command and control.” Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to rest of the botnet, making it more resilient against any blocking efforts. Hajime infection attempts (blue) vs Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev. Who’s behind Hajime? Security researchers aren’t sure. Strangely, they haven’t observed the Hajime botnet launching any DDoS attacks — which is good news. A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done. “There’s been no attribution. Nobody has claimed it,” said Pascal Geenens, a security researcher at security vendor Radware. However, Hajime does continue to search the internet for vulnerable devices. Geenens’ own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said. So the ultimate purpose of this botnet remains unknown. But one scenario is it’ll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud. “It’s a big threat forming,” Geenens said. “At some point, it can be used for something dangerous.” It’s also possible Hajime might be a research project. Or in a possible twist, maybe it’s a vigilante security expert out to disrupt Mirai. So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria’s National Laboratory of Computer Virology. However, there’s another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture. That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms. That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion. “There’s definitely an ongoing territorial conflict,” said Allison Nixon, director of security research at Flashpoint. To stop the malware, security researchers say it’s best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said. That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired. “It will keep going,” Nixon said. “Even if there’s a power outage, [the malware] will just be back and re-infect the devices. It’s never going to stop.” Source: http://www.itworld.com/article/3190181/security/iot-malware-clashes-in-a-botnet-territory-battle.html
Continue reading here:
IoT malware clashes in a botnet territory battle
Security researchers discovered a new reflection attack method using CLDAP that can be used to generate destructive but efficient DDoS campaigns. DDoS campaigns have been growing to enormous sizes and a new method of abusing CLDAP for reflection attacks could allow malicious actors to generate large amounts of DDoS traffic using fewer devices. Jose Arteaga and Wilber Majia, threat researchers for Akamai, identified attacks in the wild that used the Connection-less Lightweight Directory Access Protocol(CLDAP) to perform dangerous reflection attacks. “Since October 2016, Akamai has detected and mitigated a total of 50 CLDAP reflection attacks. Of those 50 attack events, 33 were single vector attacks using CLDAP reflection exclusively,” Arteaga and Majia wrote. “While the gaming industry is typically the most targeted industry for [DDoS] attacks, observed CLDAP attacks have mostly been targeting the software and technology industry along with six other industries.” The CLDAP reflection attack method was first discovered in October 2016 by Corero and at the time it was estimated to be capable of amplifying the initial response to 46 to 55 times the size, meaning far more efficient reflection attacks using fewer sources. The largest attack recorded by Akamai using CLDAP reflection as the sole vector saw one payload of 52 bytes amplified to as much as 70 times the attack data payload (3,662 bytes) and a peak bandwidth of 24Gbps and 2 million packets per second. This is much smaller than the peak bandwidths of more than 1Tbps seen with Mirai, but Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this amplification factor can allow “a user with low bandwidth [to] DDoS an organization with much higher bandwidth.” “CLDAP, like DNS DDoS, is an amplification DDoS. The attacker has relatively limited bandwidth. By sending a small message to the server and spoofing the source, the server responds to the victim with a much larger response,” Williams told SearchSecurity. “You can only effectively spoof the source of connectionless protocols, so CLDAP is obviously at risk.” Arteaga and Majia said enterprises could limit these kinds of reflection attacks fairly easily by blocking specific ports. “Similarly to many other reflection and amplification attack vectors, this is one that would not be possible if proper ingress filtering was in place,” Arteaga and Majia wrote in a blog post. “Potential hosts are discovered using internet scans, and filtering User Datagram Protocol destination port 389, to eliminate the discovery of another potential host fueling attacks.” Williams agreed that ingress filtering would help and noted that “CLDAP was officially retired from being on the IETF standards track in 2003” but enterprises using Active Directory need to be aware of the threat. “Active Directory supports CLDAP and that’s probably the biggest reason you’ll see a CLDAP server exposed to the internet,” Williams said. “Another reason might be email directory services, though I suspect that is much less common.” Source: http://searchsecurity.techtarget.com/news/450416890/CLDAP-reflection-attacks-may-be-the-next-big-DDoS-technique
Read more here:
CLDAP reflection attacks may be the next big DDoS technique
Administrators of sites using the popular blogging platform WordPress face a new challenge: hackers are launching coordinated brute-force attacks on the administration panels of WordPress sites via unsecured home routers, according to a report on Bleeping Computer. Once they’ve gained access, the attackers can guess the password for the page and commandeer the account. The home routers are corralled into a network which disseminates the brute-force attack to thousands of IP addresses negotiating around firewalls and blacklists, the report stated. The flaw was detected by WordFence, a firm that offers a security plugin for the WordPress platform. The campaign is exploiting security bugs in the TR-069 router management protocol to highjack devices. Attackers gain entry by sending malicious requests to a router’s 7547 port. The miscreants behind the campaign are playing it low-key to avoid detection, attempting only a few guesses at passwords for each router. While the exact size of the botnet is unknown, WordFence reported that nearly seven percent of all the brute-force attacks on WordPress sites last month arrived from home routers with port 7547 exposed to the internet. The flaw is exacerbated by the fact that most home users lack the technical know-how to limit access to their router’s 7547 port. In some cases, the devices do not allow the shuttering of the port. A more practical solution is offered by WordFence: ISPs should filter out traffic on their network coming from the public internet that is targeting port 7547. “The routers we have identified that are attacking WordPress sites are suffering from a vulnerability that has been around since 2014 when CheckPoint disclosed it,” Mark Maunder, CEO of WordFence CEO, told SC Media on Wednesday. The specific vulnerability, he pointed out, is the “misfortune cookie” vulnerability. “ISPs have known about this vulnerability for some time and they have not updated the routers that have been hacked, leaving their customers vulnerable. So, this is not a case of an attacker continuously evolving a technique to infect routers. This is a case of opportunistic infection of a large number of devices that have a severe vulnerability that has been known about for some time, but has never been patched.” There are two attacks, Maunder told SC. The first is the router that is infected through the misfortune cookie exploit. The other is the attacks his firm is seeing on WordPress sites that are originating from infected ISP routers on home networks. “The routers appear to be running a vulnerable version of Allegro RomPager version 4.07,” Maunders said. “In CheckPoint’s original 2014 disclosure of this vulnerability they specifically note that 4.07 is the worst affected version of RomPager. So there is nothing new or innovative about this exploit, it is simply going after ISP routers that have a large and easy to hit target painted on them.” The real story here, said Maunder, is that a number of large ISPs, several of them state owned, have gone a few years without patching their customer routers and their customers and the online community are now paying the price. “Customer home networks are now exposed to attackers and the online community is seeing their websites attacked. I expect we will see several large DDoS attacks originating from these routers this year.” Source: https://www.scmagazine.com/hackers-attacking-wordpress-sites-via-home-routers/article/649992/
Follow this link:
Hackers attacking WordPress sites via home routers
Akamai researchers Jose Arteaga and Wilber Majia have identified a new Connection-less Lightweight Directory Access Protocol (CLDAP) reflection and amplification method. CLDAP query packet Akamai’s Security Intelligence Response Team (SIRT) has observed this attack vector producing DDoS attacks consistently exceeding 1 Gbps, comparable to DNS reflection attacks. CLDAP Unlike other reflection-based vectors, where compromised hosts may number in the millions, the observed CLDAP amplification factor has been able to produce significant attack bandwidth with significantly … More ?
More:
CLDAP reflection attacks generate up to 24 Gbps of traffic