Tag Archives: defend against ddos

Security blogger Graham Cluley’s website suffers DDoS attack

A distributed denial-of-service (DDoS) attack is a cheap but effective way to take out a target's website: flood it with so much traffic that the web server is overwhelmed and the site stops responding. Some use DDoS attacks as a form of online protest, such as hacktivist groups like Anonymous. Others do it to "amuse" themselves, like the Lizard Squad, who took out PlayStation and Xbox servers on Christmas Day last year. And then there are the DDoS attacks that come from cybercriminals who don't care about politics or hijinks: they just want money. Recently a gang calling itself the Armada Collective has been attempting to extort money from victims by threatening DDoS attacks unless a ransom is paid in bitcoins. One Swiss company, the encrypted webmail provider ProtonMail, said it recently paid $6000 in bitcoins after receiving a ransom demand from the Armada Collective. The site was still DDoSed.

And now the latest site to fall victim to a DDoS attack is that of former Naked Security writer Graham Cluley. We don't know why Graham was targeted, but on Twitter he noted that he didn't receive a ransom demand, so it must have been "personal."

Unfortunately, it doesn't take much skill to launch this kind of attack. Anybody with a little money and the will to wreak havoc can use DDoS-for-hire web tools that harness armies of compromised computers to bombard a website with thousands or millions of illegitimate requests. DDoS attacks are simple but destructive: if a website goes down for any length of time, customers can't get through and the owner loses new sales, loses customers, or misses out on ad revenue, depending on what the site is for. 
In Graham’s article about how ProtonMail initially caved to the extortion demands, but then had a change of heart, Graham wrote something very sensible about how we should treat extortionists, blackmailers and ransom-takers: No-one should ever pay internet extortionists. For those who receive a ransom demand, it might seem like a few thousand dollars is a fair price to pay when your customers are complaining they can’t access your services, and your business is hurting. But if we pay the extortionists’ demands, that will only give them more reason to do it again. Source: http://www.mysec.hu/magazin/kuelfoeldi-hirek/20413-security-blogger-graham-cluley-s-website-suffers-ddos-attack

FastMail the latest victim of a sustained DDoS offensive

FastMail has been subjected to a number of distributed denial of service (DDoS) attacks, the premium email provider has revealed. The Australia-based company said that the first attack took place in the early hours of November 8th and took some of its services offline. In response it immediately "enabled mitigation strategies", which proved successful in bringing the DDoS attack to an end. However, the following day, at around the same time, the attacker launched another onslaught. This second round of attacks came with a ransom demand, which threatened FastMail with more disruption if it didn't hand over 20 Bitcoins (worth approximately £7,500). The company said that it does not respond to attempts at extortion and will not bow to pressure from the attacker.

"Over the last week, several email providers, including Runbox, Zoho, Hushmail and ProtonMail have been hit by large scale DDoS attacks, accompanied by an extortion demand from the attacker to stop," FastMail outlined. "The goal of the attacker is clearly to extort money in the hope that the services will not be prepared to deal with the disruption. "With one exception, where ProtonMail paid the criminals and was still attacked, we do not believe the extortion attempts have been successful, and we fully intend to stand up to such criminal behaviour ourselves."

The company says that it is actively working to keep its services running as well as possible and that it is applying knowledge gained from past DDoS attacks. The attack on ProtonMail is one of the most high-profile cases of 2015; the encrypted email provider has described it as the "largest and most extensive cyberattack in Switzerland". A DDoS attack is one in which many computers make repeated requests to a single computer or device, overwhelming its ability to deal with them so that it slows down or crashes. 
Source: http://www.welivesecurity.com/2015/11/12/fastmail-latest-victim-sustained-ddos-offensive/

ProtonMail comes back online, shores up DDoS defenses

ProtonMail, the Switzerland-based encrypted email service, has found its footing again after a wild ride over the past week. The free service said it was hit by two different groups using distributed denial-of-service attacks (DDoS) that took it offline. Now it has partnered with Radware, which offered its DDoS mitigation service for a "reasonable price," allowing service to resume, ProtonMail wrote in a blog post on Tuesday. "The attackers hoped to destroy our community, but this attack has only served to bring us all together, united by a common cause and vision for the future," the company wrote. The first group of attackers, which calls itself the Armada Collective, demanded a ransom in bitcoin from ProtonMail before launching attacks early on Nov. 4. The Swiss Governmental Computer Emergency Response Team warned in September about blackmail attempts by the Armada Collective: they tend to launch a demonstration attack while demanding 10 or 20 bitcoins, and larger attacks follow if the ransom isn't paid. Controversially, ProtonMail paid the ransom. The company wrote in a blog post that it was under pressure from other companies to pay in order to stop the attacks. However, ProtonMail later edited the blog post, writing that paying "was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will never pay another ransom." The second group's attack on ProtonMail had wide-ranging effects on its service providers and other companies, which were also knocked offline. The 100Gbps attack brought down ProtonMail's ISP, including the ISP's routers and data center. ProtonMail suspected that the second group might be state-sponsored because of the severity of the damage inflicted. Bizarrely, the Armada Collective told ProtonMail it wasn't responsible for the second set of attacks. By Sunday, ProtonMail had begun to recover. 
An ISP, IP-Max, set up a direct link from ProtonMail’s data center to a major Internet connection point in Zurich in less than a day, it wrote. Level 3 Communications lent a hand with IP transit. An appeal for donations to put in better protections against DDoS has netted $50,000 so far as well. ProtonMail’s service is free, but eventually it plans to introduce paid-for premium options. ProtonMail is now using Radware’s DefensePipe, a cloud-based service. Other companies, ProtonMail said, offered their services but “attempted to charge us exorbitant amounts.” ProtonMail offers a full, end-to-end encrypted email service and has more than 500,000 users. Although it has been possible to encrypt email for decades, interest has increased since documents leaked by former U.S. National Security Agency contractor Edward Snowden showed massive data-collection operations by western spy agencies. Source: http://www.pcworld.com/article/3004157/protonmail-comes-back-online-shores-up-ddos-defenses.html

A server was DDoS-ed for 320 hours straight

Kaspersky Lab has released a new report on the evolution of distributed denial of service (DDoS) attacks, and it shows some interesting figures, including the fact that one server was targeted for 320 hours straight. The Kaspersky DDoS Intelligence Report Q3 2015 is based on constant monitoring of botnets and observation of new techniques used by cybercriminals. It shows that DDoS attacks remain highly localised: 91.6 per cent of victims' resources are located in only ten countries, although Kaspersky Lab recorded DDoS attacks targeting servers in 79 countries in total. Attacks are also highly likely to originate from the same countries, the security firm says, with China, the USA and South Korea heading the lists of both attack sources and targets. According to the report, more than 90 per cent of all attacks observed in the third quarter lasted less than 24 hours, but the number of attacks lasting over 150 hours has grown significantly. One server, located in the Netherlands, was hit especially hard: it was attacked 22 times. Kaspersky also notes that even cyber-crooks seem to go on vacation, as August was the quietest month of the quarter. Linux-based botnets are significant, accounting for up to 45.6 per cent of all attacks recorded by Kaspersky Lab; the main reasons are the poor protection of Linux servers and their higher bandwidth capacity. Looking at who the most frequent victims are, banks stand out the most, being frequent targets for complex attacks and ransom demands. Source: http://www.itproportal.com/2015/11/04/a-server-was-ddos-ed-for-320-hours-straight/

IPv6 And The Growing DDoS Danger

IPv6 and the Internet of Things have arrived, and with them an enormous potential expansion for distributed denial-of-service (DDoS) attacks. The number of connected devices is growing exponentially, with one billion new IoT devices expected to ship this year alone. IPv4 addresses have been exhausted, and IPv6 is on deck to address that: the new system allows for 2^128 addresses (IPv4 only carried 2^32). So everything is fine, right? Sadly, no. While IPv6 will certainly help accommodate new connected phenomena such as the Internet of Things (IoT), adoption at the moment is slow. And because IPv6 still carries such a small share of traffic, security implementations that take it fully into consideration are also lagging. This leaves a lot of networks vulnerable to DDoS attacks, in which attackers remotely control infected hosts (bots) and make them send traffic to a target of their choice. The target is flooded, restricting or disabling service for legitimate traffic or crashing the victim network altogether. 
The most recent Verizon Data Breach Investigations Report noted: "Distributed denial-of-service attacks got worse again this year with our reporting partners logging double the number of incidents from last year…We saw a significant jump in…attacks [that] rely on improperly secured services, such as Network Time Protocol (NTP), Domain Name System (DNS), and Simple Service Discovery Protocol (SSDP), which make it possible for attackers to spoof source IP addresses, send out a bazillion tiny request packets, and have the services inundate an unwitting target with the equivalent number of much larger payload replies." While most DDoS attacks do not, at present, involve IPv6, both the number and size of these attacks are rising, and IPv6 brings with it particular vulnerabilities. According to a recent CNET article: "First, with the relatively immature network infrastructure, many network operators don't have the ability to scrutinize network traffic well enough to distinguish DDoS attacks from benign traffic. Second, gateways that link IPv4 and IPv6 must store lots of 'state' information about the network traffic they handle, and that essentially makes them more brittle." The Internet of Things is also adding to the threat, according to an InfoSec Institute report, "Internet of Things: How Much are We Exposed to Cyber Threats?" The report, published earlier this year, cited the possibility of cyber criminals stealing sensitive information by hacking IoT devices, or compromising them to run cyberattacks against third parties using routers, SOHO devices or smart TVs. "IoT devices manage a huge quantity of information, they are capillary distributed in every industry," the report noted, "and, unfortunately, their current level of security is still low." And therein lies the nightmare scenario. 
We now have IPv6, accompanied by immature visibility tools; gateways between IPv4 and IPv6 that are brittle and precarious; and the unprecedented proliferation of relatively insecure IoT devices, replete with brand-new IPv6 vulnerabilities, all creating ubiquitous potential fuel for botnets. The reality is precisely as desperate as it sounds. The best course of action to prepare for an onslaught of DDoS attacks exploiting IoT and IPv6 adoption is to ensure that your enterprise network security system can support the many connections from so many more connected devices. Also ensure that IPv6 support is on par with the IPv4 feature set: most attacks are carried out over IPv4 today, and by shifting to IPv6 an attacker could bypass defenses that only inspect IPv4 traffic. In practice that means the same ACLs, rate limits, flow export and scrubbing coverage for both address families, and monitoring the state tables of any IPv4/IPv6 translation gateways, since state exhaustion is how those gateways fall over. Meanwhile, IPv6-specific attack vectors have already been reported. Source: http://www.darkreading.com/attacks-breaches/ipv6-and-the-growing-ddos-danger/a/d-id/1322942
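The reflection attacks the Verizon quote describes (spoofed requests to NTP, DNS or SSDP, large replies landing on the victim) leave a recognisable pattern in flow records: many distinct hosts sending big UDP packets from a service port to one destination. The script below, an added example rather than code from the Dark Reading article, flags that pattern and applies the same rules to IPv4 and IPv6, then shows what an IPv4-only inspection misses. The record format, the sample flows (all in documentation address ranges) and the thresholds are assumptions.

```python
"""Amplification/reflection indicator over flow records, applied to IPv4 and
IPv6 with the same rules. Added example; the record format is assumed."""
from collections import defaultdict
import ipaddress

# UDP services commonly abused as reflectors, keyed by the reply's source port.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

# Constructed NetFlow-style records (one key=value line per flow), not a capture.
# 203.0.113.5 receives large NTP and SSDP replies from several hosts; the IPv6
# host 2001:db8:ffff::1 receives large DNS replies; 203.0.113.9 is normal use.
SAMPLE_FLOWS = """\
proto=udp src=198.51.100.10 sport=123 dst=203.0.113.5 dport=40000 pkts=2000 bytes=968000
proto=udp src=198.51.100.11 sport=123 dst=203.0.113.5 dport=40000 pkts=1800 bytes=871200
proto=udp src=198.51.100.12 sport=1900 dst=203.0.113.5 dport=40000 pkts=1500 bytes=480000
proto=udp src=2001:db8:1::10 sport=53 dst=2001:db8:ffff::1 dport=3074 pkts=5000 bytes=14500000
proto=udp src=2001:db8:1::11 sport=53 dst=2001:db8:ffff::1 dport=3074 pkts=4800 bytes=13920000
proto=udp src=2001:db8:1::12 sport=53 dst=2001:db8:ffff::1 dport=3074 pkts=4700 bytes=13630000
proto=udp src=192.0.2.77 sport=53 dst=203.0.113.9 dport=51515 pkts=3 bytes=300
proto=tcp src=192.0.2.88 sport=443 dst=203.0.113.9 dport=51516 pkts=40 bytes=52000
"""


def parse_flows(text):
    """Parse key=value flow lines; addresses become ipaddress objects so IPv4
    and IPv6 go through the same code paths."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        for key in ("sport", "dport", "pkts", "bytes"):
            rec[key] = int(rec[key])
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        records.append(rec)
    return records


def find_reflection_victims(records, families=(4, 6), min_bytes_per_pkt=300,
                            min_sources=2):
    """Return {victim: summary} for destinations receiving large UDP replies
    from reflector service ports, sent by at least `min_sources` distinct hosts.
    `families` selects which IP versions are inspected; passing (4,) reproduces
    the blind spot of a defense that only looks at IPv4. Thresholds are assumed."""
    per_dst = defaultdict(lambda: {"sources": set(), "services": set(),
                                   "bytes": 0, "pkts": 0})
    for rec in records:
        if rec["dst"].version not in families or rec["proto"] != "udp":
            continue
        service = REFLECTOR_PORTS.get(rec["sport"])
        if service is None or rec["pkts"] == 0:
            continue
        if rec["bytes"] / rec["pkts"] < min_bytes_per_pkt:
            continue  # small replies look like ordinary DNS/NTP use
        entry = per_dst[str(rec["dst"])]
        entry["sources"].add(str(rec["src"]))
        entry["services"].add(service)
        entry["bytes"] += rec["bytes"]
        entry["pkts"] += rec["pkts"]
    victims = {}
    for dst, entry in per_dst.items():
        if len(entry["sources"]) >= min_sources:
            victims[dst] = {"sources": len(entry["sources"]),
                            "services": entry["services"],
                            "bytes": entry["bytes"],
                            "avg_bytes_per_pkt": entry["bytes"] // entry["pkts"]}
    return victims


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, info in find_reflection_victims(flows).items():
        print(dst, info)
    # An IPv4-only inspection never sees the IPv6 victim.
    print("IPv4-only view:", list(find_reflection_victims(flows, families=(4,))))
```

The per-packet size test is what separates reflection traffic from a busy resolver: real clients receive small answers, whereas an amplified ANY or monlist reply is hundreds to thousands of bytes. Run with the default families both victims are reported; with `families=(4,)` the IPv6 target disappears, which is exactly the gap the article is warning about.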

Hackers infect MySQL servers with malware for DDoS attacks

Hackers are exploiting SQL injection flaws to infect MySQL database servers with a malware program that's used to launch distributed denial-of-service (DDoS) attacks. Security researchers from Symantec found MySQL servers in different countries infected with a malware program dubbed Chikdos that has variants for both Windows and Linux. This Trojan is not new and was first documented in 2013 by incident responders from the Polish Computer Emergency Response Team (CERT.PL). At that time the malware was being installed on servers after brute-force dictionary attacks had guessed SSH (Secure Shell) login credentials. However, the new attacks observed by Symantec abuse the user-defined function (UDF) capability of the MySQL database engine. UDFs allow developers to extend MySQL with compiled code, loaded as a shared library from the server's plugin directory. Symantec believes that attackers exploit SQL injection vulnerabilities to get the malicious UDF library into the database, then use the SELECT ... INTO DUMPFILE statement to write it out to disk as a library file; registering it with CREATE FUNCTION ... SONAME, which is how any UDF is loaded, makes the MySQL process load and execute it. That chain only works if the account the injected query runs as holds the FILE privilege and mysqld is allowed to write into its own plugin directory. The malicious UDF code downloads and installs the Chikdos Trojan, which allows attackers to abuse the server's bandwidth for DDoS attacks. The Symantec researchers found MySQL servers infected with Chikdos in many countries, including India, China, Brazil, the Netherlands, the U.S., South Korea, Mexico, Canada, Italy, Malaysia, Nigeria and Turkey. The largest concentrations were in India and China, at 25 and 15 percent respectively. During their analysis the researchers saw the servers being used to launch DDoS attacks against a U.S. hosting provider and a Chinese IP address. MySQL servers are likely targeted because their bandwidth is considerably larger than that of regular PCs, making them more suitable for large DDoS campaigns, the Symantec researchers said in a blog post. 
To prevent such attacks, website owners should avoid running database servers with administrative privileges and should follow best programming practices for mitigating SQL injection vulnerabilities, they said. In MySQL terms that means running mysqld as an unprivileged user, giving the application account only the table privileges it needs (never FILE or ALL PRIVILEGES on *.*), and setting secure_file_priv so that INTO DUMPFILE cannot write into the plugin directory. Source: http://social-media-news.com/link/907984_hackers-infect-mysql-servers-with-malware-for-ddos-attacks
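Whether a server is exposed to this UDF chain comes down to three settings that can be read straight from my.cnf and SHOW GRANTS output. The audit below is an added example, not Symantec's or MySQL's code: it checks which user mysqld runs as, whether secure_file_priv confines INTO DUMPFILE, and whether the application account holds FILE (or a privilege that implies it) globally. Both configurations and both grant listings are constructed for the example; the account name 'webapp' and the directory /var/lib/mysql-files are assumptions.

```python
"""Audit a MySQL server's my.cnf and SHOW GRANTS output for the conditions the
UDF chain above depends on. Added example; all inputs are constructed."""
import re

# Constructed weak setup: mysqld runs as root, file writes are unrestricted,
# and the web application's account can do anything, which includes FILE.
WEAK_MY_CNF = """\
[mysqld]
user = root
secure-file-priv = ""
"""
WEAK_GRANTS = """\
GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION
"""

# Constructed hardened setup: unprivileged service user, DUMPFILE confined to a
# directory that is not plugin_dir, application account limited to its tables.
HARDENED_MY_CNF = """\
[mysqld]
user = mysql
secure-file-priv = /var/lib/mysql-files
"""
HARDENED_GRANTS = """\
GRANT USAGE ON *.* TO 'webapp'@'10.0.0.%'
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'webapp'@'10.0.0.%'
"""

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<account>'[^']*'@'[^']*')(?P<rest>.*)$", re.IGNORECASE)

# Global privileges that allow writing files or escalating to that ability.
# FILE is global-only, so only grants on *.* matter for it.
RISKY_GLOBAL_PRIVS = {"FILE", "SUPER", "ALL PRIVILEGES"}


def parse_my_cnf(text):
    """Return the [mysqld] options as a dict; MySQL treats '-' and '_' alike."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        opts[key.strip().replace("-", "_").lower()] = value.strip().strip("\"'")
    return opts


def audit_mysql(my_cnf_text, grants_text):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    opts = parse_my_cnf(my_cnf_text)
    user = opts.get("user", "")
    if user in ("", "root"):
        findings.append(("mysqld_user",
                         "mysqld user is %s; a UDF loaded into mysqld runs with "
                         "its privileges" % (user or "not set")))
    if opts.get("secure_file_priv", "") == "":
        # Empty or unset (the historical default) lets INTO DUMPFILE write
        # anywhere mysqld can, plugin_dir included; NULL disables file output.
        findings.append(("secure_file_priv",
                         "secure_file_priv is empty or unset, so SELECT ... INTO "
                         "DUMPFILE can write into plugin_dir"))
    for line in grants_text.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        account = m.group("account")
        risky = privs & RISKY_GLOBAL_PRIVS if m.group("scope") == "*.*" else set()
        if risky:
            findings.append(("file_privilege",
                             "%s holds %s on *.*; FILE is what INTO DUMPFILE needs"
                             % (account, ", ".join(sorted(risky)))))
        if "GRANT OPTION" in m.group("rest").upper():
            findings.append(("grant_option",
                             "%s can pass its privileges on to other accounts" % account))
    return findings


if __name__ == "__main__":
    for label, cnf, grants in (("weak", WEAK_MY_CNF, WEAK_GRANTS),
                               ("hardened", HARDENED_MY_CNF, HARDENED_GRANTS)):
        print(label, audit_mysql(cnf, grants) or "no findings")
```

On a live server the inputs come from `mysqld --print-defaults` or the running variables (SHOW VARIABLES LIKE 'secure_file_priv') and from SHOW GRANTS FOR the application account; the point of the check is that fixing the injection bug in the web code is necessary but the database settings are what turn an injection into code execution.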

TalkTalk hack: 15-year-old boy arrested in Northern Ireland over DDoS attack

News stunned security experts who had assumed that Isis terrorists or a major country had been behind the breach. A boy of 15 has been arrested and questioned on suspicion of being the mastermind behind the TalkTalk data theft cyber attack. A team from Scotland Yard's Cyber Crime Unit joined Police Service of Northern Ireland officers as they raided the teenager's home in County Antrim. The boy was arrested on suspicion of Computer Misuse Act offences and taken to a nearby police station. News of the suspect's age stunned security experts who had assumed that a group of Isis terrorists or a country such as Russia had been behind the massive breach. IT insiders said it would be a "gamechanger" if proven that a teenager operating from his bedroom could bring a global company to its knees. The Met said the property was being searched and inquiries by CCU detectives, the PSNI's Cyber Crime Centre and the National Crime Agency are continuing. A spokesman said on Monday night: "An arrest has been made in connection with the investigation into alleged data theft from the TalkTalk website. At approximately 4.20pm, officers from the Police Service of Northern Ireland (PSNI), working with detectives from the Metropolitan Police Cyber Crime Unit, executed a search warrant at an address in County Antrim, Northern Ireland." The phone and broadband provider, which has four million customers, initially said last week that the "sustained" attack was a DDoS, a distributed denial of service attack in which a website is bombarded with waves of traffic. When experts pointed out that a DDoS attack would not explain the loss of data, TalkTalk later indicated it had been hit by an attack known as SQL injection, a technique in which attackers get a database to run their own instructions by entering them in a web form. 
IT security experts had already expressed surprise at how a company the size of TalkTalk was still vulnerable to the method, as it is a well-known type of attack and there are relatively simple ways of defending against it. The company has been heavily criticised for its handling of the cyber attack – the third it has suffered in the last eight months, with incidents in August and February resulting in customers’ data being stolen. Following last week’s breach TalkTalk admitted that customers’ bank account and sort code details may have been accessed as some customers said money has gone missing from their accounts. TalkTalk said there is currently no evidence that customers’ bank accounts have been affected but it does not know how much customer information was encrypted. The company said it would contact all current customers and that an unknown number of previous customers may also be at risk. TalkTalk’s chief executive Dido Harding said last week the firm had received a ransom demand from someone claiming to be behind the cyber attack. Jesse Norman, chair of the Culture, Media and Sport Select Committee, is leading an inquiry into the alleged data breach. Cyber Security Minister Ed Vaizey had earlier told MPs that companies could face bigger fines for failing to protect customer data from such attacks. He said the Information Commissioner’s Office can already levy “significant fines” but told the Commons he was “open to suggestions” about how the situation could be “improved”. TalkTalk is facing a maximum fine of £500,000 but the SNP’s John Nicolson said the prospect was “clearly not terrifying” for a company with an annual revenue of £1.8 billion a year. Shares in the telecoms company fell more than 12 per cent on Monday extending its losses from last week when news of the attack first emerged. A statement from Talk Talk said: “We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. 
We will continue to assist with the ongoing investigation. “In the meantime, we advise customers to visit [our website] for updates and information regarding this incident.” Source: http://www.independent.co.uk/news/uk/home-news/talktalk-hack-boy-15-arrested-in-northern-ireland-over-attack-a6709831.html

Thai govt website DDoSed as CAT customer data leaked

Faced with a wave of DDoS attacks, a horde of hackers claiming to be Anonymous and major data leaks from state-owned CAT Telecom, all in protest at Thailand's Single Gateway surveillance program, ICT Minister Uttama Savanayana took to Twitter to reassure people that everything was in order and that we had nothing to fear because we have regular data backups. Yes, apparently regular backups and standards in data storage are the answer to a hack and data leak. The tweet was up for most of the weekend before he deleted it to save himself further embarrassment.

To recap, a group claiming to be Anonymous issued a statement in the wee hours of Thursday morning announcing attacks on the Thai Government, and in particular CAT Telecom, for refusing to back down on the Single Gateway internet censorship and surveillance project which, despite promises from the Prime Minister that it was just a clerical error and never existed, is forging ahead at full steam. Since then, at various moments, hackers have managed to temporarily take down an obscure army internal accounting website, the ICT Ministry and CAT Telecom. The Anons also posted screenshots of what they claimed was CAT customer data with names blanked out, taunting the ICT Minister by asking what data standard allows for plaintext storage of passwords. CAT Telecom initially responded by saying the information posted was false and that the hackers had only tried to infiltrate CAT's dealer network, and unsuccessfully at that. The Anons responded with more CAT customer data and a screenshot of a login to CAT's CRM module. One would have thought that this would have caused the junta to think twice about centralizing everything, but no. The ICT Minister had the stage in the weekly two-minutes-of-hate propaganda show, sorry, I meant the Thailand Moves Forward propaganda show, in which he extolled the virtues of a single Geoment Service Chanel [sic], which called for even more centralization. 
Half the jokes were about using designer clothing to serve the people; the other half, well, let's just say that geo in Thai is an anatomical word that would not befit the pages of this publication. So apparently not only is he totally clueless as to what a modern-day hack is (by saying that he had backups) but he cannot use a spell checker. By Sunday, CAT's My 3G self-service portal was still down, though whether it was from the attack or because someone pulled the plug as a precaution was anyone's guess. However, that hardly made the social media circles. Why? Well, because despite oodles of taxpayer cash (roughly $1 billion each for CAT and TOT for their 3G networks, plus who knows how much more to run the network), CAT and TOT have between them fewer than 100,000 subscribers, none of whom bothered to check their balance or top up over the weekend, it seemed. Also noteworthy was how servers in CAT's data center saw both their latency and jitter jump, but again, that could be a routing issue rather than someone installing deep-packet-inspection gear.

But was the hack actually from a real Anon? Anonymous is more of a state of mind than a club with a formal job interview and membership cards. Anyone can claim to be an Anon. Their key tenets are anti-surveillance and anti-censorship, and surveillance and censorship are exactly what the Thai Single Gateway is aimed at imposing. One developer who did not want to be identified told TelecomAsia that the hacks on Thai government websites were simply too easy. He sent a screenshot of a page of .go.th sites with old, unpatched MySQL servers that were ripe for taking over. His point was that a script kiddie noob could have carried out the hacks on these government websites; it did not require the skills of a true Anon. DDoS? Well, considering that Thai government websites cannot even stand up to use on a busy day without crashing, again, that hardly requires serious firepower. 
The CAT data breach also happened about a month ago, if the rumors in the underground are to be believed. Talking about the underground, none of my shadier contacts know who carried out the attack. Considering the rather small size of the Thai hacking community, this is odd. To further throw doubt on everything, the F5 hackers dared me over Twitter to double-check a phone number in the CAT data breach to see if the data was real or made up. I did call up the number and he had no clue about being hacked and said he was not a CAT customer. Not looking good for the hackers then. To be fair, I did try to ask if he was working at the company he was listed as working for, but the chap hung up on me first, obviously annoyed at my questions. But perhaps the number had been reused (the phone line application with CAT was way back in August 2014), or perhaps he never got the phone line and had totally forgotten about it. Or maybe it was made-up data and the hacker thought I would not call to fact-check. At this juncture, my gut feeling is leaning towards this entire episode being a honey trap to lure out dissenters and convince the undecided of the need to give up further liberties so that the government can protect us from Anonymous. If so, that has worked wonders. Then there is the separate matter of the 231 pages of leaked documents that are a headache just to try and read through. Who leaked them and why? It is a curious mix of army and MICT secret documents, which raises the question of who would even have access to both sets of documents in the first place. Very few. But regardless of whether this initial hack was real or staged, the matter of Thailand's Single Gateway has now reached the eyes of Anons the world over. One wonders if they are planning a real attack soon. Source: http://www.telecomasia.net/blog/content/thai-govt-website-ddosed-cat-customer-data-leaked

TalkTalk DDoS Attack: Website hit by ‘significant’ breach

Police are investigating a "significant and sustained cyber-attack" on the TalkTalk website, the UK company says. The phone and broadband provider, which has over four million UK customers, said banking details and personal information could have been accessed. TalkTalk said potentially all customers could be affected but it was too early to know what data had been stolen. The Metropolitan Police said no-one had been arrested over Wednesday's attack but enquiries were ongoing. TalkTalk said in a statement that a criminal investigation had been launched on Thursday. It said there was a chance that some of the following customer data, not all of which was encrypted, had been accessed: names and addresses; dates of birth; email addresses; telephone numbers; TalkTalk account information; credit card and bank details. In the wake of the news, the company's share price dropped by 10% in the first few hours after the London stock exchange opened at 08:00 BST. Cyber security consultant and former Scotland Yard detective Adrian Culley told BBC Radio 4's Today programme that a Russian Islamist group had posted online to claim responsibility for the attacks. He said hackers claiming to be a cyber-jihadi group had posted data which appeared to be TalkTalk customers' private information, although he stressed their claim was yet to be verified or investigated. Dido Harding, chief executive of the TalkTalk group, told BBC News the authorities were investigating and she could not comment on the claims.

Cyber-attacks on consumer companies happen with mounting frequency, but TalkTalk's speedy decision to warn all of its customers that their vital data is at risk suggests that this one is very serious indeed. We are being told that this was what's called a DDoS, a distributed denial of service attack, where a website is hit by waves of traffic so intense that it cannot cope. What is not clear is why this would result in the loss of data rather than just the site going down. 
One suggestion is that the DDoS was a means of distracting TalkTalk's defence team while the criminals went about their work. I'm assured that TalkTalk customers' details, including banking information, were all being held in the UK rather than in some overseas data centre. What is less clear is the extent to which that data was encrypted. For TalkTalk, the cost to its reputation is likely to be very serious. Now it is going to have to reassure its customers that its security practices are robust enough to regain their trust.

The TalkTalk website was now secure again and TV, broadband, mobile and phone services had not been affected by the attack, Ms Harding added. The sales website and the "My account" services are still down but the company hopes to restore them on Friday. "It's too early to know exactly what data has been attacked and what has been stolen," she said. "Potentially it could affect all of our customers, which is why we are contacting them all by email and we will also write to them as well." However, customers have expressed their frustration with what is the third cyber-attack to affect TalkTalk over the past 12 months. Sara Jones, from East Sussex, said she found out about the breach in the news. "I have not received a single piece of correspondence. The level of information is lacking. And to think this is Get Safe Online Week! TalkTalk's online advice is not proportionate to what has happened. Telling customers to 'keep an eye on accounts' just does not cut it in terms of advice." Daniel Musgrove, from Powys, said he had been unable to get through to TalkTalk customer services. "They may not get a payment for my next bill if they don't get this sorted," he added. In August, the company revealed its mobile sales site had been targeted and personal data breached. And in February, TalkTalk customers were warned about scammers who had managed to steal thousands of account numbers and names. 
Ms Harding said: "Unfortunately cybercrime is the crime of our generation. Can our defences be stronger? Absolutely. Can every company's defences be stronger? I'm a customer myself of TalkTalk, I've been a victim of this attack."

What should you do if you think you're at risk? Report any unusual activity on your accounts to your bank and to Action Fraud, the UK's national fraud and internet crime reporting centre, on 0300 123 2040 or www.actionfraud.police.uk. TalkTalk is advising customers to change their account password as soon as its website is back up and running, expected later on Friday, and to change the password on any other account where the same one is used. Beware of scams: TalkTalk will not call or email customers asking for bank details, ask you to download software to your computer, or send emails asking you to provide your password. TalkTalk said it had contacted the major banks asking them to look out for any suspicious activity on customers' accounts. It added that every customer would be getting a year's free credit monitoring. Ms Harding said: "The biggest risk is that customers' details have been stolen and criminals try to impersonate them." Professor Peter Sommer, an expert in cyber security, said TalkTalk's rapid growth could be to blame for the breaches. "They are acquiring more customers and each of those customers wants to do more things and so they have to increase their capacity… but that's an expensive exercise," he told the BBC. Source: http://www.bbc.com/news/uk-34611857

Attackers hijack CCTV cameras to launch DDoS attacks

Default and weak credentials on embedded devices can lead to powerful botnets. We've reached the point that security researchers have long warned was coming: insecure embedded devices connected to the Internet are routinely being hacked and used in attacks. The latest example is a distributed denial-of-service (DDoS) attack detected recently by security firm Imperva. It was a traditional HTTP flood aimed at overloading a resource on a cloud service, but the malicious requests came from surveillance cameras protecting businesses around the world instead of a typical computer botnet. The attack peaked at 20,000 requests per second and originated from around 900 closed-circuit television (CCTV) cameras running embedded versions of Linux and the BusyBox toolkit, researchers from Imperva's Incapsula team said in a blog post Wednesday. When analyzing one of the hijacked cameras, which happened to be located in a store close to the team's office, the researchers found that it was infected with a variant of a known malware program designed for ARM versions of Linux, known as Bashlite, Lightaidra or GayFgt. While infecting computers with malware these days requires software exploits and social engineering, compromising the CCTV cameras used in this attack was very easy: they were all accessible over the Internet via Telnet or SSH with default or weak credentials. The lesson cuts both ways: device owners should change default passwords and keep Telnet and SSH off the public Internet, and a site on the receiving end of such a flood can pick the cameras out by the per-source request rate, since 900 devices producing 20,000 requests per second means each one is making far more requests than any human visitor. Insecure out-of-the-box configurations are a common issue in the embedded device world and have been for a long time. In 2013, an anonymous researcher hijacked 420,000 Internet-accessible embedded devices that had default or no login passwords and used them in an experiment to map the whole Internet. However, the problem is getting worse. 
The push by device manufacturers to connect things such as refrigerators or "smart" light bulbs to the Internet is largely done without consideration for the security implications or an overhaul of outdated practices. As a result, the number of easily hackable embedded devices is growing fast. Shortly after the CCTV camera-based attack was mitigated, a separate DDoS attack was detected that originated from a botnet of network-attached storage (NAS) devices, the Imperva researchers said. "And yes, you guessed it, those were also compromised by brute-force dictionary attacks." Source: http://www.computerworld.com/article/2996079/internet-of-things/attackers-hijack-cctv-cameras-to-launch-ddos-attacks.html
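An HTTP flood of the kind described here is visible in the web server's own access log long before the edge falls over: a small set of sources each making tens of requests per second at one resource. The script below is an added example, not Imperva's code or anything from the article; it parses combined-format log lines, finds each source's peak one-second request count, flags the sources above a threshold, and reports how much of the load they account for and what user agents they present. The log lines, the bot addresses (documentation ranges), the 20 requests-per-second threshold and the user-agent strings are all constructed for the example.

```python
"""Find HTTP-flood sources in a web access log from the peak per-source
request rate. Added example; the log lines are constructed, not a capture."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')


def make_sample_log():
    """Constructed log: three bot addresses each fire 50 requests at the same
    resource inside one second; two ordinary users browse at human pace."""
    lines = []

    def add(ip, ts, path, ua):
        lines.append('%s - - [%s] "GET %s HTTP/1.1" 200 512 "-" "%s"' % (ip, ts, path, ua))

    for ip in ("198.51.100.23", "198.51.100.24", "198.51.100.25"):  # constructed bots
        for _ in range(50):
            add(ip, "20/Oct/2015:10:00:01 +0000", "/api/items", "Wget/1.12 (linux-gnueabi)")
    for sec, ip in ((0, "203.0.113.7"), (1, "203.0.113.7"), (1, "203.0.113.8"), (2, "203.0.113.8")):
        add(ip, "20/Oct/2015:10:00:0%d +0000" % sec, "/", "Mozilla/5.0")
    return lines


def parse_access_log(lines):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def peak_rps_per_source(entries):
    """Highest number of requests each source made within any one second
    (the log timestamp already has one-second resolution)."""
    per_second = Counter((e["ip"], e["ts"]) for e in entries)
    peak = defaultdict(int)
    for (ip, _), count in per_second.items():
        peak[ip] = max(peak[ip], count)
    return dict(peak)


def find_flood_sources(entries, threshold_rps=20):
    """Sources whose peak rate reaches `threshold_rps`, an assumed cut-off that
    should be tuned to the site's normal per-client rate."""
    return {ip: rps for ip, rps in peak_rps_per_source(entries).items()
            if rps >= threshold_rps}


def flood_share(entries, flood_sources):
    """(requests from flagged sources, total requests): the load that goes away
    if those sources are dropped at the edge."""
    flagged = sum(1 for e in entries if e["ip"] in flood_sources)
    return flagged, len(entries)


def agents_for(entries, ips):
    """User agents presented by the given sources; embedded devices tend to
    show command-line or library agents rather than browsers."""
    return {e["ua"] for e in entries if e["ip"] in ips}


if __name__ == "__main__":
    entries = parse_access_log(make_sample_log())
    flood = find_flood_sources(entries)
    print("flood sources:", flood)
    print("flagged/total requests:", flood_share(entries, flood))
    print("agents:", agents_for(entries, flood))
```

The per-second bucket is deliberately coarse: it matches the resolution of a standard access log and is enough to separate a device hammering one URL from a person clicking through a site. The resulting address list is what feeds an edge block rule or a rate limiter; the user-agent summary is the first clue, as in the Imperva case, that the sources are appliances rather than PCs.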
