Code sharing site GitHub has been fending off large distributed denial of service (DDoS) attacks for two days now, with the site repeatedly taken offline. The attacks started at around 8pm yesterday, when a “large scale DDoS attack” hit. It didn’t last long as GitHub was back online less than an hour later. GitHub downed by DDoSers again But today problems emerged again. From 10.30am, another DDoS has taken GitHub down. “We’re doing everything we can to restore normal service as soon as possible,” a GitHub spokesperson told TechWeekEurope . GitHub has been keeping users updated on its status page. “We’re simultaneously working on deflecting the attack and restoring affected services,” read a post at 11.17am. “We’re working to re-establish connectivity after the attack disrupted our primary internet transit links,” another post from 11.48am read. The site was functioning at 12pm today, but there was no update on the status page. The site has been battered by DDoS attacks throughout this year. In August, a “very large” strike was reported and it was hit twice in two days in March. Source: http://www.techweekeurope.co.uk/news/github-ddos-attacks-128704
Tag Archives: latest
WordPress Site Hacks Continue
WordPress installations sporting known vulnerabilities continue to be compromised by hackers and turned into distributed denial of service (DDoS) launch pads. That warning was sounded last week after IT professional Steven Veldkamp shared an intrusion prevention system (IPS) log with Hacker News , which found that a single 26-second DDoS attack against a site run by Veldkamp was launched from 569 different WordPress blogs. Those blogs appear to have been compromised by attackers, since they comprised everything from a “mercury science and policy” blog at the Massachusetts Institute of Technology (which as of press time remained offline) and a National Endowment for the Arts blog to WordPress sites run by Pennsylvania State University and Stevens Institute of Technology. “The key aspect to note here is the number of compromised WordPress servers,” said Stephen Gates, chief security evangelist at DDoS defense firm Corero Network Security, via email. “It’s a simple mathematical equation — attackers are looking to infect servers sitting in hosting environments with each server easily capable of generating 1 Gbps of attack traffic. It is quite easy to generate extremely high volumes and varieties of attack traffic by compromising just a few WordPress servers.” Once WordPress servers get compromised, attackers can use them for a variety of purposes, such as attacking U.S. financial institutions. “From volumetric attacks that melt down firewalls to the ‘low and slow attacks’ that sneak through firewalls undetected — the list is really endless,” Gates said. WordPress blogs, of course, are easy to provision and host. But that ease of installation — and use — means that such software is often run outside the purview of IT provisioning and oversight. Furthermore, many WordPress administrators fail to keep their software updated or follow security best practices, such as choosing unique usernames and strong passwords for WordPress admin accounts. As a result, numerous WordPress sites sporting known vulnerabilities — or “admin” as the admin account name — remain sitting ducks for automated attacks. Indeed, malware is often used to automatically find and exploit vulnerable WordPress installations. In August, Matthew Bing, an Arbor Security Engineering & Response Team (ASERT) research analyst, noted that the Fort Disco malware — first discovered in April 2013 — was being used to target known vulnerabilities in content management systems, backed by six command-and-control servers that were running a botnet comprised of more than 25,000 Windows PCs. “To date, over 6,000 Joomla, WordPress and Datalife Engine installations have been the victims of password guessing,” he said in a blog post. How widespread is the problem of exploitable WordPress software? According to a study conducted by EnableSecurity CEO Sandro Gauci, the list of the one million most trafficked websites — per the Alexa index — includes 40,000 WordPress sites. But 70% of those sites are running a version of WordPress with known vulnerabilities. Those statistics were relayed last week by WordPress security expert Robert Abela, who studied data that EnableSecurity’s Gauci compiled over a four-day period in the middle of September, immediately following the September 11 release of WordPress 3.6.1, which remains the latest version. In a blog post, Abela reported that of the 42,106 WordPress sites from the Alexa index identified, 19% had already been updated to the new version, while 31% of sites were still running the previous version (3.6). But the remaining 51% of cataloged WordPress sites ran one of 72 other versions, with 2% of all cataloged sites still running version 2.x, which dates from 2007 and earlier. Needless to say, many historical WordPress updates have included patches for exploitable vulnerabilities. For example, the latest version of WordPress — 3.6.1 — patched a known vulnerability in version 3.6 that would have allowed an attacker to remotely execute code. Previous versions of WordPress have also sported a number of known bugs, including version 3.5.1 (8 vulnerabilities), 3.4.2 (12 vulnerabilities) and 3.3.1 (24 vulnerabilities). All of this adds up to numerous WordPress sites that can be relatively easily hacked, based on a review of the top 10 most-seen versions of WordPress seen among the more than 40,000 counted by Gauci. “At least 30,823 WordPress websites out of 42,106 are vulnerable to exploitable vulnerabilities,” said Abela. “This means that 73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools. Considering the number of vulnerable WordPress installations out there, and the popularity of such websites, we are still surprised … most of them haven’t been hacked yet.” Source: http://www.informationweek.com/security/attacks/wordpress-site-hacks-continue/240162060
Read More:
WordPress Site Hacks Continue
The latest on major DDoS and phishing attacks, and more
An analyst has confirmed that several, unnamed financial institutions have suffered losses in the “millions” owing to distributed denial-of-service (DDoS) attacks. According to Avivah Litan , VP and distinguished analyst at research firm Gartner , three U.S. banks were hit by short-lived DDoS attacks in recent months after fraudsters targeted a wire payment switch, a central wire system at banks, to transfer funds. » A phishing attack enabled hackers to modify the DNS records for several domains of media sites, including those run by The New York Times , Twitter and the Huffington Post U.K. Investigations revealed that the companies were not even the ones targeted by the attackers, who claimed to be the Syrian Electronic Army , a band of pro-Assad hacktivists responsible for a number of IT takedowns in recent months. In order to commandeer the major media sites, intruders compromised a reseller account that had access to the IT systems of Melbourne IT , an Australian registrar, and targeted an employee using an emailed spear phishing ruse. » The PCI Security Standards Council gave merchants a first look at changes to its credit card data and payment application security guidelines that could be introduced later this year. In mid-August, the council released the “3.0 Change Highlights” document, a preview to the updated PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS), which are set to be published Nov. 7. Expected changes in version 3.0 include a new requirement that merchants draw up a current diagram showing how cardholder data flows through organizations’ systems, and added guidance on protecting point-of-sale (POS) terminals from attacks, as well as educational explanations of why the 12 core security requirements have been included in the standard. » Saboteurs have introduced a rare breed of banking trojan capable of infecting Linux users. The malware, called Hand of Thief, is being sold on Russian underground forums and will soon offer a “full-blown” suite of malicious features, making it comparable to other major, commercially available financial malware, RSA researchers discovered. Hand of Thief’s price tag could reach $3,000 once criminals add a suite of web injections to its existing form grabber and backdoor infection vectors. » Around 14,000 former and present employees at the U.S. Department of Energy (DOE) had their personally identifiable information (PII) accessed by an unauthorized party who gained access to the agency’s network. The breach, which may have happened in late July, did not impact classified data, the DOE revealed. But, the incident could mean that sensitive data linkable to an individual was exposed. » In late August, the National Institute of Standards and Technology (NIST) released a preliminary draft framework in support of President Obama ‘s executive order, “Improving Critical Infrastructure Cybersecurity.” Earlier in August, NIST also released revisions to two of its security-related manuals, the first amendments since NIST released them in 2005, reflecting evolving malware threats and the trend of organizations using automated patch management. » Errata : Our apologies to Steve Lee , who we quoted in an insider threats story in August, for erroneously placing the office of his company, Steve Lee and Associates, in Texas, rather than Los Angeles. Source: http://www.scmagazine.com/news-briefs-the-latest-on-major-ddos-and-phishing-attacks-and-more/article/311635/
See more here:
The latest on major DDoS and phishing attacks, and more
Schoolboy arrested over Spamhaus DDoS, world’s biggest cyber attack
In March 2013, a distributed denial of service (DDoS) attack of unprecedented ferocity was launched against the servers of Spamhaus, an international non-profit dedicated to battling spam. A DDoS is an attack wherein the servers of a targeted online service are slowed to a crawl with loads of pointless email or file uploads that clog up their processing ability. The March Spamhaus attack peaked at 300 gigabits per second, Spamhaus CEO Steve Linford told the BBC at the time – the largest ever recorded, with enough force to cause worldwide disruption of the internet. In April, one suspect was arrested in Spain. Now, it’s come to light, another suspect was also secretly arrested in April – this one being a London schoolboy. The 16-year-old was arrested as part of an international dragnet against a suspected organised crime gang, reports the London Evening Standard. Detectives from the National Cyber Crime Unit detained the unnamed teenager at his home in southwest London. The newspaper quotes a briefing document on the British investigation, codenamed Operation Rashlike, about the arrest: The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies. Officers seized his computers and mobile devices. The boy’s arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out the massive cyber attack, which slowed down the internet worldwide. The briefing document says that the DDoS affected services that included the London Internet Exchange. The boy has been released on bail until later this year, the London Evening Standard reports. The arrest follows close on the heels of two other London-based arrests resulting from international cyber-policing: Last week’s arrest of eight men in connection with a £1.3 million ($2.08 million) bank heist carried out with a remote-control device they had the brass to plug into a Barclays branch computer, and The arrest of 12 men in connection with a scheme to boobytrap computers at Santander, one of the UK’s largest banks, by rigging the same type of remote-control device found in Barclays – devices that enable remote bank robbery. Truly, the UK isn’t fooling around when it comes to cybercrime – a fact it’s making clear with the robust work of the National Cyber Crime Unit, which itself will soon be rolled into the even more cybercrime-comprehensive arms of the National Crime Agency. The National Crime Agency, due to launch 7 October, is going to comprise a number of distinct divisions: Organised Crime, Border Policing, Economic Crime, and the Child Exploitation and Online Protection Centre, on top of also housing the National Cyber Crime Unit. If the recent arrests are any indication, it would seem that the UK’s on the right track with cyber crime. May cyber crooks, both the seasoned and the schoolboys, take heed. Source: http://nakedsecurity.sophos.com/2013/09/27/schoolboy-arrested-over-spamhaus-ddos-worlds-biggest-cyber-attack/
See the article here:
Schoolboy arrested over Spamhaus DDoS, world’s biggest cyber attack
Distributed Denial-of-Service Attacks and Midsize Firms
A distributed denial-of-service (DDoS) attack occurs every two minutes, and the number of victims that suffered from more than one attack has risen substantially, according to a new report released by security firm NSFOCUS in SecurityWeek. These attacks are not just high profile any longer, and that is a wake-up call to midsize firms, which are a key target for hackers for many reasons. DDoS Too Often NSFOCUS’s research found that 1.29 DDoS attacks strike somewhere online every two minutes. More than 90 percent of the attacks last less than half an hour. NSFOCUS ascertained that attacks generally remained short and did not go past the rate of 50 Mbps. The number of victims suffering more than one DDoS attack went up 30 percent in just a year, rising to 70 percent. Victims who suffered from only one attack went down from 51 percent last year to 31 percent this year. Interestingly, the study found that hacktivism was the key driver behind more than 91 percent of attacks. Also, online gaming communities and financial services are often targets. What Fuels It The survey also found that a lack of sufficient security, including poor passwords, has fueled the success of DDoS attacks. IT professionals at midsize firms have DDoS attacks on their radar screens since reports in the past few years have shown that the attacks are not just for high-profile purposes. Easily executed attacks that can do the most damage are ideal for today’s cybercriminals; that means midsize firms are at risk. Midsize firms are constantly concerned about having sufficient resources, personnel, money and time to remain competitive, so security must be a top priority for IT professionals, and those who work with third-party data centers should inquire what kind of DDoS protection is provided. Those that manage their own data centers must take the right precautions against botnets and application-layer DDoS attacks on the premises of the network. Also, by working with trusted and experienced security vendors, midsize firms can bring their own security to the next level. When all is said and done, firewalls no longer provide enough protection. A Worthy Investment Distributed denial-of-service attacks are growing, and midsize companies are falling victim. Cybercriminals know that they can successfully hit a lot of growing firms at once and make easy money. They know that some midsize firms do not take security seriously because it might be too costly or time-consuming to consider. In the end, the unprepared midsize firm loses resources, time and money to the costly consequences of a DDoS attack. IT professionals must prioritize security to maintain their company’s competitive edge. Source: http://midsizeinsider.com/en-us/article/distributed-denial-of-service-attacks-an
Originally posted here:
Distributed Denial-of-Service Attacks and Midsize Firms
London schoolboy secretly arrested over ‘world’s biggest cyber attack’
A London schoolboy has been secretly arrested over the “world’s biggest cyber attack” as part of an international swoop against a suspected organised crime gang. The 16-year-old was detained by detectives at his home in south-west London after “significant sums of money” were found to be “flowing through his bank account”. He was also logged on to what officials say were “various virtual systems and forums” and had his computers and mobiles seized as officers worked through the night to secure potential evidence. The boy’s arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out a cyber attack so large that it slowed down the internet. The “distributed denial of service” or “DDoS” attack was directed at the Dutch anti-spam group Spamhaus which patrols the web to stop prolific spammers filling inboxes with adverts for counterfeit Viagra, bogus weight-loss pills and other illegal products. Details of the arrest, which happened in April, had been kept secret, but have been disclosed to the Evening Standard ahead of the formation of the Government’s new National Crime Agency. It will take over the National Cyber Crime Unit as part of a drive against offending carried out over the internet, now seen as one of the most serious crime-fighting challenges. More than half of the 4,000 officers who will form the new agency next month will be trained in combating cyber crime. The arrest of the London schoolboy, whose identity has not been disclosed, came during a series of coordinated raids with international police forces. Others detained included a 35-year-old Dutchman living in Spain. A briefing document seen by this newspaper on the British investigation, codenamed Operation Rashlike, states that the attack was the “largest DDoS attack ever seen” and that it had a “worldwide impact” on internet exchanges. The document says services affected included the London Internet Exchange and that although the impact was eventually “mitigated” it managed to cause “worldwide disruption of the functionality” of the internet. Giving details of the schoolboy’s alleged involvement, the briefing note states: “The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies.” The boy has been released on bail until later this year. The disclosure of his arrest follows two cyber attacks on banks. Four men have appeared in court over the first, involving an alleged plot to take over Santander computers by fitting a device during maintenance work. Another eight were arrested over a £1.3?million theft by a gang who took control of a Barclays computer. Meanwhile, security minister James Brokenshire said the creation National Crime Agency would bolster efforts to combat organised criminals operating on the internet and ensure that “cyber gangsters” were left with no hiding place. “The new National Crime Agency’s Cyber Crime Unit will pursue the organised crime gangs behind the online crimes that blight people’s lives and cost the economy millions,” he added. Source: http://www.standard.co.uk/news/crime/london-schoolboy-secretly-arrested-over-worlds-biggest-cyber-attack-8840766.html
Continue reading here:
London schoolboy secretly arrested over ‘world’s biggest cyber attack’
Lessons Learned From the Banking Industry DDoS Attacks: Good Advice Worth Heeding
Now that the banking industry has gone through four rounds of very public DDoS attacks, experts are looking at what happened to extract some “lessons learned” to turn this negative into a positive. Even if your business isn’t a financial institution, there’s good advice here that’s certainly worth heeding. Lesson One: No matter what industry or business you’re in, you need to have a plan in place to defend your business. DDoS attacks are not just hitting the banking industry. If your business has competitors that would benefit from your website being down, then you are vulnerable. Since it’s possible to buy DDoS as a service, anyone can launch an attack against you for as little as $10. Lesson Two: Don’t wait for an attack to put a solution in place to defend your company. Once an attack starts – and it could happen at any time – your organization’s website could be completely out of commission for an extended period. Why risk downtime when it’s easy enough to put a solution in place today? The solution could be on premise, in the cloud, or a hybrid combination. Lesson Three: Get a dedicated DDoS solution. Don’t count on traditional security devices like firewalls and IDS/IPS to protect your business because they just aren’t designed to handle modern DDoS attacks. When you choose a solution, consider that the volume level of attacks has been getting bigger, and the attacks have grown more sophisticated. Get a solution that meets today’s needs. Lesson Four: Create a detailed incident response plan. Know what to do if/when an attack occurs and assign tasks to specific people to avoid delays in responding. Lesson Five: If your organization is hit by an attack, closely monitor for indicators of compromise (IOCs). Many experts believe that DDoS attacks are smoke screens for fraud and other types of attacks that are designed to steal money or intellectual property. Lesson Six: Be willing to share information. DDoS attacks have been widespread and businesses, solution vendors and law enforcement agencies are better together than individually. If we look at what happened with the banking industry attacks, it got easier to defend against them once all types of organizations collaborated with each other to share intelligence, profiles of the attacks and mitigation strategies. Lesson Seven: This is more of a prediction than a lesson learned. Experts predict that critical infrastructure such as utilities, transportation systems, pipelines, the electrical grid, etc., will be targeted for DDoS attacks at some point. Attackers have the ability to target industrial controls as well as business websites. Administrators who control critical infrastructure need to re-read lessons one through six and take them to heart. Source: http://www.securitybistro.com/?p=8023
See original article:
Lessons Learned From the Banking Industry DDoS Attacks: Good Advice Worth Heeding
What’s Next for DDoS Attacks?
Sept. 18 marks the one-year anniversary of Izz ad-Din al-Qassam Cyber Fighters’ first announcement about distributed-denial-of-service attacks to be waged against the U.S. financial services industry This self-proclaimed hacktivist group, which U.S. government officials have suggested is being backed by the Iranian government, has for the last 12 months targeted the online banking platforms of nearly every top 100 U.S. banking institution. The group has claimed it’s attacking U.S. banks because of outrage over a YouTube movie trailer deemed offensive to Muslims. The group’s attacks against banks for the last several months have been unsuccessful at taking sites down. And its Phase 4 campaign is in a lull. Still, experts caution banking institutions against letting their guards down. And they warn that the government, media, healthcare and energy sectors could be among the next targets. That’s because banking institutions have enhanced their defenses, so other sectors are easier targets. Some experts, including McAfee Labs and Arbor Networks, expect that al-Qassam could join forces with the Syrian Electronic Army, a collective of attackers that supports Syrian President Bashar al-Assad, to attack a variety of U.S. websites. Experts urge organizations to update their DDoS defenses. Botnet Remains Strong Scott Hammack CEO of DDoS-mitigation provider Prolexic, says that despite the recent lull in al-Qassam’s attacks, there’s no indication that the group’s botnet, known as Brobot, is waning. “We have validated thousands of infected web servers that can potentially participate in future campaigns. We still don’t see the scale of the attacks we saw five months ago, but we are definitely seeing a lot of probing,” he says, which suggests more attacks are on the way. DDoS attacks over the last five months have not been as large, but that should not be misinterpreted to mean Brobot has been retired, Hammack says. “Maybe Iran, with their new leaders, are saying ‘Cool off a little bit.’ But the gun is still loaded. They still have the arsenal at their disposal; they just haven’t fired it in a while.” If al-Qassam were to unite with other cybergroups, such as the Syrian Electronic Army, it could mark a new era of cyberwarfare against the U.S., experts say. “We have to realize this is cyberterrorism,” says Ashley Stephenson, CEO of Corero Network Security. “The disruption, the publicity, the nuisance, the investment these banks have to make … the success of terrorism is not just the act itself, but the amount it costs the victims [for defenses],” he says. Banking institutions and those in other sectors have to continually enhance and update their DDoS defenses, he says, “so that no one needs to panic on the day of an attack” Training Ground al-Qassam’s attacks have served as a training ground for other attackers, says Dan Holden of DDoS-mitigation firm Arbor Networks. “In terms of DDoS in general, we will see more DNS amplification attacks. It’s not that difficult,” he says. A DNS amplification attack relies on a much larger list of DNS servers to amplify the attack. “The attackers are going to have to get better and bigger to take anyone down,” Holden says. That’s because DDoS defenses have improved across the board, although some industries, such as banking, are further along in their mitigation strategies than others, Holden explains. The real question about al-Qassam’s future is not how its attacks might be waged, but rather who will be the target, he says. Holden says he doesn’t see the attacks themselves changing; but the targets will change. “I would be surprised if they continue attacking the banks,” he says. “At this point, what is the point? Something’s got to change.” Cyber-attackers Unite? Because the Syrian Electronic Army and al-Qassam both have waged DDoS attacks to gain attention for their social and political causes, some experts expect them to join forces. While al-Qassam has focused on banks, the SEA’s primary targets have been media and government sites, according to McAfee Labs . Now, DDoS experts, including McAfee Labs, argue both groups have similar interests in taking down U.S. sites, and by joining forces, they could use Brobot for a renewed purpose. One industry expert, who asked not to be named, says the distinction between the SEA and al-Qassam has increasingly blurred. “Isn’t the Syrian Army likely the same guys as al-Qassam? And if you look at the geopolitical stuff, the two align,” this expert says. “They’re holding off attacks because they’re waiting to see what happens with Syria, frankly. And the banks are defending well, so they will move on to a new target. Besides, using the movie as an excuse for attacks is not effective or really being believed anymore.” “The Syrian Electronic Army has said quite clearly that if the U.S. does anything [as far as military strikes] they are coming after us,” Arbor Networks’ Holden says. “And if there is any sympathy for that, it’s a great excuse for QCF [al-Qassam Cyber Fighters] to repurpose and retool their botnet for something else. They could jump onboard there. This is the perfect excuse to change the story about attacking because of the video. This is the perfect cover.” If forces do unite, Holden says other critical infrastructure sectors, beyond banking, will likely be targeted, possibly defense contractors, rather than government itself. “I don’t foresee government being a target, but, instead, a weaker vertical,” Holden says. “If anything government-focused were to be attacked, I would think it would be government contractors that would be somehow associated with Syria.” Holden says e-commerce sites also could be prime targets. “[Those sites] are obviously related to capitalism, like the banks, and the money lost would be huge,” he says. “The impact would be very real, given how much commerce occurs over the Internet.” Media sites could be another target, Holden says. Regulatory Oversight Because of ongoing DDoS threats, more regulatory and legislative oversight related to how critical infrastructure industries address DDoS risks is likely on the way, says Corero’s Stephenson. “The attacks have heightened the need for guidance or legislation, whether that’s from the SEC [Securities and Exchange Commission] or an international agency like the European Commission,” he says. The need for more regulation and cross-industry collaboration has been highlighted by al-Qassam’s attacks, Stephenson adds. DDoS attacks have become a part of everyday business, and all sectors should be sharing threat intelligence, Stephenson says “One of the things I took away from this last year is that the banks really have learned a lot,” he says. “This type of cyberthreat is now business as usual. This is going to be a continuous threat and an ongoing risk of doing business online, and I don’t think we’re going to win here by keeping attack information secret.” The more organizations disclose about the attacks they suffer, the stronger defenses can be built, Stephenson says. “That’s where the vendors come in,” he says. “When they have an attack that is defeated, they can put the information together and pass that on to the authorities. A year ago, that wasn’t happening like it is today,” and there’s always room for improvement. Source: http://www.bankinfosecurity.com/whats-next-for-ddos-attacks-a-6074
DDoS: The Need for Updated Defenses Lessons Learned from a Year of Attacks Against Banks
In the wake of a year of attacks waged against banking institutions by Izz ad-Din al-Qassam Cyber Fighters, the FS-ISAC’s Bill Nelson and the ABA’s Doug Johnson say the need to regularly update DDoS preparedness is a critical lesson learned. As the one-year anniversary of the start of the hacktivists’ distributed-denial-of-service attacks against U.S. banks approaches, banks need to avoid complacency and leverage new mitigation tools to ensure protection against any DDoS attack from any group, the two experts say. By taking advantage of cyber-intelligence and DDoS mitigation toolkits provided by the Financial Services Information Sharing and Analysis Center and others, banking institutions of all sizes can help prevent online outages and mimimize risk for fraud , says Nelson, who heads the FS-ISAC in the U.S. FS-ISAC’s DDoS toolkit, which has been updated three times in the last year, is available to all institutions, not just FS-ISAC members. “We’ve worked to get this out to associations and third-party banking service providers, which really have a very important role as far as DDoS,” Nelson says in an interview with Information Security Media Group. “The Web hosting environment can impact numerous institutions.” A DDoS preparedness plan should address hardware security risks, ensure sufficient bandwidth and outline collaboration with third-party service providers, Nelson says. “Setting up in advance, not just waiting to see your name on a Pastebin post, is critical,” he says. Johnson, who oversees risk management for the American Bankers Association, says institutions have to band together to ensure they have the right plans in place. “It does take that village to ensure the institutions are asking the right questions,” he says. “The threat environment is substantially different than it was before these attacks.” Beyond al-Qassam On Sept. 18, 2012, Izz ad-Din al-Qassam Cyber Fighters announced the launch of its first wave of attacks against U.S. institutions to protest a movie trailer deemed offensive to Muslims. These attacks have forever changed the way the online world approaches DDoS, Nelson says. “When we realized this DDoS attack was different … we realized quickly that we needed to stand up and create an incident response team,” he says. “The reaction was really effective, and it proved how effective information sharing could be.” But Johnson says one lesson the industry has learned over the last year is that DDoS is not just about hacktivism, and banking institutions need to be concerned about attacks from any number of players. “It’s about the broad number of DDoS attacks that the industry is suffering [attacks] from a variety of parties,” he says. For community banks, the greatest concern is not online disruption, but the threat of DDoS attacks being waged to mask fraud, Johnson says. Source: http://www.bankinfosecurity.com/interviews/ddos-need-for-updated-defenses-i-2059
Read the original:
DDoS: The Need for Updated Defenses Lessons Learned from a Year of Attacks Against Banks
Countering Attacks Hiding In Denial-Of-Service Smokescreens
Denial-of-service attacks have long been considered the blunt wooden club of online hazards, a multi-gigabit stream of shock and awe. Yet, increasingly the noisy attacks are being used to hide more subtle infiltrations of a target’s network. A number of financial institutions, for example, have been targeted by distributed denial-of-service (DDoS) attacks immediately following a wire transfer, according to security firms familiar with the cases. The attacks, generated by computers infected with the DirtJumper DDoS malware, attempt to disrupt any response to the fraudulent transfer of funds, which are usually in the six-figure dollar range, according to a report by Dell Secureworks published in April. “The analogy is signal jamming,” says Kevin Houle, director of threat intelligence for managed security provider Dell Secureworks. “To the extent that you can use the DDoS attack to do cause chaos electronically, to prevent access to particular systems during an attack, the tactic has proven successful.” While DirtJumper has focused on causing chaos immediately following money transfers, the technique could be generalized to other attack scenarios. A variation of the attack has been used by Iranian hacktivists groups to disrupt the online operations of U.S. financial institutions by hiding more subtle application-layer attacks within larger packet floods. And South Korean companies were flooded with data while malware deleted information on organizations’ servers. “Your goal is to sow confusion,” says Vann Abernethy, a senior product manager at NSFOCUS, a DDoS mitigation firm. “A DDoS attack is designed to get your IT department to run around like their hair is on fire.” In addition, noisy DDoS attacks could attract more attackers, says Terrence Gareau, principal security architect for Prolexic, a DDoS mitigation firm. A very public attack could convince other groups to attempt their own operations in the chaos, he says. “If it’s a very public attack, then there is a high probability that other opportunistic attackers could take part as well,” Gareau says. “Opportunistic criminals will say, wow they are under a DDoS attack, so lets look at the network and see what changes have been made.” Companies need to structure their response group to handle a large infrastructure attack, but not be blinded by the influx of alerts to their system. Like magicians, the goal of the attackers is to force the security staff to only pay attention to a distraction to keep them from discovering the actual trick. “You almost have to have a team that deals with the infrastructure attack, and a separate group that goes into hyper-vigilance to find any other attacks coming in,” says NSFOCUS’s Abernethy. A third-party provider, who can use intelligence from attacks on other customers to more quickly identify new attacks, can help eliminate much of the inbound attack traffic, dialing down the volume of alerts that the security team has to process. The level of alerts seen by a security team during a denial-of-service attacks can increase by an order of magnitude. Filtering them out at the edge of the Internet can greatly reduce the impact on a business’s network and employees. “If you don’t have to have all those alerts on your network, you can pay attention to what matters,” Prolexic’s Gareau says. “Using a third part mitigation provider can significantly reduce the noise.” Yet, attacks that use a variety of traffic and techniques in a short time period can cause problems for denial-of-service mitigation firms, says Lance James, head of intelligence for Vigilance, a threat information firm that is now part of Deloitte. “They are not perfect,” James says. “We still see major banks going down. But they do well against long period term DDoS attacks.” While DirtJumper, also known as Drive, is not the only botnet that is used for combined attacks, it a popular one. DirtJumper has a half dozen ways of attacking infrastructure, including flooding Web sites with GET requests and POST requests, targeting infrastructure with two types of IP floods, and using UDP packets to slow down networks. Source: http://www.darkreading.com/threat-intelligence/countering-attacks-hiding-in-denial-of-s/240161237
Continued here:
Countering Attacks Hiding In Denial-Of-Service Smokescreens