Monthly Archives: October 2012

More Banks Come Under Denial-of-Service Attack

Capital One and SunTrust came under attack this week using denial-of-service techniques that are evading defenses meant to blunt such attacks. Capitol One and SunTrust Banks have become the latest targets of hackers who have leveled attacks at U.S. financial institutions in alleged retaliation for the posting of a movie on YouTube that has offended some Muslims. On Oct. 8, a group calling itself the Izz ad-Din al-Qassam Cyber Fighters posted a message on Pastebin stating that Capital One, SunTrust Banks and Regions Financial would each suffer an eight-hour attack starting with Capital One the next day. Even with the advanced warning, the financial institutions suffered outages, with Capital One’s site frequently inaccessible during the eight-hour period. “Some Capital One customers experienced intermittent online access due to a large volume of traffic going to the Website and servers,” the bank said in a statement posted to its Web site. ”Other banks have experienced similar issues in recent weeks due to targeted efforts designed to flood online systems, also known as a distributed denial-of-service attack.” On Oct. 10, SunTrust Banks suffered some performance issues, as did Regions Financial the next day, according to media reports. The attacks are the latest data floods in a campaign that started in mid-September. Under the name “Operation Ababil,” a group of alleged Iranian protestors called for supporters to attack the Bank of America, JPMorgan, Citigroup and Wells Fargo. Yet the crowd-sourced hacktivism effort caused little damage. Instead, a second attack coming from hundreds—or at most, thousands—of compromised servers made up the most effective part of the data flood. Using compromised servers and customized malware, the attackers have hit targeted sites with between 70G bps and 100G bps of peak traffic, according to experts. The attacks—launched from servers used to publish corporate Websites and blogs but running vulnerable content management software—sent packets of data crafted to evade typical defenses, even those specifically designed to curtail denial-of-service (DoS) attacks. “They had far fewer machines involved and with much larger bandwidth,” Dan Holden, director of security for network-protection firm Arbor Networks, said of the earlier attacks. “These are Web or hosting servers that have been compromised and are obviously poorly administered.” Typical defenses against distributed denial-of-service attacks attempt to minimize the impact of an attack by intercepting the request as far away from the target Website as possible. By blocking attacks in other networks, the customer is not impacted by a massive influx of data. However, the latest attacks are using evasion techniques to get around standard denial-of-service defenses, said Phil Lerner, vice president of technology at security firm Stonesoft. By crafting the data to look like valid encrypted Web requests, the network packets are allowed to get through to the customers’ own computers to decipher the information. Even if that system blocks the request as invalid, the avalanche of data buries the computer, which can’t keep up. “DDoS [distributed denial-of-service] mitigation is not a cure-all,” Learner said. “You don’t have enough protocol decoding capabilities, and you are only doing partial defenses, or none at all, on the evasion detection.” Companies need to adopt security defenses that handle such evasion techniques, he said. In July, a researcher at cloud-security firm Qualys demonstrated that evasion techniques can cause problems for Web application firewalls (WAFs) as well. A variety of tricks, sometimes just adding a single character, could bypass the security offered by WAFs, according to the research. Source: http://www.eweek.com/security/more-banks-come-under-denial-of-service-attack/

View original post here:
More Banks Come Under Denial-of-Service Attack

U.S. banks warned of another Distributed Denial of Service ‘DDoS’ attack

Just as one type of attack against U.S. banks has subsided, the banks are being warned to get ready for another, called “Project Blitzkrieg,” aimed at online theft. Iran denies launching cyberattacks on U.S. banks The distributed-denial-of-service (DDoS) attacks that briefly disrupted the online services of a half-dozen major financial institutions late last month — Wells Fargo, U.S. Bancorp, PNC Financial Services Group, Citigroup, Bank of America and JPMorgan Chase — ended abruptly about two weeks ago, even though the group that claimed credit for them had threatened to continue them. Izz al-Din al-Qassam Cyber Fighters, the military wing of Hamas, the Islamic party that governs the Gaza Strip, had said in a Pastebin message that the attacks would continue until a trailer of the independent film “Innocence of Muslims,” which they said insults the prophet Mohammed, was taken off the Internet. But now, says a blog post by Mor Ahuvia, cybercrime communication specialist at security firm RSA, another wave of attacks is looming, this one aimed at stealing big money. “A cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign,” Ahuvia wrote. “Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date.” RSA said the gang leadership appears to come from Russia, and plans to use a “Gozi-like Trojan” that RSA is calling Gozi Prinimalka. Prinimalka is derived from the Russian word meaning “to receive.” “According to underground chatter, the gang plans to deploy the Trojan in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios,” Ahuvia wrote. “If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two. The spree’s longevity, in turn, will depend on how fast banks and their security teams implement countermeasures against the heretofore-secret banking-Trojan,” she wrote. Brian Krebs, who writes the blog KrebsonSecurity, said in a recent post that the RSA analysis “seemed to merely scratch the surface of a larger enterprise that speaks volumes about why online attacks are becoming bolder and more brash toward Western targets.” But he also said this particular threat could be a hoax — that there is some suspicion in the cybercrime world that it could be a sting operation by Russian law enforcement, since the announcement has been so public. Krebs said the threat appears to be coming from a series of posts on Underweb forums by a Russian hacker nicknamed “vorVzakone.” His name translates to “thief-in-law,” which Krebs said, “in Russia and Eastern Europe refers to an entire subculture of elite criminal gangs that operate beyond the reach of traditional law enforcement. The term is sometimes also used to refer to a single criminal kingpin.” Krebs said vorVzakone called the campaign “Project Blitzkrieg,” and according to a translation of one of his messages, said he hopes to recruit 100 botmasters to take advantage of authentication weaknesses in U.S. bank systems before they can improve their protection. The botmasters would have to qualify with an online interview and be trained, and would then get to share in the profits. In vorVzakone’s message, he said: “The development of the system took 4 years of daily work and around $500.000 was spent. Since 2008 by using this product not less than $5m was transferred just by one team.” Jason Healey of the Atlantic Council, a cybercrime expert and former White House security official, said it sounds to him like the group is “trying to be the Russian online equivalent of Ocean’s Eleven — call it Ocean’s Odinnadsat’ — or a group that wants to be seen in that light. They can get some cool points, either way.” Most security experts say the financial sector is the best prepared of any in the U.S. to deal with direct attacks. But these attacks will, of course, not be aimed directly at the banks, but at their customers. And vorVzakone also wrote that the operation will flood cyberheist victim phone lines while the victims are being robbed, in an effort to prevent account holders from receiving confirmation calls or text messages from their banks.” In an interview, Brian Krebs said cyber thieves, “almost always target the line of least resistance, and that is the customer. That doesn’t excuse the banks from their obligation to be constantly upgrading their defenses against such attacks. There are thousands of financial institutions in the U.S. and many of them are woefully behind in updating their customer-facing security measures.” He noted that banking law does not protect commercial and business customers at the same level as individual customers, and said banks need to do much better at flagging abnormal transaction behavior, such as, “a sudden addition of many new employees to an organization’s payroll, particularly if those people are spread all over the country geographically.” “You’d be amazed at how many times a month some bank lets this happen, and with disastrous results,” Krebs said. Still, if vorVzakone and his presumed colleagues are serious about their plan, why broadcast it so blatantly? Is that an indication that the whole thing may be a fraud? Krebs said there is reason for skepticism, noting in his blog post that vorVzakone even posted a homemade movie on YouTube, in which he. “introduces himself as ‘Sergey,’ the stocky bald guy in the sunglasses. He also introduces a hacker who needs little introduction in the Russian underground — a well-known individual who used the nickname ‘NSD.’” Krebs then quotes one Russian expert saying vorVzakone’s “language and demeanor is that of street corner drug dealer or a night club bouncer,” not someone who can organize and run a sophisticated cyberheist operation. Krebs himself is not quite as harsh, but said such projects “are announced all the time on the underground, but usually they are in fairly closed, secretive forums. The forums on which this project was announced were moderately secret, but it’s fairly unusual for miscreants to create YouTube videos of such projects and to promote them so openly.” Healey said the public bragging is a mistake. “To succeed with a Trojan, you want it to be somewhat secret with few people involved,” he said. “The few who are involved should be well known and trustworthy. That is the opposite of what Ocean’s Odinnadsat’ has done.” He said that and the fact that they are recruiting people who may be unknown to them “makes it more likely that the intel and threat companies, and law enforcement, can get the code beforehand.” Another problem that could undermine the operation is simple organizational weaknesses. “My sense is that such a project would require a decent amount of operational cohesion and security, and cooperation,” Krebs said. “From what I’ve seen of the underground, the more people you involve in a scheme, the more likely it is to fall apart.” But he said whether this threat is real or not, the need for protection is crucial. The best way for customers to avoid theft is to prevent their computer from being infected. “The trouble is,” Krebs said. “It’s becoming increasingly difficult to tell when a system is or is not infected. That’s why I advocate the use of a Live CD approach to online banking. That way, even if the underlying hard drive is infected with a remote-access, password stealing Trojan like Gozi, your online banking session is protected.” Source: http://www.networkworld.com/news/2012/101012-us-banks-warned-of-another-263227.html?page=1

Continue reading here:
U.S. banks warned of another Distributed Denial of Service ‘DDoS’ attack

Proxy service users download malware, unknowingly join botnet

In yet another example of if-it's-too-good-to-be-true-it-probably-isn't, hundreds of thousands of users signing up for a cheap and supposedly legitimate proxy service have ended up downloading malware…

Taken from:
Proxy service users download malware, unknowingly join botnet

Expert’s Warning: More Distributed Denial of Service ‘DDoS’ attacks Coming At You

Brace yourself: more distributed denial of service (DDoS) attacks are coming at financial institutions, predicted Scott Hammack, CEO of Hollywood, Fla.-based Prolexic Technologies, a leader in helping big business defend itself against DDoS. “Absolutely, we will see more attacks on banks,” said Hammack in an interview. He traced the current wave of attacks – which have crippled the websites of money center banks including Bank of America and JP Morgan Chase – to probes that began in January. “The attackers did several months of reconnaissance, probing websites for vulnerabilities,” said Hammack. The core DDoS method is to overwhelm a website with a flood of extraneous data. There is so much data coming in that legitimate requests simply cannot be handled. The current attackers, Hammack suggested, come at this with enormous skill, sophistication and funding. He indicated he had no guess about the possible end game or what the objectives of the attackers might be beyond highlighting the vulnerabilities of big banks to attacks. He indicated that the attackers – or people close to them – have frequently posted notices of what institutions they have taken down on Pastebin, a website believed to be frequented by members of the hacker and cyber-criminal community. According to Hammack, the attackers have used the itsoknoproblembro DDoS tool kit and they have come to the battle with deep knowledge of the classic anti DDoS mitigation schemes. Since they know how financial institutions protect themselves at first sight of DDoS, they also know how to maneuver around those protections, said Hammack. Hammack warned: “This is sophisticated in the way Stuxnet was.” Stuxnet’s authorship is unknown, but some have said it was approved by the White House and involved high level cyber security experts from the U.S. and Israel. It specifically targeted Iran’s nuclear program. So far, no credit unions are known to have been targeted in the present wave of DDoS attacks. However, Hammack indicated that in his opinion only the very largest banks are currently prepared to deal with this attack. “A lot of smaller financial institutions have no protection,” he said. “If they get hit they will be out for days.” Source: http://www.cutimes.com/2012/10/01/experts-warning-more-denial-of-service-attacks-com?ref=hp

Link:
Expert’s Warning: More Distributed Denial of Service ‘DDoS’ attacks Coming At You

Protection against DDoS and targeted attacks

Corero Network Security announced its First Line of Defense solution, which blocks L3-L7 DDoS and advanced targeted server attacks. Cyber criminals/terrorists have reached a level of complexity tha…

See the original post:
Protection against DDoS and targeted attacks

Rise in DDoS Attacks, Video Streaming, Over-The-Top Conte

NTT America, a wholly owned U.S. subsidiary of NTT Communications Corporation(NTT Com) and a Tier-1 global IP network services provider, today issued its biannual state of the industry assessment of key trends shaping the broadband and IP transit industry. Michael Wheeler, executive vice president, NTT Communications Global IP Network, NTT America, said preparing Latin America for increased broadband data consumption is a priority, especially as Brazil readies for the 2014 World Cup and 2016 Summer Olympics. Additionally, demand for real-time mobile content and the rise of sophisticated DDoS attacks are other key factors changing the Internet industry. Focus Increases on Developing Brazil’s Telecom Infrastructure as World Cup and Olympics Approach As Brazil prepares for the 2014 FIFA World Cup and 2016 Summer Olympic Games, the biggest hurdle facing the country is developing its telecommunications infrastructure to improve Internet access and bandwidth capacity, according to Wheeler. Telebrás, Brazil’s state-owned service provider, is investing upwards of $400 million dollars (BRL) in the next few years to steer growth and development. As a result, domestic and international carriers are crucial in supporting the Brazilian government to meet the cellular and Internet data needs. These World Cup and Olympic events will represent the first time video content will originate from Brazil and be streamed out in such large numbers globally. NTT Communications was recently awarded a contract by Telebrás as one of two international carriers that will enable São Paulo residents to connect to international markets through a high quality network. NTT Communications was selected due to its direct access to major markets around the world and Point of Presence (POP) location in São Paulo. “Consumption of mobile video and other forms of over-the-top content will continue to grow exponentially through 2016. While most users don’t realize how demanding these service requirements are on providers, new technologies will be the driving force for developing the next-generation Internet services in both wireless and wireline,” said Wheeler. “Successful service providers will have an established infrastructure of high bandwidth, next-generation equipment and industry expertise to manage dynamic content demands.” Video Streaming and Chatting on Mobile Devices Soars; Demands Greater Expectations of Carriers The number of devices connected to IP networks will be nearly three times as high as the global population in 2016, according to a recent report from Cisco. Driven in part by the increase in devices and the capabilities of those devices, the same report concludes that IP traffic per capita will be the equivalent of all movies ever made crossing global IP networks every three minutes in 2016. In terms of consumer Internet traffic categories, Cisco estimated mobile video consumption to grow 83 percent through 2016, and online gaming is estimated to grow by 46 percent by 2016. “This generational consumption shift in Internet-based activities is changing how carriers design networks to provide the best possible user experience,” said Wheeler. “While most don’t realize how demanding these services are on providers, new technologies will be the driving force for developing the next-generation Internet services. Successful service providers will have an established infrastructure of high bandwidth, next-generation equipment and industry expertise to manage dynamic content demands.” Given the increase in over-the-top (OTT) content, the optimal network architecture that is flexible in shaping bandwidth for content distribution and delivery worldwide are fundamental to containing costs. The services Tier-1 providers offer are key to providing high-quality bandwidth and capacity to support the demand for OTT content. NTT Communications’ high level of redundancy, industry leading uptime and extensive network of peering partners can help customers prepare for this growth. DDoS Attacks Grow, Posing a Constant Financial Threat to Online Businesses With more than 7,000 attacks reported daily worldwide, distributed denial of service (DDoS) threats continue to rise in number, size, frequency and complexity. The business costs associated with DDoS attacks are substantial for any online entity. As research from industry reports indicate, monetary losses from a DDoS attack can range from $90,000 to $6.5 million per hour. Despite the growing threats, protection and mitigation efforts of many global companies, government entities and advocacy groups remain inadequate and antiquated. As DDoS attacks become more sophisticated, proper mitigation is critical. Wheeler urges businesses to prioritize a contingency plan for DDoS attacks. When companies select their mitigation service provider, it is important to understand the level and type of security support provided. “While many DDoS mitigation services are entirely automated, and as attacks become more sophisticated, the need for expert human judgment and monitoring are a necessity in determining the legitimacy of traffic,” said Wheeler. “At NTT America, our US based Security and Abuse Team is working 24 hours a day, 7 days a week, assuring that online assets and network availability are aggressively protected.” For immediate DDoS protection against your eCommerce site click here . Source: http://www.dailyfinance.com/2012/10/03/ntt-america-addresses-top-internet-trends-rise-in-/

Read this article:
Rise in DDoS Attacks, Video Streaming, Over-The-Top Conte

New Bank Attacks Expected Today?

Is another wave of distributed denial of service attacks imminent? For the past two weeks, DDoS attacks that caused online outages at several major U.S. banks started on Tuesday mornings and ended by Friday afternoons, says Mike Smith, a senior security evangelist at Akamai Technologies, an Internet platform provider. Smith and other security experts are standing by to see if this week brings a third round of attacks. While they wait, these thought-leaders offer insights in response to these outstanding questions: Why were banks unable to stop the DDoS attacks from causing outages? What steps should banks and other organizations take now to prepare for additional attacks? Technology does play a role in thwarting such attacks, says Smith, who also blogged about the attacks. But a renewed focus on information sharing is the best investment an organization can make, he says. “Packet captures from the attack traffic we shared with our customers, for instance, allowed them to build IDS [intrusion detection system] signatures, so when they first start to receive that traffic, they can block it,” he says. Why Attacks Succeeded DDoS attacks are not new – they have been around since at least 2001. Simply defined, a DDoS attack usually involves an external party saturating a targeted website with traffic until the site’s servers are overloaded, ultimately rendering the site unable to respond and unavailable. This is what happened to the banks, whose customer-facing websites subsequently faced varying degrees of unavailability. Yet as Anton Chuvakin, a security analyst at Gartner, pointed out in May, DDoS attacks seem to have become a “forgotten area” of security – until the latest string of incidents. “Denial-of-service attacks, in general, cannot be stopped,” Chuvakin says. “If their entire network connection is full of traffic, nothing they do on their own will remove the flood.” The recent wave of attacks is unique for its scale, Smith says. The average online user in the United States and Western Europe uses about 1 megabyte per Internet node per second. “Even at the height of the Anonymous attacks, we saw traffic coming in from 7,000 or 8,000 people [at approximately 1 gigabyte per second] involved in attacks at any given time,” he says. “That’s a lot.” But in the most recent attacks, the traffic coming in was the equivalent to about 65 gigabytes per second, Smith says. “A typical DDoS attack waged by a hacktivist group looks much different than what we saw here,” he says. “You would expect less than 1 gbps [gigabyte per second] of attack traffic for the average hacktivist, and would expect peaks up to, maybe, 2 gbps.” Avivah Litan, fraud analyst at Gartner who blogged about the attacks, says, based on what she’s been told, the attacks together added up to 100 gigabytes of traffic. “The leading DDoS prevention software, more or less, stops working when the attacks get larger than 60-70 gigabytes,” Litan writes. “The major ISPs only have a few hundred gigabytes bandwidth for all their customers, and even if they added more on to that, the hacktivists could quickly and easily eat the additional bandwidth up.” Where Did Attacks Originate? Recent attacks have been attributed to Izz ad-Din al-Qassam. But this group, which in the past has been known to support Hamas, has not historically been affiliated with hacktivism, says Bill Wansley, a fraud expert at financial-services consultancy Booz Allen Hamilton. “All of the sudden, for them to become a hacktivist group, it’s just really interesting,” Wansley says. “We’ve never seen that before” (see More U.S. Banks Report Online Woes). Thus, determining, with any certainty, who or what is actually behind the attacks has proven difficult. “There are indications it’s an Iranian group,” Wansley says, based on the IP addresses linked to the attack and the timestamp of the attacks. These latest attacks are unlikely to be the product of traditional hacktivists, experts say, citing this evidence: The sheer number of hits seem too large to be waged by social or political hacktivists. “The volume of the traffic is far higher than what we normally see,” Smith says. During a typical hacktivist attack, variations in the site traffic are evident. “The attacks in this case were homogeneous, which is not typical,” Smith says. “The traffic looked the same.” And there wasn’t a lot of bragging going on after the attacks, either, which also is typical in a hacktivist event. “The attacks are unique and seem to have a different character than previous [hacktivist] attacks,” Wansley says. How Can Organizations Respond? Although U.S. banks have been the initial targets of the latest DDoS attacks, experts say all organizations should be on notice: They could be next. Gregory Nowak, a principal research analyst for the Information Security Forum, says security leaders need to realize that these incidents are ideological attacks against the U.S. “The attacks have nothing to do specifically with the activities of these banks – they were innocent bystanders,” Nowak says. “The message is: This can happen to any organization, and they need to consider [hacktivism response] as part of their risk management” (see Banks Under Attack: PR Missteps). So, what can organizations do to prepare? Litan says DDoS is not an issue any individual organization can control. “It’s a networking bandwidth and network security software issue,” she says. “Simply put, the DDoS prevention software can’t handle this large of an attack, in terms of the bandwidth it consumes.” Among the steps organizations can take: Protect default online pages or homepages. “This is the page most commonly attacked in a DDoS and can be easily protected with basic caching,” Smith says. Communicate with ISPs about suspicious traffic. “The [organization] has to work with its ISP, and potentially other ISPs, to see if the ISP can identify the traffic before it gets to the website and drop it earlier in its travels,” says Alex Horan of CORE Security, an online security firm that specializes in vulnerability assessment and testing. “But the [organization] doesn’t want to accidently drop legitimate traffic when doing that, so it has to be very cautious.” But organizations also must know the privacy limitations ISPs face when it comes to blocking or removing computers or users linked to attacks. “We need every ISP to be able to work together,” Horan says. “While this appears to be in the ISPs’ favor, most would be reluctant to do it, as it would mean they would have to inspect the packets sent by their customers, and it could very easily be seen as an invasion of privacy.” What’s Next? DDoS attacks occur on a daily basis, Smith notes. So Institutions and others need to focus on intrusion detection and DDoS attack identification. ISPs also should have mechanisms in place to block DDoS attacks. “That way, they limit an attack against one customer and limit the impact to their other customers,” Smith says. “The ISP is the conduit; they are at risk, and they know this. That’s why they also usually offer protective services.” If the ISP with which an institution works does offer protective services, banks and others should take advantage, Smith says. But if the ISP doesn’t offer protective services or does not have the ability to filter traffic, the institution can at least block traffic coming in from IP addresses identified as being connected to an attack. Information sharing between banking institutions and among institutions, ISPs, law enforcement and third-party vendors is critical. “The attackers will change,” Smith says. “Understanding how those attacks are changing is critical.” For now, however, experts are anxious to see if the wave of attacks that targeted banks the last two weeks will continue. “What does this week hold?” Smith asks. “We’ll soon know if the pattern will continue.” For immediate DDoS protection click here . Source: http://www.bankinfosecurity.com/new-bank-attacks-expected-today-a-5155/p-2

Continued here:
New Bank Attacks Expected Today?

DDoS attacks reach new level of sophistication

Prolexic Technologies warned of an escalating threat from unusually large and highly sophisticated DDoS attacks. The DDoS attacks have been launched in the last week using the so-called itsoknopr…

Continued here:
DDoS attacks reach new level of sophistication