Monthly Archives: August 2013

Bank man: System’s down, let’s have coffee. Oh SNAP, where’s all the CASH?

Hackers use DDoSes to distract staffers… while nicking MILLIONS Cybercrooks are running distributed denial of service attacks as a smokescreen to distract bank security staff while they plunder online banking systems, according to a researcher.…

Read the original:
Bank man: System’s down, let’s have coffee. Oh SNAP, where’s all the CASH?

DDoS Attacks Strike Three Banks

Izz ad-Din al-Qassam Cyber Fighters’ so-called Phase 4 of distributed-denial-of-service attacks against major U.S. banks hasn’t stalled, it’s just been ineffective at disrupting online availability, security experts say The latest attacks have been sporadic and seemingly less targeted. U.S. banking institutions, which have been under attack since September 2012, have adapted their defenses, making their online-banking sites hard to take down, experts say. But Brobot , the botnet used by al-Qassam Cyber Fighters, is still active; it targeted banking institutions as recently as last week, says John LaCour, CEO of cybersecurity and intelligence firm PhishLabs. “PhishLabs can confirm that we detected QCF [Qassam Cyber Fighters] related DDoS attacks on Wednesday [Aug. 14] and Thursday [Aug. 15],” LaCour says. “Three large banks were attacked that we have seen targeted previously.” LaCour would not name the banks that were hit. He did say, however, attacks last week were linked to Brobot, and that Brobot still appears to be controlled by al-Qassam. Experts say they don’t feel Brobot has been leased out for hire, and that al-Qassam is still the group using the botnet against banks. Disruptions at 2 Banks JPMorgan Chase and Citigroup suffered intermittent online disruptions last week, according to Fox Business . Neither one of those banking institutions responded to Information Security Media Group’s request for comment. But according to tweets posted last week, Chase and Citi both acknowledged suffering site issues Aug. 15. “We’re experiencing issues with our website and Chase mobile,” Chase tweeted. “We apologize for the inconvenience. Please stay tuned for updates.” In its tweet, Citi said: “We are aware of system issues at this time. We are working to get the issue resolved.” Keynote, an online and mobile cloud testing and traffic monitoring provider, confirms both banks’ online banking sites did experience intermittent issues Aug. 15. But the cause of those online interruptions is not known, says Keynote’s Aaron Rudger. “The Chase banking website appears to have been unavailable from 8:55 a.m. ET until 10:21 a.m. ET,” he says. “Our monitoring agents reported DNS [Domain Naming System] lookup errors throughout that period, across the U.S.” DNS is the system that translates a website’s name, such as www.chase.com, into an Internet protocol address that’s assigned to a Web server for that site, Rudger explains. “Our monitoring agents did observe only a very small number of errors trying to download the Citibank homepage, starting at 12:52 p.m. ET,” he adds. “But that only lasted until 1:09 p.m. ET.” But other experts who asked to remain anonymous say the outage at Citi was not linked to Brobot; it was an internal technical issue. What’s Next for Brobot? Because attacks against banks are increasingly ineffective, some question what’s next for Brobot. Rodney Joffe, senior technologist at DDoS-mitigation provider Neustar, believes the attacks against banks are nearing an end. What’s next is anyone’s guess, he adds. But Joffe and others have suggested Brobot will likely soon be used to target other industries, especially those impacting critical infrastructure. The attackers will take aim at other targets to avoid admitting their campaign has been a failure, some suggest. “We’ll start to see disruptions that cause a little more fear in the U.S. public,” Joffe says. “We have heard about the compromise of water systems in small towns. I wouldn’t be surprised if we really start to see attacks like that.” Source: http://www.bankinfosecurity.com/ddos-attacks-strike-three-banks-a-6006

Continued here:
DDoS Attacks Strike Three Banks

DOSarrest begins Offering Vulnerability Testing and Optimization

VANCOUVER, BRITISH COLUMBIA–(Marketwired – Aug. 14, 2013) – DOSarrest Internet Security announced today that it will begin offering a website Vulnerability Testing and Optimization ( VTO ) service. The services is a comprehensive test that will intelligently crawl a website and find any vulnerabilities in the site’s coding, as well as analyze the structure of the website to see what can be optimized for better performance, all for a safer and better web experience for your visitors. The Vulnerability portion of the scan is able to analyze web code while it is being executed, even for a very large site with dynamic pages, and test with the most advanced SQL Injection and Cross Site Scripting (XSS) analyzers. A report is provided at the end that details all identified security breaches and the line of code that is the culprit as well as how to fix it. A secondary Optimization scan is executed again on all pages within a website, applying best practice rule sets which identify what elements and design structure can be optimized, and how to do it. A DOSarrest security specialist will walk the customer through the report and retest if necessary. “Our customers have come to greatly appreciate our efforts, to not only protect them from DDoS attacks, but to also assist their IT operations in securing their web servers in house “, says Jag Bains, CTO of DOSarrest. Bains, goes on to state “We’re able to leverage our experience and expertise to provide our customers a framework for securing their operations. With web application hacking on the rise, the VTO service is taking our customer partnerships to another level.” More information on this service can be found at: http://www.dosarrest.com/en/vulnerability-testing.html . About DOSarrest Internet Security: DOSarrest founded in 2007 in Vancouver, BC, Canada is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services. Their global client base includes mission critical ecommerce websites in a wide range of business segments including financial, health, media, education and government. Their innovative systems, software and exceptional service has been leading edge for over 6 years now.

More here:
DOSarrest begins Offering Vulnerability Testing and Optimization

UCAS under DDoS attack

Ucas has been the victim of a hacking attempt, when its website was the target of a denial of service attack. The site was unavailable late on 14 August, the day before thousands of A-level students were due to receive their results across the country. A spokesperson for Ucas said: “The UCAS website suffered a sustained, criminal ‘denial of service’ attack. The site was down for an hour and then restored fully. No personal information was compromised. Confirmation and Clearing went ahead as normal. The attack originated in the Asia Pacific region and the police have been informed.” The chief executive of Ucas, Mary Curnock Cook, speaking to the Huffington Post, said staff were ‘pretty upset’ at the attempt. “The incident was contained very, very quickly and no personal data was released to anybody.” As of yesterday evening, over one million students had logged into Track. Ucas placed nearly double the number of students through clearing this year, in comparison with numbers from last year. 7,970 students had found a place through clearing, compared with 4,180 last year. The attempt to wreck the system was stopped, thanks to new technology that Ucas have installed in their software. Cumock Cook said: “This year we have made a step-change in our technology arrangements and most of our critical services are deployed in the cloud, which gives us massive resilience.” Source: http://www.independent.co.uk/student/news/ucas-hacked-ahead-of-alevel-results-8770993.html

Link:
UCAS under DDoS attack

GitHub code repository rocked by ‘very large DDoS’ attack

Second attack this month sees hackers git GitHub San Francisco–based GitHub, the online repository popular among software developers, suffered a major service outage on Thursday morning due to what it characterizes as a “very large DDoS attack.”… Learn how to leverage change for better IT And win a top of the range HP Spectre Ultrabook courtesy of HP and The Register! Click here to enter!

Taken from:
GitHub code repository rocked by ‘very large DDoS’ attack

Police nab alleged DDoS extortion gang at Heathrow Airport

Two Polish men were arrested at Heathrow Airport earlier this week in connection with an alleged DDoS extortion attack on a Manchester-based business, news sources have reported. Details are light but it is known that a website connected to the business was brought down during the attack, which happened at an unspecified time before the 7 August arrests. “This investigation centres on an allegation that the on-line company was blackmailed,” said Detective Inspector Chris Mossop, of Greater Manchester Police’s Serious Crime Division “As part of this blackmail attempt, one of the company’s websites was made temporarily unavailable by the offenders,” he added. “Denial of service attacks have become increasingly common offences in recent years and can have a devastating effect on the victim’s on-line business or presence.” The investigation continued in several countries, including the UK, the US and Poland, police said. Although such cases rarely come to light, cyber-extortion has flourished in the last decade. In almost every case, DDoS is the weapon of choice.  These days, small and medium-size businesses are the usual target because they are far less likely to have DDoS mitigation in place to defend themselves. The other less common technique involves attackers stealing data and threatening to release it unless a ransom is paid. An example of this type of attack came to light last year when a Belgian bank was blackmailed by hackers. Last December, hackers tried to extort $4,000 AUS (£2,600) from a medical centre in Australia after breaching its network and encrypting its customer database. A recent survey suggested that one in five UK businesses had been affected by DDoS attacks during 2012. Source: http://news.techworld.com/security/3463285/police-nab-alleged-ddos-extortion-gang-at-heathrow-airport/

Read the article:
Police nab alleged DDoS extortion gang at Heathrow Airport

Analysis: Who’s Really Behind DDoS?

Now that Izz ad-Din al-Qassam Cyber Fighters has launched its fourth phase of distributed-denial-of-service attacks against U.S. banks, many observers are continuing to ask: Who’s behind this group, and what are the real motives? Is al-Qassam really an independent hacktivist group, as it claims? Does it have connections to a nation-state, such as Iran? Or does it have ties to organized crime? And is there a possibility that it has leased out its botnet to multiple groups? In this analysis, Information Security Media Group weighs the evidence. al-Qassam has been waging DDoS attacks against leading U.S. banking institutions and a handful of smaller ones since last September. The attacks, designed to disrupt online banking service, have, so far, proven to be more of a nuisance than a malicious threat. But the launch of this new phase, which was announced July 23, raises new questions about just who is behind Izz ad-Din al-Qassam The Group’s Message Since the beginning, al-Qassam has positioned itself as a group of hacktivists – independent attackers who are waging online war against U.S. banking institutions to make a social statement. The group claims the catalyst for the attacks is a movie trailer on YouTube that it deems offensive to Muslims. And because YouTube has not removed links to this trailer, as al-Qassam has asked, al-Qassam is focusing its attack energies on America’s core – it’s financial foundation. In an Oct. 23 post on the open forum Pastebin, al-Qassam restated its purpose, and noted that the attacks are not being waged to perpetrate fraud . “We have already stressed that the attacks launch only to prevent banking services temporarily throughout the day and there is no stealing or handling of money in our agenda,” the group states. “So if others have done such actions, we don’t assume any responsibility for it. Every day we are giving a compulsive break to all employees of one of the banks and its customers.” The post also takes issue with statements made in October by U.S. Defense Secretary Leon Panetta, who during a speech about cybersecurity noted that industries touching critical infrastructure were at risk. “Mr. Panetta has noted in his remarks to the potential cyberthreats such as attacking on power and water infrastructures, running off trains from the tracks and etc.,” the post states. “In our opinion, Panetta’s remarks are for distracting the public opinion and in support of the owners of the banks’ capital. … This is capitalism’s usual trick.” Then, in November, an alleged member of al-Qassam told ABC News that its attacks were not backed by anyone, nor were they connected to the August 2012 attack on Aramco, a Saudi oil firm, which involved the deletion of data from tens of thousands of computers. “No government or organization is supporting us, and we do not wait for any support as well,” the self-proclaimed al-Qassam member wrote in an e-mail, ABC News reported. “Do you think that the massive protests in the world are done with support? [In] the same manner [that] millions of Muslims in the world protested, hackers are also part of this protest” But many experts have questioned the protest motive and have expressed doubt that al-Qassam is what it says it is. Experts’ Views Financial fraud analyst Avivah Litan has repeatedly argued these attacks are actually being backed by a nation-state, namely Iran, not independent hacktivists. Others, such as Bill Wansley of the consultancy Booz Allen Hamilton, have shared similar opinions. “There are indications that it’s an Iranian group,” Wansley told BankInfoSecurity in late September 2012. “There are a lot of indicators it’s from that region of the world. But these hacktivist groups, frankly, can operate from a number of different locations and give the impression of being from one time zone when they’re really not. So it’s not conclusive. But there certainly have been some indicators, such as the use of Arabic names, Iranian names and the time zone [and the time of day when the first attacks struck] that would indicate something from that part of the world.” An unnamed source within the U.S. government quoted in the New York Times in May suggested Iran is backing attacks against the U.S. in retaliation for economic sanctions the U.S. has imposed on Iran. Many security experts, however, have been reluctant to attribute these attacks to any one type of actor. That’s because any attribution could only be based on circumstantial evidence in the online world, says Alan Brill, cybercrime investigator and senior managing director at investigations and risk-consulting firm Kroll. “You can’t accept crowd opinion for verified fact,” he says. “I think it’s still very difficult to attribute things like this, simply because the Internet was never designed to make that easy.” Although Brill admits he has not carefully reviewed the evidence linked to these attacks, he says attributing these types of attacks is challenged by attackers’ abilities to mask their points of origination with throw-away IP addresses and anonymous networks. “Unlike other forms of evidence, such as a fingerprint at a crime scene, which does not change, this stuff is just so fluid,” he says. “It’s very difficult to put all of the pieces together. And in the case of state actors, you’re not going to get a lot beyond circumstantial evidence.” Reviewing Patterns But what can the industry glean from the most recent attacks? Many experts say the more they learn about al-Qassam, the more confused they are. The group’s Pastebin announcements, attack schedules and breaks between attack campaigns have been inconsistent. Just as soon as the industry thinks it’s outlined a pattern, the pattern changes, as shown again in this fourth wave of attacks. Here, Information Security Media Group spells out some important factors. Are They Really Hacktivists? Support for the notion that al-Qassam is a hacktivist group stems from the fact that it claims itself to be one – and so far, no financial fraud or other type of data compromise has been linked to an al-Qassam attack. Banking regulators have warned of the potential for DDoS to be used as a mode of distraction for fraud to be perpetrated in the background But so far, no account compromises have been associated with al-Qassam attacks. The group claims it’s waging its attacks for social reasons – outrage over a YouTube video deemed offensive to Muslims. That purpose would suggest this is just a group of hacktivists out for attention. Is a Nation-State Involved? But none of the industry experts interviewed for this analysis believes that is truly the motive. Hacktivists typically want attention. “There’s usually some bragging about what was accomplished,” Wansley said last year. “That’s the typical pattern of some of the hacktivist groups.” While al-Qassam bragged on Pastebin in the early weeks of its attacks, the bragging has waned over time. Hacktivists also often name their targets in advance. Al-Qassam did this early on, but as the attacks became less effective, that stopped. During the second and third campaigns, al-Qassam took credit after the attacks. Now, most of that post-attack bragging has stopped as well. And experts note that these DDoS strikes have been hitting U.S. banking institutions for nearly a year; a hacktivist group would need substantial funding to run an attack campaign that long. That’s why many believe al-Qassam is actually a front for a nation-state, a criminal network – or even a mix of both. “In this case, there’s a group that has an Arabic name that has never been associated with cyber-activity at all,” Wansley noted. “[The name has] been associated with Hamas. And for them to, all of the sudden, become a hacktivist group is just really interesting. We’ve never seen that before. That doesn’t mean they’re not doing it, but it could also mean they’re being used as a cover for some other country or organization to do something.” The timing of this fourth phase further supports the notion that al-Qassam is actually a nation-state actor, Gartner’s Litan contends. The Iranian presidential election, as well as elections for regional posts, occurred June 14. Litan says the attacks were expected to lapse during the election, assuming that the Iranian government is actually funding the attacks. “We all knew they’d be back after the election,” she says. “Really, this is just business as expected.” Based on information she’s gathered from law enforcement and some of the attacked banks, Litan concludes: “We know it’s Iran because the attacks have been traced back to them, through the files, through the servers.” Is There a Criminal Connection? But could there be a criminal element involved? Many experts say a connection to organized crime is possible, because the attackers waging these long-term, extensive DDoS strikes are likely getting funding from a nefarious source. But are there clues al-Qassam is waging its attacks for a criminal purpose? Brobot, al-Qassam’s botnet, keeps growing, experts say. While the attacks waged by Brobot have been unsuccessful at causing any significant online outages during the third and fourth phases, al-Qassam has continued to increase the botnet’s size. Why? Some argue the purpose is to rent out Brobot for a profit – perhaps to cybercrime rings. And attacks linked to Brobot this campaign may support the notion that Brobot is now being used by more than just al-Qassam. During the afternoon hours of July 30, Brobot was used to attack merchant sites, seemingly as a coding test for the attacks that kicked off July 31, says Mike Smith of the cybersecurity firm Akamai, which has been tracking and mitigating DDoS activity linked to al-Qassam. The only commonality among the July 30 targets: They all have the word “Da Vinci” in their website URLs, Smith and others confirmed. “There was no connection to banking at all,” Smith says. Source: http://www.govinfosecurity.com/analysis-whos-really-behind-ddos-a-5966

View article:
Analysis: Who’s Really Behind DDoS?

5 Steps to Prepare for a DDOS Attack

As more people are realizing that in today’s cyber climate Distributed Denial of Service (DDoS) attacks are a matter of when, not if, the most common question I get asked is “What can I do to prepare?” I like to break it down into 5 key steps enterprises can take now to be prepared for a future attack: 1. Centralize Data Gathering and Understand Trends This is true across all security topics, but the last thing you want to be is blind when a DDoS attack hits. Generally the DDoS attack timeline goes something like this for the head of network operations: – 9:00 am – your monitoring system starts lighting up like a Christmas tree and your phone is blowing up with SMS alerts saying “the site is down.” – 9:01 am – your CEO calls you screaming “why is the site down?!?!?!?!” Hopefully, you can answer that question, but without proper metrics and data gathering you can’t possibly hope to identify the root cause. It could be a network circuit down, data center failure, DDoS attack, etc. With proper data gathering and monitoring in place, you can quickly identify a DDoS attack as the cause, and you can start the process of getting the website back up and running. It’s critical to identify the cause early as DDoS attacks can be quite complex and the sooner you jump on identification and remediation, the sooner the site will be back up. At minimum, the metrics you should gather include: Inbound and outbound bandwidth on all of your network circuits, peering connections, etc. Server metrics: CPU load, network and disk I/O, memory, etc. Top talkers: top sources and destinations of traffic by IP and port. If you are running a web site, you need to understand items like top URLs being requested (vs. the top URLs usually being requested), top HTTP headers, HTTP vs. HTTPS traffic ratios etc. All of these metrics (and there are many more I didn’t cover) should then be sent to a central logging and correlation system so you can view and compare them from a single viewpoint. This helps you spot trends and quickly identify the sources and method of the attack. This is especially important when it’s a very complex attack where it might not be an obvious issue (e.g. it’s easy to see when your network bandwidth is saturated, but when it’s a botnet simulating clicking the “Add to Cart” button to overwhelm your database resources, that isn’t as easy to spot; especially if you are trying to piece data from many disparate systems). 2. Define a Clear Escalation Path Now that you have determined it really is a DDoS attack, what next? Do you know who to call to get your service back up and running? What tools do you have in place to block the malicious traffic? If you have purchased DDoS protection (very smart!), how do you get the system fired up? These are key questions that should be written down and answered BEFORE the attack hits. During an attack people are rarely calm and it’s no fun trying to figure out an escalation path in the middle of the craziness. Do it before the attack hits so you can calmly execute your plan and get your site back up and running. Note that this doesn’t just mean “technical” contacts. You want to let the head of support and customer service know as well. You can bet customers will be calling in and there is nothing worse than to answer “weird, I didn’t know our site was down” when a customer calls. You also want to let your CEO know (if he or she doesn’t already). Each business is different, so you should consider your situation and think of all the people who might want to know the website is down and add them to the list. An “outages” mailing list is a central place to report these items without you needing to remember who to send the info to every time. If you do have a cloud-based DDoS protection service in place, make sure the group you have chosen internally to be the touch point with the provider has the up to date 24/7 hotline, email address to send capture files to, etc. The vendor should be one of the first calls you make to start the mitigation. You need to engage your mitigation provider immediately as they have done this many times before and will know what to do to get your site back up and running. 3. Use Layered Filtering In the discussion on size vs. complexity of an attack, you need to be able to handle both the “big and dumb” types (a whole lot of requests that are generally easy to spot as malicious – often known as “network level”) and “small and complex” (fewer requests, but extremely difficult to differentiate legitimate vs. malicious – commonly referred as “application level” or “layer 7? attacks). Some tools and techniques work (and scale) very well to mitigate against the “big and dumb” types, but fail miserably on the application attacks. On the other hand, some techniques that are required for application attacks have trouble scaling on the larger network attacks. Recently, we have seen more of a third type of attack, “big and complex!” A combination of the two aforementioned attack types, these are big attacks where the traffic is really hard to identify as malicious or legitimate. With great technology and layered filtering though, you are in a better position to handle any of these types of attacks. 4. Address Application and Configuration Issues Not only are DDoS attacks really good at pinpointing bottlenecks in your network and security infrastructure, they are also amazing at identifying problems in your application; especially when it comes to performance tuning and configuration. If you haven’t done proper application load testing (both before launch and every so often to check for any slowness that may have crept in) a DDoS attack may be the first time your website or application has really been stress-tested. You may find your database configuration is sub-optimal, or your Web server isn’t configured for enough open connections. Whatever the issue, you will quickly see how well you have tuned your website. It’s always a good idea to do load testing of your site on your schedule, not the attackers’. 5. Protect Your Domain Name System (DNS) This is crucial and yet probably the most overlooked of all of the above recommendations. I can’t tell you how many enterprises have spent millions of dollars on their Web hosting infrastructure (data centers, web servers, load balancers, database servers, etc.) but have only two low end DNS servers to handle all of their DNS traffic. DNS is an extremely common target of a DDoS attack due to how critical the service is for Web availability (there are plenty of articles and examples of large Web properties going down due to DNS issues – often attack-related). If a customer can’t resolve the IP address of your website (which is the job of DNS), it doesn’t matter how much you have spent on your hosting, that customer is not getting to your site. Protecting your DNS as part of a good DDOS mitigation strategy is fundamental. (Here’s a report from Gartner Research that discusses this issue. Conclusion It would take a book to cover all of these topics in depth. Hopefully this will at least give you, some things to think about and plan for with your DDoS mitigation strategy. Stay tuned for my next post where I will go in depth on some of the cool technology we use at Verisign to protect both our own and our customers’ infrastructure. Source: http://www.circleid.com/posts/20130731_5_steps_to_prepare_for_a_ddos_attack/

See more here:
5 Steps to Prepare for a DDOS Attack

ZeroAcces rootkit dominates, adds new persistence techniques

According to a recent report by Alcatel-Lucent subsidiary Kindsight, as much as 10 percent of home networks and over 0.5 percent of mobile devices are infected with malware, and the ZeroAccess botnet …

View article:
ZeroAcces rootkit dominates, adds new persistence techniques