Monthly Archives: November 2013

Avoiding Website Outages During the Holiday Season

The holiday shopping season is practically upon us, and online retailers don’t want to endure any IT downtime between Thanksgiving and Christmas when many ring up a third of their annual receipts. That’s a lot of green. Online shopping carts should register nearly $100 billion this holiday season in online sales – up 12% from a year ago, estimates Shop.org. What can online retailers do to avoid outages and other disruptions? It’s an important issue because an estimated one-in-five retailers suffered outages last year. The damage? Forty-five% estimated they could lose $500,000 to $5 million in one day due to a website crash. Gartner consultants predict a 10% growth in the financial impact that cybercrime will have on online businesses through 2016. They see distributed denial-of-service (DDoS) attackers taking advantage of new software vulnerabilities to begin an assault with multiple sources and often multiple targets. These can be introduced via employee-owned devices used in the workplace and even via the Cloud. Actions to Take Now While it’s probably too late to take major actions this holiday season, retailers can still take some steps to minimize such disruptions. However, to really combat the outage and downtime challenges, retailers should begin taking more effective steps after the New Year starts to get ready for the 2014 holiday rush. Three-of-four online retailers (77%) strengthened their online IT defenses this year to reduce downtime from last year. Downtime certainly occurs. Considering the common 99.5% system uptime, this leaves 43 hours – roughly one-and-a-half days – of downtime yearly. A key focus area should be ensuring your site can handle rapid and unexpected increases in demand. That demand can take two forms: desired demand, which should be scaled up Cyber Monday and undesired demand, which should be mitigated, like a cyberattack. Here’s what online retailers still can do before the approaching Big Season. Determine whether you can handle the increased traffic from desired demand expected during the holiday season, especially on Cyber Monday, when online sales soar. You might still be able to turn to cloud-based services to add capacity and prevent a site crash. But if you don’t have a cloud provider, it’s probably too late to make those arrangements and transfer your data to the provider’s site. Determine if you have adequate mitigation capabilities for DDoS attacks from hackers. The last quarter of the year, primarily holiday season, is when DDoS attacks increase in size and intensity. In the 2012 fourth quarter, one DDoS protection service mitigated attacks that reached more than 50 gigabits per second directed against ecommerce clients; the average attack duration was 32.2 hours. Find out how various types of DDoS threats can impact different elements of your network and determine mitigation actions that can protect them, including employing a DDoS mitigation service. Keep tabs on blogs and social media sites because hackers enjoy bragging about their activities and sometimes disclose their next industry target. Make sure your payment data being collected remains secure because attackers often are going after customer credit card data. For retailers about to begin or who have begun what’s called the “network freeze,” in which no changes of any type can be made to their network and system components or apps operations until mid-January to avoid triggering downtime, if any severe vulnerability that has the potential to cause downtime is found, an emergency change window should be requested to remediate the problem – even during the “freeze.” This “freeze” practice actually is a Payment Card Industry (PCI) regulation. But only 21%bof businesses that store credit and debit card data comply with that regulation in between their mandatory annual audits, a Verizon study finds. What to Do for Next Holiday Season When the holiday and post-holiday sales rush slows, begin thinking about the 2014 holiday season, especially if you’re really bent on enhancing your defenses and scalability against downtime or outages and you haven’t taken major steps yet. Here are some suggested initiatives: Confer with a consulting firm or a data center or cloud provider about what you need to do, specifically, to realize your objectives. Consider actually retaining a service provider that delivers services to help you scale out and protect your IT operations. Going to the cloud doesn’t alleviate your IT responsibility where security is involved. The cloud doesn’t necessarily make your apps secure. A service provider can work with developers to develop and meet these objectives. Shift to a scale-out IT model so your applications scale out, not up, and this may require application transformation efforts to make you application resilient even when infrastructure services are disrupted in local regions. Act early in the year because this type of transformation effort will require changes across all parts of your infrastructure and application; no real shortcut exists and there won’t be time to make these types of changes once the selling season is upon you. Embrace cloud-type platforms if you’re a seasonal online retailer because they’re more dynamic and it’s easy to scale up quickly to meet demand and not incur extra costs when the demand isn’t there. Look into establishing a hybrid cloud so those apps that can’t be moved to the cloud quite yet, can continue to be handled in their traditional manner. For instance, you might use the cloud for web and application tiers and keep other operations in your normal IT setup until you are ready to take on the transformation actives required to update your database environment. Be sure to test your enhanced system before the holiday season and design it to support 100% availability because your goal must strive to always be up. This means securing secondary and tertiary facilities and resources far apart from your principal facility so if an outage occurs in one site, the load can be automatically shifted to an alternate site. Lastly, understand your key performance indicators, or KPIs – those measurements used to evaluate the success of particular activities in which you’re engaged. To do this well, you must possess a firm understanding of the KPIs across all tiers of your applications. Certainly for online retailers, the holiday selling season is critical to their financial strength and even survival. That’s why it’s imperative to keep your IT operations up and running and to recognize and repel cyber-attackers. But remember. You can’t do everything. Simply do what you can for this year and move swiftly to prepare for the 2014 holiday season. Source: http://multichannelmerchant.com/crosschannel/avoiding-outages-holiday-season-06112013/

Jurassic DDoS?

Like something from the digital ice age, distributed denial-of-service (DDoS) attacks have thawed and are roaming the cyber planet again, according to data from Google in collaboration with Arbor Networks, which provides insight into the scale and geography of recent cyber strikes. Various other reports support the same theory. Verisign estimates that a third of downtime incidents stem from DDoS attacks. These attacks are costly for both businesses and consumers, and the costs are rising. The security firm Prolexic found that attacks became bigger and more frequent in 2013 vs. 2012. There was a 58% increase in total DDoS attacks; 101% increase in application layer (Layer 7) attacks; 48% increase in infrastructure (Layer 3 &4); and 12.4% increase in average attack duration. In addition to an increase in frequency and scale, Prolexic observed some interesting metrics that illustrate significant changes in DDoS attack methodologies. Most notably was a shift away from the bulky flat packet SYN floods to UDP-based attacks and the rapid adoption of Distributed Reflection Denial-of-Service (DrDoS) attacks. A “reflection attack” is a compromise of a server’s security caused by tricking it into giving up an authentication security code, allowing a hacker to access it. These attacks are made possible when servers use a simple protocol to authenticate visitors. It exploits a common security technique known as a challenge-response authentication, which relies on the exchange of secure information between authorized user and server. The hacker logs on and receives a challenge. The server is expecting an answer in the form of the correct response but instead, the hacker creates another connection and sends the challenge back to the server. In a weak protocol, the server will send back the answer, allowing the hacker to send the answer back along the original connection to access the server. Systems that use a challenge-response authentication approach to security can be vulnerable to reflection attacks unless they are modified to address the most common security holes. Reflection attacks use a different kind of bot and require a different type of server to spoof the target IP. Prolexic believes the adoption of DrDoS attacks is likely to continue, as fewer bots are required to generate a high volume of attack traffic due to reflection and amplification techniques. Such attacks also provide anonymity by spoofing IP addresses. Another interesting observation by Prolexic is that infrastructure-based attack protocols such as SYN floods remain in steady use and are often implemented in conjunction with the reflection attacks. The US and China are popular targets simply because these two countries have more internet users than any other country, and both countries are popular choices for ideologically based attacks. The top ten DDoS originating countries according to the Prolexic Quarterly Global DDoS Attack Report Q3 2013 are: China – 62% United States – 9.06% Republic of Korea – 7.09% Brazil – 4.46% Russia – 4.45% India – 3.45% Taiwan – 2.95% Poland – 2.23% Japan – 2.11% Italy – 1.94% So, what does the future hold for DDoS attacks? Future DDoS attacks will likely be conducted through the use of booter scripts, stressor services, and related Application Programming Interfaces (API). The increasing use of this attack method will result in much more effective attacks with fewer resources required. Since these attacks are easier to employ, DrDoS attacks will become more popular. In fact, according to Prolexic, script kiddies are graduating into digital crime and assembling DDoS-for-hire sites for as little as five dollars ($5). That $5 can buy you 600 seconds of DDoS and just $50 could put a credit union down for an afternoon. Remember, it costs far less to generate an attack than to mitigate an attack. Security professionals must promote cleanup efforts and make it difficult for hackers to send money to criminals offering DDoS for hire. The financial institutions with smaller security budgets become more lucrative targets because they cannot apply the resources to identify threats. Verizon’s Chris Novak agreed: “We are seeing where DDoS is used to distract a medium-size financial institution. While they are busy fighting off the DDoS, they don’t see that terabytes of data just walked out the door. That’s scary.” DDoS is not dead. In fact, it is alive and kicking. In addition to the foray of targets, many new government programs have become recent hacker targets using DDoS. As new software is developed, it is incumbent on IT security professionals to be cognizant of potential DDoS vulnerabilities and to initiate countermeasures as quickly as possible. Source: http://www.infosecurity-magazine.com/blog/2013/11/5/jurassic-ddos/1050.aspx

Read the original:
Jurassic DDoS?

Anonymous Philippines hack and DDoS Government sites

Critics of the Aquino administration responsible for hacking government websites will be dealt with accordingly, Malacañang warned yesterday. “There are existing laws against hacking and proper action will be taken,” Press Secretary Herminio Coloma told a news briefing when sought for comment on the latest attacks on the websites of several government agencies by activist hacker group Anonymous Philippines. “There are sufficient avenues for free expression so there is no need to resort to illegal acts such as hacking of government websites,” Coloma said. He said that sentiments against the government could be aired in street protests. According to Coloma, there is enough “democratic space” where the public can air their grievances. More gov’t sites under attack Anonymous Philippines claimed it has stopped the operation of major government websites as hackers geared up for today’s “Million Mask March” in Quezon City. In a post on its Facebook page yesterday, the group said the websites of around 100 local and national government agencies – including that of the Official Gazette, Senate, House of Representatives and the National Bureau of Investigation – were “currently down.” With the exception of the Senate website (senate.gov.ph), a random check showed that most of the national government websites in the list were accessible as of yesterday afternoon. Despite having a security feature to mitigate attacks, the Official Gazette website (gov.ph) was temporarily inaccessible yesterday. In a phone interview with The STAR, Roy Espiritu of the Information and Communications Technology Office confirmed that a number of government sites have been under distributed denial of service (DDoS) attacks since Monday. However, he said that “critical” government websites are “secure.” Espiritu said government websites are currently in the process of migrating into more secure servers as mandated by Administrative Order 39, signed by the President in July, which establishes a Government Web Hosting Service. The service seeks to “ensure the government’s Internet presence around the clock under all foreseeable conditions.” Earlier, Espiritu said they are looking into the possibility of incorporating security measures to beef up the defenses of government websites. A DDoS attack is mounted to shut down an Internet site by flooding it with access requests and overload its server handling capabilities. Websites affected by successful DDoS attacks are inaccessible to legitimate users who wish to view their content. The Official Gazette website is protected from DDoS attacks by CloudFare, which offers security by checking the integrity of browsers and looking for threat signatures from users who wish to access the site. DDoS attacks are dependent on the number of people trying to access the website at the same time. Espiritu earlier said that even the most secure websites could be affected by such attacks. In 2010, the websites of Visa and MasterCard were affected by a DDoS attack mounted by supporters of whistle-blower organization WikiLeaks. DDoS attacks are different from hacking, which requires an Internet user to access the website using the password of a legitimate administrator. Investigation According to Espiritu, an investigation will be conducted to determine the people behind the attacks on government websites. He said the people behind the attacks may be charged under the e-Commerce law as the move to shut down the websites deprived the public of the information that they need from the government. On Monday, the website of the Office of the Ombudsman was defaced by people claiming to be members of Anonymous Philippines. The latest cyber attacks on government websites came amid issues involving alleged misuse of the Priority Development Assistance Fund and the Disbursement Acceleration Program of the legislative and the executive, respectively. In August, various government sites were hacked during the Million People March attended by thousands in Luneta. Previous incidents of attacks happened during the height of discussions on various issues such as the passage of the Cybercrime Prevention Law and the territorial dispute with China. Worldwide protest The Million Mask March is an event that will be held in various locations around the globe today “to remind this world what it has forgotten. That fairness, justice, and freedom are more than just words.” According to its official Facebook page, the march will cover various topics including government, education reform, constitutional rights, freedom, unity, drug abuse, respect for all, corruption, nutrition and health and violence among children, among others. Based on the events page of the Million Mask March-Philippines, over 1,000 Facebook users have confirmed attendance in today’s march. A post by an Anonymous member said participants will meet at the Quezon Memorial Circle at 8 a.m. to discuss the activities for the day. The march will start in front of the Sandiganbayan along Commonwealth Avenue to Batasang Pambansa. In a text message to The STAR, Quezon City department of public order and safety chief Elmo San Diego said they received no application for a permit to hold a rally or a march near Batasang Pambansa today. The Anonymous member reminded participants not to bring any form of weapon, adding that the event will be held to show the public’s reaction to the mishandling of the government committed by people in power. The Department of Science and Technology (DOST) Information and Communications Technology Office yesterday underscored the need to fast track efforts to set up a more secure government website hosting facility following the latest hacking of government websites. The websites of the Insurance Commission, Southern Philippines Development Authority, Optical Media Board and that of the local government units of Bolinao, Pasig City, Pateros and the municipality of Basnud, Oriental Mindoro were defaced by members of Anonymous Philippines. Source: http://www.philstar.com/headlines/2013/11/05/1253167/palace-act-vs-hackers

Extra Life DDoS Attack: Children’s Charity Extra Life Website Hit By DDoS During Annual Gaming Marathon

Extra Life — a charity organization dedicated helping Children’s Miracle Network Hospitals through an annual gaming marathon — has been hit with a Distributed Denial of Service (DDoS) attack. According to Escapist Magazine, Extra Life raises money for Children’s Miracle Network Hospitals by taking pledges and then playing games — anything from video games to board games and tabletop miniatures — for 25 hours straight. Extra Life was in the middle of this year’s event, which began at 8 a.m. today and ends at 8 a.m. on November 3, when their website suddenly went down. As a result, pledges could not be taken. News of the DDoS attack was confirmed with a statement on the Extra Life Facebook page by founder Jeromy “Doc” Adams: “We’ve discovered that the Extra Life website experienced a DDoS attack against our datacenter,” the statement reads. “I am not sure what kind of person would DDoS a charitable initiative. I am so sorry that you are going through this frustration today. Our entire team is purely heartbroken that someone would do this. But it has happened. As frustrating as this is for everyone involved, it pales in comparison to what the kids we’re trying to save go through. That reality, for me personally, is about the only thing keeping me somewhat calm right now. “I am very angry and very sorry,” the statement continues. “You deserve better than this. The kids deserve better than this. Extra Life has given a lot of us some of the happiest moments in our lives. This is not one of those moments. Please hang with us through this. It is important that we spread the word. Please get on every form of social media you can and tell your friends what happened. We can overcome this together.” After a few of hours of downtime, the Extra Life website was back online. Many took to Facebook to vent their outrage that hackers would choose to DDoS a charity organization. “I understand DDoS’ing a website of a corrupt business or government, but…Why would someone DDoS this?” one user wrote. “May whoever did this lose their shoes and have every child in their neighborhood strew Legos in their path forever,” another user commented. A DDoS attack takes place when hackers use an army of infected computers to send traffic to a server, causing a shutdown in the process. Source: http://www.ibtimes.com/extra-life-ddos-attack-childrens-charity-extra-life-website-hit-ddos-during-annual-gaming-marathon

Originally posted here:
Extra Life DDoS Attack: Children’s Charity Extra Life Website Hit By DDoS During Annual Gaming Marathon