Monthly Archives: July 2017

DDoS Extortionist Who Posed as Anonymous Hacker Arrested in the US

On Friday, US authorities arrested a man on charges of launching DDoS attacks and making death and bomb threats against several targets including Leagle.com, the Sydney Morning Herald, the Canadian Broadcasting Corporation (CBC), Metro News Canada, the official website of the Canadian government, and others. The man’s name is Kamyar Jahanrakhshan, a man born in Iran, who later obtained US citizenship in 1991, and then a permanent residency in Canada in 1995. Following two criminal cases of theft in 2005 and fraud in 2011, Jahanrakhshan was deported from Canada to the US in 2014. Suspect wanted his criminal past erased from the Internet According to court documents obtained by Bleeping Computer, after his deportation, Jahanrakhshan started sending emails to online websites that had written articles or had copies of his past criminal record. The first organization that Jahanrakhshan targeted was Leagle.com, a website that offers copies of court opinions and decisions. In the beginning, Jahanrakhshan contacted the site’s team from his personal email address, asking them nicely to remove copies of past court decisions mentioning his name on the premise that it was tarnishing his reputation and violating his privacy. When the Leagle team refused, the suspect even offered to pay a $100 fee to have the documents removed. When Leagle refused again, Jahanrakhshan — who also used the name “Andrew Rakhshan” — sent them a threatening email saying he made friends with dangerous hackers and they should heed his final warning. Suspect poses as group of Anonymous hackers After Leagle had ignored him again, US authorities say Jahanrakhshan launched a DDoS attack on the site’s servers and sent an email from a Yahoo account posing as a member of the Anonymous hacker collective. Copy of the message the suspect sent Leagle US authorities say they found evidence linking Jahanrakhshan to this email account, but also to others emails linked to other DDoS extortions. Because they couldn’t handle the DDoS attack, Leagle eventually removed a decision that Jahanrakhshan had asked. The DDoS attacks stopped after. Initial success leads to more DDoS extortions The FBI says that after having forced Leagle to remove a damaging report on his past criminal record, Jahanrakhshan moved on to other targets. During 2015 and 2016, Jahanrakhshan would allegedly engage in a similar behavior and take aim at other online publications that had written articles on his past crimes, such as the Sydney Morning Herald, Canadian Broadcasting Corporation (CBC), Metro News Canada, and the official website of the Canadian government. To put extra pressure on his targets to remove damaging articles, authorities say he also launched DDoS attacks on the websites of customers advertising on CBC and Canada.com — Postmedia and the Inspiration Foundation. Seeing that all this failed and none of his targets removed the incriminating articles, Jahanrakhshan also moved on to sending bomb threats at the offices of targeted organizations and death threats on family members of employees working for the targeted organizations. He was arrested this week and arraigned in court on Friday. The suspect, if found guilty, could face up to five years in prison and a fine of up to $250,000. The damaging articles Jahanrakhshan was trying to take down described how he used fake credit cards to buy a fleet of luxury cars and a boat Source: https://www.bleepingcomputer.com/news/security/ddos-extortionist-who-posed-as-anonymous-hacker-arrested-in-the-us/

Taken from:
DDoS Extortionist Who Posed as Anonymous Hacker Arrested in the US

Don’t ban the bots

I do a lot of DDoS related research online, which results in a lot of DDoS protection related spam/offers. A trend I have seen gaining popularity lately is “ ban the bots” . These emails contain a lot of emotionally charged language trying to persuade the reader that bots are destroying the internet, wasting your bandwidth and pillaging your website (and how for a modest monthly fee they can keep the digital invaders at bay). I couldn’t disagree more. For the most part I like bots. Bots save me a ton of work and allow me to the focus on tasks that are meaningful to me. The only reason that search engines, hotel booking sites, and social media sites operate so successfully (or at all) is because of bots. These advertisements do acknowledge there are some good bots out there, while stressing the need to block the bad bots. I thought I’d pull some numbers from traffic running through our system. I was pleasantly surprised, as a DDoS protection service I was expecting to see more malicious bots than legitimate but what I found was 85% of the bot traffic is classified as good : SES (which stands for Search Engine Spiders, but is a general list of the known good bots) which we don’t want to block, and XSE which contains alternate Spiders and bots that while legitimate can cause impact on some websites. The other 15% of traffic is from hosting companies, ISPs, and commercial traffic from unknown bots. This traffic is not automatically bad , but hidden somewhere in there are the malicious bots and scrapers which we do want to block. This is where the philosophy “ban the bots” makes things more complicated than it needs to be, because while it is a trivial matter to find and locate bots, it focuses you on the actor not the action. Don’t ban the bots, ban the malicious actions . If you design your web security to defend against malicious actions it shouldn’t matter whether they are from bots or not. At DOSarrest this is what we do, we create special features to focus on the malicious bot traffic and apply them to customer configurations and leave the good bots alone. In fact, I’ll go one step further: don’t ban the bots, help the bots. Because while I disagree with the conclusion the facts are not wrong, bots do consume more than a trivial amount of resources. By helping the bots find the content they are looking for you can reduce the impact on your site and possible improve your overall ranking. Your first goal is getting the bots to your content in as few requests as possible, and at the same time stopping the bots from crawling pages you don’t need (or want) to show up in search results. Most modern sites have dynamic, pop-up, hidden menus that require multiple javascript and CSS resources to properly render. They might look fantastic, but a bot isn’t interested in the aesthetics of your site, they are looking for content. A sitemap is a great tool for linking all the content you want to emphasize without a bot having to navigate through a bunch of complicated dynamic resources. Then there are the rest of the pages in your site, things that are useful to your users but not things that need to appear in the search rankings, login pages, feedback forms, etc. Use robots.txt file or ‘noindex’ meta tags to direct the bots not to bother with these pages. Your sitemap and robots.txt will help bots find the resources you want them to find, and avoid the ones you don’t. This will help lighten the load on your webserver, but won’t necessarily help your site ranking. The number one thing they are looking for is quality content. But searchbots also look for good performing sites. Too many errors or slow responses will negatively impact your ranking in a big way. The answer here is caching. Many bots, googlebot included, do full page downloads when indexing your site. They are looking for javascript and CSS files, images and PDFs, or whatever resources you’ve linked. Most of these resources are static and can be served up out of a CDN. Not only will this alleviate the load on your server, but the performance improvement will make all your quality content that much more appealing to the bots. Sean Power Security Solutions Architect DOSarrest Internet Security Source: https://www.dosarrest.com/ddos-blog/don-t-ban-the-bots/

Read More:
Don’t ban the bots

DDoS Attacks Could Disrupt Brexit Negotiations

IT security professionals are bracing for DDoS attacks of unprecedented frequency in the year ahead, and are already preparing for attacks that could disrupt the UK’s Brexit negotiations and cause outages worldwide. That’s according to a survey from Corero Network Security, which found that more than half (57%) of respondents believe that the Brexit negotiations will be affected by DDoS attacks, with hackers using DDoS to disrupt the negotiations themselves, or using the attacks merely as camouflage while they seek to steal confidential documents or data. The latter “hidden attack” scenario is on the radar of many, and it generally involves the use of smaller, low-volume DDoS attacks of less than 30 minutes in duration. As Corero found in its research, these Trojan-horse campaigns typically go un-mitigated by most legacy solutions, and are frequently used by hackers as a distraction mechanism for additional efforts, like data exfiltration. About 63% of respondents are worried about these hidden effects of these attacks on their networks— particularly with the GDPR deadline fast-approaching, where organizations could be fined up to 4% of global turnover in the event of a data breach. At the same time, worryingly, less than a third (30%) of IT security teams have enough visibility into their networks to mitigate attacks of less than 30 minutes. Meanwhile, many in the industry expect to see a significant escalation of DDoS attacks during the year ahead, with some (38%) predicting that there could even be worldwide Internet outages during 2017. As for who’s behind the growing wave of attacks, the perpetrators are generally financially motivated, IT pros said—despite continued discussions about nation-state attackers or political activism. Security teams believe that criminal extortionists are the most likely group to inflict a DDoS attack against their organizations, with 38% expecting attacks to be financially motivated. By contrast, just 11% believe that hostile nations would be behind a DDoS attack against their organization. This financial motivation explains why almost half of those surveyed (46%) expect to be targeted by a DDoS-related ransom demand over the next 12 months. Worryingly, 62% believe it is likely or possible that their leadership team would pay. “Despite continued advice that victims should not pay a ransom, a worrying number of security professionals seem to believe that their leadership teams would still consider making a payment in the event of an attack,” said Ashley Stephenson, CEO of Corero. “Corporations need to be proactive and invest in their cybersecurity defenses against DDoS and ransomware to protect themselves against such extortion.” The good news is that the vast majority of security teams (70%) are already taking steps to stay ahead of the threats, such as putting business continuity measures in place to allow their organizations to continue operating in the event of worldwide attacks. However, they also agree that some responsibility for DDoS protection lies with the ISPs; and about a quarter of those surveyed (25%) believe their ISP is primarily to blame for not mitigating DDoS attacks. At the end of 2016, the head of Britain’s new National Cyber Security Centre suggested that the UK’s ISPs could restrict the volume of DDoS attacks across their networks by rewriting internet standards around spoofing. Continued discussions on this topic have led nearly three-quarters of respondents (73%) to expect regulatory pressure to be applied against ISPs who are perceived to be not protecting their customers against DDoS threats. “While most in the IT security industry wouldn’t expect their ISP to automatically protect them against DDoS attacks, there is a growing trend to blame upstream providers for not being more proactive when it comes to DDoS defense,” said Stephenson. “To help their cause, ISPs could do more to position themselves as leading the charge against DDoS attacks, both in terms of protecting their own networks, and by offering more comprehensive solutions to their customers as a paid-for, managed service.” Source: https://www.infosecurity-magazine.com/news/ddos-attacks-could-disrupt-brexit/

Read the original:
DDoS Attacks Could Disrupt Brexit Negotiations

An internet-connected fish tank let hackers into a casino’s network

A high-tech, internet-connected fish tank in a North American casino has been used to exfiltrate data from the company’s network. Smart drawing pads used in an architectural firm were part of a botnet used to mount DDoS attacks against websites around the world owned by entertainment companies, design companies, and government bodies. These are just some of the discoveries made by UK-based cyber defense Darktrace, but serve as perfect examples of how lax security when … More ?

Follow this link:
An internet-connected fish tank let hackers into a casino’s network

Smart Drawing Pads Used for DDoS Attacks, IoT Fish Tank Used in Casino Hack

Some clever hackers found new ways to use the smart devices surrounding us, according to a report published last week by UK-based cyber-defense company Darktrace. The report, entitled the Darktrace Global Threat Report 2017, contains nine case studies from hacks investigated by Darktrace, among which two detail cyber-incidents caused by IoT devices. Smart drawing pads used for DDoS attacks In one of these case studies, Darktrace experts reveal how an unknown hacker had hijacked the smart drawing pads used at an architectural firm to carry out DDoS attacks as part of an IoT botnet. The hacker had used the default login credentials that came with the design pad software to take over the devices, which the architectural firm had connected to its internal WiFi network, and was exposing to external connections. “An attacker scanning the internet identified the vulnerable smart drawing pads and exploited them to send vast volumes of data to many websites around the world owned by entertainment companies, design companies, and government bodies,” the report reads. “Involvement in the attack could have legal implications for the firm had their infrastructure been responsible for damaging another network.” Smart fish tank used to hack North American casino Another case where attackers leveraged a smart device was at a North American casino. Darktrace says that an unknown hacker had managed to take over a smart fish tank the casino had installed at its premises for the enjoyment of its guests. In spite of the fact that the fish tank was installed on its own VPN, isolated from the rest of the casino’s network, the hacker managed to break through to the mainframe and steal data from the organization. “The data was being transferred to a device in Finland,” says Darktrace. “No other company device had communicated with this external location.” “No other company device was sending a comparable amount of outbound data,” experts added. “Communications took place on a protocol normally associated with audio and video.” In total, the hacker managed to steal over 10GB of data by siphoning it off via the IoT fish tank. Other hacking scenarios detailed in the Darktrace report include the case of a US insurance company who had its servers hijacked by a cryptocurrency miner, and several cases of insider threats, companies hacked by former or current employees. Source: https://www.bleepingcomputer.com/news/security/smart-drawing-pads-used-for-ddos-attacks-iot-fish-tank-used-in-casino-hack/

More here:
Smart Drawing Pads Used for DDoS Attacks, IoT Fish Tank Used in Casino Hack

Surprisingly stealthy botnet has been targeting users for years

ESET researchers have unearthed a botnet of some 500,000 infected machines engaged mostly in ad-related fraud by using malicious Chrome extensions, but also Facebook fraud and brute-forcing Joomla and WordPress websites. In addition to this, the compromised machines are also equipped with a fully featured backdoor, which allows the operators to spy on all the victims, and to download additional malware on the computers. A long-standing operation There are many unusual things about the so-called … More ?

View article:
Surprisingly stealthy botnet has been targeting users for years

So, FCC, how about that massive DDoS? Hello? Hello…? You still there?

Like trying to get blood out of a stone Updated   America’s broadband watchdog, the FCC, has declined to spare any more details on the cyber-assault that supposedly downed its website shortly after it announced its intent to kill net neutrality.…

More:
So, FCC, how about that massive DDoS? Hello? Hello…? You still there?

Attacking Democracy: Should DDoS Be Considered a Legitimate Form of Protest?

It used to be that news about DDoS attacks was largely limited to tech websites and other specialized information sources, where the focus was on attack vectors, attack sizes, how exactly the perpetrators pulled it off and how websites could protect themselves going forward. These still have their place, especially with the ever-increasing size, complexity and frequency of attacks, but over the last few years DDoS has gone mainstream and gotten political. With DDoS attacks appearing in headlines regarding the U.S. election, Brexit and the push for democracy in Hong Kong, the question has to be asked: should these attacks be considered a legitimate form of protest? Denying services DDoS stands for distributed denial of service, a form of cyberattack that takes aim at websites or online services with the intent of taking them offline or slowing them downso much that they can’t be used. This is accomplished through the use of a botnet – a network of devices that have been infected with malware, allowing attackers to control them remotely and direct the botnet’s considerable traffic at the target, overwhelming the server or network infrastructure. DDoS attacks have been in the mainstream news for the last couple of years. This is because of how pervasive they’ve become, with nearly every website on the Internet now a potential target thanks to DDoS for hire services and DDoS ransom notes, and also because of the high-profile sites that have fallen victim to attacks, including Netflix, PayPal, Twitter and Reddit. Now DDoS attacks stand accused of involvement in some of the biggest political events in recent history. Recent political incidents Distributed denial of service attacks hit the political headlines in 2014 when the people of Hong Kong were in the midst of a major push for democracy, asking for genuine universal suffrage instead of the newly-reformed system that allows citizens to vote for candidates selected by an exclusive nominating committee – a system that seemed overly restrictive as well as too similar to the previous system in which the Chinese Communist Party selected the candidates. When the democratic movement’s official website launched, it logged 680,000 votes in an unofficial poll on candidates in the site’s first weekend despite the fact that it was being battered by DDoS attacks weighing in at over 300 Gbps. Though a perpetrator was not definitively named, it was widely speculated the Chinese government was behind the attacks. In a recent report, the Chinese government has come up alongside the Russian government in rumors surrounding the Brexit vote. In the hours before the deadline to register to vote in the Brexit referendum, the registration site crashed, reportedly due to a DDoS attack. The outage left tens of thousands of voters unable to register to vote, and the referendum ended with 51.9 percent voting to leave the European Union. Though the Russian government has been suspected of meddling via hacking in both the U.S. and French elections, reportedly in favor of Donald Trump and Marine Le Pen, it’s unknown if the Kremlin was involved in DDoS attack attempts on either Hillary Clinton or Donald Trump’s website; it seems more likely these Mirai botnet-powered attempts were instead the work of hackers from underground forums. The argument for recognizing DDoS as legitimate (and legal) protest The history of distributed denial of service attacks go all the way back to 1995 when an Italian collective brought down the French government’s website in protest of France’s nuclear policy. Soon after, a group by the name of the Electronic Disturbance Theater built a tool that enabled anyone to join their virtual sit-ins that targeted the White House website as well as the websites of politicians. Current hacktivist group Anonymous has taken the idea of the virtual sit-in and turned it into a voluntary botnet that allows anyone to donate the use of their device for attacks against targets like the Brazilian government in protest of the FIFA World Cup. These actions would seem to fit the criteria of legal protest, allowing citizens to peacefully albeit virtually demonstrate and rendering a website unavailable in much the same way a sit-in would render an office or institution unavailable. However, in the United States this kind of online activism can be considered a felony. The argument against Not only are DDoS attacks illegal, regardless of whether or not the attack is intended as a form of protest, but legitimizing or legalizing these attacks may cause more problems than it solves. For instance, while an opt-in botnet does seem to be a form of voluntary political activism, almost all botnets are populated by devices that have decidedly not opted in, which means politically-motivated DDoS attacks would be largely perpetrated using the property of people who have not consented. Like signing someone else’s name to a petition, this cannot be permitted. Furthermore, any legislation attempting to legalize DDoS protests would have to find a way to differentiate between attacks coming from voluntary botnets and attacks coming from nation states. A murky area, at best. With so many other forms of protest available to motivated citizens, it’s hard to imagine legalizing or legitimizing any form of DDoS attack. It’s just too easy for these attacks to be used for altogether nefarious and malicious purposes by groups that decidedly do not represent the will or wishes of the people. Source: http://www.techzone360.com/topics/techzone/articles/2017/07/19/433542-attacking-democracy-should-ddos-be-considered-legitimate-form.htm

More here:
Attacking Democracy: Should DDoS Be Considered a Legitimate Form of Protest?

Organizations Must Adapt to Evolving DDoS Attacks

Distributed Denial-of-Service (DDoS) attacks are becoming larger, more frequent, and more complex than ever before. According to Arbor Networks’ 12 th Annual Worldwide Infrastructure Security Report (WISR), attack size has grown 7,900% since its initial report – a compound annual growth rate (CAGR) of 44%. The most recent attacks are significantly larger than anything previously seen, and can now disrupt even the largest internet service providers. This data shows that DDoS attacks have become more than just a nuisance: they are rapidly increasing in size and now threaten to disrupt core Internet infrastructure. Within the broader spectrum of risks for corporate security and IT decision makers, DDoS attacks present a nettlesome and growing challenge for several reasons. First, while the underlying technology behind DDoS attacks hasn’t changed much, the number of internet-connected devices in the world that can be compromised has dramatically increased. In addition, the level to which DDoS attacks have become automated and commoditized has also increased. The Mirai-enabled attacks showed off the former; they used an army of internet-connected IoT devices to generate unprecedented levels of traffic. In the past, a connection to the internet required significant hardware and expense. These days, even light bulbs can be connected to a network, which provides a lot more sources for traffic. Second, the amount of skill required to successfully run a DDoS attack has been lowered over the last twenty years. While large attacks such as Mirai take some amount of coordination and planning, in many cases a connection to the right forum and a small amount of money ($50-100) can buy you a short attack that can take down unprotected web services. Why DDoS attacks are hard to prevent The best way to think about the DDoS problem is to imagine a river system, like the Mississippi or Columbia. At the end of those systems, where they meet the ocean, it’s very obvious that there’s a lot of water moving through those rivers: but at the source of all that water — at the little tiny creeks and streams and rivulets where the water first gathers — those sources don’t necessarily look like that much. Volumetric-style DDoS attacks, whereby attackers simply flood a target with more data than their connection can handle, use a similar effect: each network only cares about sending IP packets to the “next hop”, without a holistic view or awareness of what the total, internet-wide traffic picture looks like. So, at the source of a DDoS attack, it can be difficult to differentiate between someone uploading a file and someone perpetrating an attack. What actually matters is whether that one traffic flow joins together with a bunch of other traffic to form a giant river, or if the traffic flow is bounced off a server in such a way that it magnifies the size of the traffic many-fold. In either case, by the time you notice that you’ve got a really huge river of traffic coming at you, it may already be too late. Emerging approaches to combat DDoS attacks A promising approach to DDoS can be found with the DDoS Defense for a Community of Peers (3DCoP) project, which uses peer-to-peer collaboration so that like-minded organizations (such as a group of universities, government agencies, banks, or ISPs) act together to rapidly and effectively detect and mitigate DDoS attacks. With a peer-to-peer collaborative approach, the target of a DDoS attack can send out distress calls to the origin of any traffic it sees. The receivers of these distress calls can then take a look at the traffic they’re seeing, and either pass that message on appropriately or take local action. Universities, for example, might learn that what looks like normal traffic coming out from one of their student labs looks like a big attack to a target, and use this information to shut off or rate-limit that lab. Other approaches involve technologies like BGP FlowSpec, an improvement over conventional IP blacklisting. FlowSpec allows a victim of a DDoS to ask its upstream service providers and intermediate networks to block specific kinds of traffic, with a good level of granularity. Organizations can also relocate services into the cloud, as some cloud operators deploy sensors that can detect and mitigate attacks earlier. Unfortunately, today’s largest attacks are too large for cloud operators to handle, and the attacks may impact geographic regions or critical internet infrastructure. In the end, there are a variety of methods to filter and redirect traffic, especially for those systems housed in the cloud. However, for the biggest attacks, and for institutions that cannot create replicated versions of their systems in the cloud, techniques such as 3DCoP are key in mitigating DDoS risk. Specifically, we believe that it is only through rapid, real-time collaboration that DDoS attacks can be correctly identified, sourced, and addressed; without such collaboration, institutions must rely on phone calls and manual router updates, while a river crashes down around them. Source: https://www.infosecurity-magazine.com/opinions/organizations-adapt-evolving-ddos/

Continue Reading:
Organizations Must Adapt to Evolving DDoS Attacks

Two Iranians Charged With Hacking US Defense Contractor

The US Department of Justice (DOJ) unsealed an indictment on Monday against two Iranian nationals accused of hacking a US company and stealing software used in ammunition design. The two suspects are Mohammed Reza Rezakhah, 39 and Mohammed Saeed Ajily, 35, both Iranian businessmen. According to the indictment, Ajily ran a company named Andisheh VesaJ Middle East Company, which he used as a front to obtain and sell software in contravention of Western sanctions against Iran. Ajily’s customers included Iranian private companies, but also Iranian military and government entities. Rezakhah ran his own company called Dongle Labs, which provided DRM and license cracking services. Rezakhah was one of the many hackers Ajily hired to steal software from Western companies. The two orchestrated the 2012 hack of Arrow Tech DOJ officials claim that in 2012, Ajily hired Rezakhah to hack and steal software from a US company called Arrow Tech. The indictment says that Rezakhah, together with another accomplice named Nima Golestaneh, rented a server that they used on October 22, 2016, to hack into the Arrow Tech website and adjacent network. Officials say the two hackers stole a software application named Projectile Rocket Ordnance Design and Analysis System (PRODAS), created by Arrow Tech to aid in the design of bullets, missiles, and other military projectiles. Rezakhah cracked the program, which he later supplied to Ajily to market in the Iranian market, but also elsewhere outside the US. Group worked together for at least six years While officials brought charges only for hacking Arrow Tech, the indictment also claims that Ajily and Rezakhah worked together for years, between 2007 and 2013, hacking several targets and stealing software. The FBI also claims that Ajily had many other partners and hackers that he used to obtain his software, along with a network of companies that he used to sell the stolen goods. US officials charged the two suspects with criminal conspiracy relating to computer fraud and abuse, unauthorized access to, and theft of information from, computers, wire fraud, exporting a defense article without a license, and violating sanctions against Iran. A US judge has issued a warrant in their names. Their partner, Nima Golestaneh pleaded guilty to hacking Arrow Tech back in December 2015. In March 2016, the US also charged seven Iranian nationals on accusations of launching repeated DDoS attacks and orchestrating hacks of industrial SCADA equipment on the behest of the Iranian government. Source: https://www.bleepingcomputer.com/news/security/two-iranians-charged-with-hacking-us-defense-contractor/

Read the original:
Two Iranians Charged With Hacking US Defense Contractor