Denial-of-service attack

‘Shellshock’ Bug

October 4th, 2014

What is the Shellshock Bug?

Attackers are exploiting a critical, newly disclosed security weakness present in countless networks and websites that depend on Unix and Linux operating systems. According to experts, the “Shellshock” bug is so entangled with the modern Internet that it could prove difficult to remedy.

If the threat remains unchecked, in the short run it is likely to put millions of networks and countless consumer records at risk of exposure. It has many similarities to the recent Heartbleed vulnerability in its ubiquity and sheer potential for causing havoc on Internet-connected systems, mainly websites. According to reports, the issue lies in the GNU Bourne Again Shell (Bash), the text-based command-line utility found on many Linux and Unix operating systems.

Jaime Blasco, labs director at AlienVault, has been running a honeypot on the vulnerability since yesterday to emulate a vulnerable system.

“With the honeypot, we found several machines trying to exploit the Bash vulnerability,” Blasco said. “The majority of them are only probing to check if systems are vulnerable. On the other hand, we found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system. This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks.”

Impact by operating system:

Microsoft Windows users: No Impact

Linux and UNIX systems: Patches are available

Mac users: Vulnerable

Alertsec strengthens security

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using the industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gather. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Suspect arrested for ‘biggest cyberattack in history’

June 7th, 2013

A Dutch national suspected as the mastermind behind the largest DDoS attack ever recorded has been arrested in Spain.

The Associated Press reports that 35-year-old Sven Kamphuis, identified by The New York Times, was arrested Thursday in a city 22 miles north of Barcelona.

Originally from the Dutch city of Alkmaar, the hacking suspect operated from a mobile bunker — a van “equipped with various antennas to scan frequencies” and able to break into networks anywhere in the country. An Interior Ministry statement said that Kamphuis was able to use his “mobile computing office” to coordinate cyberattacks and speak with media before being arrested by Spanish police on the basis of a European arrest warrant issued by the Dutch. German, Dutch, British and U.S. forces all took part in the investigation.

Kamphuis runs Internet service provider CB3ROB and web hosting firm CyberBunker, which has hosted websites including the Pirate Bay and WikiLeaks in the past. The Interior Ministry’s statement says that the accused called himself a spokesperson and diplomat belonging to the “Telecommunications and Foreign Affairs Ministry of the Republic of Cyberbunker.”

The alleged hacker is accused of launching an attack against the anti-spam watchdog group Spamhaus. A 300Gbps distributed denial-of-service attack sent the non-profit into disarray, taking down its website and forcing Spamhaus to turn to Cloudflare for assistance. According to the cloud services provider, the majority of the attack traffic was sent using a technique called DNS (domain name system) reflection. Usually, DNS resolvers wait for a user request, but if the source address is forged, requests can be “bounced” off different servers, amplifying the amount of traffic a domain name has to cope with and exploiting weaknesses in the Internet’s DNS infrastructure. Most cyberattacks tend to peak at 100 billion bits a second, which is a third of what Spamhaus and Cloudflare had to cope with.

The attack on DNS infrastructure resulted in lower speeds for Internet users worldwide.

The attack against Spamhaus — which is known for blocking advertising for fake goods and preventing it from reaching our email addresses — was one in a list of major DDoS campaigns thought to be masterminded by the Dutch national.

Kamphuis has denied any role in the attack, calling himself simply a “spokesperson” for one of the loose groups established to take down Spamhaus. However, according to the NYT, the alleged hacker used his Facebook page to proactively look for supporters to attack the agency, saying “Yo anons, we could use a little help in shutting down illegal slander and blackmail censorship project ‘spamhaus.org,’ which thinks it can dictate its views on what should and should not be on the Internet.”

The hacking suspect is likely to be extradited from Spain to attend court in the Netherlands.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Large Scale Botnet Brute Force WordPress

May 23rd, 2013

There have always been a lot of brute force attempts/bot scans and hacking attempts on WordPress hosted sites (due to flaws in the core and a multitude of insecure plugins) – this site being no exception (they’ve even done some minor damage before).

But things appear to have really ramped up recently with a large increase in brute force attacks on WordPress sites. It seems to be the work of a rather crude botnet, which hits up the normal admin username (along with a few others like test/root etc.) with a bunch of common passwords. Once it gets in, it leaves a backdoor and adds itself to the botnet – and starts scanning for other victims.

Sucuri have confirmed that the number of brute force attacks in April is double that of previous months in their blog post here – Mass WordPress Brute Force Attacks? – Myth or Reality

Hosting providers are reporting a major upsurge in attempts to hack into blogs and content management systems late last week, with WordPress installations bearing the brunt of the hackers’ offensive.

WordPress installations across the world were hit by a brute force botnet attack, featuring attempts to hack into installations using a combination of popular usernames (eg, “admin” and “user”) and an array of common passwords. Attacks of this type are commonplace; it is the sharp rise in volume late last week to around three times the normal volume rather than anything technically cunning or devious that has set alarm bells ringing.

The primary target appears to be WordPress installations but Joomla users also reportedly took a bit of a hammering.

Early suggestions are that hackers are looking to harvest “low-hanging fruit” as quickly as possible in order to gain access to a bank of compromised sites for follow-up malfeasance, which could be anything from hosting malware to publishing phishing pages or running some sort of denial of service attack. “It’s doorknob rattling, but on an industrial and international scale,” notes Paul Ducklin, Sophos’s head of technology for Asia Pacific.

This is a large scale attack though, well organized and very well distributed with over 90,000 IP addresses involved. So using something like the WordPress plugin Limit Login Attempts wouldn’t help much – as they are not sending many login requests from each IP address.

Cloudflare have already pushed out a block for this type of attack, both for paying and free customers – so if you’re using that you should be safe.

If you notice your admin login or blog in general is very sluggish, you might have already been hacked. The outgoing brute force attempts take a lot of server resources.

WordPress founder Matt Mullenweg said that the attack illustrates the need to use a distinct username and a hard-to-guess password, common-sense advice that applies to using web services in general, not just for blog administration.

Olli-Pekka Niemi, vulnerability expert at security biz Stonesoft, outlined the range of possible motives behind the attack.

“A concern of this attack is that by compromising WordPress blogs attackers may be able to upload malicious content and embed this into the blog,” Niemi said. “When readers visit the blogs in question they would then be subject to attack, come under compromise and develop into botnets. The attacks against the WordPress blogs seem to be distributed, with automated attacks coming from multiple sources.”

Matt Middleton-Leal, UK & Ireland regional director of corporate security dashboard firm Cyber-Ark, said hacks on corporate blogs might be used as an access point to hack into other (more sensitive) enterprise systems. Weak passwords need to be changed pronto, he argues.

“Common usernames and weak passwords are extremely risky online, however, the dangers are compounded if users re-use the same login credentials for other sites. Once the bad guys have cracked a username and password, it’s extremely common that they’ll attempt to use the same combination for additional sites in the attempt to fraudulently use accounts, or access information such as credit card details or corporate data.

“If WordPress users have been targeted in this attack, they should immediately seek to change their username and password details for their WordPress account, but also for any other accounts for which they use the same credentials,” he added.

There’s not a lot of info going around on what happens after a site has been compromised, in technical terms anyway – so I can’t really comment on that. But if you have decent file permissions and a strong password, and you deleted the admin user long ago, you should be safe.

The Cyberwar Will Not Be Streamed

May 5th, 2013

In early 2000 — ages ago in Internet time — some of the biggest names in e-commerce were brought to their knees by a brief but massive assault from a set of powerful computers hijacked by a glory-seeking young hacker. The assailant in that case, known online as Mafiaboy, was a high school student from a middle-class suburban area of Canada who was quickly arrested after bragging about his role in the attacks.

It wasn’t long before the antics of novice hackers like Mafiaboy were overshadowed by more discreet attacks from organized cyber criminal gangs, which began using these distributed denial-of-service (DDoS) assaults to extort money from targeted businesses. Fast-forward to today, and although vanity DDoS attacks persist, somehow elements in the news media have begun conflating them with the term “cyber war,” a vogue but still-squishy phrase that conjures notions of far more consequential, nation-state level conflicts.

If any readers have been living under a rock these last few weeks, we are referring to the activities of Anonymous, an anarchic and leaderless collection of individuals that has directed attacks against anyone who dares inhibit or besmirch the activities of Wikileaks, an organization dedicated to exposing secret government documents. To date, the Websites attacked by Anonymous include Amazon.com, EveryDNS.com, Mastercard.com, Paypal.com, and Visa.com, among others.

The websites may be attacked, but you can prevent your workstation from being compromised with Alertsec Xpress.

DHS OpUSA May Be More Words than Actions

May 3rd, 2013

The U.S. Department of Homeland Security is warning that a group of mostly Middle East- and North Africa-based criminal hackers are preparing to launch a cyber attack campaign next week known as “OpUSA” against websites of high-profile US government agencies, financial institutions, and commercial entities. But security experts remain undecided on whether this latest round of promised attacks will amount to anything more than a public nuisance.

A confidential alert, produced by DHS on May 1, predicts that the attacks “likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible web page and possibly data exploitation. Independent of the success of the attacks, the criminal hackers likely will leverage press coverage and social media to propagate an anti-US message.”

The DHS alert is in response to chest-thumping declarations from anonymous hackers who have promised to team up and launch a volley of online attacks against a range of U.S. targets beginning May 7. “Anonymous will make sure that’s this May 7th will be a day to remember,” reads a rambling, profane manifesto posted Apr. 21 to Pastebin by a group calling itself N4M3LE55 CR3W.

“On that day anonymous will start phase one of operation USA. America you have committed multiple war crimes in Iraq, Afghanistan, Pakistan, and recently you have committed war crimes in your own country,” the hackers wrote. “We will now wipe you off the cyber map. Do not take this as a warning. You cannot stop the internet hate machine from doxes, DNS attacks, defaces, redirects, DDoS attacks, database leaks, and admin take overs.”

Ronen Kenig, director of security solutions at Tel Aviv-based network security firm Radware, said the impact of the attack campaign will be entirely dependent on which hacking groups join the fray. He noted that a recent campaign called “OpIsrael” that similarly promised to wipe Israel off the cyber map fizzled spectacularly.

“There were some Web site defacements, but OpIsrael was not successful from the attackers’ point of view,” Kenig said. “The main reason was the fact that the groups that initiated the attack were not able to recruit a massive botnet. Lacking that, they depended on human supporters, and those attacks from individuals were not very massive.”

But Rodney Joffe, senior vice president at Sterling, Va.-based security and intelligence firm Neustar, said all bets are off if the campaign is joined by the likes of the Izz ad-Din al-Qassam Cyber Fighters, a hacker group that has been disrupting consumer-facing Web sites for U.S. financial institutions since last fall. The hacker group has said its attacks will continue until copies of the controversial film Innocence of Muslims are removed from YouTube.

Joffe said it’s easy to dismiss a hacker manifesto full of swear words and leetspeak as the ramblings of script kiddies and impressionable, wannabe hackers who are just begging for attention. But when that talk is backed by real firepower, the attacks tend to speak for themselves.

“I think we learned our lesson with the al-Qassam Cyber Fighters,” Joffe said. “The damage they’re capable of doing may be out of proportion with their skills, but that’s been going on for seven months and it’s been brutally damaging.”

According to the DHS alert, 46 U.S. financial institutions have been targeted with DDoS attacks since September 2012 — with various degrees of impact — in over 200 separate DDoS attacks.

“These attacks have utilized high bandwidth web servers with vulnerable content management systems,” the agency alert states. “Typically a customer account is compromised and attack scripts are then uploaded to a hidden directory on the customer website. To date the botnets have been identified as ‘Brobot’ and ‘Kamikaze/Toxin.’”

What’s more, the DHS warning comes just days after the FBI issued a flash alert on Brobot (PDF) warning that hackers have been modifying the attack scripts to ensure they can evade their targets’ mitigation efforts.

“Because the attacks have been ongoing for seven months, the actors are changing their attack methodology to circumvent mitigation efforts of the financial institutions,” reads an FBI alert obtained by BankInfoSecurity.com. “The latest version of the ‘Brobot’ attack scripts that have been utilized to attack the login capabilities of a financial institution’s website spoofs a fraudulent access cookie, user-agent string and referrer. The login script includes several random strings, but does contain one hard-coded string, ‘63.83.61.17-1365521883478351’, in the script,” it continues.

The FBI alert notes that the hard-coded string does not affect the new attack script, but can be used as a signature for intrusion detection and intrusion prevention devices to detect and block attacks from the Brobot botnet.
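The signature idea the FBI alert describes, worked through as an added example (not the alert's or the post's own code): the only indicator taken from the page is the hard-coded string, while the HTTP request samples and the header names it checks (cookie, User-Agent, Referer, form body, following the alert's description) are constructed.

```python
"""Signature match for the hard-coded Brobot string on inbound HTTP requests.

Added example; it is not the FBI alert's or the original post's code. The
only indicator taken from the page is the hard-coded string. The request
samples are constructed and use documentation IP ranges.
"""

BROBOT_MARKER = "63.83.61.17-1365521883478351"  # string quoted in the FBI alert
WATCHED_HEADERS = ("cookie", "user-agent", "referer")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon separates the name
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def brobot_matches(raw):
    """Return the request parts that carry the marker; an empty list means clean."""
    request_line, headers, body = parse_http_request(raw)
    hits = [h for h in WATCHED_HEADERS if BROBOT_MARKER in headers.get(h, "")]
    if BROBOT_MARKER in body:
        hits.append("body")
    if BROBOT_MARKER in request_line:
        hits.append("request-line")
    return hits


def triage(requests):
    """Map each source IP to the parts that fired, for requests that match."""
    alerts = {}
    for src, raw in requests:
        hits = brobot_matches(raw)
        if hits:
            alerts.setdefault(src, []).extend(hits)
    return alerts


# Constructed samples: the marker in a cookie, the marker in the Referer,
# and a legitimate login that must not fire.
SAMPLE_REQUESTS = [
    ("203.0.113.10",
     "POST /login HTTP/1.1\r\nHost: bank.example\r\nUser-Agent: Mozilla/5.0\r\n"
     "Cookie: session=" + BROBOT_MARKER + "\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "user=alice&pass=secret"),
    ("203.0.113.11",
     "POST /login HTTP/1.1\r\nHost: bank.example\r\nUser-Agent: Mozilla/5.0\r\n"
     "Referer: http://bank.example/?r=" + BROBOT_MARKER + "\r\n\r\n"
     "user=bob&pass=secret"),
    ("198.51.100.5",
     "POST /login HTTP/1.1\r\nHost: bank.example\r\nUser-Agent: Mozilla/5.0\r\n"
     "Cookie: session=abc123\r\nReferer: http://bank.example/\r\n\r\n"
     "user=carol&pass=secret"),
]

if __name__ == "__main__":
    for src, hits in triage(SAMPLE_REQUESTS).items():
        print(src, "matched in", ", ".join(hits))
```

A static string like this is only useful until the script changes, which is exactly why the alert notes the actors keep modifying it.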

The Hacker Dutchman – Arrested in Spamhaus DDoS

April 29th, 2013

A 35-year-old Dutchman thought to be responsible for launching what’s been called “the largest publicly announced online attack in the history of the Internet” was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as “SK,” was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization.

According to a press release issued by the Public Prosecutor Service in the Netherlands, the National Prosecutor in Barcelona ordered SK’s arrest and the seizure of computers and mobile phones from the accused’s residence there. The arrest is being billed as a collaboration with Eurojust, the European Union’s Judicial Cooperation Unit.

The dispute began late last year, when Spamhaus added to its blacklist several Internet address ranges in the Netherlands. Those addresses belong to a Dutch company called “Cyberbunker,” so named because the organization is housed in a five-story NATO bunker, and has advertised its services as a bulletproof hosting provider.

“A year ago, we started seeing pharma and botnet controllers at Cyberbunker’s address ranges, so we started to list them,” said a Spamhaus member who asked to remain anonymous. “We got a rude reply back, and he made claims about being his own independent country in the Republic of Cyberbunker, and said he was not bound by any laws and whatnot. He also would sign his emails ‘Prince of Cyberbunker Republic.’ On Facebook, he even claimed that he had diplomatic immunity.”

Cyberbunker’s IP ranges. Its WHOIS records put the organization in Antarctica.

Spamhaus took its complaint to the upstream Internet providers that connected Cyberbunker to the larger Internet. According to Spamhaus, those providers one by one severed their connections with Cyberbunker’s Internet addresses. Just hours after the last ISP dropped Cyberbunker, Spamhaus found itself the target of an enormous amount of attack traffic designed to knock its operations offline.

It is not clear who SK is, but according to multiple sources, the man identified as SK is likely one Sven Olaf Kamphuis. The attack on Spamhaus was the subject of a New York Times article on Mar. 26, 2013, which quoted Mr. Kamphuis as a representative of Cyberbunker and saying, “We are aware that this is one of the largest DDoS attacks the world had publicly seen.” Kamphuis also reportedly told The Times that Cyberbunker was retaliating against Spamhaus for “abusing their influence.”

Brute-Force Attack on WordPress blogs and Joomla Sites

April 15th, 2013

Thousands of WordPress and Joomla sites are currently under brute-force password attack by a large botnet. Administrators should take charge by making sure their WordPress and Joomla installations use strong passwords and uncommon usernames.

According to reports from CloudFlare, HostGator and several other companies, cyber criminals have significantly stepped up brute-force, dictionary-based login attempts against WordPress blogs and Joomla sites over the past few days. These attacks look for familiar account names, such as “admin,” and systematically try common passwords against them in order to break into the WordPress or Joomla accounts.

Attacks of this kind are usually a warning to administrators to keep perpetrators from breaking in, since an attacker who gets in can deface the site or embed malicious code that infects visitors with malware. However, the highly organized nature and large scale of these attacks imply more menacing goals. It now appears the attackers are trying to gain a foothold on the server in order to take over the whole machine. Web servers are generally more powerful and sit on bigger bandwidth pipes than home computers, which makes them more attractive targets for cyber criminals.

“The attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” wrote Matthew Prince, CEO of CloudFlare, on his company blog.

Researchers believe the “Brobot” botnet, made up of compromised web servers, is behind the massive denial-of-service attacks against U.S. financial institutions. Following that line of thought, Prince said, “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

Accounts that are Brute-Forced

To attack WordPress blogs and Joomla sites, the criminals use brute-force tactics against the sites’ user accounts. The top five usernames targeted by the attackers were “admin,” “test,” “administrator,” “Admin,” and “root.” To brute-force a site, the perpetrators systematically try password after password until one logs them in and the account is theirs. Simple passwords made of number sequences or dictionary words are easy for attackers to guess, especially when a botnet automates the whole process. The top five passwords attempted in this attack were “admin,” “123456,” “111111,” “666666,” and “12345678.”

Users who created an account on these sites with a common username and common password should change them immediately to something less obvious, to avoid falling victim to these attacks.

“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem,” Matt Mullenweg, creator of WordPress, wrote on his blog.

Surge in Cyber Attack Volume

Sucuri’s statistics indicate that the attacks are still increasing. The company blocked 678,519 login attempts in December, 1,252,308 in January, 1,034,323 in February and 950,389 in March, Daniel Cid, CTO of Sucuri, wrote on the company blog. In the first 10 days of April alone, Sucuri had already blocked 774,104 login attempts, Cid said. That is a significant jump, from 30,000 to 40,000 attempts per day to about 77,000 per day on average, with some days this month exceeding 100,000, Sucuri said.

“In these cases, by the sheer fact of having a non- admin / administrator / root usernames you are automatically out of the running,” Cid said, before adding, “Which is kind of nice actually.”

Hints of a Large Botnet

The volume of attacks hints at the size of the botnet. HostGator estimates that at least 90,000 computers are involved, and CloudFlare believes “more than tens of thousands of unique IP addresses” are being used.

What is a Botnet?

A botnet is a collection of compromised computers that receive instructions from one or more centralized command-and-control servers and carry them out. Most of the time these computers have been infected with malware, and the user is often unaware that attackers are controlling the machine.

Updated Software and Strong Credentials

What is worrying about these attacks is not that attacks on popular content management systems are new, but their sheer volume and sudden rise. There is not much an administrator can do beyond using a strong username and password combination, which makes the attacker’s job harder, and keeping the CMS and its plugins up to date.

“If you still use ‘admin’ as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress,” Mullenweg said. WordPress 3.0, released three years ago, let users choose a custom username during installation, so there has been no reason to use “admin” or “Administrator” as a username since then.
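The May 23 post notes that a per-IP limiter such as Limit Login Attempts is of little use against a botnet that sends a handful of requests from each of 90,000 addresses, and this post lists the usernames being hammered. The following is an added example (not code from either post or from WordPress) that applies both points to a constructed per-attempt authentication log; the log format, the IP addresses and the thresholds are assumptions.

```python
"""Spot a distributed login brute force that a per-IP limiter cannot see.

Added example, not code from either post or from WordPress. It assumes a
per-attempt authentication log in the constructed one-line-per-attempt
format of SAMPLE_LOG (a real site needs a logging plugin or a web-server
log that records the posted username). The thresholds are illustrative.
"""
from collections import Counter
from datetime import datetime, timedelta

# Usernames the April 15 post lists as the most targeted.
COMMON_USERNAMES = {"admin", "test", "administrator", "Admin", "root"}

# Constructed sample: twelve failures from twelve different sources
# (documentation address ranges) inside 41 seconds, plus one legitimate
# login. Every source sends one request, so a per-IP limiter never trips.
SAMPLE_LOG = """\
2013-04-10T12:00:01Z 198.51.100.1 POST /wp-login.php user=admin result=fail
2013-04-10T12:00:04Z 198.51.100.2 POST /wp-login.php user=admin result=fail
2013-04-10T12:00:07Z 203.0.113.3 POST /wp-login.php user=test result=fail
2013-04-10T12:00:11Z 198.51.100.4 POST /wp-login.php user=admin result=fail
2013-04-10T12:00:15Z 203.0.113.5 POST /wp-login.php user=administrator result=fail
2013-04-10T12:00:19Z 198.51.100.6 POST /wp-login.php user=admin result=fail
2013-04-10T12:00:22Z 203.0.113.7 POST /wp-login.php user=Admin result=fail
2013-04-10T12:00:26Z 198.51.100.8 POST /wp-login.php user=root result=fail
2013-04-10T12:00:30Z 203.0.113.9 POST /wp-login.php user=admin result=fail
2013-04-10T12:00:34Z 198.51.100.10 POST /wp-login.php user=test result=fail
2013-04-10T12:00:38Z 203.0.113.11 POST /wp-login.php user=admin result=fail
2013-04-10T12:00:42Z 198.51.100.12 POST /wp-login.php user=jsmith result=fail
2013-04-10T12:00:50Z 192.0.2.20 POST /wp-login.php user=editor result=ok
"""


def parse_line(line):
    ts, ip, _method, path, user_kv, result_kv = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip, "path": path,
            "user": user_kv.split("=", 1)[1], "result": result_kv.split("=", 1)[1]}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failed_logins(events):
    return [e for e in events if e["path"] == "/wp-login.php" and e["result"] == "fail"]


def peak_failures(events, window=timedelta(minutes=1)):
    """Largest number of failures, across all sources, inside any one window."""
    times = sorted(e["ts"] for e in failed_logins(events))
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(text, per_ip_limit=5, global_limit=10, window=timedelta(minutes=1)):
    events = parse_log(text)
    fails = failed_logins(events)
    by_ip = Counter(e["ip"] for e in fails)
    by_user = Counter(e["user"] for e in fails)
    # What a per-IP limiter sees: only sources that exceed the limit alone.
    blocked = {ip for ip, n in by_ip.items() if n >= per_ip_limit}
    # What a site-wide rate check sees: all failures combined per window.
    peak = peak_failures(events, window)
    common = sum(n for u, n in by_user.items() if u in COMMON_USERNAMES)
    return {
        "sources": len(by_ip),
        "blocked_by_ip_limiter": blocked,
        "peak_failures_in_window": peak,
        "distributed_bruteforce": peak >= global_limit and not blocked,
        "top_usernames": by_user.most_common(3),
        "common_username_share": common / max(1, sum(by_user.values())),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The site-wide window count is what exposes the attack here; a high share of attempts against the listed usernames is a second signal, and a site whose admin account has a different name is simply not in the running, as Cid says.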

Protect yourself with Alertsec

Organisations are now aware of the need for data security and are implementing data encryption. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

A look at the Biggest Cyberattack in History

March 28th, 2013

A recent cyber attack, now described by experts as one of the biggest Distributed Denial of Service (DDoS) attacks in the history of the Internet, has captured everybody’s attention. Although it primarily targeted a single company, it affected elements of the Internet’s physical infrastructure, and Internet speeds across Europe may be slower for a while as a result.

It all started when the attacks targeted Spamhaus, an anti-spam company based in Europe. Spamhaus works by tracking the main sources of email spam and selling those blacklists to Internet Service Providers. The attack began as waves of typical DDoS traffic after Spamhaus blacklisted a dodgy Dutch web hosting company, Cyberbunker. Cyberbunker did not directly claim responsibility for the attack against Spamhaus.

Commonly, in such attacks, hackers send fake traffic at a specific server in order to overwhelm it. The computers involved in a DDoS have usually been infected with malware beforehand, giving the attackers control of the machines without the owners’ knowledge. Spamhaus contracted CloudFlare, a data security firm that mitigates such attacks, soon after they began. It is now CloudFlare’s responsibility to defend Spamhaus by dispersing the attack across multiple data centers, a technique that keeps a website online even when hit with the maximum amount of traffic a usual DDoS can generate.

“Usually these DDoS attacks have kind of a natural cap in their size, which is around 100 gigabits per second,” CloudFlare CEO Matthew Prince told Mashable before explaining the limitation in typical DDoS attack size is due to routing hardware limitations.

When the hackers failed to knock down Spamhaus while CloudFlare was protecting it, they chose to target CloudFlare’s network providers by exploiting a known weakness in a key piece of Internet infrastructure, DNS. “The interesting thing is they stopped going after us directly and they started going after all of the steps upstream from us,” said Prince. “Going after our immediate transit providers, then going after their transit providers.”

Basically, DNS translates the domain name in a URL into the desired website’s IP address, which is what allows the requested Internet content to reach the user’s computer. A vital element of the DNS system is the DNS resolver. “The attack works by the attacker spoofing the victim’s IP address, sending a request to an open resolver and that resolver reflecting back a much larger response [to the victim], which then amplifies the attack,” said Prince.

Prince said that these attacks have been “certainly the largest attacks we’ve seen.” According to a leading data security research group, it is one of the largest DDoS operations to date. Because the Internet relies so heavily on DNS, Internet speeds the world over can be affected by such large-scale DNS-amplified DDoS operations.

“Anyone that’s running a network needs to go to openresolverproject.org, type in the IP addresses of their network and see if they’re running an open resolver on their network,” said Prince. “Because if they are, they’re being used by criminals in order to launch attacks online. And it’s incumbent on anyone running a network to make sure they are not wittingly aiding in the destruction of the Internet.”
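The two points Prince makes above (a small query producing a much larger response, and open resolvers answering recursive queries for anyone on the Internet) can be made concrete with a short script. The following Python is an added example, not code from the original post, CloudFlare or openresolverproject.org. It builds a constructed DNS query and response in wire format and reports the size ratio that makes reflection attractive, and it audits constructed BIND-style query-log lines for recursive queries from clients outside the networks the resolver is supposed to serve. The addresses, zone names, log lines and allow-list are all constructed for the example; a real audit would read the resolver’s actual query log and its real client allow-list.

```python
import ipaddress
import re
import struct

# --- Part 1: DNS wire format and the response/query size ratio -------------

def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, rd=True):
    """Minimal DNS query: 12-byte header plus one question (class IN)."""
    flags = 0x0100 if rd else 0x0000                     # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, answers):
    """Constructed response: echo the question, append answer RRs.
    answers is a list of (name, type, ttl, rdata bytes). Flags 0x8180 set
    QR, RD and RA, i.e. a resolver that performed recursion on request."""
    (txid,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = b""
    for name, rtype, ttl, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + body

def parse_header(msg):
    """Decode the 12-byte DNS header; RA=1 on a reply to an outside client is the open-resolver signal."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def amplification_ratio(query, response):
    """Bytes the reflector sends to the spoofed victim per byte the attacker sends."""
    return len(response) / len(query)

# --- Part 2: audit a resolver's query log for recursion served to outsiders --

# Pattern for BIND 9 query-log lines: '+' after the class/type means RD was set.
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>\S+)\): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>[+-])"
)

# Constructed sample log lines (RFC 5737 documentation addresses, '.example' zone).
SAMPLE_LOG = [
    "24-Mar-2013 10:01:02.123 client 192.0.2.10#40001 (intranet.example): query: intranet.example IN A +E(0)K (192.0.2.53)",
    "24-Mar-2013 10:01:03.456 client 203.0.113.7#53214 (bigzone.example): query: bigzone.example IN ANY +E(0)K (192.0.2.53)",
    "24-Mar-2013 10:01:03.789 client 203.0.113.7#53214 (bigzone.example): query: bigzone.example IN ANY +E(0)K (192.0.2.53)",
    "24-Mar-2013 10:01:04.000 client 198.51.100.9#2345 (www.example): query: www.example IN A -E(0) (192.0.2.53)",
]

def find_open_resolver_abuse(log_lines, allowed_clients):
    """Return (ip, qname, qtype) for every recursive query ('+' = RD set)
    that came from a client outside allowed_clients. Any hit means the
    resolver is answering recursion for the whole Internet."""
    nets = [ipaddress.ip_network(n) for n in allowed_clients]
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        recursion_wanted = m["flags"] == "+"
        inside = any(ip in n for n in nets)
        if recursion_wanted and not inside:
            findings.append((str(ip), m["name"], m["qtype"]))
    return findings

def demo():
    """Constructed scenario: one A query answered with ten A records, and the sample log."""
    q = build_query("example.com", 1)                   # 29 bytes on the wire
    rrs = [("example.com", 1, 300, bytes([192, 0, 2, n])) for n in range(1, 11)]
    r = build_response(q, rrs)                          # 299 bytes on the wire
    return parse_header(r), amplification_ratio(q, r), find_open_resolver_abuse(SAMPLE_LOG, ["192.0.2.0/24"])

if __name__ == "__main__":
    hdr, ratio, hits = demo()
    print("response header:", hdr)
    print("amplification ratio: %.1fx" % ratio)
    for ip, name, qtype in hits:
        print("recursion served to outside client %s for %s/%s" % (ip, name, qtype))
```

Even this modest ten-record answer is about ten times the size of the query; responses carrying large TXT or DNSSEC data push the ratio far higher, which is why a resolver that answers anyone is valuable to attackers and why the log audit matters. Running the audit with the allow-list set to the networks the resolver is meant to serve, and restricting recursion to those networks in the server configuration, is the fix the quote above asks network operators to make.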

The string of recent cyber attacks seems to have finally motivated the data security industry: open resolvers have been discussed for a long time, but until now that discussion apparently was not enough to prompt action. Prince, however, warns that these DNS-amplified DDoS operations won’t be going away any time soon. “The good news about an attack like this is that it’s really woken up a lot of the networking industry and these things that have been talked about for quite some time are now being implemented,” said Prince.

Get your personal as well as office laptops encrypted by Alertsec

With so much vulnerability on public networks, unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe, not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data, as the information is not compromised if a laptop is lost or stolen. Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

DDoS Attack on Bank Hid $900,000 Cyberheist

February 1st, 2013

A Christmas Eve cyber attack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.

At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West — came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs.

Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters.

Ascent was unaware of the robbery at the time, but its bank would soon verify that a series of unauthorized transactions had been initiated on the 24th and then again on the 26th. The money mule I spoke with was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000.

Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site.

“It said the bank was offline for 24 hours, and we couldn’t get in to the site,” Shope said. “We called the bank and they said everything was fine.”

But soon enough, everything would not be fine from Bank of the West’s end. Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline. It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan – a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.

Shope said the FBI is actively investigating the breach. The FBI declined to comment for this story. Bank of the West also did not respond to requests for comment.

But a law enforcement source working the case and speaking on condition of anonymity confirmed that the bank was subjected to a DDoS attack at the time of the robbery. The law enforcement official added that Ascent may not have been the only victim that day at Bank of the West, and that several other businesses and banks in the local area had been similarly robbed on or around Christmas Eve.

Shope said Bank of the West has been able to claw back about half of the stolen funds, and expects to recover a great deal more. He said many of the bigger fraudulent transfers went to other businesses. For example, one of the mules was either running or working at a Hertz equipment rental franchise on the East Coast, and had called Ascent Builders to complain after the bank discovered the fraud and began clawing back large transfers. That mule, apparently unaware he was helping thieves launder stolen money, was calling to find out what happened to his $82,000.

“We got a call from a Hertz rental equipment company back east, and they said, ‘Why did you take this deposit out of our account?’” Shope recalled. “I asked him what he thought it was for, and he said, ‘Oh, this was for some equipment that we were purchasing for you guys from Russia, and we already sent the money on [to Russia], so what’s going on?’”

A few thoughts about this attack. If you run a business and suddenly find yourself unable to log in to your commercial account, pick up the phone and call your bank to inquire about any recent money transfer activity. Very often, malware that thieves use to steal banking passwords in these cyberheists will also redirect the victim to an error page that says the bank’s site is down for maintenance. If this happens to you, call your bank and ask them to check your accounts (don’t trust a customer service phone number offered on a “down for maintenance” page; call the number on your bank card or search online for the institution’s customer service number).

Also, get educated about the risks of banking online with a business account, and then take steps to make sure your organization isn’t the next victim. Regulation E limits the liability for consumers who lose money due to unauthorized account activity online (provided they notify their financial institution of the fraudulent activity within 60 days of a statement). Businesses do not enjoy such protections, although a couple of recent court cases brought by cyber-heist victims against their banks have gone in favor of the businesses, suggesting that banks may find it increasingly difficult to disavow financial liability in the wake of these attacks going forward.

Finally, consider banking online with a dedicated system. This is among several recommendations I include in a short list of other tips that small businesses should consider when banking online.
