Don’t ban the bots

I do a lot of DDoS related research online, which results in a lot of DDoS protection related spam/offers. A trend I have seen gaining popularity lately is “ban the bots”.

These emails contain a lot of emotionally charged language trying to persuade the reader that bots are destroying the internet, wasting your bandwidth and pillaging your website (and how, for a modest monthly fee, they can keep the digital invaders at bay). I couldn’t disagree more. For the most part I like bots. Bots save me a ton of work and allow me to focus on tasks that are meaningful to me. The only reason that search engines, hotel booking sites, and social media sites operate so successfully (or at all) is because of bots.

These advertisements do acknowledge that there are some good bots out there, while stressing the need to block the bad bots. I thought I’d pull some numbers from traffic running through our system. I was pleasantly surprised: as a DDoS protection service I was expecting to see more malicious bots than legitimate ones, but what I found was that 85% of the bot traffic is classified as good: SES (which stands for Search Engine Spiders, but is a general list of the known good bots), which we don’t want to block, and XSE, which contains alternate spiders and bots that, while legitimate, can cause impact on some websites.


The other 15% of traffic is from hosting companies, ISPs, and commercial traffic from unknown bots. This traffic is not automatically bad, but hidden somewhere in there are the malicious bots and scrapers which we do want to block. This is where the philosophy “ban the bots” makes things more complicated than it needs to be, because while it is a trivial matter to find and locate bots, it focuses you on the actor, not the action. Don’t ban the bots, ban the malicious actions. If you design your web security to defend against malicious actions, it shouldn’t matter whether they come from bots or not. At DOSarrest this is what we do: we create special features to focus on the malicious bot traffic, apply them to customer configurations, and leave the good bots alone.

In fact, I’ll go one step further: don’t ban the bots, help the bots. Because while I disagree with the conclusion, the facts are not wrong: bots do consume more than a trivial amount of resources. By helping the bots find the content they are looking for, you can reduce the impact on your site and possibly improve your overall ranking.

Your first goal is getting the bots to your content in as few requests as possible, and at the same time stopping the bots from crawling pages you don’t need (or want) to show up in search results. Most modern sites have dynamic, pop-up, hidden menus that require multiple JavaScript and CSS resources to render properly. They might look fantastic, but a bot isn’t interested in the aesthetics of your site; it is looking for content. A sitemap is a great tool for linking all the content you want to emphasize without a bot having to navigate through a bunch of complicated dynamic resources. Then there are the rest of the pages on your site, things that are useful to your users but that don’t need to appear in the search rankings: login pages, feedback forms, etc. Use a robots.txt file or ‘noindex’ meta tags to direct the bots not to bother with these pages.

Your sitemap and robots.txt will help bots find the resources you want them to find, and avoid the ones you don’t. This will help lighten the load on your webserver, but won’t necessarily help your site ranking. The number one thing they are looking for is quality content. But searchbots also look for well-performing sites. Too many errors or slow responses will negatively impact your ranking in a big way. The answer here is caching. Many bots, Googlebot included, do full page downloads when indexing your site. They are looking for JavaScript and CSS files, images and PDFs, or whatever resources you’ve linked. Most of these resources are static and can be served up out of a CDN. Not only will this alleviate the load on your server, but the performance improvement will make all your quality content that much more appealing to the bots.
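The post's two practical points, blocking malicious actions rather than actors and using robots.txt to steer crawlers, can be combined into one action-based classifier. The example below is added here and is not DOSarrest's code; it parses constructed combined-format access log lines (documentation IP ranges) against a hypothetical robots.txt, and flags clients by what they do (request bursts, repeated login failures, crawlers ignoring Disallow rules) while a slow, well-behaved search spider passes untouched. Thresholds and the crawler user-agent heuristic are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed robots.txt for a hypothetical site: the login and feedback pages are
# useful to people but should not be crawled, as the post recommends.
ROBOTS_TXT = """User-agent: *
Disallow: /login
Disallow: /feedback
Sitemap: https://example.invalid/sitemap.xml
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CRAWLER_HINTS = ("bot", "spider", "crawl")  # heuristic, used only for the robots.txt check


def disallowed_prefixes(robots_txt):
    """Path prefixes the site asks crawlers not to fetch (one User-agent: * block assumed)."""
    prefixes = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            prefixes.append(value.strip())
    return prefixes


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify(log_lines, robots_txt, burst_limit=20, burst_window=timedelta(seconds=10),
             login_fail_limit=3):
    """Map each client IP to the malicious actions seen from it; [] means nothing to block.

    burst           more than burst_limit requests inside any burst_window
    login_failures  at least login_fail_limit rejected POSTs to /login
    ignores_robots  a self-declared crawler fetching a path robots.txt disallows
    """
    blocked = disallowed_prefixes(robots_txt)
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_lines)):
        by_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in by_ip.items():
        signals = set()
        times = sorted(r["ts"] for r in recs)
        start = 0
        for end, t in enumerate(times):  # sliding window over request timestamps
            while t - times[start] > burst_window:
                start += 1
            if end - start + 1 > burst_limit:
                signals.add("burst")
                break
        fails = sum(1 for r in recs
                    if r["method"] == "POST" and r["path"] == "/login" and r["status"] in (401, 403))
        if fails >= login_fail_limit:
            signals.add("login_failures")
        for r in recs:
            ua = r["ua"].lower()
            if any(h in ua for h in CRAWLER_HINTS) and any(r["path"].startswith(p) for p in blocked):
                signals.add("ignores_robots")
                break
        verdicts[ip] = sorted(signals)
    return verdicts


def _line(ip, second, method, path, status, ua):
    """Build one constructed log line, `second` seconds after a fixed start time."""
    ts = datetime(2017, 7, 27, 15, 38, 0) + timedelta(seconds=second)
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE_LOG = (
    # a well-behaved search engine spider: sitemap first, then content, one request per 15 s
    [_line("203.0.113.10", i * 15, "GET", p, 200, "Mozilla/5.0 (compatible; Googlebot/2.1)")
     for i, p in enumerate(["/sitemap.xml", "/articles/1", "/articles/2"])]
    # a browser-like client repeatedly failing at the login form
    + [_line("198.51.100.7", i * 2, "POST", "/login", 401, "Mozilla/5.0") for i in range(4)]
    # a scraper pulling 25 product pages within five seconds
    + [_line("192.0.2.55", i // 5, "GET", f"/products/{i}", 200, "Mozilla/5.0") for i in range(25)]
    # a crawler fetching a page that robots.txt told it to skip
    + [_line("203.0.113.44", 0, "GET", "/feedback", 200, "ExampleCrawler/1.0 (bot)")]
)
```

Running `classify(SAMPLE_LOG, ROBOTS_TXT)` returns an empty signal list for the spider and one named action for each of the other three clients, so a block decision never has to ask whether the client is a bot.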

Sean Power

Security Solutions Architect

DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/don-t-ban-the-bots/


DDoS Attacks Could Disrupt Brexit Negotiations

IT security professionals are bracing for DDoS attacks of unprecedented frequency in the year ahead, and are already preparing for attacks that could disrupt the UK’s Brexit negotiations and cause outages worldwide.

That’s according to a survey from Corero Network Security, which found that more than half (57%) of respondents believe that the Brexit negotiations will be affected by DDoS attacks, with hackers using DDoS to disrupt the negotiations themselves, or using the attacks merely as camouflage while they seek to steal confidential documents or data.

The latter “hidden attack” scenario is on the radar of many, and it generally involves the use of smaller, low-volume DDoS attacks of less than 30 minutes in duration. As Corero found in its research, these Trojan-horse campaigns typically go un-mitigated by most legacy solutions, and are frequently used by hackers as a distraction mechanism for additional efforts, like data exfiltration.

About 63% of respondents are worried about these hidden effects of these attacks on their networks— particularly with the GDPR deadline fast-approaching, where organizations could be fined up to 4% of global turnover in the event of a data breach.

At the same time, worryingly, less than a third (30%) of IT security teams have enough visibility into their networks to mitigate attacks of less than 30 minutes.

Meanwhile, many in the industry expect to see a significant escalation of DDoS attacks during the year ahead, with some (38%) predicting that there could even be worldwide Internet outages during 2017.

As for who’s behind the growing wave of attacks, the perpetrators are generally financially motivated, IT pros said—despite continued discussions about nation-state attackers or political activism. Security teams believe that criminal extortionists are the most likely group to inflict a DDoS attack against their organizations, with 38% expecting attacks to be financially motivated. By contrast, just 11% believe that hostile nations would be behind a DDoS attack against their organization.

This financial motivation explains why almost half of those surveyed (46%) expect to be targeted by a DDoS-related ransom demand over the next 12 months. Worryingly, 62% believe it is likely or possible that their leadership team would pay.

“Despite continued advice that victims should not pay a ransom, a worrying number of security professionals seem to believe that their leadership teams would still consider making a payment in the event of an attack,” said Ashley Stephenson, CEO of Corero. “Corporations need to be proactive and invest in their cybersecurity defenses against DDoS and ransomware to protect themselves against such extortion.”

The good news is that the vast majority of security teams (70%) are already taking steps to stay ahead of the threats, such as putting business continuity measures in place to allow their organizations to continue operating in the event of worldwide attacks. However, they also agree that some responsibility for DDoS protection lies with the ISPs; and about a quarter of those surveyed (25%) believe their ISP is primarily to blame for not mitigating DDoS attacks.

At the end of 2016, the head of Britain’s new National Cyber Security Centre suggested that the UK’s ISPs could restrict the volume of DDoS attacks across their networks by rewriting internet standards around spoofing. Continued discussions on this topic have led nearly three-quarters of respondents (73%) to expect regulatory pressure to be applied against ISPs who are perceived to be not protecting their customers against DDoS threats.

“While most in the IT security industry wouldn’t expect their ISP to automatically protect them against DDoS attacks, there is a growing trend to blame upstream providers for not being more proactive when it comes to DDoS defense,” said Stephenson. “To help their cause, ISPs could do more to position themselves as leading the charge against DDoS attacks, both in terms of protecting their own networks, and by offering more comprehensive solutions to their customers as a paid-for, managed service.”

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-could-disrupt-brexit/


Smart Drawing Pads Used for DDoS Attacks, IoT Fish Tank Used in Casino Hack

Some clever hackers found new ways to use the smart devices surrounding us, according to a report published last week by UK-based cyber-defense company Darktrace.

The report, entitled the Darktrace Global Threat Report 2017, contains nine case studies from hacks investigated by Darktrace, among which two detail cyber-incidents caused by IoT devices.

Smart drawing pads used for DDoS attacks

In one of these case studies, Darktrace experts reveal how an unknown hacker had hijacked the smart drawing pads used at an architectural firm to carry out DDoS attacks as part of an IoT botnet.

The hacker had used the default login credentials that came with the design pad software to take over the devices, which the architectural firm had connected to its internal WiFi network, and was exposing to external connections.

“An attacker scanning the internet identified the vulnerable smart drawing pads and exploited them to send vast volumes of data to many websites around the world owned by entertainment companies, design companies, and government bodies,” the report reads. “Involvement in the attack could have legal implications for the firm had their infrastructure been responsible for damaging another network.”

Smart fish tank used to hack North American casino

Another case where attackers leveraged a smart device was at a North American casino. Darktrace says that an unknown hacker had managed to take over a smart fish tank the casino had installed at its premises for the enjoyment of its guests.

In spite of the fact that the fish tank was installed on its own VPN, isolated from the rest of the casino’s network, the hacker managed to break through to the mainframe and steal data from the organization.

“The data was being transferred to a device in Finland,” says Darktrace. “No other company device had communicated with this external location.”

“No other company device was sending a comparable amount of outbound data,” experts added. “Communications took place on a protocol normally associated with audio and video.”

In total, the hacker managed to steal over 10GB of data by siphoning it off via the IoT fish tank.

Other hacking scenarios detailed in the Darktrace report include the case of a US insurance company who had its servers hijacked by a cryptocurrency miner, and several cases of insider threats, companies hacked by former or current employees.

Source: https://www.bleepingcomputer.com/news/security/smart-drawing-pads-used-for-ddos-attacks-iot-fish-tank-used-in-casino-hack/


5 reasons to take a fresh look at your security policy

Evolving ransomware and DDoS attacks, new technology such as IoT, and changing user behavior are all good reasons to revise your security policy.

Today’s advanced persistent threats, new business technologies and a younger workforce have prompted security budgets to shift from breach prevention to detection and response. Those same forces have also motivated many organizations to take a fresh look at their security policies and guidelines – and for good reason.

By 2018, for instance, 50 percent of organizations in supply chain relationships will use the effectiveness of their counterpart’s security policy to assess the risks in continuing the relationship, according to Gartner. Does your policy align with those of your partners?

The majority of companies have some form of security policy already in place, whether created from scratch or borrowed from myriad templates available through security organizations and vendors. How effective those policies are today is another story. Some 31 percent of companies have a formal security policy for their company, while another 34 percent have an informal security policy that is adopted by various departments in the company, according to a survey of 1,500 software developers worldwide by Evans Data Corp.

The golden rules for writing security policy still apply, such as making sure the process is shared with all stakeholders who will be affected by it, using language that everyone can understand, avoiding rigid policies that might limit business growth, and ensuring the process is pragmatic by testing it out. Just because policies are intended to be evergreen doesn’t mean they can’t become stale, says Jay Heiser, research VP in security and privacy at Gartner. Particularly at the standards level, one level below policy, guidance may need to be updated for different lines of business, or for jurisdictions that may be driven by different regulatory rules or geographic norms. Security and risk experts offer five reasons why companies should take a fresh look at security policies.

1. Ransomware, DDoS and APTs

The number of ransomware attacks targeting companies increased threefold from January to September 2016 alone, affecting one in every five businesses worldwide, according to Kaspersky Lab. The average distributed denial of service (DDoS) peak attack size increased 26 percent in Q1 2017 compared to the previous quarter, according to Verisign.

In the past, security policies focused on how to protect information. There would be policies associated with data classification and policies associated with how to not share information in a certain way on the network. “Now, because of ransomware and advanced persistent threats (APTs), policies have to focus more on user behavior and on the behavior of the bad guys,” says Eddie Schwartz, chairman of ISACA’s cybersecurity advisory council and executive vice president of cyber services at DarkMatter LLC.

While a security policy should be “fairly stalwart and stable” to withstand those threats, some standards and individual procedures written for how to deal with individual threats may have to be updated more frequently as the threat environment changes, says Julie Bernard, principal in the cyber risk services practice at Deloitte in Charlotte, N.C.

2. Cloud, IoT, blockchain and other new technology

Next-generation tools, such as the Internet of Things (IoT) in manufacturing or blockchain in financial services, are driving changes to security policies. “Policy has to keep up with the dynamic environment you’re in,” says Bernard. “If your company is going to cloud, tech people are worried about uptime and security, but what about the policies that go along with it? Can I share information with one of my key vendors through a cloud app? If so, which one? And how do you facilitate that, which gets into standards questions,” Bernard explains.

“You could have a policy of ‘thou shall not share,’ but unless you have the technical ability to block that, people are still going to try to get their work done” and do it anyway, she adds.

3. Changing user behavior

A growing millennial workforce is changing the technology expectations and work behaviors that affect security policies and standards, Schwartz says. “It’s more about ‘if you’re on Facebook at work watching that funny cat video, be careful because it might contain embedded malware,’ or ‘just don’t do it at work,’” he says. “Instead of giving users instructions that are generic about protecting information, you really have to tailor those instructions to the behaviors that we know they’re doing at the office,” such as using smart devices connected to corporate networks or surfing social media on company laptops.

In some organizations, security standards and procedures include equal parts of preventative measures and response measures, including directions for taking action after a breach inevitably happens, Schwartz says.

4. Security fatigue and lax enforcement

Sometimes employees just get tired of following all the rules, Heiser says. Pile on too many “don’ts” over time in the security policy, and security fatigue can start to diminish a policy’s effectiveness. “They’ll just begin tuning it out,” he says.

In response, organizations often lighten up on enforcing policies because of rampant use, such as areas of public and cloud computing. “The majority of organizations are not enforcing the use of SaaS,” Heiser says. “They’re allowing fairly free use of anything that employees can connect to,” which negates having the policy at all.

5. Some policy elements are obsolete

“Organizations typically don’t take a methodical look at their policy elements to see if they’re actually changing what happens,” Heiser says. “If they don’t change what happens, then what’s the point?” He suggests making a spreadsheet of all security policies and grading them on a scale from one to five. “Are they followed or not? If they were followed, would it reduce risk? If either one of those is zero, then the net outcome is probably zero, unless there’s an audit requirement” to include it.

“The fewer rules there are, the more reasonable it is to expect people to follow them,” Heiser says. “If you want to add something, then take something out.”

Policy refresh

While an annual review of security policies is common, especially where compliance rules are involved, some analysts believe the standards and procedures should be reviewed quarterly. “In general, for a large organization the absolute minimum is quarterly, but they should also be reviewed as needed,” Schwartz says. “If they discover a gap due to a change in the threat landscape, or get a new HR system or move to the cloud, a new mobile environment – all of those events are going to trigger potential changes in policy.”

All new threats should be held up to established security policies to make sure they are addressed at the highest level. If they aren’t, then, “You have to have an executive leadership conversation on what do you want to do on principle” with the security team, legal, audit and compliance to determine the right course of action and then craft a policy, Bernard says. Once the security policy, standards and procedures are cleaned and up to date, make it easy for employees to find quickly, she adds.

One of the first things that James Baird did when he joined the American Cancer Society in October 2015 as vice president of IT security and compliance was to make the organization’s security policy easily accessible and searchable for employees. About 1,800 static PDF pages were replaced with HTML pages hosted on SharePoint. Topics are now easily searchable, and hyperlinks take employees from one policy to any supporting policies, or to a set of requirements or guidelines.

When searching the acceptable use of Wi-Fi, for example, an employee will quickly find the policy and a link to a list of standards, access points they can have, and brands they can use. “My goal is to give people the tools that they need to inform themselves and to investigate as much or as little as they need to in a policy,” Baird says.

The right balance of security policy and risk tolerance varies greatly with each organization, Heiser says. Having very specific policy goals is the starting point for governance, but there’s no data that proves what that optimal level of policy should be, he adds. “Once [a security policy] has been out there, you can go back and ask, did this have an impact?”

Source: http://www.csoonline.com/article/3209160/security/5-reasons-to-take-a-fresh-look-your-security-policy.html


British Man Confesses to Deutsche Telekom Mirai Attack

A 29-year-old British man has confessed to a German court that he was behind a Mirai-based attack on Deutsche Telekom routers which ended up taking nearly one million customers offline last year.

The man, described in local media reports as “Daniel K”, claims to have been told by his then-employer, a Liberian telecommunications company, to build a botnet to knock out a competitor.

He apparently agreed to the $10,000 commission as he was planning to marry his fiancée and wanted “a good start in married life”.

However, despite working as an IT technician at the firm, the Israeli-born Brit, living until recently in Cyprus, had no specialist tech training and didn’t plan on the attack effectively sending the routers offline, according to the Guardian.

“The malware was badly programmed, it didn’t function properly and didn’t do what it was meant to do,” a Deutsche Telekom spokesperson said at the time. “Otherwise the consequences of the attack would have been a lot worse.”

The Mirai attack came amid a flurry of similar incidents, which knocked routers offline for over 100,000 Post Office and TalkTalk broadband customers in the UK.

Most famously, an earlier blitz took out DNS provider Dyn, and in so doing led to outages at internet giants including Spotify, Reddit and Twitter.

The malware, which was effectively open sourced after its source code was made public last year, was also used in a huge DDoS attack against Krebs on Security and – more curiously – an attack which knocked most of Liberia’s internet offline.

Mirai works by scanning the web for IoT devices like routers which are only protected by factory default or hard-coded credentials, with the aim of recruiting them into a botnet which can be directed to launch DDoS attacks.

A second witness is set to appear in court on Friday, after which a verdict could be swiftly forthcoming. “Daniel K” apparently faces up to 10 years in prison.

Source: https://www.infosecurity-magazine.com/news/british-man-confesses-to-deutsche/


Almost 60% of Scottish councils hit by cyber attacks

Almost 60 per cent of Scottish councils and more than half of Scotland’s health boards have been targeted by cyber criminals since 2014, a Scotsman investigation has revealed.

Nine universities and numerous government bodies have also been hit during the last three years, the investigation found.

Some local authorities reported being bombarded with thousands of spam emails and receiving ransom demands to decrypt data.

Freedom of Information requests showed 19 of Scotland’s 32 councils experienced either attempted or successful attacks since 2014.

Ransomware attacks were reported by 14 local authorities, sometimes on multiple occasions.

Four councils refused to reveal any information, with two fearing doing so would leave them vulnerable to future attacks. Of the incidents logged by 19 councils, only nine authorities reported any of them to police, although no data was stolen or lost.

The investigation revealed Scottish local authorities were subject to more than 50 notable incidents in the past three financial years.

Aberdeen City Council was one of the hardest hit. Between 2014 and 2017, it suffered 12 successful cyber attacks, including six ransomware incidents, and had its webpage defaced. It also recorded more than 15 million attempts, including intrusion threats, spam, web risks and viruses, in the last eight months of 2016. Police were notified of two incidents.

Highland Council reported being targeted 953 times, including two partially-successful ransomware attacks, while more than 415,000 unsuccessful spam emails were sent to East Lothian Council.

Perth and Kinross Council reported blocking an average of 1.2 million spam emails every month. None of its three ransomware attacks were reported to any authority as it said “attacks were treated as business as usual and not significant enough to warrant reporting”.

Falkirk, Glasgow City, North Ayrshire and Dumfries and Galloway councils refused to disclose any details.

Three ransomware hits got through Dundee City’s defences, North Lanarkshire Council had two malware incidents in 2015 and three ransomware incidents in 2016, and Edinburgh City Council reported nine incidents, including malware preventing access to systems, a sustained denial of service (DDoS) attack, and malware being installed and copied.

A spokesman for local authority umbrella body Cosla said: “This is a fine balancing act for councils.

“Scotland’s councils have good defences in place and as such are confident around them preventing it happening to us. That said, we are certainly not, and never will be complacent or think that this couldn’t happen to us.

“We fully recognise how important our cyber security is and we are doing everything we can to safeguard councils against such attacks.”

The research, conducted together with The Scotsman’s sister titles in Johnston Press, found 11 of Scotland’s health boards were affected by the WannaCry attack in May which affected the NHS network across the UK.

In addition, NHS Fife logged 693 attempted malware attacks in the past three years. It was also hit by three successful ransomware attacks which required PCs to be rebuilt.

NHS Lanarkshire reported 51 attempted or successful attacks and NHS Greater Glasgow and Clyde was subject to four cyber breaches in 2016. Files became inaccessible after being encrypted by ransomware. However, data was recovered and the ransom was not paid.

NHS Ayrshire and Arran said it did not record attempts, but had one successful ransomware attack on a GP practice in 2015.

In the past year, NHS Highland had one ransomware email that attacked a “small number of files”. No ransom was paid and no data was lost.

NHS Tayside reported being bombarded with up to 7,000 attempts every month including ransomware.

NHS Orkney refused to reveal the details, stating that disclosure could pose a risk to national security. NHS Grampian did not respond, and NHS Lothian reported no cyber attacks had resulted in a breach of security.

Dumfries and Galloway, Shetland and the Borders health boards said they had no attempted cyber attacks. No board reported losing data.

Jann Gardner, director of planning and strategic partnerships with responsibility for IT at NHS Fife, said: “Of the 693 attempted malware attacks, only three affected small areas of our network, with swift action taken to contain and repair systems.

“No patient data was lost or compromised.”

A Scottish Government spokesperson said: “Scotland’s public sector bodies take cyber security seriously and already implement a wide range of measures to ensure basic security standards are met.

“The Scottish Government has committed to accelerating the development of a public sector action plan to help promote a common approach to cyber resilience across Scotland’s public bodies.

“Ministers expect to receive recommendations from the National Cyber Resilience Leaders’ Board (NCRLB) shortly.

“Following this, the Scottish Government will consult with Scottish public bodies on any implementation challenges before taking the plan forward.

“The NCRLB’s recommendations are expected to have reference to the Cyber Essentials accreditation scheme, which is endorsed by the National Cyber Security Centre, and which helps protect organisations from the most common forms of cyber-attack.

“The Cyber Essentials scheme is open to the public, private and third sectors, and offers a sound foundation of basic cyber security measures that all types of organisation can implement and potentially build upon.”

A spokesman for NHS Lanarkshire said that only the WannaCry incident was reported to the police, as no data was lost or stolen in the other cases.

A spokeswoman for Police Scotland said: “We always encourage anyone who thinks they’ve been a victim of cybercrime to come forward and report it to police.”

Detective Inspector Eamonn Keane from Police Scotland’s cyber crime unit, added: “Cyber crime has witnessed significant growth.

“The cyber threat to Scotland is indicative of that local, national and international threat applicable to all regions in the UK.”

Source: http://www.scotsman.com/news/politics/almost-60-of-scottish-councils-hit-by-cyber-attacks-1-4512060


Profile of a Hacker: The Real Sabu

There are multiple stories about how the capture of the infamous Anonymous leader Sabu went down. Here’s one, and another about what he is doing today.

The capture of Sabu was perhaps the most spectacular fall from grace this century — at least in the security world. He went from being the most beloved figure in the hacktivist group, Anonymous, to being its most hated.

From 2011 to 2012, Sabu was the unofficial leader of the online activist group. He organized effective distributed denial-of-service (DDoS) campaigns and enforced meaningful discipline within Anonymous where there hadn’t been any before — and hasn’t been since.

During Sabu’s reign, Anonymous became adept at handling the media, making effective use of Twitter to claim victory (even if they were hollow victories at best). Screenshots of “site down” pages were taken, tweeted, and trumpeted to the media, which eagerly wrote about the fearsome prowess of Anonymous. These were the salad days of Anonymous, when they seemed untouchable and everywhere.

To maximize the glory, Sabu collected a smaller cadre of hacktivists from Anonymous and named it LulzSec, which became famous very quickly for a series of high-profile hacks. Where many people passively supported the egalitarian goals of Anonymous, they were turned off by the actions of LulzSec, which were seen as creating much collateral damage to innocent citizenry.

The LulzSec attack of Sony Pictures is an illustrative example. Sony Pictures was running several prize giveaways as part of a marketing campaign. LulzSec used a basic SQL injection to breach the SonyPictures.com database and grabbed the usernames, passwords, and personal profiles of over one million registered users. They then dumped the data to Pastebin. LulzSec’s justification at the time was that Sony Pictures’ security was “… disgraceful and insecure: they were asking for it.” But the justification seemed little more than braggadocio to the community. When someone asked LulzSec why they would compromise the credentials of so many innocent television watchers, they replied “we do it for lulz” (the laughs).

Well, LulzSec wasn’t going to keep laughing for long.

By that time, Sabu had achieved an almost messianic following among Anonymous, and his twitter account, @anonymouSabu, had hundreds of thousands of followers. He was number one on the FBI’s most wanted cybercriminal list.


If that weren’t enough heat, Sabu had also attracted the attention of his polar opposite: the famous pro-U.S., ex-Special Ops service member and hacker known as The Jester. The Jester, too, was known for distributed denial-of-service attacks and had been spending months attacking Jihadist websites in order to drive their users into more centralized, resilient networks where they could be monitored by the various agencies that track terrorist activity.

As an ex-military operative, The Jester loathed Sabu. The two stood at opposite sides on nearly any given topic: WikiLeaks, Anonymous, the Occupy movement, the forum 4chan, the CIA, and the Palestinian/Israeli conflict, to name just a few. One notable exception was the Westboro Baptist Church (WBC), which is known for conducting anti-gay protests at military funerals. Both Sabu and the Jester agreed about this group, and they both attacked the WBC repeatedly.

During the first half of 2011, Sabu and The Jester tried repeatedly to uncover each other’s identity. The conflict between Sabu and the Jester reached a fever pitch at DEF CON 19, the nineteenth annual security convention in Las Vegas. Both hackers claimed to be in attendance along with the 20,000 other hackers, researchers, and undercover FBI agents. The Jester taunted Sabu to come out and meet him face-to-face. Sabu replied that of course he would not. The Jester was suspected to be in collusion with, or at least sanctioned by, the U.S. government. Sabu protested that if he were to expose his own identity, even privately, to The Jester, he would be immediately pounced upon by the authorities.

Sabu did not come out to meet The Jester, and a few months later we found out why. Sabu had already been nabbed and turned by the FBI. There are multiple stories about how the capture of Sabu went down. The simplest one goes like this: Of course, Sabu used anonymization networks to hide his identity and make source tracing impossible. Network anonymization would have been a basic precaution for the most-wanted cybercriminal at the time.

According to one story, Sabu forgot to activate his Tor link a single time, and logged into a server using his real IP address. The authorities traced his real IP address, and Sabu was quickly and quietly detained.

Sabu’s real name, as it turns out, was Hector Xavier Monsegur, from the Puerto Rican island of Vieques. Monsegur had been implicated in, or bragged about, dozens of illegal, high-profile hacks, not to mention multiple DDoS attacks. Facing a sentence of 25 to 100 years in prison, he struck a deal in which he agreed to turn over his friends from LulzSec to the authorities.

As part of Monsegur’s plea deal, the authorities were given access to his Twitter account and used it to collect information about Anonymous and LulzSec sympathizers. The judge in Monsegur’s case praised him for his “extraordinary cooperation” with the FBI. Armed with their informant’s information, the authorities apprehended the members of LulzSec. Many are now serving long jail sentences and owe hundreds of thousands of dollars in restitution to the organizations they once brazenly penetrated. Many in Anonymous felt betrayed by Monsegur’s cooperation with the authorities and publicly called him out. He has had little comment about it since.

Monsegur himself was freed on May 27, 2014 after time served. He now lives in New York City, where he, on occasion, gives interviews. He no longer Tweets as Sabu, but instead as Hector X. Monsegur.

With LulzSec members behind bars, and Monsegur neutralized, The Jester went back to attacking Jihadist websites and gathering intel on ISIS. He blogs vociferously against the Trump Administration and maintains a store of “JesterGear” when he’s not running his own Minecraft server.

The Jester remains undoxxed to this day.

Source: http://www.darkreading.com/partner-perspectives/f5/profile-of-a-hacker-the-real-sabu-/a/d-id/1329359


FCC has no documentation of DDoS attack that hit net neutrality comments

Records request denied because FCC made no “written documentation” of attack.

The US Federal Communications Commission says it has no written analysis of DDoS attacks that hit the commission’s net neutrality comment system in May.

In its response to a Freedom of Information Act (FoIA) request filed by Gizmodo, the FCC said its analysis of DDoS attacks “stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation.” Gizmodo had asked for a copy of any records related to the FCC analysis that concluded DDoS attacks had taken place. Because there was no “written documentation,” the FCC provided no documents in response to this portion of the Gizmodo FoIA request.

The FCC also declined to release 209 pages of records, citing several exemptions to the FoIA law. For example, publication of documents related to “staffing decisions made by Commission supervisors, draft talking points, staff summaries of congressional letters, and policy suggestions from staff” could “harm the Commission’s deliberative processes,” the FCC said. “Release of this information would chill deliberations within the Commission and impede the candid exchange of ideas.”

The FCC also declined to release internal “discussion of the Commission’s IT infrastructure and countermeasures,” because “It is reasonably foreseeable that this information, if released, would allow adversaries to circumvent the FCC’s protection measures.”

The FCC did release 16 pages of records, “though none of them shed any light on the events that led to the FCC’s website crashing on May 8,” Gizmodo wrote yesterday. “The few e-mails by FCC staff that were actually released to Gizmodo are entirely redacted.”

The Gizmodo article comes in the same week that the FCC refused to release the text of more than 40,000 net neutrality complaints that it has received from Internet users since June 2015. Pai has claimed that net neutrality rules were a response to “hypothetical harms and hysterical prophecies of doom,” but most complaints to the FCC about potential net neutrality violations by ISPs are being kept secret. (The FCC did release 1,000 of the complaints to the National Hispanic Media Coalition, which had filed a FoIA request.)

Pai has claimed that his proposed repeal of net neutrality rules is using a “far more transparent” process than the one used to implement net neutrality rules in 2015.

UPDATE: The FCC released a statement this afternoon claiming that it is “categorically false” to suggest that “the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system.” The FCC statement said there is publicly available written analysis in the form of a letter to Congress (which we quoted and linked to in the next section of this article). The FCC statement also said it has “voluminous documentation of this attack in the form of logs collected by our commercial cloud partners,” which has not been released publicly.

But again, the FCC refused to provide its internal analysis of the attack, which is what Gizmodo requested. The FCC’s new statement says that “Gizmodo requested records related to the FCC analysis cited in [CIO] David Bray’s May 8 public statement about this attack. Given that the Commission’s IT professionals were in the midst of addressing the attack on May 8, that analysis was not reduced to writing. However, subsequent analysis, once the incident had concluded, was put in writing.”

We asked the FCC to provide this “subsequent analysis,” and haven’t heard back yet.

The FCC’s position seems to be that it wasn’t asked to provide any analysis that was written down after May 8. But Gizmodo requested “A copy of any records related to the FCC ‘analysis’ (cited in Dr. Bray’s statement) that concluded a DDoS attack had taken place.” The FCC’s analysis after May 8 did not change—the commission continues to say it was hit by DDoS attacks. Yet the FCC refused to provide records related to its analysis that it was hit by DDoS attacks.

“We asked for all records ‘related to’ this analysis (emails, etc.), not just the analysis itself, which they claim does not exist,” Gizmodo reporter Dell Cameron wrote on Twitter.

Ars’ FoIA request denied

Separately, Ars filed a FoIA request on May 9 for e-mails and other communications and records related to the attack on the net neutrality comment system and related downtime. The FCC denied our request on June 21, saying that “due to an ongoing investigation we are not able to release records associated with this incident.”

Ars appealed that decision to the FCC on June 30 in light of Chairman Ajit Pai’s statement to US senators that the FBI is not investigating the comment system attack.

“In speaking with the FBI, the conclusion was reached that, given the facts currently known, the attack did not appear to rise to the level of a major incident that would trigger further FBI involvement,” Pai wrote to Senate Democrats who asked for more details about the attacks and the FCC’s response to the attacks.

The FCC has not responded to our FoIA appeal or to a followup e-mail we sent on Tuesday this week.

UPDATE: The FCC responded to our FoIA appeal two hours after this story published, saying it won’t release the e-mails and other records because of an internal investigation.

“An internal investigation into the matter is under consideration,” the FCC told us. “Agency staff have concluded that release of the records you requested could be reasonably expected to impede and interfere with this investigation.”

Comment system failure and DDoS analysis

The FCC’s website failure temporarily prevented the public from commenting on Pai’s controversial proposal to dismantle net neutrality rules. The downtime coincided with a heavy influx of comments triggered by comedian John Oliver’s HBO segment criticizing Pai’s plan, but the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks.”

We published an analysis of the FCC’s statements in May, concluding that the incident was caused either by “an unusual type of DDoS or poorly written spam bots.” Cloudflare, which operates a global network that protects websites from DDoS attacks, supported the FCC’s statements. The FCC’s descriptions are consistent with “a ‘Layer 7’ or Application Layer attack,” Cloudflare Information Security Chief Marc Rogers told Ars.

“In this type of [DDoS] attack, instead of trying to saturate the site’s network by flooding it with junk traffic, the attacker instead tries to bring a site down by attacking an application running on it,” Rogers said.

The FCC also refused to release server logs related to the attack because they might contain private information such as IP addresses. Security experts who spoke to Ars supported this decision.

There are now more than 10 million comments on Pai’s plan to overturn net neutrality rules, though many contain the same text because they come from spam bots or from campaigns urging people to submit pre-written comments. Pai has said that the number of comments opposing or supporting his plan “is not as important as the substantive comments that are in the record.”

Source: https://arstechnica.com/information-technology/2017/07/fcc-has-no-documentation-of-ddos-attack-that-hit-net-neutrality-comments/


Attacking Democracy: Should DDoS Be Considered a Legitimate Form of Protest?

It used to be that news about DDoS attacks was largely limited to tech websites and other specialized information sources, where the focus was on attack vectors, attack sizes, how exactly the perpetrators pulled it off and how websites could protect themselves going forward. These still have their place, especially with the ever-increasing size, complexity and frequency of attacks, but over the last few years DDoS has gone mainstream and gotten political.

With DDoS attacks appearing in headlines regarding the U.S. election, Brexit and the push for democracy in Hong Kong, the question has to be asked: should these attacks be considered a legitimate form of protest?

Denying services

DDoS stands for distributed denial of service, a form of cyberattack that takes aim at websites or online services with the intent of taking them offline or slowing them down so much that they can’t be used. This is accomplished through the use of a botnet – a network of devices that have been infected with malware, allowing attackers to control them remotely and direct the botnet’s considerable traffic at the target, overwhelming the server or network infrastructure.

DDoS attacks have been in the mainstream news for the last couple of years. This is because of how pervasive they’ve become, with nearly every website on the Internet now a potential target thanks to DDoS for hire services and DDoS ransom notes, and also because of the high-profile sites that have fallen victim to attacks, including Netflix, PayPal, Twitter and Reddit. Now DDoS attacks stand accused of involvement in some of the biggest political events in recent history.

Recent political incidents

Distributed denial of service attacks hit the political headlines in 2014 when the people of Hong Kong were in the midst of a major push for democracy, asking for genuine universal suffrage instead of the newly-reformed system that allows citizens to vote for candidates selected by an exclusive nominating committee – a system that seemed overly restrictive as well as too similar to the previous system in which the Chinese Communist Party selected the candidates.

When the democratic movement’s official website launched, it logged 680,000 votes in an unofficial poll on candidates in the site’s first weekend despite the fact that it was being battered by DDoS attacks weighing in at over 300 Gbps. Though a perpetrator was not definitively named, it was widely speculated the Chinese government was behind the attacks.

In a recent report, the Chinese government has come up alongside the Russian government in rumors surrounding the Brexit vote. In the hours before the deadline to register to vote in the Brexit referendum, the registration site crashed, reportedly due to a DDoS attack. The outage left tens of thousands of voters unable to register to vote, and the referendum ended with 51.9 percent voting to leave the European Union.

Though the Russian government has been suspected of meddling via hacking in both the U.S. and French elections, reportedly in favor of Donald Trump and Marine Le Pen, it’s unknown if the Kremlin was involved in DDoS attack attempts on either Hillary Clinton or Donald Trump’s website; it seems more likely these Mirai botnet-powered attempts were instead the work of hackers from underground forums.

The argument for recognizing DDoS as legitimate (and legal) protest

The history of distributed denial of service attacks goes all the way back to 1995, when an Italian collective brought down the French government’s website in protest of France’s nuclear policy. Soon after, a group by the name of the Electronic Disturbance Theater built a tool that enabled anyone to join their virtual sit-ins that targeted the White House website as well as the websites of politicians.

Current hacktivist group Anonymous has taken the idea of the virtual sit-in and turned it into a voluntary botnet that allows anyone to donate the use of their device for attacks against targets like the Brazilian government in protest of the FIFA World Cup.

These actions would seem to fit the criteria of legal protest, allowing citizens to peacefully albeit virtually demonstrate and rendering a website unavailable in much the same way a sit-in would render an office or institution unavailable. However, in the United States this kind of online activism can be considered a felony.

The argument against

Not only are DDoS attacks illegal, regardless of whether or not the attack is intended as a form of protest, but legitimizing or legalizing these attacks may cause more problems than it solves. For instance, while an opt-in botnet does seem to be a form of voluntary political activism, almost all botnets are populated by devices that have decidedly not opted in, which means politically-motivated DDoS attacks would be largely perpetrated using the property of people who have not consented. Like signing someone else’s name to a petition, this cannot be permitted.

Furthermore, any legislation attempting to legalize DDoS protests would have to find a way to differentiate between attacks coming from voluntary botnets and attacks coming from nation states. A murky area, at best.

With so many other forms of protest available to motivated citizens, it’s hard to imagine legalizing or legitimizing any form of DDoS attack. It’s just too easy for these attacks to be used for altogether nefarious and malicious purposes by groups that decidedly do not represent the will or wishes of the people.

Source: http://www.techzone360.com/topics/techzone/articles/2017/07/19/433542-attacking-democracy-should-ddos-be-considered-legitimate-form.htm


Organizations Must Adapt to Evolving DDoS Attacks

Distributed Denial-of-Service (DDoS) attacks are becoming larger, more frequent, and more complex than ever before. According to Arbor Networks’ 12th Annual Worldwide Infrastructure Security Report (WISR), attack size has grown 7,900% since its initial report – a compound annual growth rate (CAGR) of 44%.

The most recent attacks are significantly larger than anything previously seen, and can now disrupt even the largest internet service providers. This data shows that DDoS attacks have become more than just a nuisance: they are rapidly increasing in size and now threaten to disrupt core Internet infrastructure.

Within the broader spectrum of risks for corporate security and IT decision makers, DDoS attacks present a nettlesome and growing challenge for several reasons. First, while the underlying technology behind DDoS attacks hasn’t changed much, the number of internet-connected devices in the world that can be compromised has dramatically increased.

In addition, the level to which DDoS attacks have become automated and commoditized has also increased. The Mirai-enabled attacks showed off the former; they used an army of internet-connected IoT devices to generate unprecedented levels of traffic.

In the past, a connection to the internet required significant hardware and expense. These days, even light bulbs can be connected to a network, which provides a lot more sources for traffic.

Second, the amount of skill required to successfully run a DDoS attack has been lowered over the last twenty years. While large attacks such as Mirai take some amount of coordination and planning, in many cases a connection to the right forum and a small amount of money ($50-100) can buy you a short attack that can take down unprotected web services.

Why DDoS attacks are hard to prevent

The best way to think about the DDoS problem is to imagine a river system, like the Mississippi or Columbia. At the end of those systems, where they meet the ocean, it’s very obvious that there’s a lot of water moving through those rivers: but at the source of all that water — at the little tiny creeks and streams and rivulets where the water first gathers — those sources don’t necessarily look like that much.

Volumetric-style DDoS attacks, whereby attackers simply flood a target with more data than their connection can handle, use a similar effect: each network only cares about sending IP packets to the “next hop”, without a holistic view or awareness of what the total, internet-wide traffic picture looks like.

So, at the source of a DDoS attack, it can be difficult to differentiate between someone uploading a file and someone perpetrating an attack. What actually matters is whether that one traffic flow joins together with a bunch of other traffic to form a giant river, or if the traffic flow is bounced off a server in such a way that it magnifies the size of the traffic many-fold. In either case, by the time you notice that you’ve got a really huge river of traffic coming at you, it may already be too late.

Emerging approaches to combat DDoS attacks

A promising approach to DDoS can be found with the DDoS Defense for a Community of Peers (3DCoP) project, which uses peer-to-peer collaboration so that like-minded organizations (such as a group of universities, government agencies, banks, or ISPs) act together to rapidly and effectively detect and mitigate DDoS attacks.

With a peer-to-peer collaborative approach, the target of a DDoS attack can send out distress calls to the origin of any traffic it sees. The receivers of these distress calls can then take a look at the traffic they’re seeing, and either pass that message on appropriately or take local action.

Universities, for example, might learn that what looks like normal traffic coming out from one of their student labs looks like a big attack to a target, and use this information to shut off or rate-limit that lab.
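The distress-call exchange described above, as a small Python model added here (it is not the 3DCoP project's code); the peer names, uplink sizes and flow rates are constructed sample values chosen so that each origin's traffic looks modest locally while the aggregate overwhelms the target's link:

```python
# Toy model of the peer-to-peer "distress call" collaboration described above
# (3DCoP-style). Added example, not the project's code; every network name,
# link size and flow rate below is a constructed sample value.
from dataclasses import dataclass, field


@dataclass
class Flow:
    src_host: str   # host inside the originating network
    dst: str        # destination network
    mbps: int       # observed sending rate


@dataclass
class Peer:
    """An origin network (university, ISP, ...) able to act on its own hosts."""
    name: str
    uplink_mbps: int
    flows: list
    rate_limits: dict = field(default_factory=dict)  # host -> cap in Mbps

    def outbound_to(self, dst):
        return sum(f.mbps for f in self.flows if f.dst == dst)

    def looks_normal_locally(self, dst, share=0.2):
        # At the source the flow is a small share of the uplink: the "creek".
        return self.outbound_to(dst) < share * self.uplink_mbps

    def handle_distress(self, dst, cap_mbps):
        """Local action: cap each host sending to dst above cap; return hosts limited."""
        limited = []
        for f in self.flows:
            if f.dst == dst and f.mbps > cap_mbps:
                self.rate_limits[f.src_host] = cap_mbps
                f.mbps = cap_mbps
                limited.append(f.src_host)
        return limited


@dataclass
class Target:
    """The victim, which sees only the aggregated "river" at its link."""
    name: str
    link_mbps: int

    def inbound(self, peers):
        return sum(p.outbound_to(self.name) for p in peers)

    def send_distress(self, peers, headroom=0.8):
        """If inbound exceeds the link, ask contributing peers to cap per-host flows."""
        if self.inbound(peers) <= self.link_mbps:
            return {}
        contributing = [p for p in peers if p.outbound_to(self.name) > 0]
        n_flows = sum(1 for p in contributing for f in p.flows if f.dst == self.name)
        cap = int(self.link_mbps * headroom) // n_flows
        return {p.name: p.handle_distress(self.name, cap) for p in contributing}


def build_scenario():
    """Constructed sample: a student lab at uni-a plus hosts at two other peers."""
    peers = [
        Peer("uni-a", 10_000, [Flow(f"lab-{i}", "target", 300) for i in range(4)]),
        Peer("uni-b", 10_000, [Flow(f"host-{i}", "target", 200) for i in range(3)]),
        Peer("isp-c", 100_000, [Flow("cust-1", "target", 50), Flow("cust-2", "other", 900)]),
    ]
    return Target("target", 1_000), peers


def run():
    target, peers = build_scenario()
    before = target.inbound(peers)
    actions = target.send_distress(peers)
    return before, target.inbound(peers), actions
```

A peer whose flows are already under the requested cap (isp-c here) takes no local action, which is the point at which a real deployment would forward the call further upstream.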

Other approaches involve technologies like BGP FlowSpec, an improvement over conventional IP blacklisting. FlowSpec allows a victim of a DDoS to ask its upstream service providers and intermediate networks to block specific kinds of traffic, with a good level of granularity.

Organizations can also relocate services into the cloud, as some cloud operators deploy sensors that can detect and mitigate attacks earlier. Unfortunately, today’s largest attacks are too large for cloud operators to handle, and the attacks may impact geographic regions or critical internet infrastructure.

In the end, there are a variety of methods to filter and redirect traffic, especially for those systems housed in the cloud. However, for the biggest attacks, and for institutions that cannot create replicated versions of their systems in the cloud, techniques such as 3DCoP are key in mitigating DDoS risk.

Specifically, we believe that it is only through rapid, real-time collaboration that DDoS attacks can be correctly identified, sourced, and addressed; without such collaboration, institutions must rely on phone calls and manual router updates, while a river crashes down around them.

Source: https://www.infosecurity-magazine.com/opinions/organizations-adapt-evolving-ddos/
