Category - DDoS Attacks

NBC, Google preparing for hackers for Olympic games 2012 in London
TechWeekEurope investigates the Distributed Denial of Service ‘DDoS’ market
Alleged Lulzsec member, Ryan Cleary, indicted in U.S.
More Sophisticated DDoS Attack a New Threat to Apache Servers
GM Food Research Site Hit by Cyber Attack
‘SOCA’s weak response to a recent DDoS attack sends the wrong message’
Anonymous Leaks 1.7 GB Justice Department Database
Hosters: Is Your Platform Being Used to Launch DDoS Attacks?
ESET Lists the Dominant E-Threats of 2010
Securing the cloud

NBC, Google preparing for hackers for Olympic games 2012 in London

NBC and Google are conducting “war games” in at least three countries, to prepare for the possibility of hacker attacks or hardware malfunction disrupting the online streaming of the Summer Olympic Games in London, which start this month.

For the past nine months the network’s online team, together with Google, which is managing the streaming of the games, have simulated hundreds of disruptive scenarios, some lasting eight hours. They have simulated a range of problems from broken broadcast encoders to traffic overloads and hacker assaults on the systems, NBC staff told CIO Journal.

“We have it very well-scripted, so we know that when a problem occurs who is on point and what steps we need to take,” said Eric Black, vice president of technology for NBC Sports and Olympics. “At some point during the games there’s likely to be an outage, but the goal is for us to be on top of that and have no end-user impact.”

The roll-out, if successful, will represent the largest-ever online offering of a sporting event. NBC called the Beijing Olympics, which offered 2,200 hours of streaming events, a “billion dollar lab,” which helped the company to innovate its sports coverage.

For example, some feared that an online broadcast would cannibalize TV viewership, said Rick Cordella, senior vice president for digital media at NBC Sports and Olympics. But NBC found that streaming online content actually created “pre-air buzz” and encouraged more people to watch a taped broadcast on television. The improvements made in the Beijing Olympics allowed NBC to stream a Super Bowl for the first time last February, reaching 2.1 million viewers.

The simulations aim to head off disruptions as NBC, partnering with Google’s YouTube, plans to offer live, online coverage of 3,500 hours of events scheduled for the end of the month, with the goal of making the summer games the most watched online event in history. “If there is a camera on it we’ll stream it,” Cordella said.

NBC is hoping to beat its online viewership for the Beijing Olympics, which drew around 52 million unique visitors to its site. Those viewers watched 75.5 million video streams.

NBC staff declined to talk about specific security preparations, but NBC spokesman Chris McCloskey confirmed that the war games did include preparing for the possibility of hacker attacks.

The 17-day games will be captured in London and then sent to NBC’s New York and Stamford, Conn., offices, where advertising will be inserted. The footage will then go to Google’s offices in San Bruno, Calif., where it will be prepped for online and streamed across the search giant’s networks to several NBC sites. Cable or satellite subscribers will be able to go online to watch the entirety of the games live or in replay.

But streaming so much content, more than any other sporting event in history, presents complex risks during the high-profile games. NBC will be monitoring for unexpected traffic spikes or hardware failure. And even if a local disruption occurs as the result of an event unrelated to NBC or Google, the network knows it could still be blamed.

“One of the inherent things with streaming is there are things outside of our control,” said Cordella. “Journalists and writers and guys that tweet will blame NBC but it’s hard to diagnose for sure where the issue is coming from.”

Analysts say it’s likely that hackers will attempt to disrupt the video streams, and NBC and Google are taking steps to harden their defenses, according to the network. The U.S. Department of Homeland Security released a bulletin in May warning companies that hackers, motivated by “ideological or financial objectives,” may attempt to disrupt coverage of the games.

Companies and individuals in China were subjected to 12 million hacker attacks a day during the 2008 Olympics, the report said.

As Black spoke to CIO Journal, last week, he said NBC, Google and other teams were conducting a “war game” that spanned Zurich, Switzerland; Turin, Italy; Stamford, Conn., and San Bruno, Calif. The simulation was designed to help the teams adapt if a broadcast encoder, the hardware that transfers video into a digital format for on-air broadcast, went down.

In that war game, NBC’s New York office took the lead in re-routing the television feed through a back-up encoder.

Google teams in San Bruno and Zurich and NBC teams in Stamford monitored the feeds to make sure that as the encoder was changed in the midst of the war game, the hardware swap did not disrupt footage elsewhere as the video moved through the system, according to NBC. A Google spokesman declined to comment.

NBC’s teams are also preparing for the remote possibility that a systems failure or bandwidth overload will overwhelm Google’s ability to deliver content. NBC has contracted with other vendors to serve as alternates in that unlikely event, Black said. He declined to name those back-up vendors.

NBC and Google are also likely preparing to defend themselves against distributed denial of service attacks, in which hackers attempt to overload sites with high volumes of traffic, said John Kindervag, a security analyst with Forrester. DHS, in last month’s report, singled out this method as a potential disruptor of this year’s games.

The simulations would allow NBC and Google staff to see the effects such an attack would have on the network, and to calculate how quickly they could rebound, Kindervag said.

“The tests show you weak points you didn’t anticipate,” Kindervag said. “You make the assumption there is going to be a failure and you learn how to react.”


TechWeekEurope investigates the Distributed Denial of Service ‘DDoS’ market

“I’ve put lots of sites offline,” the dealer says. “Shops, schools and another site, but I can’t tell you about that one here.”

Those pushing services on the Internet’s black market are unsurprisingly secretive about their targets when talking directly. Even with Skype’s encryption and peer-to-peer protections, this Distributed Denial of Service (DDoS) dealer wouldn’t reveal too much, for fear of being ensnared by law enforcement.

Sites across the web are being smashed offline by such DDoS dealers every day. Criminal organisations, disgruntled individuals, governments and private organisations pay them to knock enemies offline. And they know they can earn a lot by doing a little.

It isn’t difficult to find them either. Just head onto one of the many hacker forums and you’ll come across shiny DDoS advertisements, with tawdry, 90s-era banners displaying prices and contact details.

On the darker parts of the web, things are a little less glamorous, but the menus are largely the same.

More aggressive marketing

One seller going by the name of Gwapo is particularly open about the business he/she is running. Gwapo has a website called DDoS Service, which is remarkably simple, containing just two landing pages. But it also features a video advertisement of a young American man talking about what Gwapo can do.

The man claims Gwapo has four years of DDoS experience, in both attack and defence. It is a remarkably brazen piece of marketing. Perhaps even more remarkable is the fact that YouTube allows such videos to be published. Since being thrown on the site in mid-June, it has already acquired over 32,000 views. This is not the first promo vid Gwapo has put out either. The one below takes a more salacious tack.

DDoSers are unafraid of outlandish promotion. They know there is money to be earned here, and they know there is plenty of competition.
Dealing with the dealers

Whilst finding them is simple, getting dealers to open up is trickier. Gwapo was particularly reticent when speaking over Skype. But Tor Chat provided enough peace of mind for dealers to reveal more about themselves to TechWeekEurope, which has been contacting those pushing their wares on the DDoS market over the last month. To be clear, we did not ask the sellers to take down websites. DDoS is against the law and TechWeekEurope does not support it in any way.

Ned, not his real name, told us he was a 17-year-old computer science student. He claims friends introduced him to the illicit cyber services game. “Now I got some Russian friends,” he quips. His biggest ever hit lasted for two days, for which he was paid just over $250. In that case, he was asked to kill the attack early. The buyer got tetchy about how successful the hit was.

To carry out that brutal hit, Ned relied on a botnet of around 2000 bots, he says. Without prompting, Ned initiates a demo. His target? One of the most popular hacking forums on the Web. We go to the site as soon as he says it is down. He knocks it offline for around 30 seconds before killing the DDoS. Any site is fair game, it seems.

As for pricing, he was offering a small site without protection at just $4 an hour. For a larger website, the cost can be as much as $100 an hour. Initially, Ned comes across as ambivalent to the dangers of selling DDoS services. Is he not worried about getting chucked out of school and thrown in jail? “Nah,” he coolly responds. But when we push him, asking if he would be happy to take down a major banking site, Ned backs down. “I don’t want to get in trouble,” he says.

Another dealer, who claims to focus his botnet’s energy specifically on sites using Cisco, Juniper and Cloudflare gear to mitigate attacks, says he has done single deals for over $1,000. Like Ned, he says some buyers will pay as much as $100 for each hour a big-league website is downed.

Yet, as with many other dealers, BProof said he will happily accept between $5 and $10 to take easy targets offline for an hour. The bots he was herding could apparently do plenty of damage with just a little effort. “I can take down CloudFlare lines with 30 bots, that’s nothing for me,” was one claim (CloudFlare is a content delivery network). He offers us a 10-minute test. We decline. It was already clear how easy it was for these denizens of the dark web to kill websites.

It’s also clear that acquiring services can be very cheap indeed. Even the most impecunious of businesses could knock a competitor down. For many companies, having a website taken offline for a while causes nothing more than a little embarrassment. But for others, it can cause substantial financial damage.
Who’s buying?

All kinds of organisations are getting pummelled by DDoS attacks in today’s world. And all kinds of organisations are paying for them too.

Some even get creative with their DDoS strikes. André Stewart, president international at Corero Network Security, said he knew of a telecoms company that saw its services downed by a competitor after launching a free VoIP service. The envious rival set up an online game, which, when played, sent very small UDP [User Datagram Protocol] packets to attack the site from which free VoIP was being offered. It was a rare case of malicious gamification.

“That was almost undetected. We looked at it very carefully and analysed the packets and saw what was going on,” Stewart said. “There are cases of companies attacking other companies. That exists, for competitive advantage or to deny something that has been competitive.”

DDoS is well known as a protester’s weapon too. Hacktivists like Anonymous and LulzSec have proven that, with successful strikes on big-name sites, from Theresa May to the CIA. But Stewart believes everyday people are now buying DDoS services too, simply to vent their discontent at whatever organisation they’re frustrated at.

“Low-cost airlines get attacked, for instance, and government entities that manage speeding fines,” he said. “It has almost become the new way of customer dissatisfaction.”

This year has also seen a new target: non-profit groups. Avaaz campaigns against what it believes are immoral measures of nation-state regimes, including the US and China, so one can guess who would be keen to knock down its site. Removing Avaaz’s website also removes its donation page, i.e. its main source of funding.

The Pirate Bay has obvious enemies too: copyright holders. “I do think the music industry, the film industry, where there is a serious amount of money leaking, they would like to see it close down,” Stewart added. “They [music and film industry organisations] can operate in ways that are completely anonymous. If they want they can attack those types of sites [like The Pirate Bay].”

DDoS services are in high demand and for myriad reasons. Big corporations, small businesses, governments and irascible individuals all take an interest in them.
Going solo

But DDoS dealers don’t just rely on money from clients. They can go direct and extort those businesses whose very survival relies on an Internet presence. This can provide them with much more income than working the black market.

For those who go after online gambling businesses, the financial rewards can be huge, according to Stewart. “Somebody will send a note to the betting guys, saying ‘we will stop the service just before the game for an hour or two hours’. They will be able to calculate very easily how much it means to them and their business stopping for that amount of time,” he explains. “If the person is only asking for $50,000 they will pay for it. If they feel their security is not up to scratch.”

Such businesses are easy targets. Corero works with a number of gambling firms and claims to have difficulties in upgrading their kit to mitigate against DDoS strikes. “We’re not able to do any upgrades to their network or any changes until a major competition is off. And then there is always another one that starts,” Stewart adds.

Geopolitical issues also affect gambling firms’ level of security against DDoS, he says. “Because a lot of these betting companies are based in tax havens, there aren’t many authorities that are ready to say ‘we will protect you’ because they’re already seen as dodging taxes, a lot of taxes they should be paying onshore. So they’re relatively unprotected.

“They will know how protected they are. If something new comes out and they’re not up to scratch, then they will not talk about it, but they will make the payment.”

Stewart knows of businesses who have paid “£100,000 here and £100,000 there” just to pay off those threatening to kill their sites. “That’s not uncommon.” If they didn’t pay, the losses would be much greater. “Companies have been known to go down for 6 hours, and the losses are in the millions.”

Symantec recently spotted a crimeware bot known as “Zemra” being used in DDoS attacks against specific machines for extortion. It featured a command-and-control panel hosted on a remote server, as well as a tonne of functionality, including 256-bit DES encryption/decryption for communication between server and client, and propagation through USB.

Zemra comes at a cost though. It first appeared on underground forums in May 2012 at €100. Even those dealing to the DDoS dealers can make a killing.
Infiltrating the markets

What is clear from TechWeekEurope’s trips to the underground markets is that botnets are at the core of the problem. No doubt many are using tools to carry out application-level DDoS attacks, such as Slowloris and Hulk, but botnets appeared to be the weapon of choice on the market.

If such markets are to be countered in the coming years, killing off botnets would be a fine place to start. Many efforts to slay these nasty networks have seen operations sinkholed, where bots are directed to servers belonging to the good guys, rather than the bad guys’ command and control centres.

Others, like the dismantling of DNSChanger, look to completely take apart the physical hardware. This can lead to issues, however. Many fear the hundreds of thousands still connected to the infrastructure of DNSChanger will lose internet connectivity when the FBI pulls the plug on 9 July.

But prophylactic measures are not good enough. Just taking servers offline or sinkholing operations only suspends malicious activity. To kill a botnet, arrests need to be made. “If you’re going to tackle it long-term, it really is going to involve apprehending the people who are behind it,” says David Emm, senior regional researcher at Kaspersky Lab.

Taking down more botnets will require greater cooperation between private and public bodies, and across borders too, Emm believes. Whilst there have been notable successes in the past year, there remain problems. Overcoming global demarcation of cyber policing is one of the biggest. Emm says most activity continues to happen at a “more informal level”. If major players such as the US and EU nations could organise more formal frameworks, this would speed up the intelligence sharing operation, he claims.

“One of the difficulties comes with speed of response. Although there is quite a lot of activity where law enforcement agencies in different parts of the world can cooperate, unless there is a supranational agreement that they can combine activities under, it is difficult with the informal stuff to be as quick as say the spammers or DDoSers can be,” Emm adds. “There are always going to be limits given you’ve got different zones of legislation where the cyber criminals don’t.”

Behind all this additional cooperation, “just good old-fashioned policing” is needed, says Ross Anderson, professor of security engineering at the University of Cambridge’s Computer Laboratory. “Even the UK police have had occasional successes. It’s just a matter of trying. Even crooks in Russia can be arrested if the Foreign Office starts to care about it,” he adds.

One recent case proved how more surreptitious means can help bring down cyber crime operations too. When the FBI announced the arrest of 24 people in June, it hinted at a maturation of cybercrime efforts. The cops set up their own market, where unwitting crooks went to sell and buy credit card details. IPs were collected and activity tracked across other nasty websites. Then the suspects were apprehended, not just in the US, but across the globe, with six taken into custody in the UK. It was one of the most impressive cyber operations in recent times.

Infiltrating the DDoS markets, or setting up honey traps as the FBI did, looks like the most efficient way to bring them down. In turn, botnets will become inactive and other cyber crimes mitigated too. The tools are there, police just have to be given the opportunity to start using them more.

Source: techweekeurope

Alleged Lulzsec member, Ryan Cleary, indicted in U.S.

A U.S. federal grand jury has indicted Ryan Cleary, a British citizen, accusing him of orchestrating a hacking rampage last year that victimized Sony Pictures Entertainment, Fox Entertainment Group and others.

The indictment, filed on Tuesday in Los Angeles district court, alleges Cleary ran a powerful botnet used to execute distributed denial-of-service (DDOS) attacks, vandalize websites and steal sensitive data as part of the hacking group Lulz Security, or LulzSec.

LulzSec, an offshoot of Anonymous, fell under heavy scrutiny from law enforcement worldwide for its successful attacks and relentless bravado, often publicized through its Twitter account.

Cleary, 20, was arrested in June 2011 at his home in Wickford, England, for allegedly taking part in the DDOS attacks against Britain’s Serious Organised Crime Agency. He is charged in the U.K. with five computer-related offenses and is accused of distributing botnet programs to attack SOCA as well as websites of the International Federation of the Phonographic Industry and the British Phonographic Industry.

An FBI spokeswoman said the U.S. will evaluate after Cleary’s legal proceedings have finished in the U.K. whether to request his extradition.

Cleary, who has been diagnosed with a type of high-functioning autism called Asperger’s Syndrome, is in jail awaiting trial. He was arrested again in March for breaching his bail conditions by using the Internet and contacting former LulzSec leader Hector Xavier Monsegur, The Guardian reported.

Monsegur, who was known as “Sabu,” was arrested in secret by the FBI and provided information that led to another spate of LulzSec arrests, including of one American man and four in the U.K. in March. Monsegur pleaded guilty in August 2011 to various hacking charges, including attacks against HBGary Federal, the Public Broadcasting System, Sony Pictures and Fox.

Cleary is also accused of either attacking or stealing data from Fox, PBS, Sony, Riot Games and SOCA. He is charged with one count of conspiracy and two counts of unauthorized impairment of a protected computer. If convicted, he could face a maximum of 25 years in prison.

Cleary, already charged in the U.K., is accused of attacking Sony Pictures and Fox Entertainment

The indictment alleges Cleary controlled a botnet that may have been composed of hundreds of thousands of computers. Botnets are networks of hacked computers that can be remotely controlled.

He is also accused of identifying security vulnerabilities on computer networks, obtaining sensitive information and coordinating the publishing of the information taken from LulzSec’s victims. Prosecutors allege in one instance Cleary stole the personal data of people registered to receive information on auditions for Fox’s “The X-Factor” talent show.


More Sophisticated DDoS Attack a New Threat to Apache Servers

A once flawed DDoS attack targeting the world’s most widely used Web servers has improved its cryptography and attack capabilities to become a more serious threat.

MP-DDoser, also known as “IP-Killer,” uses a relatively new low-bandwidth, “asymmetrical” HTTP attack to inflict a denial-of-service attack against Apache Web servers by sending a very long HTTP header. This forces the web servers to do a great deal of server-side work for a relatively small request. Additionally, the malware now incorporates multiple layers of encryption.

Such sophistication is a far cry from the first version that appeared as a proof-of-concept Perl script in August 2011 and again months later in the Armageddon DDoS bot, according to a new report by Arbor Networks.

“These early versions had a number of serious flaws, such as a completely broken Slowloris attack implementation, and really awful crypto key management,” writes Arbor Networks research analyst Jeff Edwards. “But the latest samples (now up to ‘Version 1.6’) are much improved; the key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique (‘Apache Killer’) that may be considered reasonably cutting edge.”

Using data collected anonymously from more than 200 service providers participating in Arbor’s ATLAS sensor network, Edwards was able to analyze the newest iteration of the DDoS bot and offer instructions for decrypting its transmissions.

“The malware actually uses a pretty straightforward algorithm for encrypting and decrypting the transmissions sent between bot and C&C server. It modulates the plaintext message with a key string using the XOR operator, but it applies this XOR operation only to the least significant four bits of each message byte,” he said in the report.

The key string in earlier versions was simply hard-coded into the bot executable in plain text. It’s since improved to now be encrypted and stored in an RCDATA resource named MP, along with some other sensitive information such as the hostname and port of the C&C and the botnet ID.

“To decrypt the MP resource string, the bot uses a lookup table (‘LUT’) that maps ASCII characters to integers for the initial phase of the decryption loop. But even this lookup table is itself encrypted! Fortunately, it is encrypted using the same algorithm used for crypting the network comms, and thus the decrypt_mpddos_comms() Python function will handle it,” according to the report. “And mercifully, the key string needed to decrypt the LUT happens to be stored in plain text in the bot executable. In all the samples that we’ve encountered to date, that key string is: 00FF00FF00FF, but that could easily change in the future.”

The 50-page report goes into detail on how to break MP-DDoS’s multi-layered encryption and thwart transmissions. In general, Edwards recommends:

Decrypting the LUT using decrypt_mpddos_comms()
Then using the LUT to decrypt the MP resource via decrypt_mpddos_rsrc()
And then pulling the comms key from the plain text resource and providing it to decrypt_mpddos_comms() to decrypt the actual network traffic
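The comms cipher the report describes (XOR of a key string into only the least significant four bits of each byte) is simple enough to model, and doing so shows why the layers peel off so readily. The Python below is an added example, not Arbor Networks’ code and not anything taken from the bot: it assumes the key string is cycled over the message and that each key byte contributes its own low four bits (the report does not say which key bits are used), and the sample message is constructed. It demonstrates three analyst-relevant properties: the operation is its own inverse (which is why one decryptor serves both the traffic and the LUT), the upper nibble of every byte passes through unchanged, and a single known plaintext spanning one key period is enough to recover the key’s low nibbles.

```python
"""Added example (not Arbor Networks' code and not the malware's): a model of the
low-nibble XOR scheme the report describes for bot/C&C traffic, written to show
why the scheme is weak and how an analyst unwraps one layer with a known key.
Assumption: the key string is cycled over the message and each key byte
contributes its own low four bits."""
from itertools import cycle
from typing import List


def xor_low_nibble(data: bytes, key: str) -> bytes:
    """XOR only the least significant 4 bits of each byte with the cycled key.

    The upper 4 bits are copied through untouched, as the report describes;
    which 4 bits of the key byte are used is our assumption.
    """
    if not key:
        raise ValueError("key string must not be empty")
    out = bytearray()
    for b, k in zip(data, cycle(key.encode("ascii"))):
        out.append((b & 0xF0) | ((b ^ k) & 0x0F))
    return bytes(out)


# XOR is its own inverse, so one routine serves both directions; the report
# notes that its comms decryptor also handles the LUT for the same reason.
encrypt = decrypt = xor_low_nibble


def high_nibbles_match(plain: bytes, cipher: bytes) -> bool:
    """Analysis aid: with this scheme the upper nibble of every byte leaks.

    Each ciphertext byte stays in the same 16-byte row of the ASCII table as
    its plaintext byte, so ASCII commands still look roughly like text when
    triaging captured traffic.
    """
    return len(plain) == len(cipher) and all(
        (p & 0xF0) == (c & 0xF0) for p, c in zip(plain, cipher)
    )


def recover_low_nibble_key(known_plain: bytes, cipher: bytes, key_len: int) -> List[int]:
    """Known-plaintext recovery of the 4 key bits at each key position.

    One plaintext/ciphertext pair covering at least a full key period is
    enough; positions that share a key index must agree, otherwise the
    assumed key length is wrong.
    """
    if len(known_plain) != len(cipher) or len(cipher) < key_len:
        raise ValueError("need a full key period of matching plaintext")
    nibbles = []
    for i in range(key_len):
        candidates = {
            (known_plain[j] ^ cipher[j]) & 0x0F
            for j in range(i, len(cipher), key_len)
        }
        if len(candidates) != 1:
            raise ValueError(f"inconsistent key bits at key offset {i}")
        nibbles.append(candidates.pop())
    return nibbles


if __name__ == "__main__":
    LUT_KEY = "00FF00FF00FF"  # the plaintext key string quoted in the report
    # Constructed sample message; not captured C&C traffic.
    message = b"PING botid=1234 ready"
    blob = encrypt(message, LUT_KEY)
    print("ciphertext:", blob.hex())
    print("round trip ok:", decrypt(blob, LUT_KEY) == message)
    print("upper nibbles preserved:", high_nibbles_match(message, blob))
    print("recovered key nibbles:", recover_low_nibble_key(message, blob, len(LUT_KEY)))
```

Run the file directly to see the constructed message encrypted, decrypted and its key nibbles recovered. Because half of every byte survives untouched, this scheme is closer to obfuscation than encryption, which is the practical reason the report can work from the hard-coded LUT key outwards to the real comms key.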

“All in all, MP-DDoser uses some of the better key management we have seen,” Edwards wrote in a blog post on his research.

“But of course, at the end of the day, every bot has to contain, or be able to generate, its own key string in order to communicate with its C&C, so no matter how many layers of encryption our adversary piles on, they can always be peeled off one by one.”


GM Food Research Site Hit by Cyber Attack

Rothamsted Research says its Web site appears to have been taken down by a DDoS attack.

The Web site for the UK agricultural institute Rothamsted Research was taken down by a cyber attack on Sunday night.

“The Twitter handle @AnonCrash1 was the first to mention the attack, at 5:18pm on Sunday, tweeting ‘Tango Down,'” Information Age reports. “Five hours later, @AnonOpsLegion tweeted: ‘TANGO DOWN these guys are like the MONSANTO of the UK'”

“The cyber-strike came after hundreds of protestors went to the agricultural research station in Hertfordshire to try to attack the facility’s trial of genetically modified wheat,” writes The Register’s Brid-Aine Parnell. “A large force of mounted police and foot patrols stopped the activists from ripping up the crop, one of the stated aims posted on the protest’s website.”

In a press release, Rothamsted Research stated, “We believe this was a distributed denial-of-service (DDoS) attack but it is unclear who was responsible. The timing of the attack and the information we have seen on Twitter would suggest this attack relates to an experiment being conducted at Rothamsted Research to test wheat which has been genetically modified to repel greenfly and blackfly pests as a sustainable alternative to spraying pesticides.”

“Rothamsted’s wheat contains genes that have been synthesised in the laboratory; a gene will produce a pheromone called E-beta-farnesene that is normally emitted by aphids when they are threatened by something,” BBC News reports. “When aphids smell it, they fly away. Prof John Pickett, a principal investigator at Rothamsted Research, told BBC News there was ‘a very, very remote chance that anything should get out.'”


‘SOCA’s weak response to a recent DDoS attack sends the wrong message’

André Stewart, president international at Corero Network Security, argues that the Serious Organised Crime Agency should have taken a recent DDoS attack more seriously.

The response by the Serious Organised Crime Agency (SOCA) to the distributed denial of service (DDoS) attack directed at its public website is somewhat disappointing for the nation’s leading anti-crime organisation. The agency’s statement that it does not consider investing in DDoS defence protection “a good use of taxpayers’ money” fails to take into account potentially serious security consequences. Further, it sends the wrong message to cyber criminals at a time when businesses and organisations in the United Kingdom and around the world operate under continuous threat of attack.

The attack against the SOCA website used a network-layer DDoS attack which is a very publicly visible form of cyber crime. The attackers’ intent is to slow or bring down a website for the entire world to see. The victim organisation has to own up to what has happened and, in the case of government entities, explain why it will not or cannot respond effectively.

However, hacktivist groups and criminals frequently use DDoS attacks as a smokescreen to hide more surreptitious intrusions aimed at stealing data. For example, the theft of 77 million customer records from the Sony PlayStation Network was preceded by a severe DDoS attack. In discussing its 2012 Data Breach Investigations Report, Verizon’s Bryan Sartin said that diversionary DDoS attacks are common practice to mask data theft, including many of the breaches by hacktivists which totalled some 100 million stolen records.

This raises the question about SOCA’s approach to securing its networks and the protection of critical information from more sinister, stealth cyber attacks. Criminals want to create diversions and remain unnoticed while they infiltrate deeper into a network and steal data. Most data breaches go undetected for weeks, months, even years in some cases. Can we be confident, based on SOCA’s response to its public website being hit for the second time in less than a year, that it is addressing more critical security risks? The response to the latest incident could undermine confidence in the quality of the agency’s security program. How deep does its estimable high regard for taxpayer money go?

Just last June, the LulzSec group claimed credit for taking SOCA offline with a DDoS attack. One has to wonder if SOCA is truly dismissive of these attacks or simply has been slow to address the issue. Whilst the agency is dismissive of the latest DDoS attack its inability to protect itself nearly a year after the first public attack plants a seed of doubt about the calibre of its security program.

Perhaps most concerning is that SOCA is conceding the initiative to criminals who are attacking the agency directly. Would the police stand by, for example, while some hooligan scrawled graffiti on a local station with the explanation that they had more important things on which to spend time and money? Would the public tolerate that response?

Whilst putting its foot down on spending public funds is commendable, failing to respond to a direct criminal attack on law enforcement’s public face seems an odd place for SOCA to draw a line in the sand.


Anonymous Leaks 1.7 GB Justice Department Database

Attackers were assisted by Anonymous affiliate AntiS3curityOPS, which launched its own anti-NATO attack against the Chicago Police Department website.

By Mathew J. Schwartz

In what was billed as “Monday Mail Mayhem,” the hacktivist group Anonymous released a 1.7-GB archive that it’s characterizing as “data that used to belong to the United States Bureau of Justice, until now.”

“Within the booty you may find lots of shiny things such as internal emails, and the entire database dump,” according to a statement released by the group. “We Lulzed as they took the website down after being owned, clearly showing they were scared of what inevitably happened.”

That statement was included with a BitTorrent file (named 1.7GB_leaked_from_the_Bureau_of_Justice) uploaded Monday to the Pirate Bay by “AnonymousLeaks,” although multiple downloaders Tuesday complained that the Torrent download was stuck at the 94%-completion point.

Why “dox” (release purloined data from) the Bureau of Justice Statistics? “We are releasing data to spread information, to allow the people to be heard, and to know the corruption in their government,” according to the Anonymous statement. “We are releasing it to end the corruption that exists, and truly make those who are being oppressed free.”

The Bureau of Justice Statistics compiles statistics related to hacking crimes. Except for that fact, the agency would make for an odd attack choice, since it’s devoted to number-crunching “information on crime, criminal offenders, victims of crime, and the operation of justice systems at all levels of government,” according to its website.

The Department of Justice said that it’s investigating the alleged attack. “The department is looking into the unauthorized access of a website server operated by the Bureau of Justice Statistics that contained data from their public website,” said a Department of Justice spokesman via email. “The Bureau of Justice Statistics website has remained operational throughout this time. The department’s main website was not affected.”

“The department is continuing protection and defensive measures to safeguard information and will refer any activity that is determined to be criminal in nature to law enforcement for investigation,” he said.

In other hacktivism news, Anonymous affiliate AntiS3curityOPS said that it had launched a distributed denial-of-service (DDoS) attack against government websites in Chicago, to support anti-NATO protest marches in the city that saw police officers clash with protestors, resulting in several injuries and 45 arrests. All told, 51 world leaders attended the two-day NATO summit, including President Barack Obama.

On Sunday, prior to the protest marches, the Chicago Police Department and city council websites were knocked offline, and AntiS3curityOPS took credit. “We are actively engaged in actions against the Chicago Police Department and encourage anyone to take up the cause and use the AntiS3curityOPS Anonymous banner,” according to a YouTube video released by the group. “We are in your harbor Chicago, and you will not forget us.”

Interestingly, AntiS3curityOPS said that it had also assisted with the Bureau of Justice Statistics attack. “We were not behind DB attack. However, we can confirm we ‘helped’ attacked site, and another faction has email spools,” the group said Tuesday via Twitter.

When it comes to DDoS attacks of late, however, hacktivists haven’t been the only actors. Notably, the Pirate Bay–where a Torrent file for downloading the purloined Bureau of Justice Statistics information was uploaded–was itself recently knocked offline for 24 hours by a DDoS attack.

The attack came after the Pirate Bay had criticized an Anonymous-led DDoS campaign against Virgin Media in the United Kingdom, which had begun blocking U.K. access to the Pirate Bay, in compliance with a court order. “We do NOT encourage these actions. We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us,” the Pirate Bay said in its anti-DDoS statement, which was posted to Facebook. “So don’t fight them using their ugly methods. DDOS and blocks are both forms of censorship.”

Interestingly, the Pirate Bay statement included a practical call to arms that stands in sharp contrast to the use of DDoS attacks by Anonymous as a form of online protest. “If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol, print some pro piracy posters and decorate your town with, support our promo bay artists, or just be a nice person and give your mom a call to tell her you love her,” recommended the Pirate Bay.

Was Anonymous behind the DDoS attack against the Pirate Bay? While that rumor was circulating online, the Pirate Bay dismissed it. “Just to clarify, we know that it is not Anonymous who is behind the DDoS attack. Stop spreading rumors like that,” it said. “We may not agree with Anonymous in everything, but we both want the internet to be open and free.”

Likewise, Corero Network Security president Andre Stewart emphasized that non-Anonymous actors–a foreign government, record labels, or even a lone hacker–were likely to have been behind the attack. “There are a lot of motives out there to bring down a site like The Pirate Bay,” he told PC Pro. “It doesn’t make any sense to be Anonymous … it’s one of the main areas it defends.”


Hosters: Is Your Platform Being Used to Launch DDoS Attacks?

May 15, 2012 11:12 AM PDT

As anyone who’s been in the DDoS attack trenches knows, large multi-gigabit attacks have become more prevalent over the last few years. For many organizations, it’s become economically unfeasible to provision enough bandwidth to combat this threat.

How are attackers themselves sourcing so much bandwidth? It’s actually easier than you might think. While botnets comprised of malware-infected computers can be used to launch attacks, you don’t actually need thousands of devices. In some cases, attackers are infiltrating hosting company resources (shared hosting, virtual private servers, dedicated hosting, etc.), availing themselves of bandwidth by using hacked, stolen and fraudulent accounts.

Let’s say that an attacker manages to get his/her hands on 5 hosting accounts with 5 different hosting companies. It’s not unusual for these hosting companies to have 1 Gbps+ of connectivity to the Internet. A lot of hosters don’t look at their outbound traffic all that closely or have difficulty policing what their customers do. All an attacker needs to do is install a script on each account and he/she has easy access to gigabits of connectivity.

For hosters, finding the trouble spot can be like looking for a needle in a haystack (especially if thousands of accounts share resources). While the offender might be found eventually and the account shut down, the damage has already been done.

What can hosters do to help prevent this or detect this better?

Restrict outbound traffic from your customers by using ACLs (Access Control Lists). For example, there are few reasons your customers will ever need to make port 80 UDP connections to other hosts on the Internet. Put policies in place to block all outbound traffic except to specific, acceptable, understood destinations or ports. If customers have legitimate reasons to make an outbound connection from your infrastructure, they should be able to notify you and justify it (this will affect only a tiny percentage of your base) so you can make the appropriate arrangements. Some hosters do not even accommodate these requests.

Throttle outbound traffic from your customers. Even for legitimate outbound connections, most likely they don’t need to take up 500 Mbps of outbound bandwidth. Simply set a lower limit.

Put alarms in place when outbound traffic utilization spikes. If, for example, all of a sudden the amount of data leaving your network increases by 40%, there’s probably an issue somewhere and your tech folks should be investigating.
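The three controls above (outbound allow-list, per-account throttle, spike alarm) as one small check run over constructed flow summaries. This is an added example, not code from the original post; the allow-list contents, the 50 Mbps cap, the 10-second interval and the account names are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    """One outbound flow summary for a single sampling interval."""
    account: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    nbytes: int     # bytes the account sent to this proto/port

# Assumed policy (not from the original post): outbound is allow-listed and
# everything else is blocked and reported. Note that udp/80 is absent.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}
CAP_MBPS = 50.0          # per-account outbound throttle (assumed value)
SPIKE_THRESHOLD = 0.40   # the 40% rise the post uses as an alarm trigger
INTERVAL_S = 10          # length of the sampling interval in seconds

# Constructed sample interval: mostly normal web traffic, plus one account
# blasting UDP to port 80 and one making a small unexpected IRC connection.
SAMPLE_FLOWS = [
    Flow("acct-01", "tcp", 443, 20_000_000),
    Flow("acct-01", "udp", 53, 50_000),
    Flow("acct-02", "tcp", 80, 5_000_000),
    Flow("acct-17", "udp", 80, 600_000_000),
    Flow("acct-17", "tcp", 443, 1_000_000),
    Flow("acct-23", "tcp", 6667, 12_000),
]
BASELINE_BYTES = 30_000_000  # constructed: usual total outbound per interval

def acl_violations(flows, allowed=ALLOWED_OUTBOUND):
    """Flows whose proto/port pair is not on the outbound allow-list."""
    return [(f.account, f.proto, f.dst_port) for f in flows
            if (f.proto, f.dst_port) not in allowed]

def throttle_violations(flows, interval_s=INTERVAL_S, cap_mbps=CAP_MBPS):
    """Accounts whose aggregate outbound rate (Mbps) exceeds the cap."""
    per_account = defaultdict(int)
    for f in flows:
        per_account[f.account] += f.nbytes
    rates = {a: b * 8 / interval_s / 1e6 for a, b in per_account.items()}
    return {a: r for a, r in rates.items() if r > cap_mbps}

def outbound_spike(baseline_bytes, current_bytes, threshold=SPIKE_THRESHOLD):
    """True when total outbound grew by more than `threshold` over baseline."""
    return current_bytes > baseline_bytes * (1 + threshold)

def run_checks(flows, baseline_bytes):
    """Combine the three checks into one report for the abuse desk."""
    total = sum(f.nbytes for f in flows)
    return {"acl_violations": acl_violations(flows),
            "throttled_accounts": throttle_violations(flows),
            "outbound_spike": outbound_spike(baseline_bytes, total)}
```

In the sample interval the UDP/80 blast trips all three checks at once, which is the point: the allow-list stops it, the cap limits the damage if it slips through, and the spike alarm tells your tech folks which interval to look at.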

Restricting and monitoring your outbound traffic will probably save you money on bandwidth costs and decrease the amount of abuse reports. Best of all, attackers will realize they’re not getting what they want out of your platform. The less you have to worry about, the better, right?


ESET Lists the Dominant E-Threats of 2010

According to its “End of 2010 Report”, released recently, ESET, the Slovakian security company, detected Conficker, INF/Autorun and Win32/PSLOnlineGames as the three most prevalent malicious e-threats, which respectively accounted for 8.45%, 6.76% and 3.59% of all malware during 2010.

Moreover, ESET discloses that for 3 consecutive months the malicious program Bflient.k has remained in the Top Ten Threats list that the company prepares every month.

The security researchers explain that Bflient, which is traded among cyber-criminals, is a toolkit for building and maintaining botnets. Moreover, the toolkit is customised for each client so that one customer's bots remain distinct from another's.

The report notes that after a purchase the client can instruct his botnet to carry out the typical operations, viz. executing a DDoS (distributed denial-of-service) assault, infecting other PCs, and downloading and installing suspicious programs whenever wished. This was reported on February 1, 2011.

Furthermore, users visiting Facebook face a special risk of contracting malware and of other attacks based on social engineering. Facebook, treating the symptom rather than the underlying malaise, may keep on offering the privacy-eroding features that typically characterise social media, since users want just that, leaving users themselves with the onus of making sure their data isn’t given out in ways they find disagreeable. A few websites, such as Bebo, have in fact switched from a “deny nothing” default to a “deny some things” option, even though sharing as much user data as possible is fundamental to the website’s commercial model.

Additionally, aside from the aforementioned issues, ESET’s report discusses the Wikileaks story, which dominated the period between July and December 2010. Several unsuccessful attempts were made to close the stable door, first by disabling Wikileaks servers and subsequently through a coordinated corporate effort by prominent online players to cut off funding and obstruct any further dissemination of the leaked material. Indeed, as a consequence of the Wikileaks episode, many DDoS and spam attacks took place worldwide.


Securing the cloud

The future of the Internet could look like this: the bulk of the world’s computing is outsourced to “the cloud”, massive data centers that house tens or even hundreds of thousands of computers. Rather than doing most of the heavy lifting themselves, our PCs, laptops, tablets and smart phones act like terminals, remotely accessing data centers through the Internet while conserving their processing juice for tasks like rendering HD video and generating concert-quality sound.

What needs to be figured out for this cloud-based future to emerge are three big things. One is how the computers within these data centers should talk to each other. Another is how the data centers should talk to each other within a super-secure cloud core. The third is how the cloud should talk to everyone else, including the big Internet service providers, the local ISPs and the end-of-the-line users (i.e. us).

This last channel, in particular, interests Michael Walfish, an assistant professor of computer science and one of the principal investigators of the NEBULA Project, which was awarded $7.5 million by the National Science Foundation to develop an architecture for making the Internet more cloud-friendly. If we’re going to be trusting so much of our computing lives to the cloud, he believes, we need to develop a more secure model for how information travels.

“A sender should be able to determine the path that information packets should take,” says Walfish. “A receiver should not have to accept traffic that she does not want. An intermediate provider should be able to know where the packet’s been and should be able to exercise its policies about the downstream provider that’s going to handle the flow next.”

Walfish’s system for providing such capacities, which he’s developing with colleagues at Stanford, the Stevens Institute of Technology, and University of California-Berkeley, is called ICING. It’s a set of protocols that allow every packet of information not only to plot out a path from beginning to end, choosing every provider along the way, but also to establish a chain of provenance as it goes that proves, to both the intermediaries and the final recipients, that it came from where it said it was coming from.

“What we do is take a packet, a unit of data, and we add some fields to the head of the packet,” says Walfish, who in 2009 won an Air Force Young Investigator Award for work related to ICING.

“These fields contain enough cryptographic information to be able to communicate to every realm along the way, and back to the sender, where the packet’s been. So when a packet shows up, I know where it’s been. I know whether it obeys the policies of everyone along the path. That property does not exist today.”

The advantages of such knowledge, says Walfish, should be considerable. Senders, for instance, could contract with intermediate providers for a kind of expressway through the Internet. Recipients would have an easier time sorting their incoming traffic into different levels of priority depending on the routes the packets took.

Michael Walfish, assistant professor of computer science, is working to secure the future of cloud computing.

Perhaps the greatest advantage of adopting a system like ICING, says Walfish, would come in the area of security. Targets of various kinds of Internet attacks, like denial-of-service attacks, would be able to sever traffic from their attackers faster and with much greater precision. Governments would be able to set up channels of communication that pass through only well-vetted and highly-trusted service providers. Internet security companies could, from anywhere in the world, inspect your traffic for viruses.

“Right now,” says Walfish, “there are ways to deal with attackers, but they’re crude, and they’re reactive. Once the traffic enters the victim’s network link, you’re hosed. All you can do is shut it all down. It would be like if you had a huge line of people coming into your office, not letting you get work done. You could kick them all out, but you still wouldn’t get any work done because you’d spend all your time kicking them out. What you really need is for them to not show up in the first place.”

ICING, says Walfish, would also prevent “IP hijacking,” a kind of attack in which a network provider redirects net traffic by falsely “advertising” that it holds a given IP address or by claiming to offer a more direct route to that address. Such IP hijackings can be globally disruptive. In 2008, for instance, the Pakistani government sought to block videos containing the controversial Danish cartoons that depicted Mohammed. The result was a global shutdown of YouTube for more than an hour. Last year, it’s believed, China Telecom was able to capture 15% of the world’s Internet traffic, for 18 minutes, by falsely claiming to be the source of more than 30,000 IP addresses.

“There are multiple reasons why this wouldn’t happen in ICING,” says Walfish. “First, in ICING, the contents of the advertisement and the name of the advertised destination are tightly bound; lie about one, and the other looks invalid. Second, because packets must respect policy, a packet taking an aberrant path will be detected as such.”
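To make the chain-of-provenance idea concrete, here is an added toy example, not ICING’s actual protocol or any NEBULA project code: each realm on the sender-chosen path stamps the packet with an HMAC over the declared path, the payload and the previous stamp, so a receiver can tell whether the packet followed the path as declared. The realm names, keys and the trust model in which the receiver holds every realm’s key are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed per-realm keys. Toy trust model, an assumption rather than
# ICING's real design: each realm shares its key with the verifying receiver.
REALM_KEYS = {
    "isp-a": b"key-for-isp-a-0001",
    "core-b": b"key-for-core-b-0002",
    "isp-c": b"key-for-isp-c-0003",
}

def new_packet(path, payload):
    """Sender declares the whole path up front; proofs fill in hop by hop."""
    return {"path": list(path), "payload": payload, "proofs": []}

def _proof_input(packet):
    """What a hop commits to: declared path, payload digest, previous proof."""
    prev = packet["proofs"][-1] if packet["proofs"] else b""
    digest = hashlib.sha256(packet["payload"]).digest()
    return b"|".join(["/".join(packet["path"]).encode(), digest, prev])

def forward(packet, realm):
    """A realm stamps the packet only if it is the next hop the sender chose."""
    hop = len(packet["proofs"])
    if hop >= len(packet["path"]) or packet["path"][hop] != realm:
        return False  # arrived out of order or skipped a hop: refuse it
    tag = hmac.new(REALM_KEYS[realm], _proof_input(packet), "sha256").digest()
    packet["proofs"].append(tag)
    return True

def verify(packet):
    """Receiver recomputes the chain hop by hop over the path it sees now."""
    if len(packet["proofs"]) != len(packet["path"]):
        return False
    replay = {"path": packet["path"], "payload": packet["payload"], "proofs": []}
    for realm, tag in zip(packet["path"], packet["proofs"]):
        key = REALM_KEYS.get(realm)
        want = hmac.new(key, _proof_input(replay), "sha256").digest() if key else b""
        if not hmac.compare_digest(want, tag):
            return False
        replay["proofs"].append(tag)
    return True

def demo():
    """Honest delivery, a skipped hop, and a path rewritten after stamping."""
    path = ["isp-a", "core-b", "isp-c"]
    honest = new_packet(path, b"hello")
    delivered = all(forward(honest, r) for r in path) and verify(honest)
    skipped = new_packet(path, b"hello")
    forward(skipped, "isp-a")
    refused = not forward(skipped, "isp-c")  # isp-c sees core-b was bypassed
    honest["path"] = ["isp-a", "isp-c", "core-b"]  # tamper the declared path
    return delivered, refused, not verify(honest)
```

The second and third cases are the “aberrant path” detection from the quote above: the bypassed hop is caught by the next realm, and a path edited after the fact fails at the receiver because every stamp committed to the original path.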

ICING, and its parent project NEBULA, are one of four multi-institutional projects being funded by the National Science Foundation’s Future Internet Architecture (FIA) program. The point of the FIA program, and of the efforts of Walfish and his colleagues, is to step back from the day-to-day challenges of managing the flow of information on the ’net, and think more fundamentally about what kind of architecture the Internet should have going forward.

“Where ICING was born, I think,” says Walfish, “was in the realization my teammates and I had that while there was a consensus about what kinds of things needed to change, and there were a lot of proposals to make those changes, all the proposals seemed to be mutually exclusive. They all required the same space in packets. It would be like if your bike was out-of-date and someone said, oh, you can get this really cool feature if you just replace your front wheel with this wheel, and then someone else came along and said, oh, you can get this other really cool feature, but you have to replace your front wheel with this wheel. Well, you can only have one front wheel. So what we set out to do was to design a much more general-purpose mechanism where you could get all these properties without their conflicting with each other, and that’s what I think we’ve done.”
