Yet Another Denial Of Service Attack

Denial of Service attacks are a big deal now.  Last week the attack against Dyn stopped people from accessing Twitter and hundreds of other busy web sites for hours.

These attacks, called denial of service or distributed denial of service (DDoS) attacks, have many computers send a lot of data at a web server until it rolls over, sticks its little computer legs in the air and plays dead.

A critical part of these attacks is something called amplification.  If I have a 1 megabit internet connection and can amplify that attack by a factor of 20, that 1 megabit connection can hit the target web site with 20 megabits (per second) of traffic.  Multiply that by, say, 500,000 computers doing the attack and you can destroy a web site.  If I have a 100 megabit Internet connection, the problem is 100 times bigger.

So the hackers keep trying to come up with more powerful amplification attacks.  They have a new one.  It uses CLDAP (Connectionless LDAP, which runs over UDP), a protocol computers use to authenticate users.  Or destroy web servers.

The amplification factor for this attack was between 46 and 55, meaning that, on average, for every byte the attacker sent, the reflecting server generated 46-55 bytes back to the site being attacked.

1 megabit of traffic from the attacker means at least 46 megabits of traffic that the site being attacked sees.  And with these attackers controlling hundreds of thousands to millions of devices, including Internet of Things devices, that adds up to a lot of traffic.
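The arithmetic above, and the thing a defender can actually look for, as an added example (this is not code from the original post). The flow records are constructed for the example, the 52-byte query and 2860-byte reply are assumed sizes chosen to land in the post's 46-55x range, and the three-reflector threshold is an assumption. The point of the detector is that a CLDAP reflection victim receives UDP traffic sourced from port 389 from many directory servers it never queried, because the attacker forged the victim's address on the requests.

```python
import re
from collections import defaultdict

# Constructed flow records for this example (not a real capture). Format:
#   "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>"
SAMPLE_FLOWS = """\
2016-10-27T10:00:01Z udp 203.0.113.10:389 -> 198.51.100.5:41022 bytes=3020
2016-10-27T10:00:01Z udp 203.0.113.11:389 -> 198.51.100.5:41022 bytes=2950
2016-10-27T10:00:01Z udp 203.0.113.12:389 -> 198.51.100.5:41022 bytes=3100
2016-10-27T10:00:02Z udp 203.0.113.13:389 -> 198.51.100.5:41022 bytes=2870
2016-10-27T10:00:02Z tcp 203.0.113.50:443 -> 198.51.100.5:50123 bytes=1500
2016-10-27T10:00:02Z udp 203.0.113.14:53 -> 198.51.100.9:53211 bytes=120
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<nbytes>\d+)$"
)

CLDAP_PORT = 389  # CLDAP is LDAP carried over UDP on the registered LDAP port


def amplification_factor(request_bytes, response_bytes):
    """Bytes the reflector returns per byte the attacker sent (the post's 46-55x)."""
    return response_bytes / request_bytes


def traffic_at_target_mbps(attacker_link_mbps, factor, num_hosts):
    """Bandwidth the victim sees: per-host link rate, times amplification, times hosts."""
    return attacker_link_mbps * factor * num_hosts


def parse_flows(text):
    """Turn the text records into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "proto": m["proto"].lower(),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "nbytes": int(m["nbytes"]),
        })
    return flows


def find_reflection_victims(flows, service_port=CLDAP_PORT, min_reflectors=3):
    """Return {victim_ip: (distinct_reflectors, total_bytes)} for hosts receiving
    UDP traffic *sourced from* the service port from at least min_reflectors
    different servers. A real client talks to one or two directory servers; a
    reflection victim is hit from many it never asked (threshold is an assumption)."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "nbytes": 0})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == service_port:
            per_dst[f["dst"]]["reflectors"].add(f["src"])
            per_dst[f["dst"]]["nbytes"] += f["nbytes"]
    return {
        dst: (len(v["reflectors"]), v["nbytes"])
        for dst, v in per_dst.items()
        if len(v["reflectors"]) >= min_reflectors
    }


if __name__ == "__main__":
    print("Factor for an assumed 52-byte query and 2860-byte reply:",
          amplification_factor(52, 2860))
    print("1 Mbit link, 20x amplification, 500,000 hosts ->",
          traffic_at_target_mbps(1, 20, 500_000), "Mbit/s at the target")
    print("Reflection victims:", find_reflection_victims(parse_flows(SAMPLE_FLOWS)))
```

Run against real NetFlow or firewall logs, the same grouping works for any reflector service by changing `service_port`; the DNS flow in the sample is left alone because only one source hit that host, which is what ordinary DNS traffic looks like.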

Even if the server didn’t crash, the Internet service provider probably doesn’t have enough bandwidth, so they will take the server down by “blackholing” it, meaning that, at the very edge of the provider’s network, they will discard ALL traffic directed at the site being attacked.  The attacker wins.  They don’t have to kill the site, the Internet provider does that for them.

Many of – if not most of – these devices that the attackers are using to attack other sites are not configured correctly or do not have the current patches.  It is critical that you change default passwords and update devices regularly.

As a result of this most recent attack, the feds are trying to figure out what ISPs can do, but you can likely be much more effective if you take the security of all of your devices (webcams, DVRs, web based doorbells, smart TVs, smart refrigerators, all of it) seriously.

We need your help!

Information for this post came from Softpedia.


If You Click on Bit.ly Shortened URLs, Here is Why You Should Stop. Now.

In case you still think that clicking on any of those shortened web page links (like http://bit.ly/4wx345) is a good idea, here comes the best reason ever NOT to click on those links.

It appears that the Hillary Clinton email leak may have been caused by clicking on one of those stupid shortened URLs.

The problem with shortened URLs is that you have no clue as to what you are clicking on.  You might think you are clicking on Google when in fact you are clicking on some web site in Moscow or Beijing.

Reports are that the Clinton email leak may have started with John Podesta.  He received an email that looked like a Google security alert.

The campaign’s IT team said that it was real.  Given what little has been released about the email, that seems like a terrible call, but in fairness, I wasn’t there.  The email told him that someone attempted to log on to his account from Ukraine and that he should change his password.

That’s all good except that the email did not come from Google.com but instead from accounts.googlemail.com.  The subject line said “Someone has your password”.

The email said that you should change your password immediately, and a link titled CHANGE PASSWORD showed up, suggesting, not so subtly, that John should click on the link.

However, the link was not to a Google page.  Instead it was to a shortened Bit.ly link, so if Podesta clicked on the link – Dell Secureworks says that the link was clicked on twice – he was sent to who knows where – and he may have entered his password, giving it to the Ruskies.

Dell’s Secureworks says that 108 of those emails went out and at least 20 of those links were clicked on.  They say that there were 213 of those Bit.ly links created but some were duplicates.

Secureworks says that the account that created those links belongs to Fancy Bear, one of the names for the Russian state-sponsored hacking team also known as APT28.  While the US Gov has not officially attributed the attack to Russia, they have, apparently, using Ukraine as a proxy, started hacking back, attacking some of Putin’s staff.

My recommendation is that, if you care about your security, avoid clicking on those links.

If you really have to click on one of those links, there are a number of services that will expand a short URL for you (search for “expand short url”), but I don’t have any specific recommendations for which one is best.
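What those expander services do under the hood, as an added example (not code from the original post): ask the shortener for its redirect without following it, then check whether the place you would have landed is actually inside the domain the email claims to be from. The bit.ly URL is the one from the post; the redirect response and the `login.example.net` destination are constructed for an offline run, the shortener host list is an assumption, and `resolve_one_hop_online` is included only to show the real network call. The check goes a little beyond the post: it works for any link, shortened or not, because the decision is made on the final host, not on whether a shortener was involved.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Shorteners that hide the destination behind an opaque token. bit.ly is the one
# in the post; the rest are well-known services listed here as an assumption.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_shortener(url):
    return host_of(url) in SHORTENER_HOSTS


def belongs_to(url, expected_domain):
    """True only if the host is expected_domain or a subdomain of it.
    'google.com.example.net' does not qualify; a naive substring test would pass it."""
    host = host_of(url)
    d = expected_domain.lower()
    return host == d or host.endswith("." + d)


def redirect_target(raw_response):
    """Pull the Location header out of a raw HTTP response; None if it is not a redirect."""
    head = raw_response.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    if status not in REDIRECT_CODES:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def resolve_one_hop_online(url, timeout=5):
    """Network version (not used offline): a HEAD request via http.client, which never
    follows redirects on its own, so only the Location header is read and no page loads."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.getheader("Location") if resp.status in REDIRECT_CODES else None
    finally:
        conn.close()


def vet_link(url, expected_domain, resolve_hop, max_hops=5):
    """Walk the redirect chain one hop at a time and report where it ends up."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolve_hop(chain[-1])
        if nxt is None:
            break
        chain.append(urljoin(chain[-1], nxt))  # Location may be relative
    return {
        "chain": chain,
        "shortener": is_shortener(url),
        "trusted": belongs_to(chain[-1], expected_domain),
    }


# Constructed redirect response for the offline run (no real bit.ly lookup is made).
FAKE_RESPONSES = {
    "http://bit.ly/4wx345": (b"HTTP/1.1 301 Moved Permanently\r\n"
                             b"Location: http://login.example.net/accounts/verify\r\n\r\n"),
}


def offline_resolver(url):
    raw = FAKE_RESPONSES.get(url)
    return redirect_target(raw) if raw else None


if __name__ == "__main__":
    # An email claiming to be from Google: the link should end up under google.com.
    print(vet_link("http://bit.ly/4wx345", "google.com", offline_resolver))
    print(vet_link("https://accounts.google.com/signin", "google.com", offline_resolver))
```

For a live check, pass `resolve_one_hop_online` as `resolve_hop`; the HEAD request touches the shortener and the destination's front door but never renders anything, which is the whole point of expanding first.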

Information for this post came from CNN.


Microsoft Battles Google – Can You Believe It?

OK, that subject, while true, was really just to catch your attention.

Here is the rest of the story (and sorry, this is a bit of a rant).

Google has a team that researches security vulnerabilities in all kinds of software.  The team, founded in 2014, is called Project Zero. While I am sure it finds bugs in Google’s own software (it does!), it seems to, frequently, find bugs in competitors’ software.  That usually includes Microsoft and Adobe, among others.

Google has a database of the vulnerabilities that it finds and it has a very strict protocol for disclosing these vulnerabilities.

Part of what Google wants to have happen is for the industry to fix vulnerabilities quickly.  To be honest, the industry as a whole has a horrible track record for fixing bugs quickly.

Part of the “battle” if you will, is that companies like Microsoft have software that they have to create, test on hundreds of different configurations, package and distribute and users have to download, test and install – think Windows, Office, Adobe Flash and others.  Google, on the other hand, is almost exclusively web based.

Web based offerings are inherently easier to patch.  Google controls every single server that their software runs on.  They know what the hardware looks like and if the software does not work on a particular brand or model of hardware they don’t use it.  In fact, Google BUILDS their own servers.  Companies like Microsoft can only dream about that.

Microsoft USED to release patches at random.  It drove system administrators crazy.  As a result, they now only release patches once a month and it usually takes them two or three months to get a fix through that release cycle.

Needless to say – and this is part of Google’s point – the hackers don’t have to follow that model.  As a result, the hackers win most of the time.

So what are Google and Microsoft battling about this week?

Google disclosed a flaw that it found October 21st (that is about 10 days ago) in Windows.  On that same day, Google also found a bug in Adobe Flash.  Adobe has fixed their bug.  Microsoft has not.

Google would normally give Microsoft at least 60 days to fix the bug (and sometimes adds extensions) before they announced the bug to the world, but in this case, Google says, the bug is ACTIVELY being exploited in the wild.  So Google had two choices: be quiet for three months while people’s systems were being attacked and allow Microsoft to work through its process or, alternatively, warn people and let Microsoft be a tad bit displeased with them.

The bug is a privilege escalation attack which allows a hacker to escape the Windows sandbox and do things that they should not be able to do.

Microsoft COULD have told people that there was a problem and provided them with workarounds or possibly a temporary fix, but they chose not to.  They did say, now, that users should upgrade to Windows 10 and use the Edge browser.  That doesn’t help the tens of millions of users of Windows 7 and Windows 8.

Instead, Microsoft said that Google’s disclosure of hackers attacking Microsoft’s customers’ systems in the real world was irresponsible.  What would have been responsible, Microsoft says, is to keep people in the dark while attackers compromise their systems.  Somehow I have a problem with Microsoft’s reasoning.

Microsoft said that they are the ONLY platform committed to investigating security issues and providing updates as soon as possible.  While those of you who read this column know that I am not much of an Adobe Flash fan, I do give them a LOT of credit for releasing fixes sometimes the day after a bug is found when hackers are exploiting it, so I think Microsoft’s claim is a bit self-serving.

The bottom line here is that the industry, and it doesn’t matter whether we are talking Windows, Mac, Linux, Android, iPhone, Web, whatever, needs to be more aggressive at identifying and fixing bugs.  Not just the kind of bugs that we usually think of but also issues like the attack on Dyn last week that took out Twitter and hundreds of other sites.

Attackers don’t care about collateral damage and they don’t care about following the rules.  WE as an industry need to get more effective about fixing problems.

At least that is the way that I see it.

Information for this post came from CSO Online.

Google’s Project Zero has its own Wikipedia page, found here.
