Tag Archives: DDoS

Security News for the Week Ending Jan 1, 2021

Happy New Year. May 2021 be more sane than 2020.

Microsoft Says Goal of SolarWinds Attack Was Your Cloud Data

Microsoft says that the objective of the SolarWinds hackers was to get into a large number of organizations and then pick and choose which ones to go after, leaving the backdoor in place at the others for future operations. One way they moved from the on-premises network into the cloud was to forge SAML tokens from inside the network (using the federation server's stolen token-signing key) and then use those tokens to gain access to cloud resources, including, but not limited to, email. The article also provides more information on how to detect whether the hackers compromised your cloud resources. Credit: Bleeping Computer
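As an added example (not code from the page, from Microsoft or from Bleeping Computer), here is the shape of the hunt that guidance points at: take the SAML assertions your cloud provider logged and flag any that were signed by a certificate your federation server never held, that are valid far longer than the server is configured to issue, or that have no matching token-issuance event on the federation server. The certificates, assertions, audit events and the one-hour lifetime limit below are all constructed or assumed for the example.

```python
"""Hunt for forged SAML assertions (the "Golden SAML" technique).

Added example, not code from the page or from Microsoft.  It implements three
hunting heuristics: an assertion signed by a certificate the federation
server never used, an assertion that lives far longer than the federation
server is configured to issue, and an assertion with no matching
token-issuance event on the federation server.  The assertions,
certificates and audit events are constructed; the limits are assumptions.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted input
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass(frozen=True)
class IssuanceEvent:
    """One token-issuance record pulled from the federation server's audit log."""
    user: str
    issued_at: datetime


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses (e.g. 2020-12-14T09:00:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint of a base64 DER certificate, as AD FS displays it."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


def audit_assertion(assertion_xml, known_thumbprints, max_lifetime, events,
                    slack=timedelta(minutes=5)):
    """Return (subject, findings).  An empty findings list means 'looks normal'.

    This is outlier hunting, not validation: it deliberately does not verify
    the XML signature, because a Golden SAML token *is* validly signed, just
    with a key the attacker stole or substituted.
    """
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    findings = []

    user = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not_after - not_before > max_lifetime:
        findings.append(f"lifetime {not_after - not_before} exceeds {max_lifetime}")

    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None:
        findings.append("assertion carries no signing certificate")
    elif thumbprint(cert.strip()) not in known_thumbprints:
        findings.append(f"signed by unknown certificate {thumbprint(cert.strip())[:8]}...")

    # A token the federation server really issued leaves an audit event at
    # roughly NotBefore; a forged one is minted offline and leaves none.
    if not any(e.user == user and abs(e.issued_at - not_before) <= slack for e in events):
        findings.append("no token-issuance event on the federation server for this user/time")
    return user, findings


def make_assertion(user, not_before, not_after, cert_b64):
    """Build a minimal constructed SAML 2.0 assertion (signature element is a stand-in)."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_1" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>http://sts.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>
</saml:Assertion>"""


# Constructed data: stand-ins for the real DER certificates and audit log.
ADFS_CERT = base64.b64encode(b"constructed AD FS token-signing certificate").decode()
ROGUE_CERT = base64.b64encode(b"constructed attacker certificate").decode()
KNOWN_THUMBPRINTS = {thumbprint(ADFS_CERT)}
MAX_LIFETIME = timedelta(hours=1)  # assumption: what the federation server is set to issue
EVENTS = [IssuanceEvent("alice@example.com",
                        datetime(2020, 12, 14, 9, 0, tzinfo=timezone.utc))]

LEGIT = make_assertion("alice@example.com", "2020-12-14T09:00:00Z", "2020-12-14T10:00:00Z", ADFS_CERT)
FORGED = make_assertion("alice@example.com", "2020-12-14T03:00:00Z", "2020-12-15T03:00:00Z", ROGUE_CERT)

if __name__ == "__main__":
    for label, xml in (("legit", LEGIT), ("forged", FORGED)):
        print(label, audit_assertion(xml, KNOWN_THUMBPRINTS, MAX_LIFETIME, EVENTS))
```

Run it and the legitimate assertion comes back clean while the forged one trips all three checks. The assertions have to come from the service provider side (the SAML responses the cloud tenant logged), and the audit events from the federation server's security log; that split is the whole point, because a forged token never touches the federation server.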

“Swatting” Moves to the Next Level

Swatting, the practice of placing a fake 911 call, say about a kidnapping, so that a SWAT team is deployed to the victim’s address, is moving to the next level. As if having the police show up unannounced with lots of guns and break down your door isn’t bad enough, the perpetrators are now taking advantage of the fact that people choose weak passwords (or reuse ones that have already leaked): they log into the victim’s own smart cameras and speakers and watch and listen to the police assault live. On occasion the situation turns deadly when the police, not really knowing what to believe, shoot the victim. On rare occasions the swatters, as they are called, are caught and prosecuted. Credit: Bleeping Computer

I Think The Wasabi Got a Little Too Hot

Wasabi, the cloud storage competitor to Amazon S3 that claims to be significantly cheaper than Amazon and to offer 99.999999999% (eleven nines) durability, just got a little less available. Their domain registrar notified them of malware hosted on one of their domains, but sent the notice to the wrong email address. The registrar, following its normal procedure, suspended the domain for failure to respond to an email Wasabi never got, knocking many of Wasabi’s customers offline.

After Wasabi figured out that their own domain registrar had, in effect, denied service to them (no botnet required), they suspended the offending customer and asked for their domain back. That process took over 13 hours. Are you ready for this kind of “attack” from your suppliers?

That outage probably knocked several of those 9’s off their availability. Eleven nines is a durability number (will the data still be there?); availability (can you reach it?) is a different and much lower number, and a registrar suspension hits the second one, not the first.

Credit: Bleeping Computer

SolarWinds Troubles Are Not Over

A second piece of malware, a web shell called SUPERNOVA, along with a zero-day vulnerability in the Orion platform that was used to plant it, makes it look like there was a second, separate attack on SolarWinds customers. It does not appear to be connected to the Russian attack, and the attack vector is different too: rather than a compromise of SolarWinds’ build process, this was an attacker exploiting a flaw in already-deployed Orion servers to install a web shell. This spells additional trouble for SolarWinds. Credit: Security Week

Security News for the Week Ending June 19, 2020

Akamai Sees Largest DDoS Attack Ever

Akamai says that one of its customers was hit with a 1.44 terabit per second denial of service attack. A second attack topped 500 megabits per second. The attackers used a variety of amplification techniques that required some custom coding on Akamai’s part to control, but the client was able to weather the attack. Credit: Dark Reading

Vulnerability in Trump Campaign App Revealed Secret Keys

Trump’s mobile campaign app exposed Twitter application keys, Google apps and maps keys, and Branch.io keys. The vulnerability did not expose user accounts, but it would have allowed an attacker to impersonate the app to those services and cause the campaign significant embarrassment. This is what you get from sloppy coding practices (hard-coding service keys into a mobile app that anyone can unpack) or the lack of a secure development lifecycle. Credit: SC Magazine
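Finding keys like these before a researcher does is a routine secure development lifecycle check. The following is an added example (not the campaign app’s code and not from SC Magazine) of a small scanner over the strings of an unpacked build: the Google and Branch key formats are matched directly, anything assigned to a key- or secret-like name is kept only if it has the entropy of a real credential rather than a placeholder, and the sample lines and key values are constructed.

```python
"""Scan the strings of an unpacked mobile app for embedded service credentials.

Added example, not code from the page or from the app's authors.  It shows
the check a secure development lifecycle would run on a decompiled build
before release: fixed-format keys are matched by pattern, and anything
assigned to a name that looks like a key or secret is kept only if it has
the entropy of a real credential rather than a placeholder.  The sample
lines are constructed; the key values are not real.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Fixed-format keys can be matched directly; the last pattern catches
# 'some_secret = "..."' style assignments in Java/Kotlin/XML/JSON.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "branch_key": re.compile(r"\bkey_(?:live|test)_[0-9A-Za-z]{20,}\b"),
    "generic_secret": re.compile(
        r"""(?i)[a-z_]*(?:key|secret|token)[a-z_]*["']?\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random API secrets land around 4-5, placeholders near 0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text: str, min_entropy: float = 3.5) -> list:
    """Return every credential-looking string, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                # Assumption: below this entropy a "secret" is a placeholder, not a leak.
                if kind == "generic_secret" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append(Finding(kind, line_no, value))
    return findings


# Constructed lines, as they might come out of apktool/jadx on an Android build.
SAMPLE = """\
<string name="google_maps_key">AIzaSyDemo_Constructed_Key_0123456789ab</string>
<meta-data android:name="io.branch.sdk.BranchKey" android:value="key_live_constructedBranchKeyValue01" />
public static final String TWITTER_CONSUMER_KEY = "Qm7xZ2kLp9VbN4rTw8yHs3Jd";
public static final String TWITTER_CONSUMER_SECRET = "k9Qx2vLm8pRtZw4nYb7cHd3eFg6hJa1sUi5oVe0XyPqBnMt";
private static final String TAG = "MainActivity";
api_key = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} = {f.value[:6]}...")
```

Run against the sample it reports the Google key, the Branch key and both Twitter credentials, and skips the `TAG` string and the all-x placeholder. The real fix is not a better scanner but not shipping the secrets at all: keys that must be in the client should be scoped and restricted server-side (per-platform, per-bundle-id, per-API), and anything with write or impersonation power belongs behind your own backend.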

FBI and Homeland Use Military-Style Drones to Surveil Protesters

Homeland Security has been using a variety of techniques, all likely completely legal, to keep track of what is going on during the recent protests.

Customs and Border Protection (part of DHS) has Predator drones, for example. Predator drones have been used in Iraq and other places, and some versions carry large weapons such as missiles. These DHS drones likely carry only high resolution cameras (which can, reportedly, read a license plate from 20,000 feet up) and cell phone interception equipment (cell-site simulators) such as Stingrays and Crossbows. Different folks have different opinions as to whether using the same type of equipment that we use to hunt down terrorists is appropriate on U.S. soil, but that is a conversation for some other place. Credit: The Register

Hint: If You Plan to Commit Arson, Wear a Plain T-Shirt

A TV news chopper captured video of a masked protester setting a police car on fire. Two weeks later, the FBI knocked on her door and arrested her for arson.

How? She was wearing a distinctive T-Shirt, sold on Etsy, which led investigators to her LinkedIn page and from there to her profile on Poshmark. While some are saying that is an invasion of privacy, I would say that the Feds are conducting open source intelligence (OSINT). The simple solution is to wear a plain T-Shirt. If you are committing a felony, don’t call attention to yourself. Credit: The Philly Inquirer

Ad-Tech Firm BlueKai has a bit of a Problem

BlueKai, owned by Oracle, had billions of records exposed on the Internet through an unprotected database. The data is collected from an amazing array of sources, from tracking beacons on web pages and in emails to data bought from a variety of third parties. Apparently the source of the exposure is not Oracle itself but two companies Oracle does business with; Oracle has not said whether those companies were customers, partners or suppliers, and it has not publicly announced the breach. If California or EU residents were in the mix, it could get expensive. The California AG has declined to say whether Oracle has notified them, but this will not go away quietly or quickly. Credit: Tech Crunch

Minneapolis City Web Sites Hit by Denial of Service Attacks

Last Thursday, early in the morning, a number of City of Minneapolis web sites were knocked offline by denial of service attacks. The attacks were short-lived and the city was able to restore most services within a few hours. It is certainly possible that we will see more cyberattacks used as a form of civil disobedience. Credit: The Hill

GA Gov. Kemp’s (R) Claims that Dems Hacked his SoS Web Site In 2018 Are False

Two days before the 2018 election, then GA Secretary of State Kemp opened an investigation into what he said was a failed hacking attempt of voter registration systems by the Democratic Party.

Newly released case files from the GBI say that there was no such hacking attempt. The report says that Kemp confused an authorized, scheduled security scan by Homeland Security with a hack. Kemp’s own CIO had approved the DHS scan.

The GBI did say that there were significant security holes in the web site at the time, even though Kemp said that patching the web site two days before the election was standard practice. No one in their right mind would make changes to critical election systems two days before an election unless it was an emergency. Credit: Atlanta Journal Constitution

Chinese and Iranians Hacking Biden and Trump

Google’s Threat Analysis Group (TAG) warned the campaigns that it was seeing the Chinese targeting Biden and the Iranians targeting Trump. Currently there is no sign of compromise, but we still have months to go before the election. Not only is there lots of information to steal, but the attackers have the possibility of impacting the election or causing voters to lose trust in the process. Credit: SC Magazine

FBI Says Big Business Email Compromise Attacks on the Upswing

The FBI has reports of multiple fraudulent-invoice BEC attacks in April and May. In one case the attackers exploited a trusted vendor relationship to trick a transportation company into sending them $1.5 million. The FBI is reporting multiple incidents across different industries, so caution is advised. Credit: FBI Liaison Information Report 200605-007, security level GREEN.

DDoS Attack Turns Off The Heat. In Finland. In the Winter.

The recent distributed denial of service (DDoS) attack on Dyn meant that most people could not get to Twitter.  While that was awful and may have forced a few people to actually work instead of tweeting, for the most part it was not a big deal.  In fairness to the Dyn attack, there were actually hundreds of web sites that were effectively offline, but still, in the grand scheme of things, a small problem.

The Metropolitan, an English language newspaper in Finland is reporting a much more serious issue and that is combining DDoS attacks with the Internet of Things (IoT).

In this case, two apartment buildings in the city of Lappeenranta lost heat and hot water due to a DDoS attack on the computer that controls the heating system.  The CEO of the company that manages these buildings said the heat and warm water were “temporarily disabled”.

By temporary, he means from late October to November 3rd, a period of over a week.  Remember, Finland is pretty chilly this time of year, so to have no heat or hot water for a week or two is, kind of, “a problem”.

The attack deluged the computers that control the system with traffic.  The system’s solution to this is to reboot, but that doesn’t make the traffic go away, so it is sort of “rinse and repeat”.  Since the systems were continuously rebooting, they could not turn on the heat or hot water.

Since the building maintenance engineers are not cyber security experts, they had no clue what was happening.  If they had replaced the “faulty” computers, they would have done the same thing because the computers were not faulty – just doing what they were programmed to do.

This is reminiscent of the attack on the Ukrainian power grid last year, with different results.  In Ukraine, the power grid is old and creaky.  What computers there are have been bolted on to the existing infrastructure.  If the computers fail, you drive to the substation and throw the switch by hand.  Which is why that attack, even though it destroyed control equipment (the attackers bricked serial-to-Ethernet converters and wiped the operators’ workstations), only turned off the lights for less than a day, a few hours in fact.

Finland, however, is not a third world country.  They have a lot of modern technology.  I suspect, in this case, that there was no switch to throw in the apartment building to turn on the heat.

Like we see a lot in modern IoT devices, security is an afterthought.  Probably no one considered that someone might want to attack their controller so they didn’t harden it nor did they set up protocols to deal with an attack.

SCADA, the industrial version of IoT (I know that is an over simplification, but it will work for this piece), was also never designed with security in mind.  I used to work for one of the largest SCADA manufacturers in the world.  There was no security in those devices.  Not even a userid and password, never mind something more sophisticated.  SCADA devices were never designed to even be on the Internet, but people figured out that they could save money by doing that.

Unfortunately, water plants, sewage plants, power plants, chemical plants and a lot of other infrastructure is not a good place to experiment, but the money to be saved is too large to ignore.  So we are being guinea pigs.

The attack on DYN, I think, was an experiment.  How did people deal with it?  How did the experts respond?  Did the police do anything?

Now they have some data points and they will continue to experiment.

At some point they will decide it is time to take down the power grid.  While throwing the entire United States in the dark is probably more effort than even a nation state would want to take (although far from impossible), throwing Washington, DC or New York City into the dark might produce some interesting results.  If you could damage the infrastructure at the same time to make it harder, take longer and cost more to repair, that would be a “side benefit”.

You can believe me or not, but this will happen.  It is just a matter of when because the steps that need to be taken now are not being taken.  It is too expensive and too inconvenient.  Remember my mantra.  Security.  Convenience.  Pick one.  You could probably modify that to Security, convenience, cost, pick at most two.

Tell the utilities that all of their little controllers that connect by way of Wi-Fi have to be secured or all of their controllers in the field that live in a secure metal box by the side of the road have to be replaced by something that actually is secure.  They will tell you that it is too expensive to do.  Right now, secure means that there is a padlock on the box.  An attacker could cut the padlock and if that was too hard, they could smash the box to bits with a sledgehammer.

After 9-11, the Feds paid local utilities to put fences around water treatment plants and such.  Some even have fence shakers – cool little gizmos that detect if someone is shaking the fence by trying to climb over it.  And, maybe, that will improve the security of central infrastructure, but there is so much distributed infrastructure that is not effectively protected.

For example, is there a power substation near your house?  How about a gas main line?  How strongly are they protected?  Maybe – and only maybe – there is a fence around it.  For me, there is a fence around the substation but not around the gas main.  Of course, even with the fence, there is no one there to physically disable the attacker and by the time the police or utility got there, the damage would be done.

Maybe the attack in Finland is a warning. But are enough people and the right people listening?  I don’t know.


Information for this post came from the Metropolitan.

Yet Another Denial Of Service Attack

Denial of Service attacks are a big deal now.  Last week the attack against Dyn stopped people from accessing Twitter and hundreds of other busy web sites for hours.

These attacks, called denial of service or distributed denial of service (DDoS) attacks, have many computers send so much traffic at a web server that it rolls over, sticks its little computer legs in the air and plays dead.

A critical part of these attacks is something called amplification.  If I have a 1 megabit internet connection and can amplify that attack by a factor of 20, that 1 megabit connection can hit the target web site with 20 megabits (per second) of traffic.  Multiply that by, say, 500,000 computers doing the attack and you can destroy a web site.  If I have a 100 megabit Internet connection, the problem is 100 times bigger.

So the attackers keep coming up with more powerful amplification attacks, and they have a new one.  It uses CLDAP, the connectionless (UDP) version of LDAP that Windows machines use to locate and check domain controllers.  Or, as it turns out, to destroy web servers: a small UDP query with a forged source address gets a much larger answer sent to the victim.

The amplification factor for this attack was between 46 and 55, meaning that, on average, for every byte the attacker sent, the reflector sent 46 to 55 bytes to the site being attacked.

1 megabit of traffic from the attacker means at least 46 megabits of traffic that the site being attacked sees.  And with these attackers controlling hundreds of thousands to millions of devices – including Internet of Things devices, that adds up to a lot of traffic.

Even if the server doesn’t crash, the Internet service provider probably doesn’t have enough bandwidth for the attack, so it will take the server down itself by “blackholing” it: at the very edge of the provider’s network, ALL traffic directed at the site being attacked is discarded (remotely triggered black hole routing).  The attacker wins.  They don’t have to kill the site; the Internet provider does it for them.
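Whether you are the target or, unwittingly, one of the reflectors, this pattern is visible in ordinary flow records. The following is an added example (not from Softpedia or any vendor) that takes UDP flow records, reports destinations being answered by many reflector-port sources at once, and lists your own hosts that are answering reflector-port queries from outside your network; the flow records and address ranges are constructed (RFC 5737 documentation addresses).

```python
"""Spot reflection/amplification DDoS patterns in UDP flow records.

Added example, not code from the page or from any vendor.  Given flow
records (the kind NetFlow/IPFIX or a firewall log produces), it answers two
questions a network team asks during an attack like the CLDAP one above:
who is being hit with reflected traffic, and which of *our* hosts are
answering spoofed queries from the Internet and so are part of the
problem.  The flow records and the address ranges are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (source port of the reflected traffic).
REFLECTOR_PORTS = {389: "CLDAP", 53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    packets: int


def _reflected(flow: Flow) -> bool:
    """A UDP flow whose *source* port is a reflector service is a reply, wanted or not."""
    return flow.proto == "udp" and flow.sport in REFLECTOR_PORTS


def find_reflection_victims(flows, min_sources=3):
    """Destinations receiving reflector replies from many distinct sources.

    Legitimate traffic from one resolver or NTP server is a single source;
    an amplification attack shows up as the same victim being answered by
    many hosts it never queried.
    """
    by_victim = defaultdict(lambda: {"sources": set(), "bytes": 0, "services": set()})
    for f in flows:
        if _reflected(f):
            entry = by_victim[f.dst]
            entry["sources"].add(f.src)
            entry["bytes"] += f.nbytes
            entry["services"].add(REFLECTOR_PORTS[f.sport])
    return {victim: entry for victim, entry in by_victim.items()
            if len(entry["sources"]) >= min_sources}


def find_open_reflectors(flows, local_net):
    """Our own hosts sending reflector-service replies to addresses outside our network.

    Any host listed here is reachable on a reflector port from the Internet
    and should be firewalled or have the service disabled.  Returns bytes sent.
    """
    net = ipaddress.ip_network(local_net)
    reflectors = defaultdict(int)
    for f in flows:
        src_local = ipaddress.ip_address(f.src) in net
        dst_local = ipaddress.ip_address(f.dst) in net
        if _reflected(f) and src_local and not dst_local:
            reflectors[f.src] += f.nbytes
    return dict(reflectors)


# Constructed flow records.  203.0.113.0/24 is "our" network; 198.51.100.10
# is the victim of the attack.  All addresses are RFC 5737 documentation space.
FLOWS = [
    # Four Internet hosts answering CLDAP "queries" the victim never sent.
    Flow("192.0.2.11", 389, "198.51.100.10", 40001, "udp", 3_000_000, 2000),
    Flow("192.0.2.12", 389, "198.51.100.10", 40001, "udp", 2_800_000, 1900),
    Flow("192.0.2.13", 389, "198.51.100.10", 40001, "udp", 3_100_000, 2100),
    Flow("192.0.2.14", 389, "198.51.100.10", 40001, "udp", 2_900_000, 1950),
    # One of our domain controllers is exposed on UDP 389 and joins in.
    Flow("203.0.113.5", 389, "198.51.100.10", 40001, "udp", 2_500_000, 1700),
    # Ordinary traffic: one resolver answering one of our hosts, internal CLDAP, HTTPS.
    Flow("192.0.2.53", 53, "203.0.113.20", 51515, "udp", 1_200, 4),
    Flow("203.0.113.5", 389, "203.0.113.21", 52000, "udp", 900, 3),
    Flow("203.0.113.20", 443, "192.0.2.80", 55000, "tcp", 50_000, 60),
]

if __name__ == "__main__":
    for victim, info in find_reflection_victims(FLOWS).items():
        print(f"{victim}: {info['bytes']} bytes of {', '.join(sorted(info['services']))} "
              f"from {len(info['sources'])} reflectors")
    print("open reflectors:", find_open_reflectors(FLOWS, "203.0.113.0/24"))
```

The first view is what the victim’s ISP sees just before it blackholes the address; the second view is the one that keeps you off the next attacker’s reflector list, which for CLDAP means not exposing UDP 389 on domain controllers to the Internet at all.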

Many of – if not most of – these devices that the attackers are using to attack other sites are not configured correctly or do not have the current patches.  It is critical that you change default passwords and update devices regularly.

As a result of this most recent attack, the feds are trying to figure out what ISPs can do, but you can likely be much more effective – if you take security of all of your devices – webcams, DVRs, web based doorbells, smart TVs, smart refrigerators – all of it, seriously.

We need your help!

Information for this post came from Softpedia.

IoT Maker Says It Will Recall; China Says it Will Sue Journalists

Maybe a little good will come from the day the Internet died last week.  And maybe, also, a little bad.

To very briefly recap, attackers using Mirai, whose source code is now public, attacked Dyn’s servers.  Dyn provides DNS services to the likes of Twitter, Amazon and hundreds of other companies.  The attack against Dyn didn’t directly affect those companies, but it stopped users from being able to look up and reach those companies’ servers, effectively producing a complete outage.

Akamai and Flashpoint have said that infected IoT devices were a large part of the attack – because people don’t patch their refrigerators and don’t change the refrigerator’s default password.

In this case, the Chinese company XiongMai Technologies or XM makes circuit boards for DVRs and IP cameras for lots of other companies.  The default password, in some cases hard coded into the device and impossible for the user to change, is static and well known.  Hence the attack.

XM released a statement which, in part, read “XM have to admit that our products also suffered from hacker’s break-in and illegal use”.

XM said it would be issuing a recall on millions of devices, but XM doesn’t know who owns the devices that their circuit boards were put into.  In fact, in many cases, the company that sold the finished product has no clue who owns those products.

The result of this is that most of these products will never be replaced or fixed.

XM did say that they have made two important changes late last year.  One is to turn off the service, Telnet, that this particular malware used to attack the devices and the other is to make the users change the default password when they initially power up the devices.

99+% of the users who buy these devices have no clue what Telnet is, no clue of how to figure out whether it is on or off for a particular device and no clue of how to fix it -if that is even possible.  Nor do they know how to patch their DVR or cameras.

Which means that this problem isn’t going away any time soon.

Also remember that this attack used these devices and this technique.  Since there are billions of IoT devices, next month it will be a different device and a different technique.  This is kind of like a game of whack-a-mole.

In the meantime, the Chinese Ministry of Justice threatened journalists who reported on the story for issuing “false statements”.

Google Translate, which apparently doesn’t deal with grammar well, rendered their statement, in part, as “Organizations or individuals false statements, defame our goodwill behavior … through legal channels to pursue full legal responsibility for all violations of people, to pursue our legal rights are reserved.”

The good news, besides getting attention for the problem and getting at least one company to do a recall and issue patches, is that this apparently scared the poop out of the Department of Homeland Security.  While last week’s attack was on Twitter (and others), the next attack could be against the power grid, the DoD or maybe even something important.

The Department of Homeland Security has issued some contracts in the past year to companies working to thwart DDoS attacks and this event is likely to spur more contracts.

What we need to do is find a way to identify these tens of millions of infected systems and get them cleaned up or turned off.  THAT is not a simple task.

Then we need to get vendors to stop implementing the least possible security.  If product liability laws were extended to cover these types of events, or if the Consumer Product Safety Commission could issue mandatory recalls in cases like this, the cost of poor security would move back to the vendors, motivating them to do better.  Unfortunately, I don’t think either of these will happen any time soon.

Information for this post came from Krebs on Security.