STE WILLIAMS

Report: DDoS attacks now MORE ANGRY, complex and targeted

The days when attackers relied on sheer bandwidth volume alone to knock out websites are over, with miscreants increasingly using application-layer and multi-vector attacks.

The latest annual study from DDoS attack protection company Arbor Networks reports that 46 per cent of respondents said they had experienced multi-layer attacks in the year up to the end of September 2012, markedly up from the 27 per cent recorded in the year before. The largest attack reported was 60 Gbps, the same figure as 2011.

In 2010, the peak attack hit a bumper 100 Gbps.

Instead of concentrating on upping the noise, the bad guys have switched tactics towards application-layer (targeting web services, mostly) and multi-vector attacks rather than less sophisticated packet flood attacks, Arbor said.

Data centres and cloud services are increasingly getting hit by DDoS attacks, which have traditionally been slung solely against websites. Arbor reports that “distributed denial of service (DDoS) attacks have plateaued in size but become more complex”, adding that “data centre and cloud services are especially attractive targets”. The vast majority (94 per cent) of data centre operators polled by Arbor Networks reported they had been hit by attacks during the study period.

DDoS attacks are used by a variety of players from hacktivists to cybercriminals using packet floods as a means of extortion to business rivals of targeted companies. Arbor reports that e-commerce and online gaming sites are among the most common targets of attack.

Arbor’s study, generally regarded as one of the best of its type, is based on survey data provided by network operators from around the world that use its technology to fend off DDoS attacks.

The study also found that DNS (Domain Name Server) infrastructure remains vulnerable. More than a quarter (27 per cent) of respondents experienced customer-impacting DDoS attacks on their DNS infrastructure—a significant increase over the 12 per cent of respondents from previous year’s survey.

Arbor Networks’ eighth annual Worldwide Infrastructure Security Report can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/31/ddos_survey_arbor/

RSA adds Big Data analytics to security service suite

In just under a month, security folks are coming to San Francisco for the annual RSA show, and if Wednesday’s announcement from the company is anything to go by, one of the major themes at the conference will be Big Data.

At a press conference at its Massachusetts headquarters, RSA unveiled its Security Analytics appliance that’s designed to plug into large corporate networks and churn through huge chunks of data looking for security problems. RSA has also included real-time malware detection, threat monitoring, and heuristic analysis, so consultants can get an accurate read on any threats as they happen.

“It’s all about mixing full monitoring capabilities with compliance and reporting in a fully scalable architecture,” Paul Stamp, director of product marketing at RSA, told The Register. “It’s the first appliance on the market to do this kind of log analytics and data reconstruction.”

The system uses a decoder to capture all layer 2-7 traffic with a concentrator to index metadata into a form usable by the analytics engine. A Hadoop-based warehouse of three or more nodes is included for long-term analysis of large data sets, and the system reports back with an HTML5 user interface.

RSA is also touting the system as helping with corporate compliance returns. Security Analytics is HIPAA and SOX-compliant, as well as being ready for BASEL II and ISO 27002, and can automate many of the reporting procedures needed.

RSA isn’t the first in the security Big Data field, however. In October, IBM claimed that title with the release of its InfoSphere Guardium v9 for Hadoop security system. It seems more than a few vendors are keen to bring some of the Big Data hype to the security space.

“The Big Data phenomenon could help address this situation for security professionals, making it important for organizations to rethink their choice of security solutions,” said Jon Oltsik, principal analyst at the Enterprise Strategy Group.

“Marrying intelligence-driven security with Big Data analytics has the potential to help enterprises address the complex problem of advanced threats and thus meet a significant need in the marketplace.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/31/rsa_security_analytics/

Muslim vid protest hackers turn web-flood hosepipe away from US banks

Islamist hackers busy blasting bank websites with network traffic have suspended their assault after a controversial anti-Muslim video ceased to be available through YouTube.

The Izz ad-Din al-Qassam Cyber Fighters crew launched a series of distributed denial-of-service (DDoS) attacks in September and December, with the stated aim of protesting against extracts of the Innocence of Muslims film appearing on Google’s video clip site.

The search giant restricted the availability of the video in some countries following a wave of protests across the Middle East. The footage did not actually violate YouTube policies so it remained available to most, prompting the Izz ad-Din al-Qassam Cyber Fighters to launch packet-flooding attacks against Wells Fargo, Bank of America, Citibank and many other US banking organisations.

The assaults caused partial service disruption in some cases and may have spilled over to affect the website operations of European banks.

Earlier this month, US intelligence types told news reporters that the Iranian government was behind the “sophisticated” attacks.

But information security experts said the theory was unsubstantiated by any technical evidence and probably just hawkish sabre-rattling. The attacks involved hijacking thousands of compromised servers, rather than using a botnet of compromised home PCs, and generating huge volumes of traffic, reaching peaks of 75Gbps at times.

The security boffins said that compromised PHP web applications and insecure WordPress installations powered the flood, which was directed using a hacker tool called Itsoknoproblembro.

There’s no need to introduce a nation state to explain this type of attack, a point explained in some detail by Robert Graham of Errata Security here.

‘Clear indication of progress and establishment of logic’

In any case, the Izz ad-Din al-Qassam Cyber Fighters crew suspended its campaign on Tuesday. In a message on Pastebin, the group said the “main copy of the insulting movie was removed from YouTube” describing this as a “clear indication of progress and establishment of logic instead of obstinacy”.

The hacktivists said that, in response, they were downing DDoS tools even though copies of the trailer for the film continue to be available from YouTube.

“All of them needed to be removed. Meanwhile, we will control the situation constantly and closely and will adopt the correct decision according to the future circumstances,” the group said. “The suspension of Operation Ababil has started today and will continue till further notice.”

It’s unclear whether or not Google has actually done anything. It’s quite possible that the Izz ad-Din al-Qassam Cyber Fighters have decided to call a halt to their DDoS operations for some other reason and the group are trying to spin this as a victorious conclusion to a principled campaign.

From a Western perspective, there’s no link between banks and online outlets such as YouTube. However cultural norms in the Middle East, where the state often controls media outlets and sometimes runs the banks, are very different, a factor that goes at least some way to explaining why Muslim activists would target financial institutions rather than the source of their displeasure. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/30/hackers_suspend_us_bank_attacks/

PayPal plugs SQL injection hole, tosses $3k to bug-hunter

PayPal has fixed a security bug that could have allowed hackers to compromise the payment website’s databases using an SQL injection attack.

Researchers at Vulnerability Laboratory earned a $3,000 reward for discovering and reporting the critical bug to PayPal in August. An advisory sent to the Full Disclosure security mailing list explained the scope of the vulnerability, which was fixed this month.

The flaw was found in the code that confirms an account holder’s email address, and could have allowed attackers to get past PayPal’s security filters to compromise backend databases and grab sensitive information.

“A blind SQL injection vulnerability was detected in the official PayPal e-commerce website application,” Vulnerability Laboratory explained. “The vulnerability allows remote attackers or a local low-privileged application user account to inject or execute (blind) SQL commands on the affected application databases. The vulnerability is located in the ‘confirm email address’ module.

“The result is the successful execution of the SQL command when the module is reloading the page. Exploitation of the vulnerability requires a low-privileged application user account to access the website area and can be processed without user interaction.”

Vulnerability Laboratory published a proof of concept exploit to underline its concerns. There’s no evidence the vulnerability was actually abused or that it caused any harm.

Nonetheless it’s good news that the flaw has been exorcised from PayPal’s website. And the whole process that led to fixing the problem was lubricated by the payment biz’s bug bounty programme, even though the financial reward in this particular case was modest.

Bug bounty programmes have become commonplace across the industry – a comprehensive list of them is here. The schemes offer an incentive for researchers to report flaws to software makers and websites, rather than sell them on the black market to miscreants.

The bugs tend to be found and fixed more quickly as a result, benefiting users and businesses in the process. And more and more vendors are joining in, with antivirus vendor Avast among the latest. Google in particular has become a master at getting positive attention for its own high-profile bug bounty programme.

PayPal, by contrast, was reluctant to talk about its own reward system, offering only a defensive statement in the wake of the Vulnerability Laboratory’s advisory:

We don’t discuss specific vulnerabilities identified by the Bug Bounty Program, however we can assure you that the SQL Injection vulnerability is not impacting our website.

Of course, PayPal is in the payment-handling business, and with millions of dollars trickling through it, this may account for its reluctance to get into any discussion of the security of its website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/30/paypal_sql_infection_flaw/

Hacker faces 105 years inside after FBI ‘sexploitation’ arrest

The FBI has announced the arrest of a 27 year-old man over charges that he hacked into the data of over 350 female victims and blackmailed them into providing him with nude photographs and video calls.

Karen “Gary” Kazaryan, 27, was arrested in Glendale, California on Tuesday after being indicted on 15 counts of computer intrusion and 15 counts of aggravated identity theft, and faces a possible 105 years in the Big House if convicted. Police found over 3,000 images of women he is claimed to have targeted on his computer.

According to the FBI – which dubbed the case one of “sextortion” – between 2009 and 2010, Kazaryan hacked into women’s computers and email accounts in search of images of the victim unclothed, as well as any passwords and details on their female friends. He would then contact these friends, pretending to be the victim, and persuade them to disrobe so he could take pictures of them.

The indictment also states that Kazaryan would use these pictures to blackmail some of his victims into providing more naked photographs or Skype video calls. It is claimed that in some cases he posted nude photographs on Facebook as punishment, after some women refused his demands.

Police say over 350 women have been traced from Kazaryan’s records so far, but others are still unidentified. Anyone thought to have been affected by this should contact the FBI’s Los Angeles Field Office at +1 (310) 477-6565.

Sadly, these cases are becoming more and more common, and malware writers are increasingly catching on. Pictures have been stolen via peer-to-peer, social networking, and custom malware, and then used to extort more from the victims, who often keep quiet for fear of embarrassment.

For those with such saucy snaps, the solution is straightforward – air-gap them on offline storage like an SD card or portable hard drive whenever possible, and contact the police if you are targeted. Any embarrassment from an investigation could be as naught compared to the satisfaction of seeing a scumbag behind bars. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/30/fbi_arrest_sexploitation_hacker/

Web smut sites are SAFER than search engines, declares Cisco

Cisco proclaimed that it is more dangerous to click on a web ad than a porn site these days as it unveiled the latest version of its security threat report.

The vendor also expanded its security offering, pulling in mobile management support for its ISE platform and announcing it had hoovered up Czech-based real-time security intelligence firm Cognitive Security.

Chris Young, senior veep for Cisco’s Security and Government Group, said the nature of IT security threats was changing in the same way as the industry as a whole, meaning “the cloud” and “mobility” are trends for the cybercrime community too. This means that security managers should worry less about securing the perimeter and consider the “any-to-any” problem (any user, on any device, on any connection).

Cyber criminals and other miscreants were hitting their targets where they were most likely to gather, he said, and were increasingly launching “combinational” attacks.

This throws up some, arguably counterintuitive, conclusions. Malicious content is 27 times more likely to be encountered via search engines than counterfeit software, the vendor’s 2012 Annual Security Report claims.

On the upside, perhaps, online adverts were 182 times more likely to deliver malware than a porno site, the survey said.

“We’ve been led to believe you have to go to an unsavoury place [to encounter malware],” he said. “That’s not the case.”

The report also said that mobile malware accounted for barely half a per cent of malware encounters, though it also showed a whopping 2,577 per cent jump in Android-based malware last year.

The report also noted a spike in malware encounters in the Nordics, something which was ascribed to fans of Julian Assange hitting sites in Sweden to show their displeasure at extradition proceedings against the WikiLeaker-in-chief.

Young said that with the change in computing models, including the shift to the cloud, old attacks had become “new” again. For example, a DDoS attack becomes a bigger threat to a company when it relies on the cloud for its enterprise applications or data.

Unsurprisingly, Cisco has answers to these threats, or at least for those whose preferred solution is not to spend all their web time browsing for porn.

While continuing to focus on access control, companies should “expect the perimeter is porous,” he said.

With threats lingering and propagating within organisations, this means discovery and remediation – cleansing devices – were more important. “This is a cycle,” he declared. Young said that scalability is also becoming increasingly important for security tools.

The vendor has just announced an upgrade to its Identity Services Engine, 1.2, which sees it partnering with device management vendors, including SAP, Citrix and Good.

The firm has also bolstered the intelligence part of its proposition with the acquisition of Prague-based firm Cognitive Security. The 30-strong company offers a machine learning service that analyses security threats.

Cisco plans to integrate Cognitive’s tech into its own cloud-based security offering by the end of the calendar year, and will retire its standalone product. While the Czech firm’s customer base is pretty minuscule, Cisco VP of engineering Mike Furhman promised no one would be left high and dry. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/30/cisco_security_report/

Oracle ‘fesses up: Java security flaws more than storm in teacup

Oracle has broken its silence to admit there are security issues with Java in web browsers – but it insists the tech is solid on servers and within mobile and desktop apps.

In a blog post published on Friday, Oracle noted the “media firestorm” around the recent Java vulnerability, admitting users may have been left “frustrated with Oracle’s relative silence on the issue”.

Oracle released a new version of Java 7 (Java 7u11) on 13 January designed to plug a zero-day vulnerability that has been exploited in the wild. The update was important because the exploit for the bug had been “weaponised” and bundled in widely available black-market hacking toolkits in the week prior to Oracle’s emergency out-of-band update.

In an advisory, Oracle explained that the update switched default Java security settings to “High” so that users will be prompted to allow cryptographically self-signed, or completely unsigned, Java applets to run.

The security flap generated plenty of publicity, especially after the US Department of Homeland Security warned that despite the updates, Java remained a weak target in browsers. Several antivirus firms, including F-Secure and Sophos, advised users to disable Java plugins for their main browser to minimise exposure to future attacks.

Metasploit founder HD Moore warned Oracle was still sitting on a backlog of Java flaws that will take up to two years to patch, even without the discovery of new flaws.

Oracle clearly doesn’t care much for this advice or these observations. However, the facts of the matter have limited it to stating that the vulnerability was limited to Java in the browser. It pointed out that server-side Java, desktop Java and embedded Java are immune from the recent attacks, which broke the security seals on browser plugins and compromised victims’ computers.

In a somewhat delayed communications offensive, Oracle uploaded a recording of a conference call (click here to listen to the MP3) between the Java User Group and two techies: the head of security for Java at Oracle Milton Smith and Doland Smith from the OpenJDK (Open Java Development Kit) Group. The call covered “Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage”.

We listened so that you don’t have to. You’re welcome

El Reg‘s security desk sat through the 52-minute-long call.

Milton Smith started off by saying: “The plan for Java security is really simple: it’s to get Java fixed up, number one, and then, number two, to communicate our efforts widely.”

The talk frequently branched off into procedural discussions about topics such as whether or not to have a security session at the Java One conference and how to communicate with consumers. It also covered the possibility of automatic updates and touched on Oracle’s much-criticised practice of bundling third-party crapware – such as a web search toolbar – with Java security updates.

Doland Smith said he wasn’t able to discuss the pushing of the Ask Toolbar onto users, nor related security updates appearing from McAfee minutes after the official Java security patch was issued, as it was a commercially sensitive issue. He criticised the media for putting out the “loose” message to uninstall Java while admitting there was a security issue with the runtime in web browsers.

The software giant described the conference call as the “tip of the iceberg of what will be done on the Java Security and communication fronts”.

Security bods: Oracle has steep credibility hill to climb

Oracle’s first public admission that Java suffers security flaws was pretty stodgy fare that’s thus far failed to turn around the generally negative view held by many in the infosec community towards the software giant.

“Oracle’s public admission that they have a security problem with the Java browser plugin is a step forward,” said Andrew Storms, director of security operations for nCircle.

“It’s good to finally see Oracle acknowledge the seriousness of the situation. Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb.”

Java has become an easy target for hackers. For example, the vulnerability recently patched by Oracle was exploited for five years in the high-profile Red October espionage against government agencies in the former Soviet Union.

But Oracle’s conference call failed to hint at these sorts of problems and lacked dynamism in general, said Storms.

“The content in the Java security discussion was pretty lacklustre,” he added.

“You’ve got to wonder what role the Oracle press team has had in the company’s response to all the security criticism they’ve had lately. I felt bad for the people representing Oracle on this call because they didn’t sound well-prepared.

“They didn’t sound like they had a clear idea of what to do, what to say or even exactly who they were speaking to.”

The historic antipathy between security researchers and Oracle is partially explained by the software giant’s often painfully slow acknowledgement of security problems as well as its staggered release of patches – both for Java and for its database software and other enterprise applications.

Rather than working together with security experts – such as David Litchfield – who discover and report dangerous programming flaws, Oracle has been, by several accounts, difficult, unresponsive and occasionally combative.

Oracle needs to take a leaf out of Microsoft’s book and play nice with researchers. A little engagement from its side would go a long way towards getting more outside input on bugs.

Robert “RSnake” Hansen, web application security guru and chief exec of Falling Rock Networks, joked: “At what point do we get to put Java on the stopbadware list?” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/30/oracle_java_security_analysis/

Indonesian hackers protest hacker’s arrest … by hacking

Hackers have been hard at work in Indonesia, defacing web sites left, right and centre in protest at the treatment of a local hacker who defaced the president’s web site earlier this month and could now face a 12-year jail term.

Internet café worker Wildan Yani Ashari, 22, was cuffed by police last Friday just over a fortnight after he replaced the home page of president Susilo Bambang Yudhoyono (SBY) with the message: “This is a PayBack From Jember Hacker Team”.

Ashari, who hails from the East Java district of Jember, has been charged under local laws which could land him 12 years in the slammer and a maximum fine of IDR 12bn (£784,000), according to local news site Detik.

As pointed out by TechInAsia, several sites including that of the Supreme Court remain hacked and defaced after Ashari supporters vented their frustration at his harsh treatment by the authorities.

The statement on the hacked Supreme Court site apparently calls on the government to engage more with the hacker community so that they can work together to improve web site security and respond to any intrusions from outside the country.

Given Indonesia’s robust attitudes to law enforcement and sentencing, such pleas are unlikely to persuade the authorities to go easy on Ashari, who police say has been up to mischief in the past. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/30/hacker_indonesia_sby_arrest/

Startup decloaks, rolls out cloudy security ‘conductor’

Security startup NetCitadel is tackling the problem of automatically applying security policies across physical and virtual environments with a cloud-based approach.

NetCitadel’s OneControl Security Orchestration Platform enables the application of network security policy changes across cloud, virtual and physical environments in minutes rather than days or weeks. The technology is designed to automate a policy change process that is sometimes manual and therefore both time-consuming and subject to human error.

OneControl is a virtual appliance that ensures that applications are subject to the same security controls whether they are executed on servers on a corporation’s premises or in the cloud. The technology can be tuned to users, applications and workloads as well as the current threat environment.

The technology creates a central panel to manage security policies across different applications and workloads between sources (such as VMware vCenter and Amazon AWS) and security infrastructure (such as Cisco ASA and Juniper SRX devices). Device connectors allow the technology to apply security policies by making changes to the configuration of firewalls, routers and switches from a single interface.

NetCitadel chief exec Mike Horn told El Reg that both Cisco and Juniper have management tools, but they are vendor specific, unlike NetCitadel’s tech – which supports a mixed environment. He compared the technology to a conductor in an orchestra that, instead of introducing new instruments into the movement of an overture, can recognise and provision a new server in Amazon. Security policies can be applied that are appropriate for this server’s use as either an application server or web server, for example.

“You need a conductor because networks are becoming more dynamic, with the need to set up new servers and users in real time,” Horn explained.

As well as ease of provision NetCitadel’s technology offers the potential to minimise firewall configuration flaws, which sometimes lie at the root cause of security breaches. The firm hopes its technology will give customers the confidence to move sensitive workloads to the cloud without running into concerns about compliance.

NetCitadel OneControl ships as a virtual appliance and provides modular security options, including the Virtual Security Module and the Cloud Security Module, which are sold as add-ons. Pricing starts at $25,000 for up to 25 security devices, and increases depending on the number of additional devices supported. Pricing for the Virtual Security Module and Cloud Security Module starts at $7,500 each.

The release of the technology sees NetCitadel emerging from stealth mode for the first time. NetCitadel is initially targeting larger businesses and managed service providers. Its 25 staff come from stints at varied tech heavyweights including Avistar, Neoteris, Google, VMware, FireEye and Cisco.

NetCitadel is rolling out with a direct sales model on its home turf but is keen to work with partners to secure international sales.

Horn said that future development plans include extending the orchestration tool with interfaces to talk to security event management (SIEM) and logging tools that collate warnings from firewalls and intrusion prevention devices. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/30/netcitadel_security_policy_orcestration/

UPnP scan shows 50 million network devices open to packet attack

Exploit research has found over 6,900 networked devices from 1,500 manufacturers that are open to attack because of a flawed use of the Universal Plug and Play (UPnP) protocol, and IT managers and home users are being warned to check their networks for three major holes.

“The results were shocking to say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet,” said the report’s author HD Moore, creator of Metasploit and currently CTO at vulnerability testers Rapid7.

He explained to The Register that the scale of vulnerabilities out there was surprisingly high, and everyone from ISPs to businesses and home users should check their hardware. While the attacks are somewhat complex in nature at the moment, they are likely to be picked up and automated by malware writers in the future.

UPnP support is built into everything from digital cameras to media servers these days, but the research found flaws in both the UPnP discovery protocol (SSDP) and its HTTP and SOAP implementations that can allow attackers to crash hardware and install malicious code on affected devices, given a certain amount of time and processing power.

More worrying, in 17 million instances the researchers found a third flaw in which the UPnP control interface (SOAP) was exposed via XML, which could potentially allow an attacker to set up an open port in a network firewall – although this depends on the access privileges of a target device.

After nearly six months of sending out UPnP discovery requests to IPv4 addresses, the Rapid7 research team got 81 million responses from systems. Between 40 and 50 million of these are vulnerable to one or more of these problems, and in some cases patches are unlikely to be forthcoming.

The researchers coordinated the paper’s release with CERT to allow vendors and SDK developers to be pre-warned about the issue. CERT has done excellent work, Moore said, and Belkin and other major vendors are on the job, but of the 1,500 vendors out there, only a few hundred had been in contact – and some were unidentifiable.

“Given the huge range of products that use the protocol, you may as well flip a coin to see if it’s vulnerable,” he said. “Checking with CERT might help, but your best bet is to test the devices yourself.”

In all, 73 per cent of problems occur with products based on four SDKs, the report found. These are Portable SDK for UPnP Devices; MiniUPnP; a third, commercial stack that is likely developed by Broadcom; and another commercial SDK that could not be tracked to a specific developer.

Rapid7 has made a free ScanNow UPnP tool available for Windows users to check for the flaws so that vulnerable equipment can be identified and locked down. Linux and Mac users can get the same tool from Metasploit directly.

IT managers are advised to block inbound traffic on UDP port 1900 and on specific TCP ports as an immediate workaround, and to check for network printers, IP cameras, storage systems, and media servers that might be open inside the network. ISPs should also check to ensure that vulnerable equipment is not being shipped to customers. ®
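The article’s advice is to find out which of your own devices answer UPnP discovery and which SDK they are built on. The following is an added example (not code from Rapid7, Metasploit or the article) that parses SSDP M-SEARCH responses and flags devices whose SERVER header names one of the two SDK families the report identifies by name. The responses are constructed samples, and the exact product tokens in the SERVER strings are assumed for illustration; run it against responses captured from your own network.

```python
"""Triage SSDP discovery responses by the UPnP SDK they advertise.

Added example, not part of the Rapid7 report or the Metasploit tooling.
Any device that answers SSDP from outside the network warrants action; those
built on the SDK families named in the report are prioritised first.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from real devices). SSDP replies
# are HTTP/1.1 200 OK messages with CRLF-terminated headers; the SERVER header
# follows the "OS/ver UPnP/ver product/ver" convention. Product tokens are
# assumptions for illustration.
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("203.0.113.10",
     "HTTP/1.1 200 OK\r\n"
     "CACHE-CONTROL: max-age=1800\r\n"
     "ST: upnp:rootdevice\r\n"
     "USN: uuid:11111111-2222-3333-4444-555555555555::upnp:rootdevice\r\n"
     "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
     "LOCATION: http://203.0.113.10:49152/rootDesc.xml\r\n"
     "\r\n"),
    ("203.0.113.11",
     "HTTP/1.1 200 OK\r\n"
     "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
     "SERVER: Custom/1.0 UPnP/1.0 MiniUPnPd/1.4\r\n"
     "LOCATION: http://203.0.113.11:5000/rootDesc.xml\r\n"
     "\r\n"),
    ("203.0.113.12",
     "HTTP/1.1 200 OK\r\n"
     "ST: upnp:rootdevice\r\n"
     "SERVER: ExampleOS/3.1 UPnP/1.1 ExampleMediaServer/2.0\r\n"
     "LOCATION: http://203.0.113.12:8080/desc.xml\r\n"
     "\r\n"),
    # A malformed reply: the triage must skip it rather than crash.
    ("203.0.113.13", "HTTP/1.1 404 Not Found\r\n\r\n"),
]

# SDK families named in the report, matched against the SERVER header.
SDK_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "Portable SDK for UPnP Devices": re.compile(
        r"portable sdk for upnp devices/([\d.]+)", re.IGNORECASE),
    "MiniUPnP": re.compile(r"miniupnpd?/([\d.]+)", re.IGNORECASE),
}


@dataclass
class Finding:
    address: str
    server: str
    location: Optional[str]
    sdk: Optional[str]
    version: Optional[str]
    priority: str  # "high" for a named SDK family, otherwise "review"


def parse_ssdp_response(raw: str) -> Dict[str, str]:
    """Parse the header block of an SSDP 200 response into a lowercase-keyed dict."""
    lines = raw.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].upper().startswith("HTTP/") or status[1] != "200":
        raise ValueError(f"not an SSDP 200 response: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(address: str, raw: str) -> Finding:
    """Identify the SDK family (if any) advertised by one responding device."""
    headers = parse_ssdp_response(raw)
    server = headers.get("server", "")
    location = headers.get("location")
    for sdk, pattern in SDK_PATTERNS.items():
        match = pattern.search(server)
        if match:
            return Finding(address, server, location, sdk, match.group(1), "high")
    return Finding(address, server, location, None, None, "review")


def triage(responses: List[Tuple[str, str]]) -> List[Finding]:
    """Classify every well-formed response; malformed replies are skipped."""
    findings: List[Finding] = []
    for address, raw in responses:
        try:
            findings.append(classify(address, raw))
        except ValueError:
            continue
    return findings


def sdk_summary(findings: List[Finding]) -> Dict[str, int]:
    """Count responding devices per SDK family, as the report does."""
    counts: Dict[str, int] = {}
    for finding in findings:
        key = finding.sdk or "unidentified"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_RESPONSES)
    for finding in results:
        print(f"{finding.address}  {finding.priority:6}  "
              f"{finding.sdk or 'unidentified'} {finding.version or ''}  {finding.location}")
    print(sdk_summary(results))
```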

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/29/hdmoore_upnp_flaw_rapid7/