Lily Hay Newman / Wired:
GitHub hit with the largest ever DDoS attack of 1.35Tbps on Feb. 28; attacker abused publicly accessible memcached instances, taking the site down for 6+ mins
On Wednesday, at about 12:15pm ET, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.
GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.
The scale of the attack has few parallels, but a massive DDoS that struck the internet infrastructure company Dyn in late 2016 comes close. That barrage peaked at 1.2 Tbps and caused connectivity issues across the US as Dyn fought to get the situation under control.
“We modeled our capacity based on five times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai, told WIRED hours after the GitHub attack ended.
Akamai defended against the attack in a number of ways. In addition to Prolexic’s general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren’t meant to be exposed on the public internet; anyone can query them, and they’ll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.
memcached DDoS attacks don’t require a malware-driven botnet. Attackers simply spoof the IP address of their victim, send small queries to multiple memcached servers—about 10 per second per server—that are designed to elicit a much larger response. The memcached systems then return 50 times the data of the requests back to the victim.
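How a roughly 15-byte UDP query turns into a flood, and what the reflected traffic looks like from the target's side, as an added example that is not code from the Wired article, GitHub or Akamai: the script frames one memcached text command the way memcached expects it over UDP (an 8-byte header in front of the command), computes the amplification ratio from request and reply sizes, and then runs a simple reflection heuristic over constructed flow records. The flow tuple layout, the sample addresses and the two thresholds are assumptions. The detector treats IPv4 and IPv6 reflectors alike, which goes a step beyond the article. Nothing is transmitted.

```python
"""memcached UDP reflection: the trigger packet, the ratio, and a detector.

Added example. Flow tuple layout, addresses and thresholds are assumptions.
"""
import ipaddress
import struct
from collections import defaultdict

MEMCACHED_PORT = 11211
MIN_REFLECTORS = 2            # assumption: distinct servers replying to one target
MIN_BYTES_PER_PACKET = 1000   # assumption: stats/large-value replies are near-MTU datagrams


def build_udp_request(command: bytes, request_id: int = 1) -> bytes:
    """Frame one memcached text command for UDP transport.

    memcached prefixes each UDP datagram with an 8-byte header: request id,
    sequence number, total datagrams in the message, reserved (four big-endian
    16-bit fields). Built here only to show how small the trigger is; the
    bytes are never sent.
    """
    header = struct.pack("!HHHH", request_id, 0, 1, 0)
    return header + command


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Reply size divided by request size, the figure the article quotes as about 50x."""
    return response_bytes / request_bytes


# Constructed flow records: (src, sport, dst, dport, proto, bytes, packets).
# Two IPv4 and two IPv6 exposed memcached servers answer spoofed queries with
# near-MTU UDP replies aimed at one target each; the 10.0.0.0/8 lines are a
# single legitimate client talking to its own cache; the last line is DNS.
SAMPLE_FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.7", 40000, "udp", 1_400_000, 1000),
    ("198.51.100.11", 11211, "203.0.113.7", 40000, "udp", 1_400_000, 1000),
    ("2001:db8:1::a", 11211, "2001:db8:2::7", 40000, "udp", 700_000, 500),
    ("2001:db8:1::b", 11211, "2001:db8:2::7", 40000, "udp", 700_000, 500),
    ("10.0.0.5", 51000, "10.0.0.9", 11211, "udp", 45, 3),
    ("10.0.0.9", 11211, "10.0.0.5", 51000, "udp", 2_048, 3),
    ("203.0.113.7", 53000, "192.0.2.53", 53, "udp", 64, 1),
]


def find_reflection_victims(flows):
    """Return {victim: summary} for targets hit by UDP replies from several
    memcached servers at once with large average datagrams."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, dport, proto, nbytes, npkts in flows:
        if proto != "udp" or sport != MEMCACHED_PORT:
            continue
        # Normalise through ipaddress so IPv4 and IPv6 text forms compare reliably.
        victim = str(ipaddress.ip_address(dst))
        entry = per_victim[victim]
        entry["reflectors"].add(str(ipaddress.ip_address(src)))
        entry["bytes"] += nbytes
        entry["packets"] += npkts

    hits = {}
    for victim, entry in per_victim.items():
        bytes_per_packet = entry["bytes"] / entry["packets"]
        if len(entry["reflectors"]) >= MIN_REFLECTORS and bytes_per_packet >= MIN_BYTES_PER_PACKET:
            hits[victim] = {
                "reflectors": sorted(entry["reflectors"]),
                "bytes": entry["bytes"],
                "bytes_per_packet": round(bytes_per_packet),
            }
    return hits


if __name__ == "__main__":
    probe = build_udp_request(b"stats\r\n")
    print(f"trigger packet: {len(probe)} bytes; a 750-byte stats reply is "
          f"{amplification_factor(len(probe), 750):.0f}x")
    for victim, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, info)
```

The heuristic keys on the reply direction only (source port 11211/udp), because a spoofed request never shows up in the victim's own flow data; what the victim sees is many servers it never spoke to, all answering at once with full-size datagrams. The single-reflector LAN client in the sample is deliberately not flagged.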
Most of the memcached DDoS attacks CenturyLink has seen top out at about 40 to 50 gigabits per second, but the industry had been increasingly noticing bigger attacks up to 500 gbps and beyond.
The web monitoring and network intelligence firm ThousandEyes observed the GitHub attack on Wednesday. “This was a successful mitigation. Everything transpired in 15 to 20 minutes,” says Alex Henthorne-Iwane, vice president of product marketing at ThousandEyes. “If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus, which usually means there’s a human involved looking and kind of scratching their head. When it all happens within 20 minutes you know that this is driven primarily by software. It’s nice to see a picture of success.”
BuzzFeed:
Many news reports blaming Russian Twitter bots, some of which are not Russian and others not bots, are based on a single source and are likely overblown
“I’m not convinced on this bot thing,” said one of the men behind the Russian bot thing.
By now you know the drill: massive news event happens, journalists scramble to figure out what’s going on, and within a couple hours the culprit is found — Russian bots.
Russian bots were blamed for driving attention to the Nunes memo, a Republican-authored document on the Trump-Russia probe. They were blamed for pushing for Roy Moore to win in Alabama’s special election. And here they are wading into the gun debate following the Parkland shooting. “[T]he messages from these automated accounts, or bots, were designed to widen the divide and make compromise even more difficult,” wrote the New York Times in a story following the shooting, citing little more than “Twitter accounts suspected of having links to Russia.”
This is, not to mince words, total bullshit.
The thing is, nearly every time you see a story blaming Russian bots for something, you can be pretty sure that the story can be traced back to a single source: the Hamilton 68 dashboard, founded by a group of respected researchers, including Clint Watts and JM Berger, and currently run under the auspices of the German Marshall Fund.
But even some of the people who popularized that metric now acknowledge it’s become totally overblown.
So that’s strike one: In what other world would we rely on a single source tool of anonymous provenance?
And then there’s strike two. Let’s say, despite that, you still really want to put your faith in those conclusions about Russian influence. Why would you do that?
And here we get to strike three. One of the hardest things to do — either with the accounts “linked to Russian influence efforts online,” whatever that means, or with the Internet Research Agency trolls who spent many months boosting Donald Trump and denigrating Hillary Clinton — is to measure how effective they really were. Did Russian troll efforts influence any votes? How do we even qualify or quantify that? Did tweets from “influencers” actually affect the gun debate in the United States, already so toxic and partisan before “bot” was a household word?
Even Watts thinks the “blame the bots” shtick has gotten out of control.
Further complicating the Russian bot narrative? The notion that plenty of automated social media influence campaigns are orchestrated right here in the United States. As BuzzFeed News has reported, MicroChip, “a notorious pro-Trump Twitter ringleader,” has and continues to orchestrate automated networks of Twitter accounts to help push trending topics and advance pro-Trump narratives
One of the most disorienting parts of today’s geopolitical information warfare is that all sides feel and act as if they’re winning, and it’s hard to know who or what has the most influence.
The Great Bot Panic, for instance, poses a series of contradictions. It is true that bots are a serious problem. It is also true that the bot problem is exaggerated. It is true that Russian bots are a conspiracy theory that provides a tidy explanation for complicated developments. It is also true that Russian influence efforts may be happening before our eyes without us really knowing the full scope in the moment.
Alex Hern / The Guardian:
Facebook says it found no additional evidence of Russia-linked ads during Brexit campaign in 2016 after launching standalone investigation in January 2018
Updates released by the Internet Systems Consortium (ISC) for the Dynamic Host Configuration Protocol (DHCP) software patch two remotely exploitable vulnerabilities discovered by a researcher at Google.
Felix Wilhelm of the Google Security Team found that the DHCP Client (dhclient), which provides a means for configuring network interfaces, is affected by a buffer overflow vulnerability that allows a malicious server to cause the client to crash.
In some cases, exploitation of the flaw could also lead to remote code execution, ISC said in an advisory. The security hole is tracked as CVE-2018-5732 and rated high severity.
“Where they are present, operating system mitigation strategies such as address space layout randomization (ASLR) should make it difficult to leverage this vulnerability to achieve remote code execution but we can not rule it out as impossible. The safest course is to patch dhclient so that the buffer overflow cannot occur,” ISC said.
The second vulnerability, CVE-2018-5733, is a medium severity issue that can be exploited to exhaust the memory available to the DHCP daemon (dhcpd), resulting in a denial-of-service (DoS) condition to clients.
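The bug class at issue in dhclient is a parser trusting a length field sent by the peer. What follows is an added, generic illustration of the bounds discipline a DHCP option parser needs; it is not ISC's dhclient code and not a reconstruction of CVE-2018-5732 (the advisory excerpt does not say where in dhclient the overflow occurs). The DHCP option layout used here (the RFC 2132 code/length/value encoding, the magic cookie, PAD and END) is real; the sample DHCPOFFER option bytes and the malformed packets are constructed.

```python
"""Bounds-checked parsing of DHCP options (RFC 2132 code/length/value layout).

Added, generic illustration; not ISC dhclient code. Sample packets are constructed.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that opens the options field
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 51, 53, 54


def encode_options(options):
    """Build an options field from (code, value) pairs: magic cookie first, END last."""
    out = bytearray(DHCP_MAGIC)
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("option code or length out of range")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse code/length/value options, refusing any length that runs past the buffer.

    The server controls every length byte; checking it against the bytes that
    are actually present is what stops a hostile DHCPOFFER from making the
    client read or copy past the end of the packet.
    """
    if len(payload) < len(DHCP_MAGIC) or payload[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        i += 1
        if code == OPT_PAD:
            continue
        if code == OPT_END:
            return opts
        if i >= len(payload):
            raise ValueError(f"option {code}: packet ends before its length byte")
        length = payload[i]
        i += 1
        remaining = len(payload) - i
        if length > remaining:
            raise ValueError(f"option {code}: length {length} exceeds {remaining} remaining bytes")
        # RFC 3396: repeated instances of one option code are concatenated.
        opts[code] = opts.get(code, b"") + payload[i:i + length]
        i += length
    raise ValueError("options field has no END marker")


def is_malformed(payload: bytes) -> bool:
    """True when the parser rejects the packet instead of reading past it."""
    try:
        parse_dhcp_options(payload)
        return False
    except ValueError:
        return True


def describe_offer(opts: dict) -> dict:
    """Decode the handful of options a client acts on from a parsed DHCPOFFER."""
    return {
        "message_type": opts[OPT_MSG_TYPE][0],
        "subnet_mask": str(ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])),
        "router": str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4])),
        "lease_seconds": struct.unpack("!I", opts[OPT_LEASE_TIME])[0],
    }


# Constructed DHCPOFFER options from a well-behaved server.
GOOD_OFFER = encode_options([
    (OPT_MSG_TYPE, b"\x02"),
    (OPT_SUBNET_MASK, bytes([255, 255, 255, 0])),
    (OPT_ROUTER, bytes([10, 0, 0, 1])),
    (OPT_LEASE_TIME, struct.pack("!I", 3600)),
    (OPT_SERVER_ID, bytes([10, 0, 0, 2])),
])
# Constructed hostile offer: the router option claims 200 bytes but only four follow.
BAD_OFFER = DHCP_MAGIC + bytes([OPT_ROUTER, 200, 10, 0, 0, 1, OPT_END])
# Constructed truncated offer: option code present, length byte missing.
TRUNCATED_OFFER = DHCP_MAGIC + bytes([OPT_ROUTER])

if __name__ == "__main__":
    print(describe_offer(parse_dhcp_options(GOOD_OFFER)))
    for name, pkt in (("bad", BAD_OFFER), ("truncated", TRUNCATED_OFFER)):
        print(name, "rejected" if is_malformed(pkt) else "accepted")
```

The check that matters is `length > remaining`, evaluated before the slice; a C parser that does the equivalent `memcpy` first and compares afterwards is the shape of bug the ISC advisory is describing, and ASLR only makes exploiting it harder, not impossible.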
A threat actor apparently interested in inter-Korean affairs continues to launch highly targeted attacks using new pieces of malware and decoy documents referencing North Korean political topics.
The cyber espionage group, which experts believe is sponsored by a nation state, has been active for several years, but it managed to stay under the radar until last year, when researchers analyzed two of its main tools, namely SYSCON and KONNI. These pieces of malware had been leveraged in attacks aimed at organizations linked to North Korea.
The German government’s IT network is under an “ongoing” cyberattack, the parliamentary committee on intelligence affairs said Thursday, without confirming a media report that Russian hackers were behind the assault.
“It is a real cyberattack on parts of the government system. It’s an ongoing process, an ongoing attack,” said Armin Schuster, chairman of the committee, adding that no further details could be given to avoid passing crucial information on to the attackers.
Interior Minister Thomas de Maiziere said the hacking was “a technically sophisticated attack that had been planned for some time”, adding that it had been brought under control.
– Russian hackers -
Top security officials had repeatedly warned during Germany’s 2017 general election campaign that Russian hackers may seek to influence or disrupt the polls.
While authorities did not have concrete proof, they have blamed the malware attack that crippled the Bundestag parliamentary network for days in 2015 on APT28, also known as “Fancy Bear” or “Sofacy”.
The attack netted 17 gigabytes of data which, officials feared, could be used to blackmail MPs or discredit them.
The Russia-linked cyber espionage group Sofacy has been targeting foreign affairs agencies and ministries worldwide in a recently discovered campaign, Palo Alto Networks warns.
The hacking group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Strontium, has been highly active recently, and new evidence shows activity directly targeting diplomats in North America and Europe, including those at a European embassy in Moscow.
In a growing sign of the increased sophistication of both cyber attacks and defenses, GitHub has revealed that it weathered the largest-known DDoS attack in history this week.
GitHub is a common target — the Chinese government is widely suspected to be behind a five-day-long attack in 2015 over its hosting of software to bypass its internet censorship system — and this newest assault tipped the scales at an incredible 1.35Tbps at peak.
In a blog post retelling the incident, GitHub said the attackers hijacked memcached — a distributed memory caching system built for high performance — to massively amplify the traffic volumes they were firing at GitHub.
Policy-makers are working on the largest internet filter we’ve ever seen. An algorithm will decide which of your uploads will be seen by the rest of the world and which won’t. This is how the internet filter will rob you of your freedom of expression.
Filters don’t work
First of all: filters are really bad at recognising content. There are tons of examples
You can’t fight copyright violations with filters
The internet filter has been proposed in order to tackle copyright violations. But copyright is too complex for this wrecking ball-style solution. For instance: sometimes it’s perfectly legal to use copyrighted material in a citation or a work of parody, and sometimes it isn’t.
What can you do?
The following weeks are crucial. Tweet or e-mail your representatives that are part of the European Parliament’s Committee on Legal Affairs (JURI). On 26-27 March they will be deciding on the upload filter. Use the hashtag #CensorshipMachine or #filterfail
A week that begins with the repeal of regulation that prevents dictatorship in China is likely to be a busy one for the country’s censorship people, and so it has proven to be.
UK and Australian governments now use Have I Been Pwned
Posted 7 hours ago by Romain Dillet (@romaindillet)
Troy Hunt is turning Have I Been Pwned into an essential pwning monitoring service. The service monitors security breaches and password leaks so that you and your users remain secure. And now, the U.K. and Australian governments are monitoring their own domain names using the service.
Most people are familiar with the consumer-facing version of Have I Been Pwned. You go on Have I Been Pwned’s website and enter your email address. It shows you a list of services that you use and that have been hacked.
That’s why you should be using a different password on each online service. This way, if your password leaks, nobody can connect to another service. Everything is sandboxed, you can just change the password on the hacked service.
And because nothing is secure anymore, you should activate two-factor authentication wherever you can. A password simply doesn’t cut it anymore.
Anyone can monitor a domain name by proving that they actually own it (otherwise it would be a potential security breach). Hunt is now working with governments to make it easier to monitor all government domain names for free.
Nathan Vanderklippe / Globe and Mail:
Human Rights Watch: China’s Xinjiang region uses big data on everyday habits and AI for predictive policing to send people to political re-education camps
Barely seven months ago, a senior Chinese official promised that artificial intelligence could one day help authorities spot crime before it happens.
In the country’s far western Xinjiang region, it’s already happening, with the establishment of a system that critics call “Orwellian” in scope and ambition, and which is being used to place people in political re-education.
Called the Integrated Joint Operations Platform, or IJOP, it assembles and parses data from facial-recognition cameras, WiFi internet sniffers, licence-plate cameras, police checkpoints, banking records and police reports made on mobile apps from home visits, a new report from Human Rights Watch finds.
If the system flags anything suspicious – a large purchase of fertilizer, perhaps, or stockpiles of food considered a marker of terrorism – it notifies police, who are expected to respond the same day and act according to what they find. “Who ought to be taken, should be taken,” says a work report located by the rights organization.
Another official report shows how reports generated by IJOP are used to send people to an “Occupational Skills and Education Training Centre” where political re-education is carried out.
Elements of the policing system in Xinjiang are being set in place elsewhere in China, too, including the collection of data and integration of systems. But Xinjiang appears to be unique in the use of artificial intelligence to detain people in political re-education.
At the Winter Olympics in South Korea, for example, Alibaba built a large pavilion to describe its capabilities and offer its services to the outside world. Its “ET City Brain” can be used to improve the timing of traffic lights and employ artificial intelligence to quickly route emergency services to an accident.
But Alibaba also boasts about the system’s value in “social governance and public security,”
Paul Mozur / New York Times:
China is prosecuting a citizen who shared a critical message on WhatsApp; message was likely obtained by hacking a phone or via spy in a WhatsApp group
Within its digital borders, China has long censored what its people read and say online. Now, it is increasingly going beyond its own online realms to police what people and companies are saying about it all over the world.
For years, China has exerted digital control with a system of internet filters known as the Great Firewall, which allows authorities to limit what people see online. To broaden its censorship efforts, Beijing is venturing outside the Great Firewall and paying more attention to what its citizens are saying on non-Chinese apps and services.
As part of that shift, Beijing has at times pressured foreign companies like Google and Facebook, which are both blocked in China, to take down certain content. At other times, it has bypassed foreign companies entirely and instead directly pushed users of global social media to encourage self-censorship.
This effort is accelerating as President Xi Jinping consolidates his power.
“And my 5-year-old daughter can just look up at the camera and get in. It’s good for kids because they often lose their keys.”
But for the police, the cameras that replaced the residents’ old entry cards serve quite a different purpose.
Now they can see who’s coming and going, and by combining artificial intelligence with a huge national bank of photos, the system in this pilot project should enable police to identify what one police report, shared with The Washington Post, called the “bad guys” who once might have slipped by.
Facial recognition is the new hot tech topic in China. Banks, airports, hotels and even public toilets are all trying to verify people’s identities by analyzing their faces. But the police and security state have been the most enthusiastic about embracing this new technology.
About 20 million CCTV cameras have been installed with AI technology in China
Such technology can be used to identify a person’s age, gender and clothes
Police can track down criminals using facial recognition and their database
German police deployed the first facial recognition cameras at a main railway station in Berlin on Tuesday, testing new technology that could help track and arrest crime and terrorism suspects.
Zack Whittaker / ZDNet:
Researchers describe 10 possible attacks on LTE networks that allow eavesdropping on texts and calls, taking devices offline, and spoofing of emergency alerts
A slew of newly discovered vulnerabilities can wreak havoc on 4G LTE network users by eavesdropping on phone calls and text messages, knocking devices offline, and even spoofing emergency alerts.
Ten attacks detailed in a new paper by researchers at Purdue University and the University of Iowa expose weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to the network and maintaining a connection to receive calls and messages.
Those flaws can allow authentication relay attacks that can allow an adversary to connect to a 4G LTE network by impersonating an existing user — such as a phone number.
Although authentication relay attacks aren’t new, this latest research shows that they can be used to intercept messages, track a user’s location, and stop a phone from connecting to the network.
A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates. The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec…
In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns. When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security…
Generally speaking, private keys for TLS certificates should never be archived by resellers, and, even in the rare cases where such storage is permissible, they should be tightly safeguarded. A CEO being able to attach the keys for 23,000 certificates to an email raises troubling concerns that those types of best practices weren’t followed. (There’s no indication the email was encrypted, either
In a statement, Trustico officials said the keys were recovered from “cold storage,” a term that typically refers to offline storage systems.
The discussion also raises new questions about Symantec’s adherence to industry-binding rules
“During our many discussions over the past week we put it to you that we believe Symantec to have operated our account in a manner whereby it had been compromised,” the Trustico officials wrote. They continued: “We believe the orders placed via our Symantec account were at risk and were poorly managed. We have been questioning Symantec without response as to concerning items for about a year. Symantec simply ignored our concerns and appeared to bury them under the next issue that arose.”
Unfortunately, the way the Internet’s TLS certificate issuance process works, a single point of failure is all it takes to create compromises that endanger the entire system. Readers can expect Google and Mozilla to spend considerable time and resources in the coming weeks unraveling the breakdown that came to light Wednesday.
Update: Several hours after this post went live, Trustico’s website went offline after a Web security expert posted a critical vulnerability on Twitter.
The European Union issued internet giants an ultimatum to remove illegal online terrorist content within an hour, or risk facing new EU-wide laws.
The European Commission on Thursday issued a set of recommendations for companies and EU nations that apply to all forms of illegal internet material, “from terrorist content, incitement to hatred and violence, child sexual abuse material, counterfeit products and copyright infringement. Considering that terrorist content is most harmful in the first hours of its appearance online, all companies should remove such content within one hour from its referral as a general rule.” The commission last year called upon social media companies, including Facebook, Twitter and Google owner Alphabet, to develop a common set of tools to detect, block and remove terrorist propaganda and hate speech. Thursday’s recommendations aim to “further step up” the work already done by governments and push firms to “redouble their efforts to take illegal content off the web more quickly and efficiently.”
EU lays out rules for firms to fight online illegal material
Facebook, Google among tech firms under pressure to react
Too Short
One hour to take down terrorist content is too short, the Computer & Communications Industry Association, which speaks for companies like Google and Facebook, said in a statement that criticized the EU’s plans as harming the bloc’s technology economy.
“Such a tight time limit does not take due account of all actual constraints linked to content removal and will strongly incentivize hosting services providers to simply take down all reported content,” the group said in a statement.
The EU stressed that its recommendations send a clear signal to internet companies that the voluntary approach remains the watchdog’s favorite approach for now and that the firms “have a key role to play.”
Memcached is a free and open source distributed memory object caching system. One can use it for speeding up dynamic web applications by mitigating database load. The Memcached server is an in-memory key-value store. This page shows how to secure memcached running on a Linux or Unix-like systems.
Memcached and DDoS attack
By default, the memcached server listens on TCP and UDP port 11211. DDoS amplification attacks are carried out by abusing memcached servers that are exposed on public IPv4/IPv6 addresses, and a significant increase in this amplification vector, using the memcached protocol over UDP port 11211, has been observed.
1. Configure a firewall
2. Disable UDP
3. Force memcached to listen on private LAN/VLAN IP address
Make sure that memcached is firewalled, with its TCP and UDP ports closed to the public Internet, and only allow your web/app servers to reach the memcached server.
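Steps 2 and 3 turned into a check, as an added example that is not part of the original how-to: the functions read a Debian-style `/etc/memcached.conf` (one option per line, the format the constructed sample imitates), report a UDP listener that is still on and a bind address reachable from outside, and emit a hardened copy with `-U 0` and a private bind address. Treating a missing `-U` as UDP-enabled matches memcached releases before 1.5.6, which was the first to turn UDP off by default; the list of what counts as "private" is an assumption. Step 1, the firewall, has to be done on the host or the network and is not something the config file can express.

```python
"""Audit a Debian-style /etc/memcached.conf for the UDP and bind-address steps.

Added example; the sample config is constructed.
"""
import ipaddress

# Assumption: "private LAN/VLAN" means the RFC 1918 ranges, loopback and IPv6 ULA.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

SAMPLE_EXPOSED_CONF = """\
# /etc/memcached.conf (constructed sample, one option per line)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
-c 1024
"""


def parse_conf(text: str) -> dict:
    """Return {flag: [values...]} for a one-option-per-line memcached.conf."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0], []).append(value)
    return opts


def bind_is_exposed(addr: str) -> bool:
    """True for 0.0.0.0, :: and any address outside PRIVATE_NETS."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def audit(text: str) -> list:
    """List the hardening steps the config still fails."""
    opts = parse_conf(text)
    findings = []
    # No -U means UDP on the TCP port for memcached < 1.5.6; 1.5.6+ disables it by default.
    udp_port = opts.get("-U", ["11211"])[-1]
    if udp_port != "0":
        findings.append(f"UDP listener on port {udp_port}: add '-U 0'")
    binds = opts.get("-l", [""])[-1]
    if not binds:
        findings.append("no -l: memcached binds every interface; add '-l <private address>'")
    else:
        for addr in (a.strip() for a in binds.split(",")):
            if bind_is_exposed(addr):
                findings.append(f"-l {addr} is reachable from outside; bind a private/loopback address")
    return findings


def harden(text: str, bind_addr: str = "127.0.0.1") -> str:
    """Return the config with UDP off and a private bind address, other options untouched."""
    if bind_is_exposed(bind_addr):
        raise ValueError(f"{bind_addr} is not a private or loopback address")
    out, seen_u, seen_l = [], False, False
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        flag = stripped.split(None, 1)[0] if stripped else ""
        if flag == "-U":
            out.append("-U 0")
            seen_u = True
        elif flag == "-l":
            out.append(f"-l {bind_addr}")
            seen_l = True
        else:
            out.append(raw)
    if not seen_u:
        out.append("-U 0")
    if not seen_l:
        out.append(f"-l {bind_addr}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPOSED_CONF):
        print("FAIL:", finding)
    print(harden(SAMPLE_EXPOSED_CONF, bind_addr="10.0.0.9"))
```

After restarting memcached, confirm the result from the host itself (`ss -lnup | grep 11211` should print nothing, and `ss -lntp | grep 11211` should show only the private address), since a config edit that the init script never picked up passes the audit and still leaves the server exposed.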
As defined by the GDPR: Personal data is any data that allows an individual to be identified, including names, address, birthdate or identification number as well as IP address, location data or any type of pseudonymous data. This broadens the definition of personal data given in previous EU directives.
Under the GDPR, companies will be required to prove that they know where consumer data is across all their systems and all their businesses. Companies will be required to demonstrate who can access this data as well as when and how they are allowed to do so. GDPR will also require that organisations notify individuals and authorities of data breaches within 72 hours and address all resulting issues.
Personal data can be hidden in a wide range of places, including:
Customer data in hard-to-search free-text fields
Network files where employees have saved Excel files
Backup drives
Unstructured data, including website log-in information and social media data
The implementation of GDPR will require organisations to rethink how they manage personal data from the point of origin to the point of consumption—and what frameworks will be needed to comply.
GDPR is not a matter of fix it and forget it. The new regulations mandate organisation-wide personal data awareness from data protection officers down to database administrators. GDPR will require ongoing governance
Mix / The Next Web:
Encrypted messaging services Signal and Telegram experienced worldwide outages for several hours — You might want to move your private chats to WhatsApp or Telegram for the time being: it appears popular encrypted messenger Signal is currently down globally, according to numerous reports from users.
The company behind the private messaging platform, Open Whisper Systems, has yet to inform its users what is causing the server downtime.
Update: A spokesperson for Open Whisper Systems and Signal has since confirmed the issue to TNW, adding that their engineers are already working on a solution.
Update 2: It seems that encrypted messenger rival Telegram is also experiencing some server issues
Update 3: Both Signal and Telegram appear to be resuming functionality.
What’s claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption.
Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar’s SiteProtect DDoS protection service when he realized there were “packets coming from IPv6 addresses to an IPv6 host.”
The attack wasn’t huge – unlike this week’s record-breaking 1.35Tbps attack on GitHub – and it wasn’t using a method that is exclusive to IPv6, but it was sufficiently unusual and worrying to flag to the rest of his team.
Computers behind 1,900 IPv6 addresses were attacking the DNS server as part of a larger army of commandeered systems, mostly using IPv4 addresses on the public internet. Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks – and fast.
“The risk is that if you don’t have IPv6 as part of your threat model, you could get blindsided,”
Everyone knew the MoviePass deal is too good to be true — and as is so often the case these days, it turns out you’re not the customer, you’re the product. And in this case they’re not even attempting to camouflage that. Mitch Lowe, the company’s CEO, told an audience at a Hollywood event that “we know all about you.”
“We get an enormous amount of information,” Lowe continued. “We watch how you drive from home to the movies. We watch where you go afterwards.”
It’s no secret that MoviePass is planning on making hay out of the data collected through its service.
A flight of new research papers show 4G LTE networks can be exploited for all sorts of badness
As ZDNet’s Zack Whittaker reports, researchers at Purdue University and the University of Iowa conducting tests of 4G LTE networks have uncovered 10 new types of attacks. They made this discovery as part of their evaluation of a proof-of-concept 4G LTE penetration testing toolset, called LTEInspector.
usable against many carrier networks, the collection of exploits could be used to track device owners, eavesdrop on texts and other sensitive data, and even pose as them on cellular networks and spoof location and other data. An attacker could even spoof warning messages like those used by government agencies and weather services—such as the false missile warning sent out by a Hawaii government employee.
The security of 4G LTE networks is largely based on obscurity—many of the implementations are proprietary “black boxes,” as the Purdue and Iowa researchers put it, which makes performing true security evaluations difficult. And because of the large range of sub-components that must be configured, along with the need to be able to handle devices configured primarily for another carrier, there is a lot of slush in LTE implementations and not a lot of transparency about network security. Recent IEEE-published research found that implementations of the “control plane” for various LTE networks varied widely—problems found on one network didn’t occur on others.
And that variation is true of security as well. In one case, the Purdue and Iowa researchers found that a carrier didn’t encrypt “control plane” messages at all, meaning an attacker could even eavesdrop on SMS messages and other sensitive data. That flaw has since been fixed by the carrier.
The infrastructure community has also started attempting to address the underlying problem, by asking the owners of exposed memcached servers to take them off the internet, keeping them safely behind firewalls on internal networks.
blocking memcached traffic if they detect a suspicious amount of it
“We are going to filter that actual command out so no one can even launch the attack,”
“We’ve seen about 300 individual scanners that are searching for memcached boxes, so there are at least 300 bad guys looking for exposed servers,”
Wednesday’s onslaught wasn’t the first time a major DDoS attack targeted GitHub.
“This was a successful mitigation. Everything transpired in 15 to 20 minutes,”
“If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus, which usually means there’s a human involved looking and kind of scratching their head. When it all happens within 20 minutes you know that this is driven primarily by software. It’s nice to see a picture of success.”
“The duration of this attack was fairly short,” he says. “I think it didn’t have any impact so they just said that’s not worth our time anymore.”
it seems likely that attackers will give a DDoS of this scale another shot.
Windows Defender Advanced Threat Protection (Windows Defender ATP) is capable of detecting behavior associated with the sophisticated FinFisher spyware, Microsoft says, after performing an in-depth analysis of the malware’s infection process.
FinFisher is a lawful interception solution built by Germany-based FinFisher GmbH, which sells it exclusively to governments. Also referred to as FinSpy, the malware has been around for over half a decade and has been associated with various surveillance campaigns.
In September last year, after the malware was observed exploiting a .NET Framework zero-day (CVE-2017-8759) for infection, ESET warned that Internet service providers (ISPs) might be involved in FinFisher’s distribution process.
[UPDATED - New record set at 1.7Tbps] On Tuesday, February 27, three major DDoS mitigation service providers (Akamai, Cloudflare and Arbor) warned that they had seen spikes in a relatively rare form of reflection/amplification DDoS attack via Memcached servers. Each service provider warned that this type of reflection attack had the potential to deliver far larger attacks.
One day later, Wednesday, February 28, GitHub was hit by the largest DDoS attack that had ever been disclosed — more than twice the size of the Mirai attack of 2016, peaking at 1.3Tbps. And still the potential, in the short term at least, is for even larger attacks.
Memcached servers are particularly vulnerable to such a use whenever they are left accessible from the public internet. In theory, this should never — or at least very rarely — happen; in practice there are various estimates of between 50,000 and more than 100,000 vulnerable servers. Because the service was designed for use internally within data centers, it has no inbuilt security and can be easily compromised by attackers.
Researchers suggest, in theory, the reply could be up to 51,000 times the size of the request. This is the amplification side of the attack — the ability to amplify a 203-byte request into a 100-megabyte response.
The extortion note, which occurs in a line of Python code delivered by the compromised Memcached servers, demands payment of 50 XMR (the symbol for the Monero cryptocurrency). This would have been approximately $15,000.
There is no way of knowing whether any of the recent Memcached DDoS victims have paid a Monero ransom.
Memcached attacks are not entirely new, but have been relatively rare before the last ten days.
UPDATE – New record set at 1.7Tbps – As predicted, the Memcached DDoS methodology has already created a new world record. Netscout Arbor has today confirmed a 1.7Tbps DDoS attack against the customer of a U.S.-based service provider. This attack was recorded by Netscout Arbor’s ATLAS global traffic and threat data system, and is more than 2x the largest Netscout Arbor had previously seen. No further details are yet available.
Internet Traffic Modifications by ISPs After the Decision to End Net Neutrality Create a Huge Potential Attack Surface
A huge amount of ink has been spilled over the FCC decision to roll back Net Neutrality rules.
Many articles analyze which businesses will benefit and which will be harmed by the change, while others look at it from a political perspective. It is critical that we also understand the security implications of changes Internet Service Providers (ISPs) are likely to make under this deregulation.
As a general principle, Net Neutrality holds that the internet should be a passive conduit for data between any endpoints. It should not make any difference to a carrier who is initiating the connection and what service they are using.
The FCC decision ending net neutrality re-categorizes ISPs from being telecommunication systems governed by title II, to being information services under title I. As telecommunication systems, ISPs were prohibited from blocking, throttling, or providing paid prioritization. As telecommunication services which create, modify, store, or make information available, none of these restrictions apply. As important as the regulatory change is the signal this sends to the ISPs. The administration is clearly articulating a much more hands-off policy towards ISPs. This signaling is likely to embolden them to
Google has released its March 2018 set of security updates for Android to address numerous Critical and High severity vulnerabilities in the popular mobile operating system.
The majority of the Critical vulnerabilities addressed this month could allow an attacker to execute code remotely on affected devices. Impacted components include media framework, system, and kernel, Nvidia, and Qualcomm components.
A total of 16 vulnerabilities were addressed as part of the 2018-03-01 security patch level: 8 rated Critical severity and 8 considered High risk. The most severe of these vulnerabilities could allow a remote attacker using a specially crafted file to run arbitrary code with high privileges.
Just days before its annual Security Analyst Summit kicks off in Cancun, Mexico, Kaspersky Lab this week announced an extension to its bug bounty program and plans to pay rewards of up to $100,000 for severe vulnerabilities in some of its products.
Launched in August 2016, the HackerOne-powered bug bounty program initially promised a total of $50,000 in bounties and resulted in the discovery of more than 20 flaws in the first six months. To date, the program allowed Kaspersky to address more than 70 bugs in its products and services.
In April last year, the Moscow-based security firm announced the addition of Kaspersky Password Manager 8 to the bounty program, along with an increase in the maximum reward for remote code execution vulnerabilities from $2,000 to $5,000.
Cisco today announced the availability of identification of software vulnerabilities and exposures as part of the security capabilities of its Tetration platform.
Designed to offer workload protection for multi-cloud data centers through a zero-trust model that employs segmentation, the platform can now also detect vulnerabilities associated with software installed on servers.
With support for both on-premises and public cloud workloads, Tetration can now help identify security incidents faster, as well as contain lateral movement, in addition to reducing attack surface, Cisco says.
“Tetration is equipped to identify high severity security events such as Spectre and Meltdown using behavior-based anomalies,” Cisco notes.
Mobile malware is now targeting crypto-currencies with the intent of stealing victims’ funds, IBM says.
The immediate result of the massive increase in value that crypto-currencies have registered over the past year was the growth of malicious attacks attempting to steal coins from unsuspecting users. While most of these assaults involved PC malware so far, recent incidents have shown that mobile threats are picking up the pace as well.
Several weeks ago, IBM observed that the TrickBot Trojan was using webinjections to steal virtual coins from its victims by replacing legitimate addresses with those of the attacker. Working in a similar manner, mobile malware is now using screen overlays to trick victims into sending funds to the attacker instead, IBM’s security researchers discovered.
According to IBM, mobile malware targeting crypto-coins usually leverages malicious miners to collect coins, but the practice isn’t that profitable, given the limited processing power a mobile device has. Furthermore, users are more likely to discover a mining operation on a mobile device when observing overheating, low performance and faster battery drain.
“Crooks operating mobile banking Trojans don’t install miners on the device. Rather, they typically steal existing coins from unsuspecting owners using mobile malware that creates the same effect as webinjections: cybercriminals trick users with fake on-screen information, steal their access credentials and take over accounts to empty coins into their own wallets,” IBM notes.
Security researchers have discovered the sophisticated Triada Trojan in the firmware of more than 40 low-cost Android smartphone models.
Discovered in early 2016 and considered one of the most advanced mobile threats out there, Triada stands out in the crowd because it abuses the Zygote parent process to inject its code in the context of all software on the device. The Trojan uses root privileges to replace system files and resides mainly in the device’s RAM, which makes it difficult to detect.
There is a buffer overflow in base64d() of the Exim MTA that allows an attacker to run code remotely. All versions of the Exim MTA are affected by this overflow vulnerability, CVE-2018-6789.
A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message. An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely
FBI director Christopher Wray has addressed a cyber-security conference and again called for technologists to innovate their way around strong cryptography.
All the FBI wants, he said, is for “law enforcement’s own lawful need to access data be taken just as seriously.”
Wray told the conference he’s spent the last six months “catching up on all things cyber”, and that as a whole, the agency needs “more cyber and digital literacy in every program throughout the bureau”.
Wray reiterated his complaint that the FBI’s inability to access the content of nearly 7,800 phones in fiscal 2017, “more than half the devices we attempted to access in that timeframe”, is “a major public safety issue”.
“This problem impacts our investigations across the board—human trafficking, counterterrorism, counterintelligence, gangs, organised crime, child exploitation, and cyber”, Wray said.
Taking public safety seriously means having the private sector “respond to lawfully issued court orders, in a way that is consistent with both the rule of law and strong cybersecurity. We need to have both, and can have both.”
Best Buy and the FBI have had a longstanding and very cosy relationship that incentivised Geek Squad techies to go hunting for porn on customers’ PCs, documents obtained under a Freedom of Information Act request have shown.
US tech retailer Best Buy has always denied having a relationship with the Feds, but the documents reveal frequent contact between them, including a 2008 guided tour [PDF] of the company’s largest repair facility in Kentucky.
Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system.
The hardcoded password issue affects Cisco’s Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers.
Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.
Fraudsters operating on the dark web could buy a person’s entire identity (“fullz” in the cybercrook lingo) for just £820.
Bank account details, Airbnb profiles and even Match.com logins are worth money to bidders that reside on the murkier side of the internet, a study by virtual private network comparison site Top10VPN.com found.
While online bank details are currently worth around £168 to dark web bidders, and Paypal logins a higher price of about £280, passport details fetch as little as £40. Hacked web accounts – such as access to your Match.com profile, Facebook and even Deliveroo – give criminals a backdoor into identity theft for less than a fiver.
Even eBay accounts with their broad scope for fraud fetch just £26 on the dark web. Compromised PayPal accounts are among the most widely traded items.
Corero Network Security says they have discovered a “kill switch” to counteract the Memcached vulnerability that recently fueled some of the largest distributed denial-of-service (DDoS) attacks in history.
The company says it has disclosed the kill switch to national security agencies and also claims that the issue is more extensive than originally believed: an attacker exploiting it can also steal or modify data from vulnerable Memcached servers.
In late February, however, web protection companies warned that the protocol can be abused for DDoS amplification, after the first attacks using it started to emerge. Within days, record-setting 1.3Tbps and 1.7Tbps DDoS attacks were observed.
Browsers are the single most used application today. Everyone uses at least one browser, whether in the office or at home. But not everyone realizes just how much personal data is left hanging around inside their browsers; nor how easy it is for third-parties to extract it.
Benson used a modified version of OpenWPM (a web privacy measurement framework) and Firefox to visit the Alexa Top 1000 websites, navigating to three links on each site to simulate normal user browsing. The purpose here was to look for evidence of device identification and geolocation — and Benson found evidence that 56 websites recorded geolocation details, and 56 websites recorded the user’s IP address.
An analysis of leaked tools believed to have been developed by the U.S. National Security Agency (NSA) provides a glimpse into the methods used by the organization to detect the presence of other state-sponsored actors on hacked devices, and it could help the cybersecurity community discover previously unknown threats.
Over the past few years, a mysterious hacker group calling itself Shadow Brokers has been leaking tools allegedly created and used by the Equation Group, a threat actor widely believed to be linked to the NSA. The Shadow Brokers have been trying to sell Equation Group tools and exploits, but without much success. They say their main goal has been to make money, but many doubt their claims.
The Bad Packets Report site reports on web security, and its latest news is alarming: the site says the code of nearly 50,000 websites contains scripts that make visitors’ browsers mine cryptocurrency.
In the Bad Packets Report study, public internet sites were scanned for cryptojacking scripts. Nearly 50,000 sites were found running the Coinhive JavaScript miner or similar malicious code; Coinhive alone accounts for over 80% of them.
Malicious actors may be able to abuse voice-based virtual assistants to hack into enterprise systems and researchers proved it through an attack that targets Microsoft Cortana.
Independent researchers Amichai Shulman, former CTO and co-founder of Imperva, and Tal Be’ery, former VP of research at Microsoft-acquired security firm Aorato, have found a way to conduct an evil maid attack that abuses the Cortana voice assistant to install malware onto a locked computer. The researchers are detailing their findings on Friday at Kaspersky Lab’s Security Analyst Summit (SAS) in Cancun, Mexico.
In Windows 10, if default settings are not changed, any user can interact with Cortana by saying “Hey Cortana,” and it works even if the device is locked.
Morphisec security researchers warn of a newly discovered attack vector that allows attackers to bypass Microsoft’s Code Integrity Guard (CIG) in order to load malicious libraries into protected processes.
Dubbed CIGslip, the new attack vector relies on manipulating the manner in which CIG functions, thus bypassing its controls without the need to inject unsigned image code pages into memory. With a low footprint on the targeted system and likely to go unnoticed, the attack has great damaging potential.
CANCUN – KASPERSKY SECURITY ANALYST SUMMIT – The hackers behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malware in an effort to trick researchers, Kaspersky Lab revealed on Thursday.
The Olympic Winter Games in Pyeongchang, South Korea, was hit by a cyberattack that caused temporary disruption to IT systems, including the official Olympics website, display monitors, and Wi-Fi connections. The attack involved Olympic Destroyer, a piece of malware designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. Compromised credentials are used to spread to other machines on the network.
Kaspersky has also spotted infections at several ski resorts in South Korea. The malware, which leverages a leaked NSA exploit known as EternalRomance to spread via the SMB protocol, temporarily disrupted ski gates and lifts at the affected resorts.
Several cybersecurity firms launched investigations into the Olympic Destroyer attack shortly after the news broke, and while they mostly agreed on the malware’s functionality, they could not agree on who was behind the operation. Some pointed the finger at North Korea, while others blamed China or Russia, leading some industry professionals to warn against this type of knee-jerk attribution.
The security firm has found a unique “fingerprint” associated with the notorious Lazarus Group, which has been linked to North Korea and blamed for high profile attacks such as the one on Sony, the WannaCry campaign, and various operations targeting financial organizations.
This fingerprint was a 100% match to known Lazarus malware components and it did not appear in any other files from Kaspersky’s database. While this piece of evidence and the type of attack suggested that Olympic Destroyer could be the work of North Korea, other data gathered by researchers as a result of an on-site investigation at a South Korean target revealed inconsistencies.
Experts determined that the unique fingerprint was likely a sophisticated false flag planted by the attackers to throw investigators off track.
Memcached is a free and open source memory caching system that can work with a large number of open connections. Memcached servers allow connections via TCP or UDP on port 11211, with access requiring no authentication, which is why the system wasn’t designed to be accessible from the Internet.
With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.
With no authentication required, an attacker can issue a simple debug command to retrieve the data. What’s more, the weakness can also be exploited to maliciously “modify the data and reinsert it into the cache,” the security company says.
The ‘kill switch’ that Corero has discovered would send a command back to an attacking server to suppress the DDoS exploitation. The countermeasure, the company explains, invalidates a vulnerable server’s cache, meaning that any potentially malicious payload that attackers might have planted will become useless.
The security firm claims it has tested the countermeasure quench packet on live attacking servers and that it proved fully effective, without causing collateral damage.
“Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes,” Ashley Stephenson, CEO at Corero Network Security, commented.
The root cause of the problem, of course, is the poor security practices when setting up Memcached servers. Exposing them to the Internet is like leaving the front door open and expecting burglars not to barge in.
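The memcached reflection mechanism described in the excerpts above (spoofed victim address, UDP port 11211, no authentication, replies tens to thousands of times larger than the request) leaves a recognisable pattern in a victim network's flow records: large UDP replies from source port 11211 with no matching requests ever sent. The following is an added example, not code from any of the quoted articles; the CSV flow layout, the sample records and the thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

MEMCACHED_PORT = 11211
# Thresholds are assumptions for this example; tune them to your own traffic.
MIN_AVG_REPLY_BYTES = 1000   # normal cache replies are small; reflected ones are not
MIN_AMPLIFICATION = 50       # the articles cite ~50x, and up to 51,000x in theory

# Constructed flow records in a simple NetFlow-like CSV layout (not any real
# exporter's format), as seen from the edge of the 198.51.100.0/24 network.
SAMPLE_FLOWS = """\
proto,src,sport,dst,dport,packets,bytes
udp,203.0.113.10,11211,198.51.100.5,80,1000,1400000
udp,203.0.113.11,11211,198.51.100.5,80,1000,1400000
udp,203.0.113.12,11211,198.51.100.5,80,800,1100000
udp,10.0.0.5,40001,10.0.0.20,11211,50,4000
udp,10.0.0.20,11211,10.0.0.5,40001,50,9000
udp,198.51.100.9,40002,203.0.113.13,11211,10,200
udp,203.0.113.13,11211,198.51.100.9,40002,10,14000
udp,192.0.2.53,53,198.51.100.7,5353,5,1500
tcp,192.0.2.8,443,198.51.100.5,50000,500,600000
"""


def parse_flows(text):
    """Parse the CSV layout above into a list of dicts with numeric fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def memcached_reflection_report(flows):
    """For every destination receiving UDP from source port 11211, summarise the
    reply volume, the number of distinct reflectors, the bytes of requests that
    destination itself sent to port 11211, and the resulting amplification.

    Only destinations that look like reflection victims are returned."""
    reply_bytes = defaultdict(int)
    reply_packets = defaultdict(int)
    reflectors = defaultdict(set)
    request_bytes = defaultdict(int)

    for f in flows:
        if f["proto"] != "udp":
            # Reflection relies on UDP: TCP needs a handshake, so a spoofed
            # source address never completes the connection.
            continue
        if f["sport"] == MEMCACHED_PORT:
            reply_bytes[f["dst"]] += f["bytes"]
            reply_packets[f["dst"]] += f["packets"]
            reflectors[f["dst"]].add(f["src"])
        elif f["dport"] == MEMCACHED_PORT:
            request_bytes[f["src"]] += f["bytes"]

    report = {}
    for host, rbytes in reply_bytes.items():
        avg_reply = rbytes / reply_packets[host]
        if avg_reply < MIN_AVG_REPLY_BYTES:
            continue  # ordinary cache chatter, e.g. an internal client
        qbytes = request_bytes.get(host, 0)
        if qbytes == 0:
            # Replies with no requests from this host: the signature of a
            # spoofed-source reflection attack. The ratio cannot be computed
            # locally because the requests were sent by someone else.
            amplification = None
            reason = "replies without matching requests (spoofed source)"
        else:
            amplification = rbytes / qbytes
            if amplification < MIN_AMPLIFICATION:
                continue
            reason = f"amplification {amplification:.0f}x"
        report[host] = {
            "reflectors": len(reflectors[host]),
            "reply_bytes": rbytes,
            "request_bytes": qbytes,
            "amplification": amplification,
            "reason": reason,
        }
    return report


if __name__ == "__main__":
    for host, info in memcached_reflection_report(parse_flows(SAMPLE_FLOWS)).items():
        print(host, info)
```

On the constructed records, 198.51.100.5 is flagged as a reflection victim (three reflectors, no requests of its own) while the internal client 10.0.0.5 is ignored because its cache replies are small.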
227 Comments
Tomi Engdahl says:
Lily Hay Newman / Wired:
GitHub hit with the largest ever DDoS attack of 1.35Tbps on Feb. 28; attacker abused publicly accessible memcached instances, taking the site down for 6+ mins
GitHub Survived the Biggest DDoS Attack Ever Recorded
https://www.wired.com/story/github-ddos-memcached
On Wednesday, at about 12:15pm ET, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.
GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.
The scale of the attack has few parallels, but a massive DDoS that struck the internet infrastructure company Dyn in late 2016 comes close. That barrage peaked at 1.2 Tbps and caused connectivity issues across the US as Dyn fought to get the situation under control.
“We modeled our capacity based on five times the biggest attack that the internet has ever seen,”
Akamai defended against the attack in a number of ways. In addition to Prolexic’s general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren’t meant to be exposed on the public internet; anyone can query them, and they’ll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.
memcached DDoS attacks don’t require a malware-driven botnet. Attackers simply spoof the IP address of their victim, send small queries to multiple memcached servers—about 10 per second per server—that are designed to elicit a much larger response. The memcached systems then return 50 times the data of the requests back to the victim.
Most of the memcached DDoS attacks CenturyLink has seen top out at about 40 to 50 gigabits per second, but the industry had been increasingly noticing bigger attacks up to 500 gbps and beyond.
The web monitoring and network intelligence firm ThousandEyes observed the GitHub attack on Wednesday. “This was a successful mitigation. Everything transpired in 15 to 20 minutes,” says Alex Henthorne-Iwane, vice president of product marketing at ThousandEyes. “If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus, which usually means there’s a human involved looking and kind of scratching their head. When it all happens within 20 minutes you know that this is driven primarily by software. It’s nice to see a picture of success.”
Tomi Engdahl says:
BuzzFeed:
Many news reports blaming Russian Twitter bots, some of which are not Russian and others not bots, are based on a single source and are likely overblown
Stop Blaming Russian Bots For Everything
https://www.buzzfeed.com/miriamelder/stop-blaming-russian-bots-for-everything?utm_term=.fhdJVWQoB#.kiPXg0Lod
“I’m not convinced on this bot thing,” said one of the men behind the Russian bot thing.
By now you know the drill: massive news event happens, journalists scramble to figure out what’s going on, and within a couple hours the culprit is found — Russian bots.
Russian bots were blamed for driving attention to the Nunes memo, a Republican-authored document on the Trump-Russia probe. They were blamed for pushing for Roy Moore to win in Alabama’s special election. And here they are wading into the gun debate following the Parkland shooting. “[T]he messages from these automated accounts, or bots, were designed to widen the divide and make compromise even more difficult,” wrote the New York Times in a story following the shooting, citing little more than “Twitter accounts suspected of having links to Russia.”
This is, not to mince words, total bullshit.
The thing is, nearly every time you see a story blaming Russian bots for something, you can be pretty sure that the story can be traced back to a single source: the Hamilton 68 dashboard, founded by a group of respected researchers, including Clint Watts and JM Berger, and currently run under the auspices of the German Marshall Fund.
But even some of the people who popularized that metric now acknowledge it’s become totally overblown.
So that’s strike one: In what other world would we rely on a single source tool of anonymous provenance?
And then there’s strike two. Let’s say, despite that, you still really want to put your faith in those conclusions about Russian influence. Why would you do that?
And here we get to strike three. One of the hardest things to do — either with the accounts “linked to Russian influence efforts online,” whatever that means, or with the Internet Research Agency trolls who spent many months boosting Donald Trump and denigrating Hillary Clinton — is to measure how effective they really were. Did Russian troll efforts influence any votes? How do we even qualify or quantify that? Did tweets from “influencers” actually affect the gun debate in the United States, already so toxic and partisan before “bot” was a household word?
Even Watts thinks the “blame the bots” shtick has gotten out of control.
“When Julian Assange says something, Russian influence networks always repeat it,” Watts said.
Further complicating the Russian bot narrative? The notion that plenty of automated social media influence campaigns are orchestrated right here in the United States. As BuzzFeed News has reported, MicroChip, “a notorious pro-Trump Twitter ringleader,” has and continues to orchestrate automated networks of Twitter accounts to help push trending topics and advance pro-Trump narratives
One of the most disorienting parts of today’s geopolitical information warfare is that all sides feel and act as if they’re winning, and it’s not hard to know who or what has the most influence.
The Great Bot Panic, for instance, poses a series of contradictions. It is true that bots are a serious problem. It is also true that the bot problem is exaggerated. It is true that Russian bots are a conspiracy theory that provides a tidy explanation for complicated developments. It is also true that Russian influence efforts may be happening before our eyes without us really knowing the full scope in the moment.
Tomi Engdahl says:
Alex Hern / The Guardian:
Facebook says it found no additional evidence of Russia-linked ads during Brexit campaign in 2016 after launching standalone investigation in January 2018
Facebook finds no substantial evidence of Russian meddling in EU referendum
https://www.theguardian.com/technology/2018/mar/01/facebook-evidence-russian-meddling-eu-referendum
Investigation uncovers no coordinated Russian-linked activity in addition to the 71p of ad spend reported in December
Tomi Engdahl says:
New computers could delete thoughts without your knowledge, experts warn
http://www.independent.co.uk/news/science/delete-thoughts-read-your-mind-without-your-knowledge-neurotechnology-new-human-rights-laws-a7701661.html
New human rights laws are required to protect sensitive information in a person’s mind from ‘unauthorised collection, storage, use or even deletion’
Tomi Engdahl says:
Remotely Exploitable Flaws Patched in DHCP
https://www.securityweek.com/remotely-exploitable-flaws-patched-dhcp
Updates released by the Internet Systems Consortium (ISC) for the Dynamic Host Configuration Protocol (DHCP) software patch two remotely exploitable vulnerabilities discovered by a researcher at Google.
Felix Wilhelm of the Google Security Team found that the DHCP Client (dhclient), which provides a means for configuring network interfaces, is affected by a buffer overflow vulnerability that allows a malicious server to cause the client to crash.
In some cases, exploitation of the flaw could also lead to remote code execution, ISC said in an advisory. The security hole is tracked as CVE-2018-5732 and rated high severity.
“Where they are present, operating system mitigation strategies such as address space layout randomization (ASLR) should make it difficult to leverage this vulnerability to achieve remote code execution but we can not rule it out as impossible. The safest course is to patch dhclient so that the buffer overflow cannot occur,” ISC said.
The second vulnerability, CVE-2018-5733, is a medium severity issue that can be exploited to exhaust the memory available to the DHCP daemon (dhcpd), resulting in a denial-of-service (DoS) condition to clients.
Tomi Engdahl says:
New Malware Used in Attacks Aimed at Inter-Korean Affairs
https://www.securityweek.com/new-malware-used-attacks-aimed-inter-korean-affairs
A threat actor apparently interested in inter-Korean affairs continues to launch highly targeted attacks using new pieces of malware and decoy documents referencing North Korean political topics.
The cyber espionage group, which experts believe is sponsored by a nation state, has been active for several years, but it managed to stay under the radar until last year, when researchers analyzed two of its main tools, namely SYSCON and KONNI. These pieces of malware had been leveraged in attacks aimed at organizations linked to North Korea.
Tomi Engdahl says:
Cyberattack ‘Ongoing’ Against German Government Network
https://www.securityweek.com/cyberattack-ongoing-against-german-government-network
The German government’s IT network is under an “ongoing” cyberattack, the parliamentary committee on intelligence affairs said Thursday, without confirming a media report that Russian hackers were behind the assault.
“It is a real cyberattack on parts of the government system. It’s an ongoing process, an ongoing attack,” said Armin Schuster, chairman of the committee, adding that no further details could be given to avoid passing crucial information on to the attackers.
Interior Minister Thomas de Maiziere said the hacking was “a technically sophisticated attack that had been planned for some time”, adding that it had been brought under control.
– Russian hackers –
Top security officials had repeatedly warned during Germany’s 2017 general election campaign that Russian hackers may seek to influence or disrupt the polls.
While authorities did not have concrete proof, they have blamed the malware attack that crippled the Bundestag parliamentary network in 2015 for days on the APT28, also known as “Fancy Bear” or “Sofacy”.
The attack netted 17 gigabytes of data which, officials feared, could be used to blackmail MPs or discredit them.
Tomi Engdahl says:
Russia-linked Hackers Directly Targeting Diplomats: Report
https://www.securityweek.com/russia-linked-hackers-directly-targeting-diplomats-report
The Russia-linked cyber espionage group Sofacy has been targeting foreign affairs agencies and ministries worldwide in a recently discovered campaign, Palo Alto Networks warns.
The hacking group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Strontium, has been highly active recently, and new evidence shows activity directly targeting diplomats in North America and Europe, including those at a European embassy in Moscow.
Tomi Engdahl says:
The world’s largest DDoS attack took GitHub offline for less than ten minutes
https://techcrunch.com/2018/03/02/the-worlds-largest-ddos-attack-took-github-offline-for-less-than-tens-minutes/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
In a growing sign of the increased sophistication of both cyber attacks and defenses, GitHub has revealed that it weathered the largest-known DDoS attack in history this week.
GitHub is a common target — the Chinese government is widely-suspected to be behind a five-day-long attack in 2015 over its hosting of software to bypass its internet censorship system — and this newest assault tipped the scales at an incredible 1.35Tbps at peak.
In a blog post retelling the incident, GitHub said the attackers hijacked something called ‘memcaching’ — a distributed memory system known for high-performance and demand — to massively amplify the traffic volumes they were firing at GitHub.
February 28th DDoS Incident Report
https://githubengineering.com/ddos-incident-report/
Tomi Engdahl says:
European internet filter will destroy your freedom of expression: Stop it now!
https://edri.org/european-internet-filter-will-destroy-freedom-expression-stop-it-now/
Policy-makers are working on the largest internet filter we’ve ever seen. An algorithm will decide which of your uploads will be seen by the rest of the world and which won’t. This is how the internet filter will rob you of your freedom of expression.
Filters don’t work
First of all: filters are really bad at recognising content. There are tons of examples
You can’t fight copyright violations with filters
The internet filter has been proposed in order to tackle copyright violations. But copyright is too complex for this wrecking ball-style solution. For instance: sometimes it’s perfectly legal to use copyrighted material in a citation or a work of parody, and sometimes it isn’t.
What can you do?
The following weeks are crucial. Tweet or e-mail your representatives that are part of the European Parliament’s Committee on Legal Affairs (JURI). On 26-27 March they will be deciding on the upload filter. Use the hashtag #CensorshipMachine or #filterfail
Tomi Engdahl says:
China’s web censors go into overdrive as President Xi Jinping consolidates power
https://techcrunch.com/2018/02/26/china-web-censors-go-into-overdrive/?utm_source=tcfbpage&sr_share=facebook
A week that begins with the repeal of regulation that prevents dictatorship in China is likely to be a busy one for the country’s censorship people, and so it has proven to be.
Tomi Engdahl says:
UK and Australian governments now use Have I Been Pwned
https://techcrunch.com/2018/03/02/uk-and-australian-governments-now-use-have-i-been-pwned/?utm_source=tcfbpage&sr_share=facebook
Posted 7 hours ago by Romain Dillet (@romaindillet)
Troy Hunt is turning Have I Been Pwned into an essential pwning monitoring service. The service monitors security breaches and password leaks so that you and your users remain secure. And now, the U.K. and Australian governments are monitoring their own domain names using the service.
Most people are familiar with the consumer-facing version of Have I Been Pwned. You go on Have I Been Pwned’s website and enter your email address. It shows you a list of services that you use and that have been hacked.
That’s why you should be using a different password on each online service. This way, if your password leaks, nobody can connect to another service. Everything is sandboxed; you can just change the password on the hacked service.
And because nothing is secure anymore, you should activate two-factor authentication wherever you can. A password simply doesn’t cut it anymore.
Anyone can monitor a domain name by proving that they actually own the domain name (otherwise it would be a potential security breach). Hunt is now working with governments to make it easier to monitor all government domain names for free.
Tomi Engdahl says:
Nathan Vanderklippe / Globe and Mail:
Human Rights Watch: China’s Xinjiang region uses big data on everyday habits and AI for predictive policing to send people to political re-education camps
China using big data to detain people before crime is committed: report
https://www.theglobeandmail.com/news/world/china-using-big-data-to-detain-people-in-re-education-before-crime-committed-report/article38126551/
Barely seven months ago, a senior Chinese official promised that artificial intelligence could one day help authorities spot crime before it happens.
In the country’s far western Xinjiang region, it’s already happening, with the establishment of a system that critics call “Orwellian” in scope and ambition, and which is being used to place people in political re-education.
Called the Integrated Joint Operations Platform, or IJOP, it assembles and parses data from facial-recognition cameras, WiFi internet sniffers, licence-plate cameras, police checkpoints, banking records and police reports made on mobile apps from home visits, a new report from Human Rights Watch finds.
If the system flags anything suspicious – a large purchase of fertilizer, perhaps, or stockpiles of food considered a marker of terrorism – it notifies police, who are expected to respond the same day and act according to what they find. “Who ought to be taken, should be taken,” says a work report located by the rights organization.
Another official report shows how reports generated by IJOP are used to send people to an “Occupational Skills and Education Training Centre” where political re-education is carried out.
Elements of the policing system in Xinjiang are being set in place elsewhere in China, too, including the collection of data and integration of systems. But Xinjiang appears to be unique in the use of artificial intelligence to detain people in political re-education.
At the Winter Olympics in South Korea, for example, Alibaba built a large pavilion to describe its capabilities and offer its services to the outside world. Its “ET City Brain,” for example, can be used to improve timing of traffic lights and employ artificial intelligence to quickly route emergency services to an accident.
But Alibaba also boasts about the system’s value in “social governance and public security,”
Tomi Engdahl says:
Paul Mozur / New York Times:
China is prosecuting a citizen who shared a critical message on WhatsApp; message was likely obtained by hacking a phone or via spy in a WhatsApp group
China Presses Its Internet Censorship Efforts Across the Globe
https://www.nytimes.com/2018/03/02/technology/china-technology-censorship-borders-expansion.html
Within its digital borders, China has long censored what its people read and say online. Now, it is increasingly going beyond its own online realms to police what people and companies are saying about it all over the world.
For years, China has exerted digital control with a system of internet filters known as the Great Firewall, which allows authorities to limit what people see online. To broaden its censorship efforts, Beijing is venturing outside the Great Firewall and paying more attention to what its citizens are saying on non-Chinese apps and services.
As part of that shift, Beijing has at times pressured foreign companies like Google and Facebook, which are both blocked in China, to take down certain content. At other times, it has bypassed foreign companies entirely and instead directly pushed users of global social media to encourage self-censorship.
This effort is accelerating as President Xi Jinping consolidates his power.
Tomi Engdahl says:
Book 1984 was not supposed to be an instruction manual!
Orwell was an optimist?
Beijing bets on facial recognition in a big drive for total surveillance
https://www.washingtonpost.com/news/world/wp/2018/01/07/feature/in-china-facial-recognition-is-sharp-end-of-a-drive-for-total-surveillance/?utm_term=.af58ed65a619
“And my 5-year-old daughter can just look up at the camera and get in. It’s good for kids because they often lose their keys.”
But for the police, the cameras that replaced the residents’ old entry cards serve quite a different purpose.
Now they can see who’s coming and going, and by combining artificial intelligence with a huge national bank of photos, the system in this pilot project should enable police to identify what one police report, shared with The Washington Post, called the “bad guys” who once might have slipped by.
Facial recognition is the new hot tech topic in China. Banks, airports, hotels and even public toilets are all trying to verify people’s identities by analyzing their faces. But the police and security state have been the most enthusiastic about embracing this new technology.
Big brother is watching you! China installs ‘the world’s most advanced video surveillance system’ with over 20 million AI-equipped street cameras
http://www.dailymail.co.uk/news/article-4918342/China-installs-20-million-AI-equipped-street-cameras.html
About 20 million CCTV cameras have been installed with AI technology in China
Such technology can be used to identify a person’s age, gender and clothes
Police can track down criminals using facial recognition and their database
Tomi Engdahl says:
German police test facial recognition cameras at Berlin station
https://www.reuters.com/article/us-germany-security/german-police-test-facial-recognition-cameras-at-berlin-station-idUSKBN1AH4VR
German police deployed the first facial recognition cameras at a main railway station in Berlin on Tuesday, testing new technology that could help track and arrest crime and terrorism suspects.
Germany’s new facial recognition technology reminiscent of Cold War surveillance for some
Officials are looking for ways to improve security in the wake of recent terror attacks and threats
http://www.cbc.ca/news/world/stasi-museum-germany-surveillance-1.4364771
Tomi Engdahl says:
Zack Whittaker / ZDNet:
Researchers describe 10 possible attacks on LTE networks that allow eavesdropping on texts and calls, taking devices offline, and spoofing of emergency alerts
New LTE attacks can snoop on messages, track locations and spoof emergency alerts
http://www.zdnet.com/article/new-lte-attacks-eavesdrop-on-messages-track-locations-spoof-alerts/?ftag=COS-05-10aaa0g&utm_campaign=trueAnthem:+Trending+Content
A slew of newly discovered vulnerabilities can wreak havoc on 4G LTE network users by eavesdropping on phone calls and text messages, knocking devices offline, and even spoofing emergency alerts.
Ten attacks detailed in a new paper by researchers at Purdue University and the University of Iowa expose weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to the network and maintaining a connection to receive calls and messages.
Those flaws can allow authentication relay attacks that can allow an adversary to connect to a 4G LTE network by impersonating an existing user — such as a phone number.
Although authentication relay attacks aren’t new, this latest research shows that they can be used to intercept messages, track a user’s location, and stop a phone from connecting to the network.
https://www.documentcloud.org/documents/4392401-4G-LTE-attacks-paper.html
One of the ten attacks can create “artificial chaos” by sending fake emergency alerts to a large number of devices.
Tomi Engdahl says:
23,000 HTTPS Certs Axed After CEO Emails Private Keys
https://it.slashdot.org/story/18/03/04/0547232/23000-https-certs-axed-after-ceo-emails-private-keys
A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates. The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec…
In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns. When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security…
23,000 HTTPS certificates axed after CEO emails private keys
Flap that goes public renews troubling questions about issuance of certificates.
https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/
A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates.
The email was sent on Tuesday by the CEO of Trustico
In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns.
When Rowley asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates
Generally speaking, private keys for TLS certificates should never be archived by resellers, and, even in the rare cases where such storage is permissible, they should be tightly safeguarded. A CEO being able to attach the keys for 23,000 certificates to an email raises troubling concerns that those types of best practices weren’t followed. (There’s no indication the email was encrypted, either
In a statement, Trustico officials said the keys were recovered from “cold storage,” a term that typically refers to offline storage systems.
The discussion also raises new questions about Symantec’s adherence to industry-binding rules
“During our many discussions over the past week we put it to you that we believe Symantec to have operated our account in a manner whereby it had been compromised,” the Trustico officials wrote. They continued: “We believe the orders placed via our Symantec account were at risk and were poorly managed. We have been questioning Symantec without response as to concerning items for about a year. Symantec simply ignored our concerns and appeared to bury them under the next issue that arose.”
Unfortunately, the way the Internet’s TLS certificate issuance process works, a single point of failure is all it takes to create compromises that endanger the entire system. Readers can expect Google and Mozilla to spend considerable time and resources in the coming weeks unraveling the breakdown that came to light Wednesday.
Update: Several hours after this post went live, Trustico’s website went offline after a Web security expert posted a critical vulnerability on Twitter.
Tomi Engdahl says:
EU Warns Tech Giants To Remove Terror Content in 1 Hour — or Else
https://tech.slashdot.org/story/18/03/01/1825224/eu-warns-tech-giants-to-remove-terror-content-in-1-hour---or-else
The European Union issued internet giants an ultimatum to remove illegal online terrorist content within an hour, or risk facing new EU-wide laws.
The European Commission on Thursday issued a set of recommendations for companies and EU nations that apply to all forms of illegal internet material, “from terrorist content, incitement to hatred and violence, child sexual abuse material, counterfeit products and copyright infringement. Considering that terrorist content is most harmful in the first hours of its appearance online, all companies should remove such content within one hour from its referral as a general rule.” The commission last year called upon social media companies, including Facebook, Twitter and Google owner Alphabet, to develop a common set of tools to detect, block and remove terrorist propaganda and hate speech. Thursday’s recommendations aim to “further step up” the work already done by governments and push firms to “redouble their efforts to take illegal content off the web more quickly and efficiently.”
EU Warns Tech Giants to Remove Terror Content in 1 Hour—or Else
https://www.bloomberg.com/news/articles/2018-03-01/remove-terror-content-in-1-hour-or-else-eu-warns-tech-giants
EU lays out rules for firms to fight online illegal material
Facebook, Google among tech firms under pressure to react
The European Union issued internet giants an ultimatum to remove illegal online terrorist content within an hour, or risk facing new EU-wide laws.
The European Commission on Thursday issued a set of recommendations for companies and EU nations that apply to all forms of illegal internet material, “from terrorist content, incitement to hatred and violence, child sexual abuse material, counterfeit products and copyright infringement.”
Too Short
One hour to take down terrorist content is too short, the Computer & Communications Industry Association, which speaks for companies like Google and Facebook, said in a statement that criticized the EU’s plans as harming the bloc’s technology economy.
“Such a tight time limit does not take due account of all actual constraints linked to content removal and will strongly incentivize hosting services providers to simply take down all reported content,” the group said in a statement.
The EU stressed that its recommendations send a clear signal to internet companies that the voluntary approach remains the watchdog’s favorite approach for now and that the firms “have a key role to play.”
Tomi Engdahl says:
Rise of the ‘Hivenet’: Botnets That Think for Themselves
https://registrations.darkreading.com/DR0305_Vulnerabilities?_mc=DRWP18_0305&cid=DRWP18_0305&elq_mid=83547&elq_cid=14916437&accessToken=
These intelligent botnet clusters swarm compromised devices to identify and assault different attack vectors all at once.
Tomi Engdahl says:
Secure memcached server to avoid DDoS amplification attacks
https://www.cyberciti.biz/faq/secure-memcached-server-avoid-ddos-amplification/
Memcached is a free and open source distributed memory object caching system. One can use it for speeding up dynamic web applications by mitigating database load. The Memcached server is an in-memory key-value store. This page shows how to secure memcached running on a Linux or Unix-like systems.
Memcached and DDoS attack
By default the memcached server uses TCP/UDP port number 11211. DDoS (Distributed Denial of Service) amplification attacks are performed by exploiting Memcached servers exposed on public Internet IPv4/IPv6 addresses. There has been a significant increase in the amplification attack vector using the Memcached protocol, coming from UDP port 11211.
1. Configure a firewall
2. Disable UDP
3. Force memcached to listen on private LAN/VLAN IP address
Make sure that your Memcached server is firewalled and its TCP/UDP ports are closed from the public Internet. Only allow your web server/app to access the Memcached server.
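Added here as a worked example (not code from the cyberciti page): a small Python audit that checks a memcached.conf against steps 2 and 3 above and emits the iptables rules for step 1. The two sample configs, the 10.0.0.x addresses and the choice of options tracked are constructed assumptions.

```python
# Added example, not the cyberciti page's own code: audit a memcached
# configuration for the three hardening steps (firewall, no UDP, private bind).
import ipaddress
import shlex

DEFAULT_PORT = 11211

# Constructed sample: the exposed default that amplification attacks abuse.
WEAK_CONF = """
-m 64
-p 11211
-U 11211          # UDP listener on the public port
-l 0.0.0.0        # every interface, including the public one
"""

# Constructed sample after applying steps 2 and 3 (10.0.0.10 is an assumed LAN address).
HARDENED_CONF = """
-m 64
-p 11211
-U 0                     # disable UDP entirely
-l 127.0.0.1,10.0.0.10   # loopback plus the private LAN address only
"""


def _strip_port(addr):
    """memcached accepts -l addr:port and -l [v6addr]:port; return just the address."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:          # IPv4 with a port suffix
        return addr.split(":", 1)[0]
    return addr                       # bare IPv4, or bare IPv6


def parse_memcached_options(conf_text):
    """Parse memcached.conf lines (one option per line, '#' comments) or a
    single command line; only the exposure-relevant options are tracked."""
    opts = {"tcp_port": DEFAULT_PORT, "udp_port": None, "listen": []}
    tokens = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line:
            tokens.extend(shlex.split(line))
    i = 0
    while i < len(tokens):
        flag, val = tokens[i][:2], tokens[i][2:]
        if flag in ("-p", "-U", "-l"):
            if not val:                        # value is the next token
                if i + 1 >= len(tokens):
                    break                      # dangling flag, nothing to read
                i += 1
                val = tokens[i]
            if flag == "-p":
                opts["tcp_port"] = int(val)
            elif flag == "-U":
                opts["udp_port"] = int(val)
            else:
                opts["listen"].extend(_strip_port(a.strip()) for a in val.split(","))
        i += 1
    return opts


def audit_memcached(conf_text):
    """Return a list of finding codes; an empty list means steps 2 and 3 hold."""
    opts = parse_memcached_options(conf_text)
    findings = []
    if opts["udp_port"] is None:
        # memcached releases before 1.5.6 enabled UDP by default, so an
        # unconfigured -U is not the same as UDP being off.
        findings.append("UDP_NOT_EXPLICITLY_DISABLED")
    elif opts["udp_port"] != 0:
        findings.append("UDP_ENABLED:%d" % opts["udp_port"])
    if not opts["listen"]:                     # no -l means all interfaces
        findings.append("BIND_ALL_INTERFACES")
    for addr in opts["listen"]:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append("BIND_UNRESOLVED:" + addr)   # hostname; verify by hand
            continue
        if ip.is_unspecified:                  # 0.0.0.0 or ::
            findings.append("BIND_ALL_INTERFACES")
        elif not (ip.is_loopback or ip.is_private):
            findings.append("BIND_PUBLIC:" + addr)
    return findings


def iptables_rules(allowed_sources, port=DEFAULT_PORT):
    """Step 1: allow TCP to memcached only from the listed web/app servers,
    drop everything else on the port (UDP included). Returns command strings."""
    rules = ["iptables -A INPUT -p tcp --dport %d -s %s -j ACCEPT" % (port, src)
             for src in allowed_sources]
    rules.append("iptables -A INPUT -p tcp --dport %d -j DROP" % port)
    rules.append("iptables -A INPUT -p udp --dport %d -j DROP" % port)
    return rules


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_memcached(conf) or "OK")
    print("\n".join(iptables_rules(["10.0.0.20"])))   # 10.0.0.20: assumed web server
```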
Tomi Engdahl says:
NEW DATA PROTECTION LAWS PROVIDE OPPORTUNITY TO INNOVATE AND SEIZE COMPETITIVE ADVANTAGE
https://expectexceptional.economist.com/privacy-personal-data-protection-gdpr-world.html
As defined by the GDPR: Personal data is any data that allows an individual to be identified, including names, address, birthdate or identification number as well as IP address, location data or any type of pseudonymous data. This broadens the definition of personal data given in previous EU directives.
Under the GDPR, companies will be required to prove that they know where consumer data is across all their systems and all their businesses. Companies will be required to demonstrate who can access this data as well as when and how they are allowed to do so. GDPR will also require that organisations notify individuals and authorities of data breaches within 72 hours and address all resulting issues.
Personal data can be hidden in a wide range of places, including:
Customer data in hard-to-search free-text fields
Network files where employees have saved Excel files
Backup drives
Unstructured data, including website log-in information and social media data
THE IMPLEMENTATION OF GDPR WILL REQUIRE ORGANISATIONS TO RETHINK HOW THEY MANAGE PERSONAL DATA FROM THE POINT OF ORIGIN TO THE POINT OF CONSUMPTION—AND WHAT FRAMEWORKS WILL BE NEEDED TO COMPLY.
GDPR is not a matter of fix it and forget it. The new regulations mandate organisation-wide personal data awareness from data protection officers down to database administrators. GDPR will require ongoing governance
Tomi Engdahl says:
Mix / The Next Web:
Encrypted messaging services Signal and Telegram experienced worldwide outages for several hours — You might want to move your private chats to WhatsApp or Telegram for the time being: it appears popular encrypted messenger Signal is currently down globally, according to numerous reports from users.
Signal and Telegram are down for many users [Update: they’re coming back]
https://thenextweb.com/apps/2018/03/05/signal-messenger-many-users-globally/
You might want to move your private chats to WhatsApp or Telegram for the time being: it appears popular encrypted messenger Signal is currently down globally, according to numerous reports from users.
The company behind the private messaging platform, Open Whisper Systems, has yet to inform its users what is causing the server downtime.
Update: A spokesperson for Open Whisper Systems and Signal has since confirmed the issue to TNW, adding that their engineers are already working on a solution.
Update 2: It seems that encrypted messenger rival Telegram is also experiencing some server issues
Update 3: Both Signal and Telegram appear to be resuming functionality.
Tomi Engdahl says:
DDoS Attack Against Dyn Managed DNS
https://www.dynstatus.com/incidents/nlr4yrr162t8
Tomi Engdahl says:
It’s begun: ‘First’ IPv6 denial-of-service attack puts IT bods on notice
Internet engineers warn this is only the beginning
https://www.theregister.co.uk/2018/03/03/ipv6_ddos/
What’s claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption.
Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar’s SiteProtect DDoS protection service when he realized there were “packets coming from IPv6 addresses to an IPv6 host.”
The attack wasn’t huge – unlike this week’s record-breaking 1.35Tbps attack on GitHub – and it wasn’t using a method that is exclusive to IPv6, but it was sufficiently unusual and worrying to flag to the rest of his team.
Computers behind 1,900 IPv6 addresses were attacking the DNS server as part of a larger army of commandeered systems, mostly using IPv4 addresses on the public internet. Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks – and fast.
“The risk is that if you don’t have IPv6 as part of your threat model, you could get blindsided,”
Tomi Engdahl says:
MoviePass CEO proudly says the app tracks your location before and after movies
https://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/?utm_source=tcfbpage&sr_share=facebook
Everyone knew the MoviePass deal is too good to be true — and as is so often the case these days, it turns out you’re not the customer, you’re the product. And in this case they’re not even attempting to camouflage that. Mitch Lowe, the company’s CEO, told an audience at a Hollywood event that “we know all about you.”
“We get an enormous amount of information,” Lowe continued. “We watch how you drive from home to the movies. We watch where you go afterwards.”
It’s no secret that MoviePass is planning on making hay out of the data collected through its service.
Tomi Engdahl says:
LTE security flaws could be used for spying, spreading chaos
https://arstechnica.com/information-technology/2018/03/even-more-bugs-in-lte-networks-allow-eavesdropping-fake-emergency-messages/
A flight of new research papers show 4G LTE networks can be exploited for all sorts of badness
As ZDNet’s Zack Whittaker reports, researchers at Purdue University and the University of Iowa conducting tests of 4G LTE networks have uncovered 10 new types of attacks. They made this discovery as part of their evaluation of a proof-of-concept 4G LTE penetration testing toolset, called LTEInspector.
Usable against many carrier networks, the collection of exploits could be used to track device owners, eavesdrop on texts and other sensitive data, and even pose as them on cellular networks and spoof location and other data. An attacker could even spoof warning messages like those used by government agencies and weather services—such as the false missile warning sent out by a Hawaii government employee.
The security of 4G LTE networks is largely based on obscurity—many of the implementations are proprietary “black boxes,” as the Purdue and Iowa researchers put it, which makes performing true security evaluations difficult. And because of the large range of sub-components that must be configured, along with the need to be able to handle devices configured primarily for another carrier, there is a lot of slush in LTE implementations and not a lot of transparency about network security. Recent IEEE-published research found that implementations of the “control plane” for various LTE networks varied widely—problems found on one network didn’t occur on others.
And that variation is true of security as well. In one case, the Purdue and Iowa researchers found that a carrier didn’t encrypt “control plane” messages at all, meaning an attacker could even eavesdrop on SMS messages and other sensitive data. That flaw has since been fixed by the carrier.
Tomi Engdahl says:
GITHUB SURVIVED THE BIGGEST DDOS ATTACK EVER RECORDED
https://www.wired.com/story/github-ddos-memcached/
On Wednesday, at about 12:15 pm EST, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method
GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub
“We modeled our capacity based on five times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended.
Akamai defended against the attack in a number of ways. In addition to Prolexic’s general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers.
About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them and send them a special command packet that the server will respond to with a much larger reply.
memcached DDoS attacks don’t require a malware-driven botnet. Attackers simply spoof the IP address of their victim
The infrastructure community has also started attempting to address the underlying problem, by asking the owners of exposed memcached servers to take them off the internet, keeping them safely behind firewalls on internal networks.
Blocking memcached traffic if they detect a suspicious amount of it
“We are going to filter that actual command out so no one can even launch the attack,”
“We’ve seen about 300 individual scanners that are searching for memcached boxes, so there are at least 300 bad guys looking for exposed servers,”
Wednesday’s onslaught wasn’t the first time a major DDoS attack targeted GitHub.
“This was a successful mitigation. Everything transpired in 15 to 20 minutes,”
“If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus, which usually means there’s a human involved looking and kind of scratching their head. When it all happens within 20 minutes you know that this is driven primarily by software. It’s nice to see a picture of success.”
“The duration of this attack was fairly short,” he says. “I think it didn’t have any impact so they just said that’s not worth our time anymore.”
It seems likely that attackers will give a DDoS of this scale another shot.
Tomi Engdahl says:
Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft
https://www.securityweek.com/windows-defender-atp-detects-spyware-used-law-enforcement-microsoft
Windows Defender Advanced Threat Protection (Windows Defender ATP) is capable of detecting behavior associated with the sophisticated FinFisher spyware, Microsoft says, after performing an in-depth analysis of the malware’s infection process.
FinFisher is a lawful interception solution built by Germany-based FinFisher GmbH, which sells it exclusively to governments. Also referred to as FinSpy, the malware has been around for over half a decade and has been associated with various surveillance campaigns.
In September last year, after the malware was observed exploiting a .NET Framework zero-day (CVE-2017-8759) for infection, ESET warned that Internet service providers (ISPs) might be involved in FinFisher’s distribution process.
Tomi Engdahl says:
Largest Ever 1.3Tbps DDoS Attack Includes Embedded Ransom Demands
https://www.securityweek.com/largest-ever-13tbps-ddos-attack-includes-embedded-ransom-demands
[UPDATED - New record set at 1.7Tbps] On Tuesday, February 27, three major DDoS mitigation service providers (Akamai, Cloudflare and Arbor) warned that they had seen spikes in a relatively rare form of reflection/amplification DDoS attack via Memcached servers. Each service provider warned that this type of reflection attack had the potential to deliver far larger attacks.
One day later, Wednesday, February 28, GitHub was hit by the largest DDoS attack that had ever been disclosed — more than twice the size of the Mirai attack of 2016, peaking at 1.3Tbps. And still the potential, in the short term at least, is for even larger attacks.
Memcached servers are particularly vulnerable to such a use whenever they are left accessible from the public internet. In theory, this should never — or at least very rarely — happen; in practice there are various estimates of between 50,000 and more than 100,000 vulnerable servers. Because the service was designed for use internally within data centers, it has no inbuilt security and can be easily compromised by attackers.
Researchers suggest, in theory, the reply could be up to 51,000 times the size of the request. This is the amplification side of the attack — the ability to amplify a 203-byte request into a 100-megabyte response.
The extortion note, which occurs in a line of Python code delivered by the compromised Memcached servers, demands payment of 50 XMR (the symbol for the Monero cryptocurrency). This would have been approximately $15,000.
There is no way of knowing whether any of the recent Memcached DDoS victims have paid a Monero ransom.
Memcached attacks are not entirely new, but have been relatively rare before the last ten days.
UPDATE – New record set at 1.7Tbps – As predicted, the Memcached DDoS methodology has already created a new world record. Netscout Arbor has today confirmed a 1.7Tbps DDoS attack against the customer of a U.S.-based service provider. This attack was recorded by Netscout Arbor’s ATLAS global traffic and threat data system, and is more than 2x the largest Netscout Arbor had previously seen. No further details are yet available.
Tomi Engdahl says:
Security Implications of the End of Net Neutrality
https://www.securityweek.com/security-implications-end-net-neutrality
Internet Traffic Modifications by ISPs After the Decision to End Net Neutrality Create a Huge Potential Attack Surface
A huge amount of ink has been spilled over the FCC decision to roll back Net Neutrality rules.
Many articles analyze which businesses will benefit and which will be harmed by the change, while others look at it from a political perspective. It is critical that we also understand the security implications of changes Internet Service Providers (ISPs) are likely to make under this deregulation.
As a general principle, Net Neutrality holds that the internet should be a passive conduit for data between any endpoints. It should not make any difference to a carrier who is initiating the connection and what service they are using.
The FCC decision ending net neutrality re-categorizes ISPs from being telecommunication systems governed by title II, to being information services under title I. As telecommunication systems, ISPs were prohibited from blocking, throttling, or providing paid prioritization. As telecommunication services which create, modify, store, or make information available, none of these restrictions apply. As important as the regulatory change is the signal this sends to the ISPs. The administration is clearly articulating a much more hands-off policy towards ISPs. This signaling is likely to embolden them to
Tomi Engdahl says:
Android’s March 2018 Patches Fix Critical, High Risk Flaws
https://www.securityweek.com/androids-march-2018-patches-fix-critical-high-risk-flaws
Google has released its March 2018 set of security updates for Android to address numerous Critical and High severity vulnerabilities in the popular mobile operating system.
The majority of the Critical vulnerabilities addressed this month could allow an attacker to execute code remotely on affected devices. Impacted components include the media framework, system, kernel, Nvidia, and Qualcomm components.
A total of 16 vulnerabilities were addressed as part of the 2018-03-01 security patch level: 8 rated Critical severity and 8 considered High risk. The most severe of these vulnerabilities could allow a remote attacker using a specially crafted file to run arbitrary code with high privileges.
Tomi Engdahl says:
Kaspersky Lab Offers $100,000 for Critical Vulnerabilities
https://www.securityweek.com/kaspersky-lab-offers-100000-critical-vulnerabilities
Just days before its annual Security Analyst Summit kicks off in Cancun, Mexico, Kaspersky Lab this week announced an extension to its bug bounty program and plans to pay rewards of up to $100,000 for severe vulnerabilities in some of its products.
Launched in August 2016, the HackerOne-powered bug bounty program initially promised a total of $50,000 in bounties and resulted in the discovery of more than 20 flaws in the first six months. To date, the program allowed Kaspersky to address more than 70 bugs in its products and services.
In April last year, the Moscow-based security firm announced the addition of Kaspersky Password Manager 8 to the bounty program, along with an increase in the maximum reward for remote code execution vulnerabilities from $2,000 to $5,000.
Tomi Engdahl says:
Cisco Adds Vulnerability Identification to Tetration Platform
https://www.securityweek.com/cisco-adds-vulnerability-identification-tetration-platform
Cisco today announced the availability of identification of software vulnerabilities and exposures as part of the security capabilities of its Tetration platform.
Designed to offer workload protection for multi-cloud data centers through a zero-trust model that employs segmentation, the platform can now also detect vulnerabilities associated with software installed on servers.
With support for both on-premises and public cloud workloads, Tetration can now help identify security incidents faster, as well as contain lateral movement, in addition to reducing attack surface, Cisco says.
“Tetration is equipped to identify high severity security events such as Spectre and Meltdown using behavior-based anomalies,” Cisco notes.
Tomi Engdahl says:
Mobile Banking Trojans Targeting Crypto-Currencies
https://www.securityweek.com/mobile-banking-trojans-targeting-crypto-currencies
Mobile malware is now targeting crypto-currencies with the intent of stealing victims’ funds, IBM says.
The immediate result of the massive increase in value that crypto-currencies have registered over the past year was the growth of malicious attacks attempting to steal coins from unsuspecting users. While most of these assaults involved PC malware so far, recent incidents have shown that mobile threats are picking up the pace as well.
Several weeks ago, IBM observed that the TrickBot Trojan was using webinjections to steal virtual coins from its victims by replacing legitimate addresses with those of the attacker. Working in a similar manner, mobile malware is now using screen overlays to trick victims into sending funds to the attacker instead, IBM’s security researchers discovered.
According to IBM, mobile malware targeting crypto-coins usually leverages malicious miners to collect coins, but the practice isn’t that profitable, given the limited processing power a mobile device has. Furthermore, users are more likely to discover a mining operation on a mobile device when observing overheating, low performance and faster battery drain.
“Crooks operating mobile banking Trojans don’t install miners on the device. Rather, they typically steal existing coins from unsuspecting owners using mobile malware that creates the same effect as webinjections: cybercriminals trick users with fake on-screen information, steal their access credentials and take over accounts to empty coins into their own wallets,” IBM notes.
Tomi Engdahl says:
Triada Trojan Pre-Installed on Low Cost Android Smartphones
https://www.securityweek.com/triada-trojan-pre-installed-low-cost-android-smartphones
Security researchers have discovered the sophisticated Triada Trojan in the firmware of more than 40 low-cost Android smartphone models.
Discovered in early 2016 and considered one of the most advanced mobile threats out there, Triada stands out in the crowd because it abuses the Zygote parent process to inject its code in the context of all software on the device. The Trojan uses root privileges to replace system files and resides mainly in the device’s RAM, which makes it difficult to detect.
Tomi Engdahl says:
400K+ Exim MTA affected by overflow vulnerability on Linux/Unix
https://www.cyberciti.biz/security/exim-mta-affected-overflow-vulnerability-on-linux-unix/
There is a buffer overflow in base64d() of Exim MTA that allows an attacker to run code remotely. All versions of Exim MTA are affected by this overflow vulnerability, i.e. CVE-2018-6789.
A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message. An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
Tomi Engdahl says:
FBI chief asks tech industry to build crypto-busting not-a-backdoor
‘You guys can build anything if you put your mind to it’ is the gist of the argument
https://www.theregister.co.uk/2018/03/08/fbi_director/
FBI director Christopher Wray has addressed a cyber-security conference and again called for technologists to innovate their way around strong cryptography.
All the FBI wants, he said, is for “law enforcement’s own lawful need to access data be taken just as seriously.”
Wray told the conference he’s spent the last six months “catching up on all things cyber”, and that as a whole, the agency needs “more cyber and digital literacy in every program throughout the bureau”.
Wray reiterated his complaint regarding FBI’s inability to access the content of nearly 7,800 phones in fiscal 2017, “more than half the devices we attempted to access in that timeframe”, is “a major public safety issue”.
“This problem impacts our investigations across the board—human trafficking, counterterrorism, counterintelligence, gangs, organised crime, child exploitation, and cyber”, Wray said.
Taking public safety seriously means having the private sector “respond to lawfully issued court orders, in a way that is consistent with both the rule of law and strong cybersecurity. We need to have both, and can have both.”
Tomi Engdahl says:
Fresh docs detail 10-year link between Geek Squad informers and Feds
Best Buy red-faced after earlier denials
https://www.theregister.co.uk/2018/03/07/new_docs_detail_the_tenyear_relationship_between_geek_squad_informers_and_feds/
Best Buy and the FBI have had a longstanding and very cosy relationship that incentivised Geek Squad techies to go hunting for porn on customers' PCs, documents obtained under a Freedom of Information Act request have shown.
US tech retailer Best Buy has always denied having a relationship with the Feds, but the documents reveal frequent contact between them, including a 2008 guided tour [PDF] of the company's largest repair facility in Kentucky.
Tomi Engdahl says:
Hardcoded Password Found in Cisco Software
https://it.slashdot.org/story/18/03/08/145209/hardcoded-password-found-in-cisco-software
Cisco released 22 security advisories yesterday, including two alerts for critical fixes, one of them for a hardcoded password that can give attackers full control over a vulnerable system.
https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-software/
The hardcoded password issue affects Cisco’s Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers.
Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.
Tomi Engdahl says:
Your entire ID is worth £820 to crooks on dark web black market
Fullz and their money are soon parted
https://www.theregister.co.uk/2018/03/08/dark_web_market_price_index/
Fraudsters operating on the dark web could buy a person’s entire identity (“fullz” in the cybercrook lingo) for just £820.
Bank account details, Airbnb profiles and even Match.com logins are worth money to bidders that reside on the murkier side of the internet, a study by virtual private network comparison site Top10VPN.com found.
While online bank details are currently worth around £168 to dark web bidders, and Paypal logins a higher price of about £280, passport details fetch as little as £40. Hacked web accounts – such as access to your Match.com profile, Facebook and even Deliveroo – give criminals a backdoor into identity theft for less than a fiver.
Even eBay accounts with their broad scope for fraud fetch just £26 on the dark web. Compromised PayPal accounts are among the most widely traded items.
Tomi Engdahl says:
Memcached DDoS Attack ‘Kill Switch’ Found
https://www.securityweek.com/memcached-ddos-attack-kill-switch-found
Corero Network Security says they have discovered a “kill switch” to counteract the Memcached vulnerability that recently fueled some of the largest distributed denial-of-service (DDoS) attacks in history.
The company says it has disclosed the kill switch to national security agencies and also claims that the issue is more extensive than originally believed: an attacker exploiting it can also steal or modify data from vulnerable Memcached servers.
In late February, however, web protection companies warned that the protocol can be abused for DDoS amplification, after the first attacks using it started to emerge. Within days, record-setting 1.3Tbps and 1.7Tbps DDoS attacks were observed.
Tomi Engdahl says:
Exploiting the User PII Held in Everyone’s Web Browser
https://www.securityweek.com/exploiting-user-pii-held-everyones-web-browser
Browsers are the single most used application today. Everyone uses at least one browser, whether in the office or at home. But not everyone realizes just how much personal data is left hanging around inside their browsers; nor how easy it is for third-parties to extract it.
Benson used a modified version of OpenWPM (a web privacy measurement framework) and Firefox to visit the Alexa Top 1000 websites, navigating to three links on each site to simulate normal user browsing. The purpose here was to look for evidence of device identification and geolocation — and Benson found evidence that 56 websites recorded geolocation details, and 56 websites recorded the user’s IP address.
Tomi Engdahl says:
NSA Used Simple Tools to Detect Other State Actors on Hacked Devices
https://www.securityweek.com/nsa-used-simple-tools-detect-other-state-actors-hacked-devices
An analysis of leaked tools believed to have been developed by the U.S. National Security Agency (NSA) provides a glimpse into the methods used by the organization to detect the presence of other state-sponsored actors on hacked devices, and it could help the cybersecurity community discover previously unknown threats.
Over the past few years, a mysterious hacker group calling itself Shadow Brokers has been leaking tools allegedly created and used by the Equation Group, a threat actor widely believed to be linked to the NSA. The Shadow Brokers have been trying to sell Equation Group tools and exploits, but without much success. They say their main goal has been to make money, but many doubt their claims.
Tomi Engdahl says:
Chrome 65 Patches 45 Vulnerabilities
https://www.securityweek.com/chrome-65-patches-45-vulnerabilities
Tomi Engdahl says:
The Bad Packets Report site reports on web security and the news is alarming. Now, the site says that the code of nearly 50,000 sites contains tricks that make users participate in cryptocurrency mining.
In the Bad Packets Report study, public internet sites were scanned for cryptominers. Nearly 50,000 sites were found carrying Coinhive's JavaScript code or similar malicious code, with Coinhive alone accounting for over 80%.
Source: http://www.etn.fi/index.php/13-news/7676-50-000-saitille-on-ujutettu-kryptolouhija
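Detecting this kind of embed is mostly a matter of looking at which script hosts a page pulls in and which miner constructor it calls. The following is an added example, not the Bad Packets Report scanner: the host list and the `CoinHive.Anonymous` / `CoinHive.User` constructor names are assumptions based on the Coinhive embed pattern as it was commonly documented at the time, and the HTML pages are constructed for the demonstration.

```python
"""Scan HTML for browser cryptominer embeds (Coinhive-style indicators).

Added example for this thread, not Bad Packets Report's own tooling. The
indicator list below is an assumption drawn from the Coinhive embed pattern as
commonly documented in 2018; every HTML sample here is constructed.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Assumed indicator hosts; extend with whatever your own telemetry turns up.
MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com", "authedmine.com")

# <script ... src="..."> tags; the src value is what we attribute to a host.
_SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Inline start call such as  new CoinHive.Anonymous('SITE_KEY', {...});
# the first string argument is the site key that gets paid for the hashing.
_MINER_START = re.compile(r"\bCoinHive\.(?:Anonymous|User)\s*\(\s*[\"']([^\"']+)[\"']")


def _host_matches(url: str) -> bool:
    """True when the script URL's host is, or is a subdomain of, a known miner host."""
    # urlsplit only yields a hostname when the URL has a '//' authority part;
    # relative paths therefore never match (they cannot point off-site).
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS)


def scan_html(html: str) -> List[Tuple[str, str]]:
    """Return (indicator, value) pairs found in one page; empty list when clean."""
    findings: List[Tuple[str, str]] = []
    for url in _SCRIPT_SRC.findall(html):
        if _host_matches(url):
            findings.append(("miner-script", url))
    for site_key in _MINER_START.findall(html):
        findings.append(("miner-start", site_key))
    return findings


def flagged_sites(pages: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map site -> findings for every page that carries at least one indicator."""
    result = {}
    for site, html in pages.items():
        findings = scan_html(html)
        if findings:
            result[site] = findings
    return result


# Constructed pages (not crawled content).
INFECTED_HTML = """<html><head><title>Free MP3</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY123abc', {throttle: 0.3});
  miner.start();
</script></head><body>...</body></html>"""

CLEAN_HTML = """<html><head>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="/js/app.js"></script>
</head><body><p>Nothing to see.</p></body></html>"""

# Scheme-relative src, the form that naive 'https://' prefix matching misses.
SCHEME_RELATIVE = '<script src="//coin-hive.com/lib/coinhive.min.js"></script>'

if __name__ == "__main__":
    crawl = {"a.example": INFECTED_HTML, "b.example": CLEAN_HTML, "c.example": SCHEME_RELATIVE}
    for site, findings in flagged_sites(crawl).items():
        print(site, findings)
```

The site key is worth recording alongside the host: the same key showing up across many unrelated sites is the signature of one campaign injecting the snippet, rather than site owners opting in.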
Tomi Engdahl says:
Cortana Can Expose Enterprises to Attacks, Researchers Warn
https://www.securityweek.com/cortana-can-expose-enterprises-attacks-researchers-warn
Malicious actors may be able to abuse voice-based virtual assistants to hack into enterprise systems and researchers proved it through an attack that targets Microsoft Cortana.
Independent researchers Amichai Shulman, former CTO and co-founder of Imperva, and Tal Be’ery, former VP of research at Microsoft-acquired security firm Aorato, have found a way to conduct an evil maid attack that abuses the Cortana voice assistant to install malware onto a locked computer. The researchers are detailing their findings on Friday at Kaspersky Lab’s Security Analyst Summit (SAS) in Cancun, Mexico.
In Windows 10, if default settings are not changed, any user can interact with Cortana by saying “Hey Cortana,” and it works even if the device is locked.
Tomi Engdahl says:
New Attack Bypasses Microsoft’s Code Integrity Guard
https://www.securityweek.com/new-attack-bypasses-microsofts-code-integrity-guard
Morphisec security researchers warn of a newly discovered attack vector that allows attackers to bypass Microsoft’s Code Integrity Guard (CIG) in order to load malicious libraries into protected processes.
Dubbed CIGslip, the new attack vector relies on manipulating the manner in which CIG functions, thus bypassing its controls without the need to inject unsigned image code pages into memory. With a low footprint on the targeted system and likely to go unnoticed, the attack has great damaging potential.
Tomi Engdahl says:
Sophisticated False Flags Planted in Olympic Destroyer Malware
https://www.securityweek.com/sophisticated-false-flags-planted-olympic-destroyer-malware
CANCUN – KASPERSKY SECURITY ANALYST SUMMIT – The hackers behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malware in an effort to trick researchers, Kaspersky Lab revealed on Thursday.
The Olympic Winter Games in Pyeongchang, South Korea, were hit by a cyberattack that caused temporary disruption to IT systems, including the official Olympics website, display monitors, and Wi-Fi connections. The attack involved Olympic Destroyer, a piece of malware designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. Compromised credentials are used to spread to other machines on the network.
Kaspersky has also spotted infections at several ski resorts in South Korea. The malware, which leverages a leaked NSA exploit known as EternalRomance to spread via the SMB protocol, temporarily disrupted ski gates and lifts at the affected resorts.
Several cybersecurity firms launched investigations into the Olympic Destroyer attack shortly after the news broke, and while they mostly agreed on the malware’s functionality, they could not agree on who was behind the operation. Some pointed the finger at North Korea, while others blamed China or Russia, leading some industry professionals to warn against this type of knee-jerk attribution.
The security firm has found a unique “fingerprint” associated with the notorious Lazarus Group, which has been linked to North Korea and blamed for high profile attacks such as the one on Sony, the WannaCry campaign, and various operations targeting financial organizations.
This fingerprint was a 100% match to known Lazarus malware components and it did not appear in any other files from Kaspersky’s database. While this piece of evidence and the type of attack suggested that Olympic Destroyer could be the work of North Korea, other data gathered by researchers as a result of an on-site investigation at a South Korean target revealed inconsistencies.
Experts determined that the unique fingerprint was likely a sophisticated false flag planted by the attackers to throw investigators off track.
Tomi Engdahl says:
Memcached DDoS Attack ‘Kill Switch’ Found
https://www.securityweek.com/memcached-ddos-attack-kill-switch-found
Memcached is a free and open source memory caching system that can work with a large number of open connections. Memcached servers allow connections via TCP or UDP on port 11211, with access requiring no authentication, which is why the system wasn’t designed to be accessible from the Internet.
With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.
With no authentication required, an attacker can issue a simple debug command to retrieve the data. What’s more, the weakness can also be exploited to maliciously “modify the data and reinsert it into the cache,” the security company says.
The ‘kill switch’ that Corero has discovered would send a command back to an attacking server to suppress the DDoS exploitation. The countermeasure, the company explains, invalidates a vulnerable server’s cache, meaning that any potentially malicious payload that attackers might have planted will become useless.
The security firm claims it has tested the countermeasure quench packet on live attacking servers and that it proved fully effective, without causing collateral damage.
“Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes,” Ashley Stephenson, CEO at Corero Network Security, commented.
The root cause of the problem, of course, is the poor security practices when setting up Memcached servers. Exposing them to the Internet is like leaving the front door open and expecting burglars not to barge in.
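The mechanics behind this post and the earlier SecurityWeek excerpt (UDP and TCP on port 11211, no authentication, a tiny request answered with a reply thousands of times larger) are easy to see in code. The block below is an added example, not code from Corero, Akamai, Cloudflare, Arbor or the memcached project. It builds a request in memcached's UDP frame format, reassembles a multi-datagram reply, measures the amplification, and triages simple flow records for the two sides of a reflection attack (your own server being used as a reflector, or your network being the spoofed victim). The `stats` command is an assumption standing in for the unnamed "simple debug command" in the article; all byte strings, flow records and the `192.0.2.0/24` local network are constructed for the demonstration.

```python
"""Memcached UDP reflection: probe frame, reply reassembly and flow triage.

Added example for this thread, not code from Corero, Akamai, Cloudflare, Arbor
or the memcached project. Every byte string and flow record below is constructed.
"""
import ipaddress
import struct
from typing import Dict, Iterable, List, Tuple

MEMCACHED_PORT = 11211
# memcached UDP frame header: request id, sequence number, total datagrams in
# this reply, reserved (must be 0). Four big-endian unsigned 16-bit fields.
_HDR = struct.Struct("!HHHH")


def build_udp_request(command: bytes, request_id: int = 0x1234) -> bytes:
    """Wrap one ASCII memcached command in the 8-byte UDP header (one datagram)."""
    if not command.endswith(b"\r\n"):
        command += b"\r\n"
    return _HDR.pack(request_id, 0, 1, 0) + command


def parse_udp_frame(datagram: bytes) -> Tuple[int, int, int, bytes]:
    """Return (request_id, seq, total, payload); reject datagrams with a bad header."""
    if len(datagram) < _HDR.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, reserved = _HDR.unpack_from(datagram)
    if reserved != 0 or total == 0 or seq >= total:
        raise ValueError("malformed memcached UDP header")
    return request_id, seq, total, datagram[_HDR.size:]


def reassemble_reply(datagrams: Iterable[bytes], request_id: int) -> bytes:
    """Join the fragments of one reply in sequence order, skipping other request ids.

    A large reply is split over many datagrams that may arrive reordered; the
    header's total/sequence fields are the only way to put it back together.
    """
    parts: Dict[int, bytes] = {}
    expected = None
    for datagram in datagrams:
        rid, seq, total, payload = parse_udp_frame(datagram)
        if rid != request_id:
            continue
        if expected is None:
            expected = total
        elif total != expected:
            raise ValueError("inconsistent datagram count within one reply")
        parts[seq] = payload
    if expected is None or len(parts) != expected:
        raise ValueError("incomplete reply")
    return b"".join(parts[i] for i in range(expected))


def amplification_factor(request: bytes, reply_datagrams: Iterable[bytes]) -> float:
    """Bytes sent back to the (spoofed) source per byte of request, headers included."""
    return sum(len(d) for d in reply_datagrams) / len(request)


def triage_flows(flows: List[dict], local_nets: List[str]) -> List[Tuple[str, dict]]:
    """Flag memcached reflection in flow records (5-tuple plus byte count).

    'exposed-reflector': UDP from outside into port 11211 on one of our hosts,
    i.e. that host answers anyone and is being used as an amplifier.
    'reflected-flood': UDP from port 11211 of an external host into our network,
    i.e. our address was spoofed as the source and we receive the replies.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]

    def is_local(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    findings: List[Tuple[str, dict]] = []
    for flow in flows:
        if flow["proto"] != "udp":
            continue
        src_local, dst_local = is_local(flow["src_ip"]), is_local(flow["dst_ip"])
        if flow["dst_port"] == MEMCACHED_PORT and dst_local and not src_local:
            findings.append(("exposed-reflector", flow))
        elif flow["src_port"] == MEMCACHED_PORT and not src_local and dst_local:
            findings.append(("reflected-flood", flow))
    return findings


# Constructed sample data (not captured traffic). 'stats' is assumed here as the
# kind of small unauthenticated command that draws a multi-line reply.
STATS_PROBE = build_udp_request(b"stats", request_id=0x1234)  # 15 bytes on the wire

SAMPLE_REPLY = [  # two fragments of one reply, delivered out of order
    _HDR.pack(0x1234, 1, 2, 0) + b"STAT curr_items 3\r\nEND\r\n",
    _HDR.pack(0x1234, 0, 2, 0) + b"STAT pid 4242\r\nSTAT uptime 86400\r\nSTAT version 1.5.5\r\n",
]
STRAY_DATAGRAM = _HDR.pack(0x9999, 0, 1, 0) + b"STAT pid 1\r\n"  # unrelated request id

SAMPLE_FLOWS = [
    {"proto": "udp", "src_ip": "203.0.113.7", "src_port": 50000,
     "dst_ip": "192.0.2.10", "dst_port": 11211, "bytes": 15},
    {"proto": "udp", "src_ip": "198.51.100.5", "src_port": 11211,
     "dst_ip": "192.0.2.20", "dst_port": 80, "bytes": 1400},
    {"proto": "tcp", "src_ip": "192.0.2.10", "src_port": 11211,
     "dst_ip": "192.0.2.11", "dst_port": 40000, "bytes": 300},  # internal use, fine
]

if __name__ == "__main__":
    print(reassemble_reply(SAMPLE_REPLY + [STRAY_DATAGRAM], 0x1234).decode())
    print("amplification x%.1f" % amplification_factor(STATS_PROBE, SAMPLE_REPLY))
    for reason, flow in triage_flows(SAMPLE_FLOWS, ["192.0.2.0/24"]):
        print(reason, flow["src_ip"], "->", flow["dst_ip"])
```

The constructed reply already comes back at roughly six times the request size; a real `stats` dump, or a fetch of a large value an attacker has planted, is what produces the factors quoted above. On the defensive side the fix is the one the article implies: bind memcached to internal interfaces, disable UDP where it is not needed, and alert on any UDP traffic to or from port 11211 that crosses your network edge.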