Blocking DDoS Archive

Today, the OpenSSL project has issued an advisory for two high-severity vulnerabilities CVE-2021-3449 and CVE-2021-3450 lurking in OpenSSL products.

OpenSSL is a commonly used software library for building networking applications and servers that need to establish secure communications.

These flaws include:

  • CVE-2021-3449: A Denial of Service (DoS) flaw due to NULL pointer dereferencing which only impacts OpenSSL server instances, not the clients.
  • CVE-2021-3450: An improper Certificate Authority (CA) certificate validation vulnerability which impacts both the server and client instances.

DoS vulnerability fixed by a one-liner

The DoS vulnerability (CVE-2021-3449) in OpenSSL TLS server can cause the server to crash if during the course of renegotiation the client sends a malicious ClientHello message.

“If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” states the advisory.

The vulnerability only impacts OpenSSL servers running versions between 1.1.1 and 1.1.1j (both inclusive) that have both TLSv1.2 and renegotiation enabled.

However, because this is the default configuration on these OpenSSL server versions, many of the active servers could be potentially vulnerable. OpenSSL clients are not impacted.

Fortunately, all it took to fix this DoS bug was a one-liner fix, which comprised setting the peer_sigalgslen to zero.

One line fix for CVE-2021-3449
One line fix for NULL pointer issue leading to DoS, CVE-2021-3449
Source: GitHub

The vulnerability was discovered by engineers Peter Kästle and Samuel Sapalski of Nokia, who also offered the fix shown above.

Non-CA certificates cannot issue certificates!

The Certificate Authority (CA) certificate validation bypass vulnerability, CVE-2021-3450, has to do with the X509_V_FLAG_X509_STRICT flag.

This flag is used by OpenSSL to disallow use of workarounds for broken certificates and strictly requires that certificates be verified against X509 rules.

However, due to a regression bug, OpenSSL versions 1.1.1h and above (but excluding the fixed release 1.1.1k) are impacted by this vulnerability, as this flag is not set by default in these versions.

“Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.”

“An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten,” states the advisory.

In effect, this means OpenSSL instances fail to check that non-CA certificates must not be the issuers of other certificates, therefore opening up the possibilities for attackers to exploit this miss.

On March 18th, 2021, Benjamin Kaduk from Akamai reported this flaw to the OpenSSL project.

The vulnerability was discovered by Xiang Ding and others at Akamai, with a fix having been developed by Tomáš Mráz.

Neither vulnerabilities impact OpenSSL 1.0.2.

Both vulnerabilites are fixed in OpenSSL 1.1.1k and users are advised to upgrade to this version to protect their instances.

As reported by BleepingComputer, DHS-CISA had urged system administrators in December 2020 to patch another OpenSSL DoS vulnerability.

Users should therefore protect themselves from security flaws like these by applying timely updates.

 

Source: https://www.bleepingcomputer.com/news/security/openssl-fixes-severe-dos-certificate-validation-vulnerabilities/

A distributed denial of service attack can turn a retailer’s holiday season from merry to miserable. Learn how to protect yourself.

No, Virginia, there’s no denying there is a Santa Claus. There’s also no denying the threat that distributed denial of service (DDoS) presents to retailers and eCommerce sites during the holidays.

Nothing says “happy holidays” like a multivector DDoS attack against your digital properties during the busiest shopping season of the year. Like holiday spending activity, industry DDoS attack metrics are difficult to predict. Volumes can trend upward and then mysteriously die off. The trends are only obvious after the attack campaigns have ended.

As part of our Holiday 2019 retail series, Researcher Madeline Cyr interviewed Forrester security and risk analysts David Holmes and Joseph Blankenship to help retailers understand the threat of DDoS attacks during the upcoming holiday retail season.

Q. Last year, DDoS attacks on eCommerce sites peaked during Black Friday weekend. Could a DDoS attack wipe out Black Friday/Cyber Monday online sales?

Joseph: DDoS attacks happen against eCommerce digital properties every year, though it’s usually impossible to predict who the exact victims will be.
We’ve heard from DDoS service protection vendor Radware that the typical reasons for service outages involving retailers/eCommerce include:

  • Self-inflected DoS: that is, simply not having the proper resources to deal with a burst of natural traffic
  • DDoS: Criminal attack to prevent/restrict access under ransom denial of service (RDoS) threat
  • DDoS: Criminal attack to impact sales
  • DDoS: Criminal attack to divert shoppers to other sites during an outage
  • DDoS: Hacktivist attack for political reasons that are direct or indirect
  • Bots: Criminals trying to purchase an item and flood system resources in the process; prevents others from checking out

Q. What strategy and technology protections do retailers need to have in place now to thwart DDoS attacks?

David: The most important advice is that retailers should seek a DDoS protection agreement before an attack occurs and to work with the service to set up your clean traffic tunnels during business as usual. Trying to combat a DDoS attack with no protection in place is a stress-inducing nightmare that no IT team wants to contemplate during peak season. There’s also the potential impact on sales if a site is unresponsive or slow during the critical buying season. And many DDoS protection providers charge a five-figure premium to put protections in place during an attack; configuring the protection is much more difficult when the retail services cannot be reached.

Q. If you are hit with an attack, how do you get your site back online?

David: Most modern eCommerce retailers will have migrated to a cloud service or content delivery network (CDN), and these services usually have integrated DDoS protection. In some cases, the attached protection services are gratis, though Forrester has heard that their quality can be inconsistent.

Source: https://www.zdnet.com/article/retailers-prepare-wisely-ddos-remains-a-holiday-threat/

Infosec vigilantism can cause serious harm in the era of industrial IoT and connected medical devices.

For several years now, security experts have been trying to bring attention to the growing threat that insecure Internet of Things (IoT) devices pose to networks around the world. The enormous growth in popular connected devices like webcams, DVRs, and smart watches has made it possible for hackers to amass huge botnets that can launch devastating distributed denial-of-service (DDoS) attacks.

Unfortunately, some vigilante hackers have tried to solve this problem with “bricker” malware that infects and destroys insecure IoT devices before they can become part of a botnet. This might seem like a positive on the surface, but this tactic creates serious, sometimes life-threatening risks as more IoT devices are used in industrial networks and healthcare organizations.

Let’s start at the beginning. IoT security became a top-of-mind issue in late 2016 thanks to the record-breaking DDoS attacks by the Mirai botnet and its subsequent source code release. In a perfect world, this should have been the wake-up call to improve IoT security. Unfortunately, slim profit margins and rapid development times kept IoT security considerations on the back burner and led some individuals to take matters into their own hands. The first instance of IoT vigilantism was in 2017 when a strain of malware known as BrickerBot began making its rounds.

Similar to the Mirai botnet, BrickerBot exploited flaws like insecure, hard-coded passphrases to log in to vulnerable IoT devices. But once it connected to a device, it didn’t add it to a massive botnet. Instead, it deleted files, corrupted the system storage, and disconnected the device from the Internet, effectively making it unusable. While it is possible to restore the device to factory defaults, the average IoT user likely doesn’t have the technical skills to do this. The author of BrickerBot, known by the pseudonym Janit0r, explained in an interview that his malware was intended to prevent devices from being infected by Mirai. Janit0r believed that if IoT manufacturers and owners weren’t going to take security seriously, then the devices shouldn’t exist to begin with.

In the end, BrickerBot destroyed over 10 million devices in just nine months before Janit0r retired it from service. While that may sound like a lot, it’s still less than one-tenth of 1% of the estimated 14 billion IoT devices online worldwide.

But the end of BrickerBot wasn’t the end of IoT bricking malware. In early 2019, a new variant of IoT bricking malware called Silex began infecting devices worldwide. Within a few hours, Silex had infected thousands of devices, deleting system file and firewall rules, and effectively rendering them useless. With the Mirai source code public, it’s not a stretch to think there are other similar malware variants lurking undiscovered in the wild today. Thankfully, individual IoT owners can also protect themselves from both botnets and brickers by changing the default passwords on their IoT devices, not exposing the telnet port (which BrickerBot uses to infect devices) and performing basic network segmentation and monitoring.

Bricker malware is dangerous because it doesn’t discriminate between different types of IoT devices. Almost every industry is incorporating IoT technology in some way. “Smart city” technology is becoming widely adopted across the globe, with municipalities connecting everything from power grids to traffic lights to networks. Healthcare is another sector that’s quickly adopting IoT technology, with the Internet of Medical Things projected to reach $136.8 billion worldwide by 2021. While some might question the need for refrigerators to connect to the Internet, there is no arguing that the ability to quickly share data from an ECG/EKG machine could be the difference between life and death. As widespread IoT adoption continues to grow within these sectors and overall, bricking malware can have some devastating consequences.

The problem is that many of these new IoT applications exhibit the same security lapses as consumer IoT devices, but with significantly higher risks if they fail. A rash of bricked industrial IoT sensors could cause widespread power outages, and an infusion pump or medical monitor that unexpectedly shuts off could put patients’ lives at risk. The authors of BrickerBot and Silex might not have been so ready to claim their work was for the good of the Internet if they truly considered the serious collateral damage that they might cause along the way.

There are other options to improve IoT security that don’t involve such a high degree of risk. Security researchers can work on raising awareness about connected device security, participating in public education initiatives and trying to drum up consumer demand for secure devices. Just last year the state of California, the fifth-largest economy in the world by GDP compared with other sovereign nations, passed Senate Bill 327, which mandates that manufacturers of connected devices equip their products with reasonable security features by January 2020. While the bill will have little effect on the masses of inexpensive IoT devices imported from foreign countries every year, it’s a step in the right direction that can be built upon with future legislation.

There is no denying the IoT industry needs to fundamentally change its approach to security, but vigilantism is not the answer. There are less destructive ways to convince both manufacturers and consumers that developing and deploying secure devices is worth the investment.

Source: https://www.darkreading.com/iot/why-bricking-vulnerable-iot-devices-comes-with-unintended-consequences-/a/d-id/1336009

More than 70% of websites now use SSL encryption. The Google Transparency Report statistics below show a very rapid rise in adoptions of HTTPS for Chrome browser users worldwide.

Unfortunately, the security provided by SSL/TLS is also misused to attack applications by injecting malicious content and hide malware. SSL is also being used to facilitate data leakage from within an organization. HTTPS floods are now frequently used in many DDoS attack campaigns.

A Double Edged Sword

As more and more
applications and websites use end-to-end encryption and adopt HTTP/S and TLS
1.3, the ability to inspect traffic has become an important element of the
security posture. However, the encryption of traffic has made visibility
challenging.

Most DDoS mitigation services do not actually inspect SSL traffic, as doing so would require decrypting the traffic. Gaining visibility to SSL/TLS traffic also requires extensive server resources. Mitigating SSL attacks thus poses several challenges, including the burden of implementing encryption and decryption mechanisms at every point where traffic needs to be inspected.

Encryption and decryption at many different points in the traffic data path not only adds latency to the traffic, but is also expensive and problematic to scale.

However, despite all the
challenges, SSL/TLS remain the standards for ensuring secure communications and
commerce on the web.

In order to detect any application security issues before your customers experience them, it is essential to have an end-to-end monitoring capability that provides actionable insights and alerts through visualization.

As application delivery controllers are deployed at the intersection of the network and applications, ADCs can act in conjunction with your edge protection solutions to detect and mitigate an encrypted security attack or prevent leakage of proprietary information.

Conclusion

Even though you may be protected by the most
advanced firewall technology, your existing security mechanisms may still fail
to see into encrypted SSL/TLS traffic. You should deploy enterprise security
solutions that enhances your existing security posture to gain visibility into
the encrypted traffic and prevent encrypted attacks on your organization.

Source: https://securityboulevard.com/2019/09/visibility-do-you-know-whats-in-your-network/

IoT networks can both amplify and be the targets of distributed denial of service (DDoS) or botnet attacks. Architect resilient solutions to properly secure your devices.

Cybercriminals have many different ways of exploiting network vulnerabilities and weak spots in our cyber defenses. Considering that the number of devices we use on a daily basis is growing, more avenues of exploitation will be open to cybercriminals — unless we close those pathways.

Distributed Denial of Service, or “DDoS,” attacks on IoT networks via botnets have been especially alarming and difficult to counter. Let’s have a closer look at DDoS attacks, botnets and ways of protecting against them.

The Anatomy of a DDoS Attack

A simple principle governs a “denial-of-service” attack: attackers attempt to deny service to legitimate users. Some typical examples might include attackers overwhelming a server or cluster with requests, disrupting everyone’s access to the site or focusing the attack on a particular target who will be denied access.

With DDoS, the attacker usually has one of three goals:

  1. To cause destruction or destructive change to network components
  2. To destroy configuration information
  3. To consume non-renewable or limited resources

DDoS attacks can be performed on their own or as part of a more massive attack on an organization. It usually targets bandwidth or processing resources like memory and CPU cycles. However, the type of DDoS attacks where we often see IoT devices used is a botnet attack.

What Makes a Botnet Attack So Destructive?

A botnet is a group of connected computers that work together on performing repetitive tasks, and it doesn’t necessarily have a malicious purpose. Unfortunately, it’s possible for an attacker to take control of a botnet by infecting a vulnerable device with malware. Then they can use the network as a group of devices to perform DDoS attacks that can be much more dangerous, depending on the number of mechanisms involved. What’s more, since IoT devices often interact in the physical world in ways that other IT devices don’t, it’s difficult to monitor and safeguard them.

If we strive to protect IoT devices the same way we protect our conventional IT devices, there will invariably be faults in the system that cybercriminals might exploit. To eliminate vulnerabilities, we must think of IoT protection in its own terms and take into account the various types of IoT use when we do.

Defending Against an IoT Botnet Attack

Even though the threat of botnets can’t wholly be eradicated, there are still ways to limit the impact and the scope of these attacks by taking preventative actions. One of them is placing IoT devices on a segmented network protected from external traffic. It’s also crucial to start monitoring the systems and invest in developing intrusion detection processes which would go a long way in warning a user that the system is being compromised.

How can each layer of your IoT solution stack be architected not to trust any other part naively? Think about that as you design your solution. Find ways to make your network more resilient. Model botnet attacks and test disaster scenario responses.

In addition to network segmentation and testing, we also shouldn’t forget fundamental security measures, such as timely firmware and software patching and the ability to control who can access a particular device, which every IoT solution should take care of.

The Search for a One-Size-Fits-All Security Solution

IoT is a developing technology that we must make as secure as possible, tempering its frenetic evolution with necessary security protocols and standards. Considering how quickly it’s being woven into our everyday lives, businesses and homes, IoT developers, manufacturers, distributors and consumers must work together to eliminate common IoT vulnerabilities and ensure that each device is as secure as it can be from emerging threats.

Source: https://www.iotforall.com/iot-botnets-ddos-attack-architecture/