Defend Against DDoS Archive

Cybercriminal gangs wielding hordes of malware-infected zombie machines are primarily using them for massive spam campaigns aimed at pushing pharmaceuticals, herbal remedies and porn, but they are also often rented out for more nefarious purposes, say experts who monitor them.

Botnets can be used to conduct distributed denial-of-service attacks (DDoS), leveraging the power of infected systems to disrupt and wipe out websites. Botnets often spread malware, and are the main engine behind phishing campaigns or the fuel behind powerful clickjacking campaigns. What started as an amateur activity on Internet Relay Chat (IRC) networks — using the power of people connected to IRC to knock victims offline — quickly became a for-profit venture associated with cybercriminal fraud activities, said Joe Stewart, director of malware research at Dell SecureWorks. “Now we see you’ve got governments and hacktivists getting into the game for reasons that aren’t really just money related,” Stewart said.

Stewart and other security experts say many enterprises have zombie machines running on their networks without even realizing it. Rather than being aimed to disrupt systems, the malware is being remotely controlled to seek an enterprise’s most prized possession: intellectual property.

“They’re highly focused on companies and governments,” Stewart said. “Anything you can imagine that somebody might steal in the virtual world, somebody has a botnet that is probably doing it.”

Stewart and other security experts say many businesses are far too reliant on automated systems: big security appliances such as intrusion prevention and detection systems designed to monitor network traffic. They’re calling for enterprises to instead hire skilled IT security pros to proactively monitor those systems and investigate issues. The approach, they say, improves the security systems already deployed in most enterprises by addressing and isolating issues before they become a serious problem.

The good news is some of the malware associated with widely known botnets can be detected using most traditional security appliances and endpoint security software, including antivirus. But a much more serious threat is targeted attacks – particularly those hurled at enterprise employees – that use malware combined with techniques designed to evade detection. Once an endpoint machine is infected by stealthy malware, a Trojan embeds itself and then attempts to reach out to cybercriminals for orders. Enterprise network monitoring tools can detect the nefarious traffic and block some of it, but over the years cybercriminals have become savvy at tunneling communications using strong encryption algorithms, timing communication drops for odd hours when systems aren’t being fully monitored, or sending out tiny communication packets that blend in with normal network traffic.

“You can hope your corporate antivirus [detects botnet infections] at the gateway or on the desktop, but we know from testing that those capabilities don’t have the highest rates of detection,” Stewart said. “If you move into the network realm you can pick up a lot of this activity because it doesn’t change its network fingerprint very often.”
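The network-level detection Stewart describes rests on the fact that a bot’s call-home traffic keeps a stable fingerprint: the same internal host contacts the same external endpoint at a regular interval, often with tiny payloads and often at night. The following is an added example, not code from the article or from SecureWorks, of the kind of check a network security pro could run over connection logs. The log format, the hosts and addresses (TEST-NET ranges), the intervals and the thresholds are all constructed for illustration; the beaconing host is contrasted with a host whose traffic to a single destination is bursty and bulky, which the check leaves alone.

```python
"""Periodicity ("beacon") check over constructed connection-log lines.

Added example, not from the original article. Flags (source, destination)
pairs whose connections recur at a near-constant interval with small payloads,
and reports how much of that activity fell in quiet hours. All sample data,
the log format and the thresholds are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <src> -> <dst>:<port> bytes=<n>"
LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) bytes=(\d+)$")

# Constructed sample: 10.0.0.12 calls home every ~10 minutes at 2 a.m. with
# tiny payloads; 10.0.0.30 is an ordinary client with irregular, bulky traffic.
SAMPLE_LOG = """\
2012-06-18T02:00:05 10.0.0.12 -> 203.0.113.7:443 bytes=96
2012-06-18T02:10:04 10.0.0.12 -> 203.0.113.7:443 bytes=98
2012-06-18T02:20:06 10.0.0.12 -> 203.0.113.7:443 bytes=95
2012-06-18T02:30:05 10.0.0.12 -> 203.0.113.7:443 bytes=97
2012-06-18T02:40:05 10.0.0.12 -> 203.0.113.7:443 bytes=96
2012-06-18T02:50:04 10.0.0.12 -> 203.0.113.7:443 bytes=99
2012-06-18T09:01:12 10.0.0.30 -> 198.51.100.9:443 bytes=15200
2012-06-18T09:01:40 10.0.0.30 -> 198.51.100.9:443 bytes=4300
2012-06-18T09:07:03 10.0.0.30 -> 198.51.100.9:443 bytes=88000
2012-06-18T09:31:55 10.0.0.30 -> 198.51.100.9:443 bytes=2100
2012-06-18T11:45:00 10.0.0.30 -> 198.51.100.9:443 bytes=51000
2012-06-18T13:02:18 10.0.0.30 -> 198.51.100.9:443 bytes=700
"""


def parse_flows(text):
    """Group (timestamp, bytes) events by (source host, destination endpoint)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        ts, src, dst, port, nbytes = m.groups()
        flows[(src, f"{dst}:{port}")].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def find_beacons(text, min_events=5, max_cv=0.15, max_bytes=512, quiet_hours=range(0, 6)):
    """Return pairs whose inter-connection gaps are nearly constant and whose
    payloads are small. `max_cv` bounds the coefficient of variation of the
    gaps (std/mean); a low value means a clock-like schedule."""
    flagged = {}
    for pair, events in parse_flows(text).items():
        if len(events) < min_events:
            continue                      # too few samples to call it periodic
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        avg_bytes = statistics.mean(nbytes for _, nbytes in events)
        off_hours = sum(1 for t, _ in events if t.hour in quiet_hours) / len(events)
        if cv <= max_cv and avg_bytes <= max_bytes:
            flagged[pair] = {
                "events": len(events),
                "period_s": round(mean_gap),
                "cv": round(cv, 3),
                "avg_bytes": round(avg_bytes),
                "off_hours_share": round(off_hours, 2),
            }
    return flagged


if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE_LOG).items():
        print(f"{pair[0]} -> {pair[1]}: {info}")
```

On the constructed sample the check reports only the 10.0.0.12 pair, with a period of about 600 seconds and every event in the quiet-hours window; the web-browsing host’s gaps vary by orders of magnitude and its payloads are large, so it passes. In practice the thresholds need tuning per network, and a low `cv` alone is not proof of compromise (software update checks and monitoring agents are also periodic), which is exactly why the article argues for a human to triage what the tooling surfaces.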

Botnet size doesn’t matter
Stewart said the most powerful botnets are not necessarily the largest. The Flame malware toolkit, for example, contained a botnet of less than 200 infected machines in Iran, yet it wielded a powerful arsenal for those behind it. The limited scope of the attack, believed to be a nation-state driven cyberespionage operation, enabled the botnet operators to stealthily eavesdrop on their victims, steal data and capture video for years.

By contrast, Stewart said larger botnets give cybercriminals the advantage of leveraging the computing power of infected computers to spread malware and other malicious activities. They can be used to amplify a denial-of-service attack to take down a website or quickly spread malware and steal account credentials.

The Zeus and SpyEye malware families make up massive botnets that have, for years, wreaked havoc on the financial industry. The botnets spread quickly due to the business model put in place by the cybercriminals behind the malware. Using automated attack toolkits, the cybercriminals set up an affiliate network, rewarding other cybercriminals for infecting machines. Zeus gained notoriety in 2006. The malware can be coded to spoof websites, steal account credentials and drain bank accounts. Security firms have tried to knock out portions of the botnets by disrupting the command-and-control servers associated with them, but despite those efforts, cybercriminals have built-in mechanisms to bring them back online. The most recent effort came from Microsoft, which used legal action to wipe out Zeus botnet servers in the United States.

Detection: The human factor
There is no technology better than a skilled IT pro assigned to look for anomalies on the corporate network, said Johannes Ullrich, chief research officer at the SANS Institute. Skilled system administrators should be inspecting network traffic and system logs, applying creative thought in the process of flagging potential problems for further investigation, Ullrich said. Packet analyzers and other filtering tools can help network security pros determine if suspicious traffic is malicious in nature.

“A lot of enterprises still rely on old, signature-based antivirus,” Ullrich said. “Particularly with [targeted] attacks and these kinds of botnets it depends on individuals at this point.”

The trend at many enterprises has been to outsource network monitoring activities, but Ullrich said that in his experience, outsourced security monitoring usually fails at detecting the targeted attacks and botnet infections that matter the most. Outsourced services follow a checklist and process a specific number of requests per hour, Ullrich said, adding that outsourced services would be better if they played a role in assisting a system administrator to “find the next new thing versus yesterday’s bot.”

“They don’t really understand the business and that’s why some enterprises are going through the expensive process of bringing it back in-house,” he said.

Endpoint security combined with network-based security such as host intrusion prevention (HIPS) technology and other reputation and filtering systems can help mitigate malware infections, said Mike Rothman, analyst and president of Phoenix, Ariz.-based security research firm Securosis LLC. The firm recently concluded its malware detection series, which focused on why detection is so challenging. Network security appliances can provide context on application and user behavior, but they require adjusting and tuning to avoid a serious impact on end users, Rothman said in a blog post describing the firm’s research series. The same goes for Web filtering and reputation-based systems. “Find a balance that is sufficiently secure but not too disruptive, navigating the constraints of device ownership and control, and workable across device locations and network connectivity scenarios,” Rothman wrote.

Source: http://searchsecurity.techtarget.com/news/2240159014/Botnet-infections-in-the-enterprise-have-experts-advocating-less-automation

Recorded Future is the first temporal analytics engine enabling web intelligence, pulling open source information from the Internet and indexing it for analysis by event type and time, thereby allowing users to tap into the predictive power of the web. Recorded Future has proven capabilities to forecast unrest, demonstrated in a previous webcast and used by U.S. Southern Command, as well as the ability to analyze intelligence stored on a private cloud, as shown in its analysis of the Osama Bin Laden letters. Recorded Future also has wider, more unconventional applications, however, with monitoring and forecasting cyber attacks among the most interesting use cases.

Much of current commentary on cybersecurity treats attacks like unstoppable, unknowable forces of nature, yet in reality many of the attacks driving up the statistics are automated adversaries scanning networks or spamming inboxes. The most dangerous and costly attacks outside of insider threats tend to be targeted and often politically motivated. In this regard, they resemble physical security threats like protests, crime waves, and terrorist attacks, and Recorded Future can analyze them in the same way, as demonstrated in a past webcast.

As with all open source intelligence today, cybersecurity analysts face information overload due to a massive volume of intelligence to aggregate, organize, and assess. Recorded Future automates the first two steps of this process so that you can focus on the third, where skilled analysts really shine. Let’s take the example of tracking hacktivist activity. Recorded Future can raise your situational awareness by aggregating relevant articles, blog posts, and tweets on hacktivism and arranging incidents, including predicted future events, chronologically so analysts can get a picture of threats at a given point in time. Recorded Future also lets you see incidents based on source type so you can filter for events talked about on blogs or the major media sources.

Recorded Future also aids in the analysis itself. It recognizes entities to map out the relationships and connections between different actors such as attackers and targets, as well as the attack vectors used or threatened in each case. It also tracks momentum, which tells you when there was the most buzz around a group or attack and whether that buzz is growing or declining. For example, if the momentum for Distributed Denial of Service attacks is increasing, you can assume that they are a growing threat and prepare for them. Recorded Future also helps with monitoring, allowing analysts to create a real time alerting system or a dashboard for events of interest such as threats, breaches, and attacks or future events such as new laws and court rulings that tend to draw a hacktivist response.

All together, these capabilities allow an organization to forecast more accurately whether it will be the target of a major cyber attack and which threat vectors it should most worry about. Within minutes, analysts could see if there has been a trend of attacks against similar organizations, any threats reported online, or upcoming events likely to trigger attacks. They can drill down into coverage by blogs or trade journals if they find the mainstream media insufficient or misleading, and map out the interactions and relationships between hacking groups, companies, government agencies, and law enforcement. While Recorded Future can’t tell you who will attack you and when, it makes open source intelligence analysis for cybersecurity easier, faster, and more effective. Since cyber defenders need every advantage they can get, Recorded Future can make a major difference in your organization’s cybersecurity.

Source: ctovision

Myanmar websites and Bangladesh websites have been attacked by two groups of hackers from Bangladesh and some hackers from Myanmar.

The two groups of hackers from Bangladesh are Bangladesh Cyber Army and Bangladesh Black HAT Hackers. Both groups DDoS (Distributed Denial of Service) and otherwise attack websites with weak or poor security. Bangladesh Cyber Army attacked the Myanmar website www.myanmar.gov.mm and websites of Myanmar Tourism.

The Facebook page of Bangladesh Cyber Army says that Myanmar hackers attacked their sites, so they had to attack back.

On June 18 at 6 PM MST, they attacked the websites of Myanmar Teleport and Communication, www.mpt.net.mm.

Blink Hacker Group, which attacked Bangladesh’s sites, says it attacked only Rohingya sites, and then went on to attack Bangladesh government sites in retaliation for the attacks on Myanmar.

In this cyber war, some Bangladeshi people helped.

Source: groundreport

When two computers wish to communicate, they have to acknowledge that they are ready to communicate, and this process is sort of like talking to a friend by text messages. Say you want to talk to Billy: you send Billy a text message saying you want to talk. Billy gets this message from you, which is good, because he also knows that you-to-Billy communication works — this is sort of a big deal, because you and Billy live in a world where cell phone providers aren’t very reliable.

Billy now has to let you know that he got your message, and that Billy-to-you communication works, so he replies with another text message saying “Looks like I can get your messages, and I’m attending my phone now.” You get this message, and everything looks cheery, so you send him a last text message saying “I can get yours too. Let’s start talking!” and you and Billy can now carry on a friendly chat.

This is how computers communicate with each other; it’s called handshaking, and it’s used to do two things: acknowledge the desire to communicate with each other, and make sure the lines of communication are working well. It’s harder to prove the latter, because in the example above, Billy might not have gotten your last text message, and you’d never know, so it would be reassuring if he acknowledged that he got it by sending you another confirmation, before you start wasting a ton of money sending him a bunch of text messages that he might not even get! Of course, then you’d have to confirm that you got his confirmation, and he’d have to confirm that confirmation, and so forth. As reassuring as it is, we can’t keep doing this indefinitely, and network engineers have had to come up with a solution to this problem, known as The Two Generals’ Problem. In the end, they settled on the protocol as mentioned above.

Now, say you want to chat with Billy, so you send him a text message to see if he’s there. He confirms that he’s there, but the text message gets dropped because of a bad cell phone tower. Now both of you are stuck at a stalemate; you’re waiting for his confirmation, and he’s waiting for yours. This is a bad situation! So, in order to avoid this, Billy tries to resend his reply after a certain amount of time, after not hearing from you, because he doesn’t know whether it’s your cell phone tower that’s bad, or his. And, after he still doesn’t get a reply from you, he gives up, and determines that the cell phone towers are conspiring against your friendship.

A Denial-of-Service takes advantage of this protocol, to allow you to, well, troll Billy. How it works is as concisely explained in the comic strip — you send Billy a message saying you want to talk, and he sends you a message back saying that he’s ready to talk, but you “pretend” like you never got his message, keeping him busy for a few minutes until he gives up. Then you poke him again, saying you want to talk again, and pretending like you just can’t hear him, and he’ll always put in a full effort to try to start a conversation with you. This causes Billy a lot of aggravation, especially if you get a lot of people to do this to Billy! Eventually, he won’t be able to keep sending all these confirmations to all the people that he thinks genuinely want to talk to him, and he spends every waking minute replying to these phony text messages, leaving him no time to start conversations with people who actually want to talk to him. Thus, you’re denying anyone who wants to actually talk to Billy the service of Billy’s conversation.

Miscellaneous Facts: The “text messages” that computers send to each other are called packets. It’s exactly like what it sounds like — a small parcel of information, wrapped nicely with a stamped address, date, return address, and all the good stuff.

The initial packet in the handshaking protocol is called a SYN packet, short for synchronize. The receiving computer sends back an ACK packet, short for acknowledge, as well as another SYN packet. The original conversation-starter replies to the SYN packet with a final ACK, and then conversation can begin. The computer who sends both the SYN and the ACK at the same time sends a combined packet, usually referred to as SYN/ACK. This makes the protocol a three-packet protocol: SYN, SYN/ACK, then lastly, ACK.
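The Billy story maps onto state held by the listening computer: every SYN it answers with a SYN/ACK becomes a half-open entry that sits in a bounded table until the final ACK arrives or the retransmit timer gives up. What follows is an added example, not code from the original post, that models exactly that for the whole handshake section above: a listener with a small backlog, the SYN/ACK resend-then-give-up timer, the point at which an honest peer is refused because the table is full of unanswered handshakes, and a simplified SYN-cookie check as the classic mitigation, which lets the listener answer SYNs without keeping a per-peer entry at all. The backlog size, timer values, peer names and the demo secret are constructed, and the cookie omits the MSS encoding and the "+1" of a real TCP sequence number.

```python
"""Toy model of a TCP listener under unanswered handshakes.

Added example, not code from the original post. Models the
SYN -> SYN/ACK -> ACK exchange with a bounded table of half-open
connections, a SYN/ACK retransmit timer, and a simplified SYN-cookie check
as the stateless mitigation. Backlog size, timings, peer names and the
secret are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class HalfOpen:
    peer: str
    expires_at: float      # when we next act on a still-missing final ACK
    retransmits: int = 0   # SYN/ACKs resent so far


@dataclass
class Listener:
    backlog: int = 4            # max half-open entries (constructed, deliberately small)
    rto: float = 3.0            # seconds to wait before resending SYN/ACK
    max_retransmits: int = 2    # give up on the peer after this many resends
    half_open: dict = field(default_factory=dict)
    established: list = field(default_factory=list)
    refused: list = field(default_factory=list)

    def on_syn(self, peer, now):
        """SYN from a peer: answer SYN/ACK and reserve a half-open slot."""
        if peer in self.half_open:
            return "SYN/ACK"                 # duplicate SYN: just answer again
        if len(self.half_open) >= self.backlog:
            self.refused.append(peer)        # table full: this SYN is dropped
            return None
        self.half_open[peer] = HalfOpen(peer, now + self.rto)
        return "SYN/ACK"

    def on_ack(self, peer, now):
        """Final ACK: promote the half-open entry to an established connection."""
        if self.half_open.pop(peer, None) is None:
            return False                     # no pending handshake for this peer
        self.established.append(peer)
        return True

    def tick(self, now):
        """Timer: resend SYN/ACK, and free the slot once retries are exhausted."""
        for peer, entry in list(self.half_open.items()):
            if now < entry.expires_at:
                continue
            if entry.retransmits < self.max_retransmits:
                entry.retransmits += 1       # "Billy tries to resend his reply"
                entry.expires_at = now + self.rto
            else:
                del self.half_open[peer]     # "he gives up"


def scenario_half_open_exhaustion():
    """Four peers send SYN and never ACK; an honest fifth peer is refused until
    their slots time out. Returns (refused_at_first, accepted_after_expiry)."""
    srv = Listener()
    for i in range(4):
        srv.on_syn(f"silent{i}", now=0.0)
    refused = srv.on_syn("honest", now=1.0) is None
    for t in (3.0, 6.0, 9.0):               # two resends, then expiry at 9 s
        srv.tick(t)
    accepted = (srv.on_syn("honest", now=10.0) == "SYN/ACK"
                and srv.on_ack("honest", now=10.1))
    return refused, accepted


# Stateless alternative: SYN cookies (simplified). A real implementation folds
# the cookie into the 32-bit sequence number of the SYN/ACK, which the peer
# echoes back (plus one) in its ACK; the MSS encoding and the +1 are omitted.
def syn_cookie(secret, peer, minute):
    """Derive the SYN/ACK sequence value from a secret, the peer and a time bucket."""
    mac = hmac.new(secret, f"{peer}|{minute}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def cookie_valid(secret, peer, minute, echoed):
    """Accept the final ACK if it echoes a cookie from this or the previous
    minute; the listener kept no per-peer state while waiting for it."""
    return any(syn_cookie(secret, peer, m) == echoed for m in (minute, minute - 1))


if __name__ == "__main__":
    print("refused, then accepted after expiry:", scenario_half_open_exhaustion())
    secret = b"constructed-demo-secret"
    c = syn_cookie(secret, "honest", 41)
    print("cookie from last minute accepted:", cookie_valid(secret, "honest", 42, c))
    print("stale cookie rejected:", cookie_valid(secret, "honest", 44, c))
```

The scenario returns `(True, True)`: the honest peer is refused while the four silent handshakes occupy the table, and is accepted once the retransmit timer has given up on them. With cookies there is nothing to fill, which is why operating systems switch to them when the half-open table is under pressure; the cost is that a valid ACK must be recognised from the cookie alone, so the time bucket has to be short enough that an old cookie stops being accepted.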

Source: http://pbjbreaktime.com/2011/01/what-is-ddos-denial-of-service-attack-explained-in-laymens-terms/

http://www.reddit.com/user/ProggitExplainer

News of the recent LinkedIn security breach that compromised 6.4 million user accounts must have sent shivers down the spines of users who heavily make use of the website. While LinkedIn has since reset its systems, it could take days to complete investigations into how security was breached on the site that helps matchmake potential employers with employees.

According to a Reuters report, at least two security experts who examined the files, believed to contain the stolen LinkedIn passwords, said the company had failed to use best practices for protecting the data.

They claimed that LinkedIn used a basic method for encrypting passwords, which allows hackers to quickly unscramble all passwords after they figure out the formula by which any single password has been encrypted.

However, Mark Smith, managing director, Asia, Savvis, asserts that no system is completely foolproof. “Security breaches can happen and no system is 100 per cent secure,” he says. Savvis is a company that helps build cloud infrastructure and host IT solutions for enterprises. Mr Smith believes that effective communication to customers after a security breach still remains a challenge.

He points out that putting together a formal communication process can reduce fear among the public and increase their confidence in the company. He applauded LinkedIn’s swift action in providing members with an update that answered some frequently asked questions and let them know what they could do to protect their information.

Turning to the industry, Mr Smith observes that there is a constant and growing threat of viruses, worms, spyware, and denial-of-service attacks that can corrupt, steal, or even destroy critical corporate information. These attacks have become widespread and complex and many businesses find it challenging to prevent zero-day attacks.

Network security comes down to the tiers of security that are applied to the business. “Service providers should layer security services to protect against breaches. This means they can expand security coverage accordingly, as businesses grow,” he explains.

One of the fastest growing threats today is a Distributed Denial-of-Service (DDoS) attack. In many cases, a DDoS attack could be caused by hundreds, or thousands, of compromised computers controlled by a single perpetrator.

During an attack, the perpetrator instructs these infected computers to “flood” a business site with requests, rendering it incapable of functioning properly. This ultimately brings the site down and causes financial losses, for instance, in the case of bank websites.

A common security breach usually occurs from within the organisation, sometimes due to human error, or to malicious employees. Mr Smith notes that a wrong configuration of applications is another cause of security breaches.

Employees handling company security may be trained in general security, but are not specialised in specific aspects of security, leading to human error.

“Many companies whose core business is not deploying security end up deploying security and this increases the probability of a potential security breach,” he explains.

Malicious damage could also result in security breaches. Many companies find it difficult to control internal access.

Mr Smith says: “We regularly see news articles about service failures and anonymous taking down of websites like government services and some of the biggest brands in the world. DDoS mitigation, layering security levels, and outsourcing infrastructure to experts can help provide against such incidents.”

Source: http://business.asiaone.com/Business/SME%2BCentral/Tete-A-Tech/Story/A1Story20120618-353593.html