A host of investment banks and industry bodies will gather in a London location this afternoon to test their resilience to cyber attacks.

Operation Waking Shark 2 will last only a few hours, and will see how banks, law enforcement and industry groups, including the Bank of England, would react to hacker attempts on their communications infrastructure.

It will not look at breaches of servers, or at cases where customer data has been stolen, a spokesperson told TechWeekEurope, indicating that the stress tests will focus on denial of service attacks.

Bank cyber attacks

Around 100 people will be taking part, as cyber attack scenarios are thrown out to the separate teams. A report will be produced in the new year.

The operation follows the original Waking Shark tests from 2011, which looked at attacks surrounding the 2012 Olympic Games.

Industry experts believe banks need to do more than just look at communications security in the future. “With so many people and paper-based activity focusing on policies and procedures, this exercise may be more of a logistical planning exercise instead of a simulated practice run,” said John Yeo, EMEA director at Trustwave.

“What needs to be implemented are real world attack scenarios that truly test the businesses’ incident response plans.

“The more important issue is what are they communicating about, and what happens when an attack is more subversive, and not immediately obvious when it strikes. In our experience, the majority of organisations that suffer a breach do not realise for some time that they have been hit, let alone where the attack originated from, and how it works.”

Banks continue to be battered by various kinds of attack. Throughout last year and in early 2013, distributed denial of service (DDoS) attacks against US banks were especially common, taking customer-facing services offline.

A Trend Micro report released this week showed banking malware had surged in the third quarter. Infection counts surpassed the 200,000 mark, the highest infection numbers since 2002.

Source: http://www.techweekeurope.co.uk/news/banks-cyber-attack-tests-131568


Researchers have uncovered software available on the Internet designed to overload the struggling Healthcare.gov website with more traffic than it can handle.

“ObamaCare is an affront to the Constitutional rights of the people,” a screenshot from the tool, which was acquired by researchers at Arbor Networks, declares. “We HAVE the right to CIVIL disobedience!”

In a blog post published Thursday, Arbor researcher Marc Eisenbarth said there’s no evidence Healthcare.gov has withstood any significant denial-of-service attacks since going live last month. He also said the limited request rate, the lack of significant distribution, and other features of the tool’s underlying code made it unlikely that it could play a significant role in taking down the site. The tool is designed to put a strain on the site by repeatedly alternating requests to the https://www.healthcare.gov and https://www.healthcare.gov/contact-us addresses. If enough requests are made over a short period of time, it can overload some of the “layer 7” applications that the site relies on to make timely responses.

The screenshot below shows some of the inner workings of the unnamed tool.

The tool fits a pattern seen in the previous years of hacktivist software available for download that’s customized to take on a specific cause or support a particular ideology.

“ASERT has seen site specific denial of service tools in the past related to topics of social or political interest,” Eisenbarth wrote, referring to the Arbor Security Engineering and Response Team. “This application continues a trend ASERT is seeing with denial of service attacks being used as a means of retaliation against a policy, legal rulings or government actions.”

The full text of the screenshot reads:

Destroy Obama Care.

This program continually displays alternate page of the ObamaCare website. It has no virus, trojans, worms, or cookies.

The purpose is to overload the ObamaCare website, to deny service to users and perhaps overload and crash the system.

You can open as many copies of the program as you want. Each copy opens multiple links to the site.

ObamaCare is an affront to the Constitutional rights of the people. We HAVE the right to CIVIL disobedience!

Of course, there’s no way of knowing who wrote and posted the tool, which has been mentioned on social media sites. It’s certainly possible that it’s the work of critics of President Obama’s healthcare legislation. But until we learn more, there’s no way to rule out the possibility that it was developed by an Obamacare supporter with the hope of discrediting critics.

Source: http://arstechnica.com/security/2013/11/new-denial-of-service-attack-aimed-directly-at-healthcare-gov/

DDoS attacks

IBM recently discovered an alarming fact: distributed denial-of-service (DDoS) attacks are rapidly increasing. The company released a report that offers insight on the attacks and the reasons why they’re being performed. According to the IBM Cyber Security Intelligence Index, the average number of attacks on a single organization in a week is 1,400, with an average of 1.7 incidents per week.

DDoS Attacks? What Are Those?
You might be wondering, what exactly is a DDoS attack? And what’s the difference between attacks and incidents? IBM defines attacks as security events that correlation and analytic tools identify as malicious activity trying to collect, degrade, or destroy information system resources or the data itself. This includes URL tampering, denial of service, and spear phishing. Incidents, on the other hand, are attacks that human security analysts review and deem a problem worthy of deeper investigation.

Who’s Targeted and Why
Malicious code and sustained probes are the two most common attack types, together making up over 60 percent of incidents. A sustained probe is reconnaissance activity designed to gather information about targeted systems, such as operating systems or open ports. Malicious code includes Trojan software, keyloggers, and droppers: software created to gain unauthorized access to systems and gather information.

The manufacturing industry is the number one targeted industry with 26.5 percent of DDoS attacks directed towards it. Almost 21 percent of attacks are directed at finance and insurance, and 18.7 percent at information and communication. Health and social services and retail and wholesale are targeted 7.3 and 6.6 percent of the time, respectively.

There are a handful of reasons perpetrators execute their invasions. Nearly half of all attacks are opportunistic, meaning that they take advantage of existing vulnerabilities without any motivation other than to do damage. Twenty-three percent are done because of industrial espionage, terrorism, financial crime, or data theft. Perpetrators discontented with their employers or job account for 15 percent of attacks, while only seven percent are attacks done in the name of social activism or civil disobedience.

How Do We Stop the Attacks?
Humans are the number one cause of vulnerability in organizations. Forty-two percent of the breaches that happen are due to misconfigured systems or applications. End-user errors make up 31 percent of the breaches, while 6 percent is attributed to vulnerable code and targeted attacks. It’s important to enforce online security protocol with employees to prevent your business from falling victim to these attacks.

IBM offers two essential pieces of advice to help organizations prevent incidents: building a risk-aware culture, and managing incidents and response. There should be no tolerance for colleagues who are careless about security; it is management’s job to enforce stricter rules on company security and to track the company’s progress. It is crucial to implement company-wide intelligent analytics and automated response capabilities, since automated, unified systems are far easier for an enterprise to monitor and respond to.


Back in July, domain name registrar giant Network Solutions experienced a significant Distributed Denial of Service (DDoS) attack. As I noted at the time, given that this was the second time in recent months they had been a target, and given they are such an inviting one because of the critical place they occupy in how the Internet functions, they seemed to be ill-prepared. This included a lack of preparation before the attack to assure rapid remediation, a lack of transparency during the attack in terms of keeping customers informed, and what appears to be a lack of ability to learn from their mistakes in anticipation of what had to be assumed would be continued testing by those with malicious intent.

Unfortunately, if you are not painfully aware already, it should come as no surprise that Network Solutions is once again experiencing problems, and as baseball sage Yogi Berra is famously quoted as saying, “It’s déjà vu all over again!”

First, let’s go to the Twitter feed of the company, #netsol.

Let’s just say frustration abounds now that we appear to be roughly in hour three of the as-yet-unidentified problem.

I think one tweet from the website I like when there are such problems, isitdownrightnow.com, kind of says it all.

In fact, here is the latest from www.isitdownrightnow.com.

Worst of all, and this is what is so disturbing, is the current view from www.networksolutions.com. To save you a visit and disappointment, there is NOTHING there to indicate there is a problem. In fact, indulge yourself in a little exercise and go to Twitter #netsol again and click the other links for getting company info. It might compel you to send a few words.

It appears that things are getting back to normal for most if not all Network Solutions customers, and that is a good thing. What is not so good, and I am trying hard to give the company the benefit of the doubt given that they are dealing with this in real-time and may not have a complete view of why the outage occurred, is the continued lack of customer engagement.

This is really getting repetitive and management should take a good hard look in the mirror and figure out if they would put up with such behavior from a “trusted” vendor.



As King Henry V intones in his famous, “Cry God for Harry, England, and Saint George!” speech in William Shakespeare’s play Henry V, Act III (penned in 1598), “Once more into the breach!”

We will let you know what’s known about the outage once there is clarity. Hopefully, that will be sooner rather than later.

Source: http://www.techzone360.com/topics/techzone/articles/2013/10/22/357640-network-solutions-down-once-more-it-deja-vu.htm

“Headless” browsers pummeled a trading platform’s website this past week in a rare form of distributed denial-of-service (DDoS) attack that lasted for 150 hours.

The attack employed some 180,000 IP addresses — and as of today continues to rebound in smaller pockets — according to cloud-based DDoS mitigation service provider Incapsula, which discovered and mitigated the massive attack for its customer.

The company declined to name the targeted organization, only saying it was a trading platform and that the attackers were likely motivated for competitive reasons. “The order of magnitude was significant,” says Marc Gaffan, co-founder of Incapsula. “No one has 180,000 IPs at their disposal unless it’s an amalgamation of separate botnets they are using interchangeably. This was a sophisticated and thought-out process.”

DDoS attacks increasingly have moved up the stack to the application layer, mainly for more targeted purposes, such as disrupting transactions or access to databases, for instance. According to new data from Arbor Networks, DDoS attacks in general are getting more powerful but their duration is declining: the average DDoS attack size thus far is 2.64 Gbps for the year, an increase of 78 percent from 2012, and some 87 percent of attacks last less than one hour.

That makes the recent headless browser attack even more unusual, given that its duration was so long. “That’s pretty long. Obviously, someone was upset at them,” says Marc Eisenbarth, manager of research for Arbor.

The attack also was unusual in that it employed a version of the Phantom JS headless browser toolkit, which is a Web app developer’s tool for testing and simulating user browsing of an application. “This was the first time we saw this technology in a DDoS attack,” Gaffan says. “It mimics human behavior so effectively that it’s a challenge for mitigation services to deal with.”

Phantom JS is basically a test tool that uses a bare-bones or “headless” browser – no buttons, address bar, etc. – with an API so programmers can test-run and automate their apps. “They can do a load test to websites simulating browser behavior and run JavaScript and accept cookies,” for example, Gaffan says.

Arbor’s Eisenbarth says he rarely sees Phantom JS being abused the way Incapsula has described this DDoS attack on its customer. “We don’t see Phantom JS as much. What we do see are attackers creating hidden IE [Internet Explorer] browsers that actually are full-function browsers and are even more sophisticated at bypassing detection mechanisms,” Eisenbarth says.

The attackers also employed some 861 different variants of the headless browser, and were generating some 700 million hits per day on the targeted website, according to Incapsula. “It’s really an evasion technique. We try to catch what they are doing, and they try to evade us,” Gaffan says. “Our job is to filter out the good guys [legitimate visitors] and let them pass … the site still needs to operate. And then keep the bad traffic out.”

Dan Holden, director of security research at Arbor Networks, says these Layer 7 DDoS attacks take more effort to execute. “There’s got to be something financial” motivating the attackers here, he says. “These are more common when you’ve got very focused and targeted attacks.”

Incapsula’s Gaffan says application-layer DDoS attacks are becoming more popular, and often accompany network-layer attacks. “That leaves you scrambling on all fronts,” he says. “An application-layer attack is easier to perpetrate because it requires less resources, but you need expertise” to pull it off, he says.

The victim organization’s business in the end suffered little impact since Incapsula was able to mitigate the attack, he says. But the DDoS hasn’t disappeared yet, either: “It started last week, and to some extent, it’s still ongoing,” Gaffan says. “There’s an ongoing process [by the attackers] of updating and changing” the headless browsers in the attack, he says.
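A defender-side sketch of the detection problem this attack poses, added here and not code from Incapsula, Arbor or the article: it parses constructed combined-format access-log lines and flags a window in which requests come from many low-rate sources using many headless-browser user-agent variants, the pattern that per-IP rate limits miss. The log format, the user-agent markers, the sample data and the thresholds are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def analyze(lines, markers=("PhantomJS", "HeadlessChrome")):
    """Summarise a log window. The verdict ignores per-IP rate on purpose: spread
    over enough sources each client stays under any per-IP limit, so the signal
    is the aggregate share of headless user agents and how many variants appear."""
    recs = [r for r in map(parse, lines) if r]
    if not recs:
        return {"suspicious": False}
    span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds() or 1
    per_ip = Counter(r["ip"] for r in recs)
    headless = [r for r in recs if any(m in r["ua"] for m in markers)]
    share = len(headless) / len(recs)
    variants = len({r["ua"] for r in headless})
    return {"total_rps": len(recs) / span,
            "max_ip_rps": max(per_ip.values()) / span,
            "distinct_ips": len(per_ip),
            "headless_share": round(share, 3),
            "ua_variants": variants,
            "suspicious": share > 0.5 and len(per_ip) > 50 and variants > 10}

def constructed_log(bots=200, legit=20):
    """Constructed 60-second window: `legit` ordinary visitors plus `bots` sources
    that each send two requests with a rotating PhantomJS version string."""
    legit_ua = "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
    lines = [f'198.51.100.{i} - - [10/Nov/2013:10:00:{i % 60:02d} +0000] '
             f'"GET /quotes HTTP/1.1" 200 512 "-" "{legit_ua}"' for i in range(legit)]
    for i in range(bots):
        ua = (f"Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 "
              f"(KHTML, like Gecko) PhantomJS/1.9.{i % 30} Safari/534.34")
        for sec in (i % 60, (i + 30) % 60):
            lines.append(f'10.{i // 256}.{i % 256}.1 - - [10/Nov/2013:10:00:{sec:02d} +0000] '
                         f'"GET /quotes HTTP/1.1" 200 512 "-" "{ua}"')
    return lines
```

Run `analyze(constructed_log())` to see that every source stays well under one request per second while the window as a whole is flagged; the same thresholds leave the legitimate-only window alone.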

Source: http://www.darkreading.com/attacks-breaches/ddos-attack-used-headless-browsers-in-15/240162777