Here's an overview of some of last week's most interesting news and articles: Apache HTTP Server set to ignore IE10's Do Not Track request Microsoft's decision to make Internet Explorer 10 in Wi…
View article:
Week in review: Blackhole 2.0 is out, Windows 8 users open to Flash exploits, and botnet C&Cs hidden in the Tor network
Over the last few months, I’ve started to see a common refrain from new customers coming onboard, indicating that they were getting DDOS’d with an SQL injection and needed protection. Each of these customers would describe different circumstances and impact to their websites, and the only similarity was that they all had backend databases to their websites. It made me take a deeper look into the attacks targeting some of these customers, to see if there was more to SQL injection than what the current understanding indicates. Here’s what I discovered as the most common methods for attacking a website database a) Crafted Code Injection – this technique falls within the conventional understanding, where an attacker will inject SQL statements via user input, cookies or server variables, in an attempt to have the rogue command passed to the backend database. If the database is not secured properly, the command may get successfully executed and lead to devastating results (eg. Dump of the database, data corruption, shutdown, etc.) b) Resource Exhaustion –arguments and commands are passed at a high enough frequency to simply overwhelm the database so it cannot process legitimate transactions. The illegitimate arguments that are being passed may be invalid or just nonsensical, and therefore not executed upon, but they still require the database to review the input before discarding. By injecting a flood of these types of requests, the CPU load of the backend database starts to increase to the point it stops responding. What we’ve seen with the Resource Exhaustion style attacks is that it often doesn’t take much in terms of packets or bits per second to make some of these database servers keel over. For those of you familiar with UDP/ICMP/SYN floods, which can be 10+ Gb/s and millions of packets per second (pps), you’ll be surprised to hear that Resource Exhaustion SQL Injections can be small as 200 kb/s as well as being only a few hundred pps, to debilitate a database and effectively bring a site down. Regardless of what attack technique is employed, we here at DOSarrest have been able to keep customers databases operational and intact under our protection. With our ability to mitigate these types of incursions, by employing features such as: i) Managing Arguments – checking and sanitizing which arguments get passed through to our customer ii) User Agent Verification – validation of http header fields to ensure that request are coming from an accepted list of browsers iii) Client Validation – proprietary algorithm ensuring that a visitor to a site is in fact a real user session iv) Connection Rate Limiting – discarding connections from sources that trip custom defined thresholds as well as many more, we are able to provide solutions unique to each customers setup and requirements. While we have been extremely successful in helping out our customers during these attacks, we still advise our customers to take preventative measures and use best case practices in designing their website code. In the next article, our Security Operations Manager, Sean Power, will be providing some useful tips and tricks in designing secure connections from your website to your backend database Jag Bains CTO DOSarrest Internet Security
Original post:
Tactics of an SQL Injection Attack
Microsoft's Digital Crimes Unit has disrupted the functioning of yet another botnet by effecting a takedown of a domain which was also hosting over 500 different strains of malware and has been linked…
Excerpt from:
Microsoft's study into unsecure supply chains leads to botnet disruption
Over the years, botnet owners have tried out different tactics for keeping their C&C servers online, in contact with the zombie computers, and hidden from researchers and law enforcement agencies, …
GoDaddy, on of the biggest and most popular Internet domain registrars and web hosting companies in the world, has suffered an outage on Monday that left many of its customers' websites temporarily av…
Read the original:
Millions of GoDaddy sites go offline due to alleged DDoS attack
A massive DDoS attack struck GoDaddy’s name servers today, temporarily plunging thousands of websites into the internet abyss. “GoDaddy, the massive Web hosting company, went down on Monday, taking an untold number of websites with it,” reported CNN. Mashable.com reported, “The more problematic part is that any domain registered with GoDaddy that uses its nameservers and DNS records are also down. This means that even if you host your site elsewhere, using GoDaddy for DNS means it is inaccessible.” PC World reports: “In a YouTube video (http://www.youtube.com/watch?v=SPGBZWGUE2g), secretive hacking group Anonymous has taken credit for the outage, claiming the move is a reaction to the company’s support of the U.S. government’s efforts “to censor and control the Internet,” through its support of the Stop Online Privacy Act (SOPA).” But claiming Anonymous did this attack may be false, it turns out. The apparent attacker said, himself, that he was not affiliated with the Anonymous collective: “It is not Anonymous collective it’s only me. Don’t use Anonymous collective name on it, just my name,” wrote Twitter user Anonymous Own3r. (http://www.foxnews.com/tech/2012/09/10/every-godaddy-registered-site-…) Most likely scenario? A false flag cyber security attack in order to provide the excuse for Obama to sign a freedom-killing executive order focused on “cyber security.” The attack has taken down GoDaddy’s website, DNS servers, phone support and email accounts. It’s almost as if a nuclear bomb went off at GoDaddy headquarters. This attack appears to be hugely successful from the point of view of Anonymous hackers, although it’s not clear why GoDaddy was targeted in particular. GoDaddy manages 48 million domains spanning more than 9 million customers. The failure of its DNS likely means that millions of websites were taken offline. Domain Name Servers are a known vulnerability Domain Name Servers are a well-known vulnerability of the internet infrastructure. As this attack by Anonymous has masterfully demonstrated, DNS provides a centralized single point of attack that, if penetrated, can bring down literally millions of websites. DNS also provides a single point of government seizure, where rogue governments that hate free speech can take control over websites by commandeering their DNS records. For these reasons, you need to know how to reach NaturalNews.com even if DNS is compromised There is a workaround to DNS. You can bypass it and go straight to NaturalNews by simply entering the following “IP address” into your browser: 174.132.185.226 This is the equivalent of typing “NaturalNews.com” into your browser and it will work even if Domain Name Servers are being hacked or seized. This IP address will take you right to our website. It is our “digital address” recognized by all web browsers. WRITE THIS NUMBER DOWN on a piece of paper and carry it in your wallet or purse. Even if the Domain Name Servers are illegally seized by the government in an assault on the freedom of the press — or if they’re brought down by hackers as was demonstrated today — you can still use the IP address to reach us. If NaturalNews.com appears to be unreachable during a crisis event, revert to using the numbers instead of the name, and the site will likely respond. An even better way: Subscribe to our email newsletter An even better way to make sure you can hear from us is to subscribe to our FREE email newsletter (see subscription form below). Email is virtually impossible for anyone to block. Unless there’s a nuclear holocaust or something, we will always be able to email you with the latest alerts and information, even if our web servers are hacked or physically taken offline. Even if you don’t want to read our email newsletter each day, simply staying subscribed is valuable because we will be able to reach you with urgent alerts about what’s really happening. We don’t sell email addresses to anyone. Your privacy is completely protected, and you can unsubscribe at any time. Subscribing to our email newsletter is your way of allowing us to reach you even in a crisis, a seizure, or a hack attack. For fast DDoS protection against your eCommerce site click here . Source: http://www.naturalnews.com/037140_DDoS_attack_GoDaddy_Domain_Name_Servers.html
View article:
DDoS attack on GoDaddy takes down millions of websites
A Scots teenager who admitted hacking into the websites of the Serious Organised Crime Agency (Soca) and other prominent organisations said life is “serene” without access to the internet. Jake Davis, 19, admitted conspiring to carry out a “denial of service” attack on the crime agency at Southwark Crown Court in June. He also admitted hacking the NHS website. Davis, from the island of Yell, faced five charges following a Met Police investigation into the hacking groups LulzSec and Anonymous. The groups have been linked to a number of cyber-attacks on government agencies and multi-national companies. LulzSec has also been linked to hacking attempts on Sony and The Sun newspaper. Davis told the Observer newspaper: “The last time I was allowed to access the internet was several moments before the police came through my door in the Shetland Isles, over a year ago. One of my co-defendants and I have also been indicted with the same charge in the United States, where we may possibly be extradited, and if found guilty I could face several decades in an American prison. “Now I am on conditional bail and have to wear an electronic tag around my ankle. I’m forbidden from accessing the internet. “I’m often asked: what is life like without the net? It seems strange that humans have evolved and adapted for thousands of years without this simple connectivity, and now we in modern society struggle to comprehend existence without it. In a word, life is serene. “I now find myself reading newspapers as though they weren’t ancient scrolls; entering real shops with real money in order to buy real products, and not wishing to Photoshop a cosmic being of unspeakable horror into every possible social situation. Nothing needs to be captioned or made into an elaborate joke to impress a citizenry whose every emotion is represented by a sequence of keystrokes.” He added: “Things are calmer, slower and at times, I’ll admit, more dull. I do very much miss the instant companionship of online life, the innocent chatroom palaver, and the ease with which circles with similar interests can be found. Of course, there are no search terms in real life – one actually has to search. However, there is something oddly endearing about being disconnected from the digital horde. “It is not so much the sudden simplicity of daily life – as you can imagine, trivial tasks have been made much more difficult – but the feeling of being able to close my eyes without being bombarded with flashing shapes or constant buzzing sounds, which had occurred frequently since my early teens and could only be attributed to perpetual computer marathons. “Sleep is now tranquil and uninterrupted and books seem far more interesting. The paranoia has certainly vanished. I can only describe this sensation as the long-awaited renewal of a previously diminished attention span.” He said people’s attentions spans had suffered since the advent of the internet. “A miracle cure or some kind of therapeutic brilliance are not something I could give, but I can confidently say that a permanent lack of internet has made me a more fulfilled individual. And as one of many kids glued to their screens every day, I would never before have imagined myself even thinking those words. “Before, the idea of no internet was inconceivable, but now – not to sound as though it’s some kind of childish and predictable revelation spawned as a result of going cold turkey – I look back on the transcripts of my online chats (produced as legal evidence in my case, in great numbers) and wonder what all the fuss was about.” He added that he hoped others involved in the hacker community could take a short break from the internet to see if they could feel similar effects adding he had “forgotten how easy it was simply to close a laptop lid”. For fast DDoS protection against your eCommerce site click here . Source: http://news.stv.tv/north/189464-teenager-who-hacked-major-websites-says-life-is-serene-without-web-access/
See the original post:
Teenager who launched Distributed Denial of Service ‘DDoS’ attack on high profile websites says life is ‘serene’ offline
Joshua Schichtel was sentenced to 30 months in prison for selling command-and-control access to and use of thousands of malware-infected computers. In addition to his prison term, Schichtel was ordere…
Originally posted here:
Arizona man goes to prison for selling access to botnets
A US hacker, who sold access to thousands of hijacked home computers, is jailed for 30 months.
Read this article:
Botnet ‘controller’ jailed in US
Network professionals know that distributed denial-of-service attacks are an ever-growing danger. The recent assault on Twitter is just the latest evidence. Using a mushrooming array of advanced tools, including pay-per-use services and mobile devices, attackers are taking down websites, DNS and email servers, often using these tools to destroy a company’s online revenue, customer service and brand reputation. But the technology is only half the story. The thinking that shapes attacks an evolving blend of careful planning, probing and improvisation is often the difference between duds and strikes that leave victims begging for mercy. So who launches DDoS attacks and why? The most common profiles: extortionists, ruthless competitors and “hacktivists,” those attacking not for money, but in the name of social or political protest. The latter gets the most press, thanks to the media-savvy tactics of groups that have punished the likes of Bank of America and the US Chamber of Commerce. However, even though reliable statistics about attacks are hard to find, it’s likely that money, not justice, is the main motive. Regardless of the attacker’s identity or incentive, criminals use common tools and tactics in varying combinations. Many of these tools are cheap or free and easily available. They also require no more specialised skill than typing in the target’s name and hitting “enter.” The low-orbit ion cannon (LOIC), for example, is an open-source DDoS application which floods a server with enough UDP or TCP packets to disrupt service. The LOIC even offers multiple attack vectors. Attackers can send anything from packets with the text of their choice to random HTTP GET requests which imitate legitimate application-layer traffic. The future of malware The means to launch an assault doesn’t stop there though, as there are many other resources for attackers to use. If someone rents a server from a hosting company, but doesn’t secure it, an attacker could obtain administrative rights to the server, load scripts onto it and execute them at will. This is known as accessing a “shell booter.” There are also remote-access Trojans and DDoS bots, both forms of malware that infect PCs and mobile phones, letting criminals control them remotely to execute attacks. A group of such computers is a “botnet” and each computer infected is a “zombie.” Each family of malware has its own destructive capabilities. The most advanced the ones that avoid detection the longest and support the most types of attacks are often sold as software or as a complete pay-by-the-hour service. Attackers can also infect mobile phones to be used as extra resources. It’s the same idea as launching attacks with other people’s computers in a botnet. However, the added benefit is that there are billions of smartphones in use all around the world. And unlike desktop computers and laptops which are shut off for hours each day, mobile phones are always on, connected and able to abet attacks. In the DDoS world, it’s all about how much traffic you can generate, which depends on the number of hosts under your control. Mobile phones are simply too tempting to resist, and a new weapon that network security personnel have to keep an eye out for. However, before going through choosing a weapon and firing, the smartest attackers do their homework first. After all, there’s a ton of public information available about any business, including yours. For instance, a simple DNS look-up can reveal a lot of information about your public-facing assets. Attackers will also check your infrastructure for open ports, protocols, applications and firewalls. By doing recon on your infrastructure and understanding what it’s built to support ecommerce, customer service or public information, let’s say the bad guys will assess what’s at risk and will look for the best ways to exploit these weak spots in your infrastructure. In the ramp-up to an attack, you might notice bursts of heavier traffic in key areas of your network. The attacker is probing, trying to find a way in. While some will simply try to flood you, others will try to find a little crack in your network defenses, some piece of infrastructure too tempting to ignore. If you’re a retailer, for example, and someone succeeds in bringing down your point-of-sale applications, the pain could be acute. For the attacker, it’s well worth the time investment and ensures that your entire organization will take notice of the attack. Know your network and security inside-out Everything’s not all doom and gloom though. While criminals have many tools at their disposal, understanding what’s at risk, and how it will be attacked, allows you to understand how to take the first steps in order to protect it. For starters, make sure your team knows not only your network inside-out but also your security set-up. Conduct a security assessment, either in-house or with third-party experts who can give independent validation. Use these findings to help optimize your systems. It’s also critical to monitor traffic, so you know what’s normal and what’s not. With a clear baseline, you’ll be able to spot and mitigate DDoS attacks faster. Maybe most important of all, devise a DDoS response plan to counteract some of the tactics described here, listing procedures to follow and which team members are responsible for what. And practice executing this plan regularly. If you have to dust it off in the midst of an attack, you’re inviting chaos. Run regular drills including simulated communications with customers, so you can become adept at managing their expectations. At the end of the day, it’s not only attackers whose thinking makes a difference. Companies that invest more brainpower in understanding how DDoS attacks work, to better protect themselves are also more skilled in deploying the technologies designed to keep their online presences safe. For DDoS protection against your e-commerce site click here . Source: http://features.techworld.com/security/3378864/how-cybercriminals-hacktivists-use-ddos-tools-attack/
Read the original:
How cybercriminals and hacktivists use DDoS tools to attack