Tag Archives: ddos news

WordPress Security: Prevent Brute Force and DDoS Attacks

Earlier this year, a WordPress XML-RPC exploit was used to launch distributed denial-of-service (DDoS) and brute force attacks against WordPress websites. As WordPress continues to grow in popularity and gain an increasing share of the market for website content management systems (CMS), such attacks have proliferated and pose an ongoing security risk that WordPress developers and website owners must address. Distributed Denial-of-Service Attacks In the case of DDoS attacks, the intent of attackers is to disrupt a website or service by flooding it with information and traffic. According to the U.S. Computer Emergency Readiness Team (US-CERT): “In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer.” Typically, larger scale DDoS attacks involve the use of multiple computer systems, websites, and servers that have been compromised and can be controlled remotely by the attackers. These networks are known as botnets and can include hundreds or even thousands of compromised systems. However, a simpler denial-of-service attack (DoS) can be launched from a single computer and potentially disrupt a website or service with only a small-scale effort. In either case, WordPress sites can be compromised and used for this purpose, and, in one of the largest cases earlier this year, more than 162,000 WordPress sites were used in just a single DDoS attack. Brute Force Attacks In brute force attacks, the intent is to gain access to a website or service rather than disrupt it. Typically, attackers use various methods to automate the submission of login and authentication requests in an attempt to defeat a site or service’s security and gain access to user accounts, the administrative account, and ultimately the underlying server and architecture. According to the Open Web Application Security Project (OWASP): “A brute force attack can manifest itself in many different ways, but primarily consists in an attacker configuring predetermined values, making requests to a server using those values, and then analyzing the response. For the sake of efficiency, an attacker may use a dictionary attack (with or without mutations) or a traditional brute-force attack (with given classes of characters e.g.: alphanumeric, special, case (in)sensitive). Considering a given method, number of tries, efficiency of the system which conducts the attack, and estimated efficiency of the system which is attacked the attacker is able to calculate approximately how long it will take to submit all chosen predetermined values.” In WordPress brute force attacks, attackers can potentially identify a user’s password and use it to access the user’s account on the WordPress site and on other sites where the user may have the same ID and password. If the WordPress site contains any personal information, payment details for e-commerce, or other sensitive data tied to the user’s account, then attackers may be able to steal it. Worst of all, if attackers can gain access to the administrative account for a WordPress site, then they may be able to compromise, shut down, or delete the entire website, deploy malicious code, or steal or delete entire databases of sensitive information, including user logins and passwords. WordPress Vulnerability: Pingback and XML-RPC DDoS and brute force attacks against WordPress sites have involved a WordPress pingback exploit and the general vulnerability of WordPress XML-RPC. WordPress uses the XML-RPC interface to allow users to post to their site using many popular Weblog Clients. This functionality can be extended by WordPress plugins, and WordPress offers its own API and supports the Blogger API, metaWeblog API, Movable Type API, and Pingback API. Unfortunately, this same functionality provides exploits that attackers can use to launch attacks, starting with the pingback exploit. Pingback is a linkback method that WordPress site owners and authors can use to request notification when someone links to their posts or pages. When pingback is enabled and an author or administrator of a WordPress site posts content that links to another site, an XML-RPC request is sent to the other site, which automatically sends a pingback to the original site to verify that there is a live, incoming link. Once this is confirmed, the pingback is recorded. According to Daniel Cid, founder and CTO of Securi Inc., a website anti-virus and anti-malware firm, “Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.” Using a simple command and an XML-RPC request, an attacker can exploit pingback and potentially use thousands of otherwise legitimate and seemingly harmless WordPress sites to launch a DDoS attack. As reported in a blog post by Cid earlier this year, attackers have now begun using further XML-RPC vulnerabilities and the XML-RPC wp.getUsersBlogs function to conduct large-scale brute force attacks against WordPress sites. Due to the many calls in WordPress XML-RPC that require a username and password, attackers can use a method like wp.getUsersBlogs to test or guess as many passwords as possible and gain access to WordPress administrator accounts or other user accounts. XML-RPC provides a faster method to conduct brute force attacks than using the /wp-login.php to make login attempts, and using XML-RPC is harder to detect. How to Secure Your WordPress Site Against DDoS Attacks WordPress 3.9.2 included a fix that reduces the impact of some DDoS attacks, but, if pingback and XML-RPC are still enabled, they can be exploited. To protect your WordPress website against DDoS attacks, disable pingback and consider disabling XML-RPC entirely, especially if you do not need it or you want to ensure the strongest possible security for your site. WordPress offers instructions for how to globally disable pingback on your site, and two convenient plugins are also available to disable pingback and XML-RPC generally: https://wordpress.org/plugins/disable-xml-rpc-pingback/ https://wordpress.org/plugins/prevent-xmlrpc/ How to Secure Your WordPress Site Against Brute Force Attacks Disabling XML-RPC will remove the possibility of attackers using it to launch brute force attacks, but it does not address the vulnerabilities and risks of brute force attacks against /wp-login.php, and it does not solve the more serious problem of using passwords for user authentication in WordPress. Passwords create arguably the single greatest vulnerability in website and data security. They can be stolen or compromised through a variety of methods, such as brute force hacking, phishing, and malware, and they provide one of the primary incentives for attacks. As long as attackers are able to guess passwords through brute force or steal them in transit or from servers, they can potentially gain access to administrator or user accounts, compromise WordPress sites, and steal data or use them to launch further attacks. Moreover, the storage of passwords or other credentials, even in encrypted form, provides a huge incentive for attackers to target specific WordPress sites and the servers that host them. As Bill Gates declared at a security conference in 2004, passwords “just don’t meet the challenge for anything you really want to secure.” This realization has become more widespread in recent years, especially in the wake of high-profile cyberattacks against retailers like Target and Home Depot or financial institutions and online banking systems. As Google’s manager of information security, Heather Adkins, has put it: “Passwords are dead,” and “the game is over” for relying on passwords as the chief method to secure users and their data. According to WordPress founder Matthew Mullenweg, WordPress site administrators need to implement two-factor authentication in order to protect their sites from brute force attacks and other password vulnerabilities. However, as we explored in our previous blog article, “Choosing the Best and Safest Two-factor Authentication Method”, most solutions for two-factor authentication continue to use passwords as part of the login process, and this perpetuates the underlying problem of passwords. The best way to secure your WordPress site from brute force attacks is to remove passwords and other sensitive credentials from the login process and replace them with simple, mobile authentication that uses public key cryptography. With this approach, there are no passwords or credentials to guess, so brute force attacks are rendered obsolete, and there are no passwords or credentials entered or transmitted during the login process or stored on a server, so phishing and malware are also rendered obsolete. This eliminates the incentive and opportunity for attacks because there is physically nothing that attackers can potentially guess or steal in order to gain access to sites or accounts. As a minimum step toward the strongest possible security, WordPress administrators should enable this next-generation authentication method to protect access to their admin accounts. But the same level of security can be extended to all user accounts for a WordPress site, including self-enrollment that eliminates any need for the admin to set up two-factor authentication for other WordPress users. Source: https://www.secsign.com/wordpress-security-prevent-brute-force-ddos-attacks/

More here:
WordPress Security: Prevent Brute Force and DDoS Attacks

18 Election Websites Offline During the U.S. Midterm Elections possible DDoS attack

On the day of the U.S. midterm elections, the Contra Costa County Department of Elections website for was inaccessible starting at 7:20 a.m. local time. And it wasn’t alone, the Bay Area News Group reported that 18 election websites run by Florida-based SOE Software across the country were down for most of the election day. According to local news reports, Contra Costa County officials said the hosting of the website was contracted to SOE Software, which was also offline at the time. Election officials said SOE Software was working trying to fix the problem, and the sites were back online this week. The main function of election websites is to provide information on where voters can find polling stations, but they also provide features such as Vote by Mail ballot registration. Officials recommended that voters needing to find their polling station visit Get to the Polls, a website sponsored by the Pew Charitable Trust and others. It’s possible that the election websites were unprepared for the amount of traffic they would get on election day, but it’s also likely that a Distributed Denial of Service attack flooded SOE Software’s servers with requests, blocking legitimate traffic from reaching the websites it hosts. Source: http://www.thewhir.com/web-hosting-news/least-18-election-websites-offline-u-s-midterm-elections

100 Bitcoin bounty slapped onto head of blackmailer who DDoS attack Bitalo site

On Saturday, an attacker and blackmailer “DD4BC” sent a note to the Bitalo Bitcoin exchange threatening distributed denial of service (DDoS). DD4BC demanded 1 Bitcoin (about £206, $326) as protection money and for “info on how I did it and what you need to do to prevent it”. Hello Your site is extremely vulnerable to ddos attacks. I want to offer you info how to properly setup your protection, so that you can’t be ddosed! My price is 1 Bitcoin only. Right now I will star small (very small) attack which will not crash your server, but you should notice it in logs. Just check it. I want to offer you info on how I did it and what you have to do to prevent it. If interested pay me 1 BTC to [Bitcoin address] Thank you. Bitalo CEO Martin Albert eschewed the offer for lessons on avoiding DDoS. Instead, the exchange slapped a bounty on DD4BC’s head, to the tune of 100x the ransom money. That price may seem steep, but this is serious business to Albert, who told Motherboard that his company wants to show that it’s serious. He noted that while its users’ funds were never at risk because of Bitalo’s multi-signature setup, extortionists like DD4BC nonetheless threaten the smaller startups that complete the global Bitcoin community. These kind of people can do much more harm to the community than any government by regulation or something like that, in my opinion. Fear and uncertainty take their toll as well: Bitcoin value plummeted after the fall of Mt. Gox. DD4BC’s DDoS attack on Bitalo lasted two days. Albert said that the company soon found out that the same attacker was behind threats to others: Immediately we figured out it was not an unknown guy; it was this guy who also threatened many other people. The list of DD4BC’s targets include exchange CEX.io and Bitcoin sportsbook Nitrogen Sports, Albert said. Now, the company is offering 100 BTC – about $32,859 or £20,599 at Tuesday’s exchange rates – through the Bitcoin Bounty Hunter site. This isn’t the first bounty for a Bitcoin burglar, but it’s the biggest by far. Other bounties include: ?37.6875 (approx. $12,331, £7,710) For help in catching whomever broke into the email accounts of Satoshi Nakamoto – the person or people who created the Bitcoin protocol and reference software – and Bitcoin angel investor, evangelist, the founder himself of the Bitcoin Bounty Hunter site, and a man known by some as the “Bitcoin Jesus”, Roger Ver. ?2.1249 (approx. $698, £434) For help in catching whomever’s behind the missing 600K BTC from Mt. Gox. Ver told Motherboard that he started the bounty site in September after somebody got into an old email account and started making threats: Somebody hacked an old email account of mine and then was claiming they were going to steal my identity. [They also demanded] that I pay them $20,000 worth of bitcoin or they were going to ruin my life and ruin my family’s life, and they made all sorts of nasty threats. At the time, Ver offered a 37 BTC reward in a Facebook post for “information leading [to] the arrest of the hacker.” The problem was that he didn’t know what to do with the information people sent him, he said, some of which appeared legitimate but some of which were clearly a joke. Thus was Bitcoin Bounty Hunter born: a site that allows anyone to offer information and claim a bounty anonymously. It relies on the site proofofexistence.com, which requires informants to send in details in a manner that proves that they know something without revealing what it is that they know. In order to claim any of the bounties, the culprit has to be arrested and convicted. Why not just go to the cops? Ver told Motherboard that when he’s been targeted by theft in the past, he had to track down the stolen parts himself before the police became interested. The police in California did absolutely nothing to help, they didn’t even lift a finger. Going to the police, traditionally, they don’t do much of anything to help at all. By providing a bounty I think you can provide an incentive to have anybody – including the police – to actually do the right thing and help victims of crimes. Albert said there haven’t been any real tips on the Bitalo attacker yet, but the company’s also analysing traffic to try to get at the blackmailer’s identity. Source: http://nakedsecurity.sophos.com/2014/11/05/100-bitcoin-bounty-slapped-onto-head-of-blackmailer-who-ddosed-bitalo/

Taken from:
100 Bitcoin bounty slapped onto head of blackmailer who DDoS attack Bitalo site

Pro-democracy Hong Kong sites DDoS’d with Chinese cyber-toolkit

Now we’re not saying it was the Chinese government, but… Hacking attacks against organisations promoting democracy in Hong Kong were run using the same infrastructure previously linked to Chinese cyber-espionage attacks, according to new research from security firm FireEye.…

More:
Pro-democracy Hong Kong sites DDoS’d with Chinese cyber-toolkit

Shellshock Being Used to Build a DDoS Botnet to launch DDoS attacks

The advisory alerts enterprises to a DDoS botnet-building operation by attackers taking advantage of the Shellshock Bash bug in Linux-based, Mac OS X and Cygwin systems. Failure to take action can result in a vulnerable system being used to propagate a DDoS botnet, launch DDoS attacks, exfiltrate confidential data and run programs on behalf of attackers. “PLXsert has observed the DDoS botnet-building operation of an attacker using Shellshock to gain access to and control Linux-based systems.” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “We are sharing this information to help enterprises patch their systems to prevent unauthorised access and use by this botnet. Akamai customers have multiple options to minimise the risk of a breach and to mitigate DDoS attacks enabled by this vulnerability.” Attackers breach vulnerable systems Malicious actors are using the Bash bug vulnerability, which is reportedly present in GNU Bash versions 1.03 through 4.3, to download and execute payloads on victim machines. These payloads include executable files and script files written in programming languages such as Perl, Python or PHP. The dropped files are capable of launching DDoS attacks, stealing sensitive information and moving laterally across internal networks to breach other systems. In addition, malicious attackers have implemented backdoor functionality to gain unrestricted access to victim machines in the future. DDoS botnet uses Internet Relay Chat IRC for communication PLXsert recorded an actual IRC conversation of a botnet-building operation that uses the Shellshock vulnerability to add new bots to a botnet. The observed botnet involved 695 bots. IRC channels #p and #x were used to issue commands, and new bots were requested to join channel #new. Web applications at high risk Web applications that use the Common Gateway Interface (CGI) method to serve dynamic content are at risk for the Bash bug. It is important to check internal and external web servers for this type of application and others that may potentially pass input to Bash. The Shellshock vulnerability has also been exploited in OpenSSH (OpenBSD Secure Shell), a set of computer programs that provides encrypted communication sessions. In this case the vulnerability is exploited after authentication, which lowers the risk of exploitation but should still be considered high risk. Enterprises need to patch (and re-patch) vulnerable hosts Enterprises must update and patch vulnerable hosts as soon as possible. Some of the earlier patches were insufficient. It is important to obtain and apply the latest patch from the operating system developer. Fully patched, remote exploitation attempts of this type will be unsuccessful. PLXsert anticipates further infestation and the expansion of this DDoS botnet. Get the Shellshock DDoS Botnet Threat Advisory to learn more In the Bash bug advisory, PLXsert shares its analysis and details, including: Vulnerable Bash versions DDoS building capabilities of binary payloads Types of DDoS attacks IRC conversation from within the DDoS botnet How to mitigate this vulnerability DDoS mitigation Source: http://www.australiansecuritymagazine.com.au/2014/11/akamai-observes-shellshock-used-build-ddos-botnet/

City of Phoenix Computers Under DDoS Attack

Police computer communication went down for almost an hour An attack targeting the computer systems of the public services in Phoenix, Arizona, affected the city’s activity for a period of almost an hour. Police work was also impacted, as officers were not able to search for information about suspects from the computers in their cars. According to information from inside sources, the attack had been carried out for days in a row, culminating with a disruption of the system on Saturday. No sensitive information was stolen There is no information about the identity of the attackers or their purpose, but Randell Smith, City CISO (Chief Information Security Officer), said in an interview for Fox 10 that he believed the goal to be gaining access to the network and obtaining as much personally identifiable information (PII) as possible; this is generally used for financial gains. No other possible reason was given by the CISO, who told the TV station that the defense tactics had held and no data could be exfiltrated. Over the weekend, the city’s servers received a heavy DDoS blow resulting in a 45-minute outage, and the public safety systems could not send information to police officers requesting details about names, license plates, and checking criminal records. Radio is the main communication system, which means that officers can still deliver details from the field to their colleagues. Important to note is that the entire computer system of the public service is affected, and the cybercriminals do not focus on a particular department. The city of Phoenix contacted the FBI along with technology partners to help put an end to the attacks. DDoS attack services can be rented At the moment, the City of Phoenix website is available intermittently until midnight Tuesday, for maintenance reasons and probably for analyzing any clues the crooks may have left behind. The current situation was uncovered by Fox 10, who managed to obtain internal letters containing references to the attack. In one of them, a deputy city manager wrote that the city could be under a coordinated denial of service (DoS) attack, given its intensity and persistence. Although it may appear a difficult task to pull, DSoS attacks can be easily carried out, even by those with little technical knowledge. The criminal market provides such services that can be sustained for a week, for as little as $100 / €79. Depending on the level of protection of the target system and the size of the attack, the price goes up. Still, for strong servers or websites with better protection in place, the cost is about $500 / €394 for a week-long incident. Source: http://news.softpedia.com/news/City-of-Phoenix-Computers-Under-DDoS-Attack-463286.shtml

Continue Reading:
City of Phoenix Computers Under DDoS Attack

Register for DDoS Protection and Response Strategies Webinar!

As cyber-criminals innovate and develop new techniques to tackle defensive methods, it has never been more important for information security professionals to have strong, proactive defense and remediation strategies in place. During this webinar, the speakers will share insight on how to address the risks and respond to attacks. Hear about the evolution of and motivations behind DDoS attacks and the attack vectors exploited Discover how to implement multi-layered DDoS defense Identify best practice detection and classification techniques Discover how to implement resilient DDoS incident response practices Date: November 12th 2014 Time: 10:00AM EST/15:00 GMT Click here to register !

See more here:
Register for DDoS Protection and Response Strategies Webinar!

#OpOrwahHammad – DDoS attack on Israeli Government Websites for Killing 14-Year-Old Orwah Hammad

Online hacktivist collective Anonymous has knocked 43 Israeli government websites offline in response to the killing of 14-year-old Palestinian-American boy Orwah Hammed by the Israeli Defense Forces (IDF). Conducted under the banner #OpOrwahHammad, the cyber-attacks knocked some of the main Israeli government websites offline using distributed denial of service (DDoS) attacks. Among the websites affected were those of the IDF, Office of the Prime Minister, Israel Ministry of Foreign Affairs, Israel Securities Authority , Ministry of Industry and Trade, State of Israel Mail and Israeli Immigration. Anonymous said in a statement published to coincide with the attacks: #?OpOrwahHammad has officially kicked-off now, and Israeli government websites are feeling it. Anonymous is targeting Israeli government websites in protest of the killing of young Orwah Hammad and many Palestinians alike. The world will not stand by such brutality. Israeli Government beware for you should have Expected Us. The hacktivist group also published a list of 43 websites it claims were knocked offline during the attack. At the time of writing, some of the websites on the list remain offline (such as the Ministry of Defence website) while others are back online (including the IDF website). Orwah Hammad The cyber-attacks were carried out in the name of Hammad, a 14-year-old boy who was shot in the head in the village of Silwad, north of Ramallah, on 24 October. The shooting of the Palestinian-American teenager led the US State Department to call for a “speedy and transparent investigation ” into the death. An Israeli army spokesman told Reuters Israeli forces “managed to prevent an attack when they encountered a Palestinian man hurling a molotov cocktail at them on the main road next to Silwad. They opened fire and they confirmed a hit”. The shooting happened during clashes in Arab areas in and around Jerusalem, in which several other people were injured. Source: http://www.ibtimes.co.uk/anonymous-shuts-down-israeli-government-websites-retaliation-killing-14-year-old-orwah-hammad-1471874

View article:
#OpOrwahHammad – DDoS attack on Israeli Government Websites for Killing 14-Year-Old Orwah Hammad

The DDoS Protections Services Landscape

As the Director of Sales for DOSarrest Internet Security I have the opportunity to speak with many prospects looking for DDoS protection service for their corporate website. What I have learned is that there are many competitors offering what I would call a “bare bones vanilla offering”. Some offer free service to service ranging in price from $200 – $300/month. These plans offer a very basic protection. They also advertise an Enterprise offering that has an expense starting point can really turn into being quite costly depending on your circumstances. The Enterprise service is the offering that any company that is serious about protecting their website should consider. There are a few issues with each of these offerings that I’d like to point out. These competitors claim they have a very large number of clients utilizing their services but fail to mention that 80-85% of them are using their free service. Roughly 10 -15% of their customers are using their $200-$300/month service which again is really just a basic protection with limited protection capabilities. When a company witnesses a large attack, which is completely out of their control, they are told they should upgrade to their enterprise offering. I hear from prospects quite often that this $200 – $300/month service does not offer adequate protection nor customer support. In most cases there is no phone support included at all! Also they will charge the client based on the size of the attack? How can a client control the size of an attack they are experiencing! This uncertainty makes it virtually impossible for a company to budget costs. Let’s not be mistaken, their goal is to get you onto their Enterprise offering which will cost you in excess of a thousand dollars per month. Alternately at DOSarrest Internet Security we offer a single Enterprise level service for all of our clients. The service includes full telephone and email access to our 24/7 support team with our service. This provides you direct access to system experts. We do not operate a tiered support service given the criticality of the service. Also we protect our clients from all DDoS attacks regardless of size without the need to pay us additional depending on the size of an attack. We also include an external monitoring account with our service called DEMS which stands for our D OSarrest E xternal M onitoring S ervice . This allows our 24/7 support team to monitor your website from 8 sensors in 4 geographical regions. We proactively inform our clients if we notice any issues with their website. Most of our competitors do not offer this service and if they do it is not included free of charge to their clients. DOSarrest has been providing DDoS protection services since 2007. Globally we were one of the very first DDoS protection providers and have successfully mitigated thousands of real world attacks. This is a not an “add on product” for us. Our team has the experience and the protection of a client’s website is our #1 priority. Please visit our newly revamped website and take a look at the testimonials page to see what some of our current customers are saying about their experience with us. Please feel free to reach out to me directly or anyone on our sales team at sales@dosarrest.com for further information on our service. Brian Mohammed Director of Sales for DOSarrest Internet Security LTD.

See original article:
The DDoS Protections Services Landscape

DDoS Attacks: Legitimate Form of Protest or Criminal Act?

A basic premise of a democratic society gives its citizens rights to participate in debate and effect change by taking to the streets to demonstrate. In the U.S., this is enshrined in the Bill of Rights under the First Amendment. But what happens when we all effectively live, work, shop, date, bank and get into political debates online? Because online, as Molly Sauter points out in her book The Coming Swarm , there are no streets on which to march. “Because of the densely intertwined nature of property and speech in the online space, unwelcome acts of collective protest become also acts of trespass.” Sauter argues that distributed denial of service (DDoS) attacks are a legitimate form of protest. Or at least one that needs to be examined in a larger context of lawful activism, rather than hastily and disastrously criminalized under the Patriot Act. Sauter is currently doing her Ph.D. at McGill University in Montreal after completing her Masters at MIT. Prior to attending MIT she worked as a researcher at the Berkman Center for Internet and Society at Harvard. So she’s been thinking about civil disobedience and digital culture for a while, although she admitting during a recent phone interview that “adapting and re-writing a Masters thesis into a book during the first year of doctorate study is not recommended.” As Sauter examines in The Coming Swarm , DDoS campaigns are not new. In fact they’ve been used for almost 20 years in support of various political movements from pro-Zapatista mobilization to immigration policy in Germany and, most notably, at 2010 G20 in Toronto. “Guiding this work is the overarching question of how civil disobedience and disruptive activism can be practiced in the current online space,” she told PCMag. “Actions that take place in the online sphere can only ever infringe on privately held property. The architecture of the network does not, as of yet, support spaces held in common.” The book also delves into extensive technical discussion on the evolution of simple denial-of-service attacks, where a single computer and Internet connection breaches a firewall, floods a server with packets, and overloads the system so that it malfunctions and shuts down. According to Sauter, it was the switch to distributed denial-of-service attacks that really got the authorities’ attention. Mainly because the distributed nature of attack, using zombie machines to hide the original source of the activists’ IP addresses and often effect malware, made detection almost impossible. It was then that the nature of digital debate was re-framed as a criminal act rather than civil disobedience. Source: http://www.pcmag.com/article2/0,2817,2469400,00.asp

More:
DDoS Attacks: Legitimate Form of Protest or Criminal Act?