Tag Archives: ddos

2017 predictions: US isolationism, DDoS, data sharing

Without a doubt, 2016 was the year of the DDoS. The year came to a close with a major DDoS attack on DNS provider Dyn, which took down several major internet sites on the Eastern US seaboard. This attack was different – not so much in terms of its volume or its technique, but in the fact that instead of being directed at its intended target, it was aimed at network infrastructure used by the target. I think we are likely to see more DDoS attacks in 2017, both leveraging amplification attacks and direct traffic generated by the Internet of Things. However, we will also see a growing number of incidents in which not just the target experiences outages, but also the networks hosting the sources of the DDoS, as they also need to support significant outbound traffic volumes. This is likely to lead to increasing instability – until such a time as network operators start seeing DDoS as an issue they need to respond to. In this sense, the issue of DDoS is likely to increasingly self-correct over time.

The other main trends and developments that I foresee for the year ahead are as follows:

- I think we are likely to see the first few cases where attribution of nation states accountable for attacks starts to backfire. Over the past few years, corporations and nation states have published a lot of theories on espionage campaigns. One issue with these incidents is the fact that often, contrary to human intelligence, the malware and tools that are used in these attacks leave the intent of the attack open to interpretation. Was the goal to spy on the development of a country and its international relations? Was it to steal information for economic gain? Or was the attack intended to result in sabotage? Those are the all-important questions that are not always easy to answer. The risk of one country inadvertently misunderstanding an attack, and taking negative action in response, is increasing. When a nation’s critical infrastructure suddenly fails, after the country has been publicly implicated in an attack, was it a counterattack or a simple failure?

- In the new policy environment being introduced by President-elect Donald Trump, there is some risk that the United States may start to withdraw from the international policy engagement that has become the norm in cyber security. This would be unfortunate. Cyber security is not purely a domestic issue for any country, and that includes the United States. Examples of great cyber security ideas hail from across the world. For instance, recent capture-the-flag competitions show that some of the best offensive cyber security talent hails from Taiwan, China and Korea. In addition, some tools such as Cyber Green, which tracks overall cyber health and makes international security measurable, originate in Japan rather than the United States. Withdrawing from international cooperation on cyber security will have a number of negative implications. At a strategic level it is likely to lead to less trust between countries, and reduce our ability to maintain a good channel of communications when major breaches are uncovered and attributed. At a tactical level it is likely to result in less effective technical solutions and less sharing around attacks.

- Meanwhile, across the pond, Presidential elections in France, a Federal election in Germany, and perhaps a new president taking power in Iran will all lead to more changes in the geopolitical arena. In the past, events of major importance such as these have typically brought an increase in targeted attack campaigns gathering intelligence (as widespread phishing) and exploiting these news stories to steal user credentials and distribute malware.

- Companies will become more selective about what data they decide to store on their users. Historically, the more data that was stored, the more opportunities there were for future monetisation. However, major data breaches such as we have seen at Yahoo! and OPM have highlighted that storing data can lead to costs that are quite unpredictable. Having significant data can result in your government requesting access through warrants and the equivalent of national security letters. It can also mean that you become the target of determined adversaries and nation states. We have started seeing smaller companies and services, such as Whisper Systems, move towards a model where little data is retained. Over time, my expectation is that larger online services will at least become a little bit more selective in the data they store, and their customers will increasingly expect it of them.

- We will see significant progress in the deployment of TLS in 2017. Let’s Encrypt, the free Certificate Authority, now allows anyone to enable TLS for their website at little cost. In addition, Google’s support for Certificate Transparency will make TLS significantly more secure and robust. With this increased use of encryption, though, will come additional scrutiny by governments, the academic cryptography community, and security researchers. We will see more TLS-related vulnerabilities appear throughout the year, but overall, they will get fixed and the internet will become a safer place as a result.

- I expect that 2017 will also be the year when the security community comes to terms with the fact that machine learning is now a crucial part of our toolkit. Machine learning approaches have already been a critical part of how we deal with spam and malicious software, but they have always been treated with some suspicion in the industry. This year it will become widely accepted that machine learning is a core component of most security tools and implementations. However, there is a risk here as well. As the scale of its use continues to grow, we will have less and less direct insight into the decisions our security algorithms and protocols make. As these new machine learning systems need to learn, rather than be reconfigured, we will see more false positives. This will motivate protocol implementers to “get things right” early and stay close to the specifications to avoid detection by overzealous anomaly detection tools.

Source: http://www.itproportal.com/features/2017-predictions-us-isolationism-ddos-data-sharing/

Trump must focus on cyber security

When Donald Trump takes the oath of office on Jan. 20, he’ll face an urgent and growing threat: America’s vulnerability to cyberattack. Some progress has been made in fortifying the nation’s digital defenses. But the U.S. is still alarmingly exposed as it leaps into the digital age. If the 45th president wants to make America great again, he needs to address this growing insecurity. Three areas — energy, telecommunications and finance — are especially vital and vulnerable. The government must commit itself to defending them. And it must recognize that the risks posed to all three are increasing as more and more parts of our lives are connected to the Internet.

Start with energy. There is already malware prepositioned in our national power grid that could be used to create serious disruptions. It must be cleaned up. Last December, three of Ukraine’s regional power-distribution centers were hit by cyberattacks that caused blackouts affecting at least 250,000 citizens. The U.S. is just as vulnerable, because the malware used in that attack is widespread and well placed here. It would be a federal emergency if any region or city were to lose power for an extended period, and it could easily happen — taking down much of our critical infrastructure in the process. The government historically has taken steps to ensure the availability of communications in an emergency (for instance, the 911 system). It should do the same for power. In particular, Trump should direct the Federal Emergency Management Agency to use the Homeland Security Grant Program to improve cyber resilience at state and local power facilities. These efforts must be focused on removing malware and fielding better defenses, beginning with the highest-risk facilities crucial to the centers of our economic and political power.

Next, protect telecommunications. The integrity of our telecommunications system is essential for the free flow of goods, services, data and capital. Yet the U.S. is home to the highest number of “botnets,” command-and-control servers and computers infected by ransomware in the world. Compromised computers are being used to launch paralyzing distributed denial of service (or DDoS) attacks against a wide range of companies. In October, such an attack knocked numerous popular services offline, including PayPal, Twitter, the New York Times, Spotify and Airbnb. Thousands of citizens and businesses were affected. To address this problem, the next president should start a national campaign to reduce the number of compromised computers plaguing our systems. This campaign should be managed like the Y2K program — the largely successful effort, led by the White House in tandem with the private sector, to fix a widespread computer flaw in advance of the millennium. With the same sense of urgency, the government should require that internet service providers give early warning of new infections and help their customers find and fix vulnerabilities. Just as water suppliers use chlorine to kill bacteria and add fluoride to make our teeth stronger, ISPs should be the front line of defense.

Third, the U.S. must work with other countries to protect the global financial system. In recent years, financial institutions have experienced a wide range of malicious activity, ranging from DDoS attacks to breaches of their core networks, resulting in the loss of both money and personal information. In the past year, a number of breaches at major banks were caused by security weaknesses in the interbank messaging system known as SWIFT. The entire financial system is at risk until every connected institution uses better security, including tools to detect suspicious activities and hunt for the malicious software that enables our money to be silently stolen. The U.S. should work with China and Germany — the current and future leaders of the G-20 — to deploy better cyberdefenses, use payment-pattern controls to identify suspicious behavior and introduce certification requirements for third-party vendors to limit illicit activity. The Treasury Department should work with its global partners and U.S. financial institutions to set metrics and measure progress toward improving the trustworthiness and security of the financial ecosystem.

All these problems, finally, may be exacerbated by the rise of the Internet of Things. As more and more devices are connected to the internet, it isn’t always clear who’s responsible for keeping them secure. Without better oversight, the Internet of Things will generate more botnets, command-and-control servers, and computers susceptible to ransomware. Flawed products will disrupt businesses, damage property and jeopardize lives. When medical devices can be subject to serious e-security flaws, and when vulnerable software in security cameras can be exploited to knock businesses off-line, government intervention is required. Manufacturers, retailers and others selling services and products with embedded digital technology must be held legally accountable for the security flaws of their wares. We need to put an end to the “patch Tuesday” approach of fixing devices after they’re widely dispersed. A better approach is an Internet Underwriters Laboratory, akin to the product-testing and certification system used for electrical appliances. Such a system could help ensure that internet-connected devices meet a minimum level of security before they’re released into the marketplace. Trump should make it clear in his first budget proposal that these four steps are vital priorities. The digital timer on our national security is ticking.

Source: http://www.postandcourier.com/opinion/commentary/trump-must-focus-on-cyber-security/article_0bc1d57c-c88f-11e6-840b-13562fd923b9.html

Education Ministry website is under DDoS-attacks

The website of the Ministry of Education and Science is not working due to a DDoS attack. As noted by Interfax-Ukraine, citing the press service of the department, the attack on the portal was carried out yesterday. “The attack was made on the weekend, and as a result of it the website is down,” the department noted. According to the ministry, the attack has now ended and work to restore the website is underway, but it has not been completed yet. Earlier, the websites of the Ministry of Finance, the State Treasury and the Pension Fund also suffered from hacker attacks.

Source: http://112.international/society/education-ministry-website-is-under-ddos-attacks-12465.html

Group that attacked Tumblr threatens to DDoS Xbox for Christmas

A new hacking group is taking credit for a distributed denial-of-service (DDoS) attack that took down Tumblr this week. But so far, little is known about R.I.U. Star Patrol other than its motive of attacking for fun. Tumblr went down for more than two hours Wednesday afternoon and R.I.U. Star Patrol contacted Mashable to explain its reason for attacking: “There is no sinister motive,” the group told Mashable. “It’s all for light hearted fun.” The site was first reported offline shortly after 3:15pm ET. The service said on Twitter that some users were experiencing “latency”. Mashable reported that the site was back up for a few minutes around 3:52pm ET but went back down, returning at around 4:22pm ET. Full service was restored around 5:45pm ET.

The Mirai connection

Some in the security community believe the group carried out the attack using Mirai, malware tied to a record 620Gbps attack on the website of noted journalist Brian Krebs and the coordinated assault against DNS hosting provider Dyn last fall. That DDoS crippled such major sites as Twitter, PayPal, Netflix and Reddit and shifted the world’s attention to threats against the so-called Internet of Things (IoT) – everyday devices and appliances connected to the web. What happened to Tumblr was a more typical DDoS, but it demonstrates how easy it has become to launch attacks since the source code for Mirai was openly published.

In such attacks, a hacker attempts to overload or shut down a service so that legitimate users can no longer access it. Typical DoS attacks target web servers and aim to make websites unavailable. No data is stolen or compromised, but the interruption to the service can be costly for an organization. The most common type of DoS attack involves sending more traffic to a computer than it can handle. There are a variety of methods for DoS attacks, but the simplest and most common is to have a botnet flood a web server with requests. This is called a distributed denial-of-service attack (DDoS).

What we know about R.I.U. Star Patrol so far

A scouring of the internet produced few details about this hacking group. From what we can tell, its Twitter account (@StarPatrolling) came online on December 13 and its self-described leader goes by the Twitter handle @ANTIPEACESP. Gaming news site 7421Max conducted an interview with @StarPatrolling and published it on YouTube. Those interviewed said they plan to launch coordinated attacks against Xbox on Christmas day. Asked about their motive, the hackers said, “We do it because we can.” They claim they are not motivated by money. “We have not been paid a single dollar for what we do,” one of the hackers said. On December 19, 7421Max reported that the group had taken down League of Legends and Warframe servers, and warned in a follow-up tweet that R.I.U. Star Patrol plans to knock down PSN and Xbox Live for Christmas 2016. The group confirmed this in the YouTube video.

The threat is going to sting for users who remember the Christmas 2014 DDoS blockage of PlayStation and Xbox systems. Parents of kids who hope to play their new Christmas presents on Sunday might want to brace themselves for some tears.

Source: https://nakedsecurity.sophos.com/2016/12/23/group-that-attacked-tumblr-threatens-to-ddos-xbox-for-christmas/

Four evolved cyber-threats APAC organisations must pay attention to in 2017

US$81 million stolen from a Bangladesh bank. 500 million Yahoo! accounts swiped. A DDoS attack that brought down much of the internet. 2016’s cyber-attack headlines proved more than ever that companies have a visibility problem – they cannot see what is happening beneath the surface of their own networks. Based on Darktrace’s observations, the following predictions demonstrate the need for a new method of cyber defence – an immune system approach, to keep up with the fast-evolving threats that await us in 2017.

1. Attackers Will Not Just Steal Data – They Will Change It

Today’s most savvy attackers are moving away from pure data theft or website hacking, to attacks that have a more subtle target – data integrity. We’ve seen ex-students successfully hack college computers to modify their grades. In 2013, Syrian hackers tapped into the Associated Press’ Twitter account and broadcast fake reports that President Obama had been injured in explosions at the White House. Within minutes the news caused a 150-point drop in the Dow Jones. In 2017, attackers will use their ability to hack information systems not just to make a quick buck, but to cause long-term, reputational damage to individuals or groups, by eroding trust in data itself. The scenario is worrying for industries that rely heavily on public confidence. A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk. Governments may also fall foul of such attacks, as critical data repositories are altered, and public distrust in national institutions rises. These ‘trust attacks’ are also expected to disrupt the financial markets. An example of this is falsifying market information to cause ill-informed investments. We have already glimpsed the potential of disrupted M&A activity through cyber-attacks – is it a coincidence that the recent disclosure of the Yahoo hack happened while Verizon was in the process of acquiring the company? These attacks even have the power to sway public opinion. Hillary Clinton’s election campaign suffered a blow when thousands of emails from her campaign were leaked. An even graver risk would not be simply leaked emails but manipulation to create a false impression that a candidate has done something illegal or dishonourable.

2. More Attacks and Latent Threats Will Come from Insiders

Insiders are often the source of the most dangerous attacks. They are harder to detect, because they use legitimate user credentials. They can do maximum damage, because they have knowledge of and privileged access to information required for their jobs, and can hop between network segments. A disgruntled employee looking to do damage stands a good chance through a cyber-attack. But insider threats are not just staff with chips on their shoulders. Non-malicious insiders are just as much of a vulnerability as deliberate saboteurs. How many times have links been clicked before checking email addresses? Or security policy contravened to get a job done quicker, such as uploading confidential documents to less secure public file hosting services? We can no longer reasonably expect 100 percent of employees and network users to be impervious to cyber-threats that are getting more advanced – they won’t make the right decision every time. Organisations need to combat this insider threat by gaining visibility into their internal systems, rather than trying to reinforce their network perimeter. We don’t expect our skin to protect us from viruses – so we shouldn’t expect a firewall to stop advanced cyber-threats which, in many cases, originate from the inside in the first place. Just in the past year, immune system defence techniques have caught a plethora of insider threats, including an employee deliberately exfiltrating a customer database a week before handing in his notice; a game developer sending source code to his home email address so that he could work remotely over the weekend; a system administrator uploading network information to their home broadband router – the list goes on. Due to the increasing sophistication of external hackers, we are going to have a harder time distinguishing between insiders and external attackers who have hijacked legitimate user credentials.

3. The Internet of Things Will Become the Internet of Vulnerabilities

According to IDC, 8.6 billion connected things will be in use across APAC in 2020, with more than half of major new business processes incorporating some element of IoT. These smart devices are woefully insecure in many cases – offering a golden opportunity for hackers. 2016 has seen some of the most innovative corporate hacks involving connected things. In the breach of DNS service Dyn in October, malware spread rapidly across an unprecedented number of devices including webcams and digital video recorders. In Singapore and Germany, we saw smaller but similar incidents with StarHub and Deutsche Telekom. Many of this year’s IoT hacks have gone unreported – they include printers, air conditioners and even a coffee machine. These attacks used IoT devices as stepping stones, from which to jump to more interesting areas of the network. However, sometimes the target is the device itself. One of the most shocking threats that we saw was when the fingerprint scanner that controlled the entrance to a major manufacturing plant was compromised – attackers were caught in the process of changing biometric data with their own fingerprints to gain physical access. In another attack, the videoconferencing unit at a sports company was hacked, and audio files were being transferred back to an unknown server in another continent. Want to be a fly on the wall in a FTSE100 company’s boardroom? Try hacking the video camera.

4. Artificial Intelligence Will Go Dark

Artificial intelligence is exciting for many reasons – self-driving cars, virtual assistants, better weather forecasting etc. But artificial intelligence will also be used by attackers to wield highly sophisticated and persistent attacks that blend into the noise of busy networks. We have already seen the first glimpses of these types of attack. Polymorphic malware, which changes its attributes mid-attack to evade detection, has reinforced the obsolescence of signature-based detection methods. What is emerging is a next generation of attacks that use AI-powered, customised code to emulate the behaviours of specific users so accurately as to fool even skilled security personnel. In 2017, we can expect AI to be applied to all stages of a cyber-attacker’s mission. This includes the ability to craft sophisticated and bespoke phishing campaigns that will successfully dupe even the most threat-conscious employee. Next year’s attacker can see more than your social media profile – they know that your 10am meeting with your supplier is being held at their new headquarters. At 9:15am, as you get off the train, an email with the subject line ‘Directions to Our Office’ arrives in your inbox, apparently from the person that you are meeting. Now, do you click the map link in that email?

Source: http://www.mis-asia.com/tech/security/four-evolved-cyber-threats-apac-organisations-must-pay-attention-to-in-2017/?page=3

Cyber criminals compromising virtual machines in cloud to increase scale of DDoS

Microsoft’s recently released Security Intelligence Report states that cyber-criminals are compromising virtual machines in the cloud as a way to vastly increase the scale of Distributed Denial of Service (DDoS) attacks. Microsoft has warned of many new cyber risks faced by IT companies in the report. It says that hackers have learned how to use compromised virtual machines running in the cloud to launch massive cyber-attacks. The report says: “In the cloud weaponisation threat scenario, an attacker establishes a foothold within a cloud infrastructure by compromising and taking control of a few virtual machines. The attacker can then use these virtual machines to attack, compromise, and control thousands of virtual machines—some within the same public cloud service provider as the initial attack, and others inside other public cloud service providers.” Attackers can easily issue commands to launch DDoS attacks that cripple online services and websites or flood the internet with spam.

Microsoft’s cloud computing platform, Azure, has witnessed attempts to exploit the cloud to establish communications with malicious IP addresses and to brute-force RDP, the Remote Desktop Protocol used by Microsoft to allow users to access their desktops over a network, representing 41% and 25.5% of all outbound attacks, respectively. Spam followed at just over 20% and DDoS attempts made up 7.6% of attacks.

The company is also warning IT administrators to be on the lookout for targeted threats aimed at taking control of an email account that has a high probability of containing credentials that can be used to gain access to the public cloud administrator portal. If successful, the threats may open both their on-premises and cloud infrastructures to attack. The attacker, after logging into the administrator portal, can gather information and make changes to gain access to other cloud-based resources, execute ransomware, or even pivot back to the on-premises environment. Attackers are also keeping tabs on GitHub and other public code repositories, hoping that developers will accidentally publish secret keys that can potentially grant access to cloud accounts and services.

Microsoft has further warned of “Man in the Cloud” (MitC) attacks wherein victims are tricked into downloading and installing malware, typically with an email containing a malicious link. Once active, the malware searches for a cloud storage folder and replaces the victim’s synchronisation token with the attacker’s. After this, whenever the user adds a file to their cloud storage account, a copy is delivered to the attacker.

Sources: http://www.cloudcomputing-news.net/news/2016/dec/16/cyber-criminals-compromising-virtual-machines-cloud-increase-scale-ddos/ and http://www.eweek.com/security/microsoft-report-says-hackers-weaponizing-cloud-virtual-machines.html

Battlefield 1: Are servers up after DDoS attack by The Phantom Squad?

It seems that the servers of the popular first-person-shooter game Battlefield 1 have fallen victim to an attack by a hacker group which is said to have used a Distributed Denial of Service (DDoS) attack. Plenty of Battlefield 1 gamers have taken to social media forums to report that Battlefield 1 is unplayable. Let us know if the game servers are offline and are momentarily not allowing you to play Battlefield 1. It seems that the mastermind of the latest attack on Battlefield 1 servers is the Phantom Squad, who have claimed responsibility for the attack. “We will be keeping Battlefield 1 servers down. We are waiting for starskids to have an autistic breakdown,” stated the hacker group in an official tweet. At this juncture, developers Electronic Arts are yet to issue official comments on the reported DDoS attack on the Battlefield 1 servers by The Phantom Squad. You are therefore advised to check the online game mode in Battlefield 1 and let us know if the game works for you. As soon as the Battlefield 1 servers were ‘attacked’, gamers took to micro-blogging site Twitter to vent their angst.

Source: http://www.ibtimes.co.in/are-battlefield-1-servers-after-ddos-attack-by-phantom-squad-can-you-play-game-now-708831

Parliament website brought down by DDoS attack ‘just ten minutes’

House of Representatives Secretary General Surasak Pianwej on Friday expressed confidence that the Parliament website has been effectively guarded against DDoS attacks, saying the attack by angry Internet users brought down the site for just ten minutes on Thursday night. Surasak dismissed claims by the group “Citizens Against Single Gateway: Thailand Internet Firewall” that a DDoS attack organized by the group brought down the website for an hour at 8:55 pm Thursday. “The system went down just 10 minutes and it resumed,” Surasak said. The group has urged Thai Internet users to join another DDoS attack at 2 pm Friday. Surasak said officials will step up measures to prevent the attack. The group staged the attack after the National Legislative Assembly refused to abort the final reading of the new computer crime bill.

Source: http://www.nationmultimedia.com/news/breakingnews/30302233

34 People Arrested in Global Crackdown on DDOS Attack Service Users

Today’s topics include the arrest of 34 individuals in 13 countries charged with using online services that provide denial-of-service attacks to order, Apple’s security patches for its macOS and iOS, the release of Facebook’s Certificate Transparency Monitoring tool and Google’s improvements to its machine learning technology through its Embedding Projector technology.

International law enforcement agencies in more than a dozen countries arrested 34 individuals in a cyber-crime sweep that focused on customers of online services that provide denial-of-service attacks to order. In the United States, the FBI arrested a 26-year-old University of Southern California graduate student allegedly linked to a distributed denial-of-service (DDoS) attack that knocked a San Francisco chat-service company offline. The suspect, Sean Sharma, was charged on Dec. 9 with purchasing a DDoS tool used to mount the attack, the FBI stated in a release. Since last week, the FBI’s International Cyber Crime Coordination Cell, or IC4, and other law enforcement agencies—including Europol and the U.K.’s National Crime Agency—have arrested 34 suspects and conducted interviews with 101 individuals.

Apple is updating both its desktop macOS Sierra and iOS mobile operating systems for multiple security vulnerabilities. The iOS 10.2 update was officially released on Dec. 12, while the macOS 10.12.2 update followed a day later on Dec. 13. Among the items fixed in iOS 10.2 is a vulnerability that was first publicly disclosed in a YouTube video on Nov. 16 that can enable a potential attacker to access a user’s photos and contacts from the iPhone’s lock screen. The vulnerability is identified as CVE-2016-7664 and was reported by Miguel Alvarado of iDeviceHelp.

On Dec. 13, Facebook announced the launch of its freely available Certificate Transparency Monitoring tool, providing users with a simple way to search for recently issued certificates and to be alerted when a new certificate is issued for a specific domain. SSL/TLS is the encryption standard used across the internet to secure websites. A best practice for SSL/TLS is for the security certificates to be issued by a known Certificate Authority (CA) to help guarantee authenticity and integrity. Defective certificates can be accidentally or maliciously issued, which is a risk that the Certificate Transparency effort aims to help mitigate. Google initiated the Certificate Transparency initiative, which involves Certificate Authorities publishing newly issued certificates to a Certificate Transparency (CT) log. Facebook’s tool enables users to search CT logs for certificates and provides a mechanism to subscribe to alerts on domains.

Google has open sourced its Embedding Projector, a web application that gives developers a way to visualize data that’s being used to train their machine learning systems. Embedding Projector is part of TensorFlow, the machine learning technology behind some popular Google services like image search, Smart Reply in Inbox and Google Translate. In a technical paper, Google researchers described the Embedding Projector as an interactive visualization tool that developers can use to interpret machine-learning models that rely on what are known as “embeddings.” “With the widespread adoption of ML systems, it is increasingly important for research scientists to be able to explore how the data is being interpreted by the models,” Google engineer Daniel Smilkov said in Google’s open source blog.

Source: http://www.eweek.com/video/34-people-arrested-in-global-crackdown-on-ddos-attack-service-users.html?=large-video-widget

Read the original post:
34 People Arrested in Global Crackdown on DDOS Attack Service Users

The DDoS vigilantes trying to silence Black Lives Matter

The Web lets anyone be a publisher—or a vigilante

“Through our e-mails and our social media accounts we get death threats all the time,” said Janisha Gabriel. “For anyone who’s involved in this type of work, you know that you take certain risks.”

These aren’t the words of a politician or a prison guard but of a Web designer. Gabriel owns Haki Creatives, a design firm that specializes in building websites for social activist groups like Black Lives Matter (BLM)—and for that work strangers want to kill her.

When these people aren’t hurling threats at the site’s designer, they’re hurling attacks at the BLM site itself—on 117 separate occasions in the past six months, to be precise. They’re renting servers and wielding botnets, putting attack calls out on social media, and trialling different attack methods to see what sticks. In fact, it’s not even clear whether ‘they’ are the people publicly claiming to perform the attacks.

I wanted to know just what it takes to keep a website like BlackLivesMatter.com online and how its opponents try to take it down. What I found was a story that involves Twitter campaigns, YouTube exposés, Anonymous-affiliated hacker groups, and a range of offensive and defensive software. And it’s a story taking place in the background whenever you type in the URL of a controversial site.

BlackLivesMatter.com

Although the Black Lives Matter movement has been active since 2013, the group’s official website was set up in late 2014 after the shooting of Michael Brown in Ferguson, Missouri. Until that point, online activity had coalesced around the #BlackLivesMatter hashtag, but when the mass mobilizations in Ferguson took the movement into the public eye, a central site was created to share information and help members connect with one another. Since its creation, pushback against BLM has been strong in both the physical and digital world.
The BLM website was taken down a number of times by DDoS attacks, which its original hosting provider struggled to deal with. Searching for a provider that could handle a high-risk client, BLM site admins discovered MayFirst, a radical tech collective that specializes in supporting social justice causes such as the pro-Palestinian BDS movement, which has similarly been a target for cyberattacks. MayFirst refers many high-profile clients to eQualit.ie, a Canadian not-for-profit organization that gives digital support to civil society and human rights groups; the group’s Deflect service currently provides distributed denial of service (DDoS) protection to the Black Lives Matter site.

In a report published today, eQualit.ie has analyzed six months’ worth of attempted attacks on BLM, including a complete timeline, attack vectors, and their effectiveness, providing a glimpse behind the curtain at what it takes to keep such a site running.

The first real attack came only days after BLM signed up with Deflect. The attacker used Slowloris, a clever but dated piece of software that can, in theory, allow a single machine to take down a Web server with a stealthy but insistent attack. Billed as “the low bandwidth yet greedy and poisonous http client,” Slowloris stages a “slow” denial of service attack. Instead of aggressively flooding the network, the program makes a steadily increasing number of HTTP requests but never completes them. Instead, it sends occasional HTTP headers to keep the connections open until the server has used up its resource pool and cannot accept new requests from other legitimate sources. Elegant as Slowloris was when written in 2009, many servers now implement rules to address such attacks. In this case, the attack on BLM was quickly detected and blocked. But the range of attack attempts was about to get much wider.
Anonymous “exposes racism”

On May 2, 2016, YouTube channel @anonymous_exposes_racism uploaded a video called “Anonymous exposes anti-white racism.” The channel, active from eight months before this date, had previously featured short news clips and archival footage captioned with inflammatory statements (“Louis Farrakhan said WHITE PEOPLE DESERVE TO DIE”). But this new video was original material, produced with the familiar Anonymous aesthetic—dramatic opening music, a masked man glitching across the screen, and a computerized voice speaking in a strange cadence:

“We have taken down a couple of your websites and will continue to take down, deface, and harvest your databases until your leaders step up and discourage racist and hateful behavior. Very simply, we expect nothing less than a statement from your leadership that all hate is wrong… If this does not happen we will consider you another hate group and you can expect our attention.”

The “we” in question was presumably a splinter cell of Anonymous known as the Ghost Squad Hackers. Three days previously, in a series of tweets on April 29, Ghost Squad’s self-styled admin “@_s1ege” claimed to have taken the BLM site offline. Ghost Squad had a history of similar claims; shortly before this, it had launched an attack against a Ku Klux Klan website, taking it offline for a period of days.

Dr. Gabriella Coleman is an anthropologist and the author of Hacker, Hoaxer, Whistleblower, Spy — considered the foremost piece of scholarship on Anonymous. (She also serves as a board member of eQualit.ie.) She said that Ghost Squad is currently one of the most prolific defacement and DDoS groups operating under the banner of Anonymous, but she also noted that only a few members have ever spoken publicly. “Unless you’re in conversation with members of a group, it’s hard to know what their culture is,” said Coleman.
“I could imagine hypothetically that a lot of people who use the Ghost Squad mantle might not be for [attacking Black Lives Matter] but also might not be against it enough to speak out. You don’t know whether they all actively support it or just tolerate it.”

Just as with Anonymous as a whole, this uncertainty is compounded by doubts about the identity of those claiming to be Ghost Squad at any given time—a fact borne out by the sometimes chaotic attack patterns shown in the traffic analytics.

The April 29 attack announced by S1ege was accompanied by a screenshot showing a Kali Linux desktop running a piece of software called Black Horizon. As eQualit.ie’s report notes, BlackHorizon is essentially a re-branded clone of GoldenEye, itself based on HULK, which was written as proof-of-concept code in 2012 by security researcher Barry Shteiman. All of these attack scripts share a method known as randomized no-cache flood, the concept of which is to have one user submit a high number of requests made to look like they are each unique. This is achieved by choosing a random user agent from a list, forging a fake referrer, and generating custom URL parameter names for each site request. This tricks the server into thinking it must return a new page each time instead of serving up a cached copy, maximizing server load with minimum effort from the attacker.

But once details of the Ghost Squad attack were published on HackRead, a flurry of other attacks materialized, many using far less effective methods. (At its most basic, one attack could be written in just three lines of Python code.) Coleman told me that this pattern is typical. “DDoS operations can attract a lot of people just to show up,” she said. “There’ll always be a percentage of people who are motivated by political beliefs, but others are just messing around and trying out whatever firepower they have.” One group had first called for the attack, but a digital mob soon took over.
Complex threats

Civil society organizations face cyberattacks more often than most of us realize. It’s a problem that these attacks exist in the first place, of course, but it’s also a problem that both successful and failed attempts so often happen in silence. In an article on state-sponsored hacking of human rights organizations, Eva Galperin and Morgan Marquis-Boire write that this silence only helps the attackers. Without publicly available information about the nature of the threat, vulnerable users lack the information needed to take appropriate steps to protect themselves, and conversations around effective defensive procedures remain siloed.

When I spoke to Galperin, who works as a global policy analyst at the Electronic Frontier Foundation, she said that she hears of a civil society group being attacked “once every few days,” though some groups draw more fire and from a greater range of adversaries.

“[BLM’s] concerns are actually rather complicated, because their potential attackers are not necessarily state actors,” said Galperin. “In some ways, an attacker that is not a nation state—and that has a grudge—is much more dangerous. You will have a much harder time predicting what they are going to do, and they are likely to be very persistent. And that makes them harder to protect against.”

By way of illustration, Galperin points to an incident in June 2016 when prominent BLM activist Deray Mckesson’s Twitter account was compromised despite being protected by two-factor authentication. The hackers used social engineering techniques to trick Mckesson’s phone provider into rerouting his text messages to a different SIM card, an attack that required a careful study of the target to execute. Besides their unpredictability, persistence was also a defining feature of the BLM attacks.
From April to October of this year, eQualit.ie observed more than 100 separate incidents, most of which used freely available tools that have documentation and even tutorials online. With such a diversity of threats, could it ever be possible to know who was really behind them?

Chasing botherders

One morning soon after I had started researching this story, a message popped up in my inbox: “Hello how are you? How would you like to prove I am me?” I had put the word out among contacts in the hacking scene that I was trying to get a line on S1ege, and someone had reached out in response. Of course, asking a hacker to prove his or her identity doesn’t get you a signed passport photo; but whoever contacted me then sent a message from the @GhostSquadHack Twitter account, used to announce most of the team’s exploits, a proof that seemed good enough to take provisionally.

According to S1ege, nearly all of the attacks against BLM were carried out by Ghost Squad Hackers on the grounds that Black Lives Matter are “fighting racism with racism” and “going about things in the wrong way.” Our conversation was peppered with standard-issue Anon claims: the real struggle was between rich and poor with the media used as a tool to sow division and, therefore, the real problem wasn’t racism but who funded the media.

Was this all true? It’s hard to know. S1ege’s claim that Ghost Squad was responsible for most of the attacks on BLM appears to be new; besides the tweets on April 29, none of the other attacks on BLM have been claimed by Ghost Squad or anyone else. To add more confusion, April 29 was also the date that S1ege’s Twitter account was created, and the claim to be staging Op AllLivesMatter wasn’t repeated by the main Ghost Squad account until other media began reporting it, at which point the account simply shared posts already attributing it to them.
Despite being pressed, S1ege would not be drawn on any of the technical details which would have proved inside knowledge of the larger attacks. Our conversation stalled. The last message before silence simply read: “The operation is dormant until we see something racist from their movement again.”

Behind the mask

As eQualit.ie makes clear, the most powerful attacks leveraged against the BLM website were not part of the wave announced back in April by Ghost Squad. In May, July, September, and October, a “sophisticated actor” used a method known as WordPress pingback reflection to launch several powerful attacks on the site, the largest of which made upwards of 34 million connections.

The attack exploits an innocuous feature of WordPress sites, their ability to send a notification to another site that has been linked to, informing it of the link. The problem is that, by default, all WordPress sites can be sent a request by a third party, which causes them to give a pingback notification to any URL specified in the request. Thus, a malicious attacker can direct hundreds of thousands of legitimate sites to make requests to the same server, causing it to crash. Since this attack became commonplace, the latest version of WordPress includes the IP address requesting the pingback in the request itself. Here’s an example:

WordPress/4.6; http://victim.site.com; verifying pingback from 8.8.4.4

Sometimes these IP addresses are spoofed—for illustration purposes, the above example (8.8.4.4) corresponds to Google’s public DNS server—but when they do correspond to an address in the global IP space, they can provide useful clues about the attacker. Such addresses often resolve to “botherder” machines, command and control servers used to direct such mass attacks through compromised computers (the “botnet”) around the globe. In this case, the attack did come with clues: five IP addresses accounted for the majority of all botherder servers seen in the logs.
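Both of the attack families the article describes leave a signature in an ordinary web-server access log, and both can be pulled out with the same parser: the randomized no-cache flood shows up as one client rotating User-Agents and Referers while inventing a fresh query-parameter name on nearly every request, and pingback reflection shows up as many different WordPress sites all carrying the same “verifying pingback from” address in their User-Agent. The following is an added example in Python, not code from eQualit.ie, Deflect or the article. It assumes the standard Apache/nginx “combined” log layout; every log line, IP address and hostname in it is constructed sample data.

```python
"""Two defender-side checks over combined-format web-server access logs,
added here as an example (not code from eQualit.ie, Deflect or the article):
  1. a heuristic for the randomized no-cache flood described earlier (rotating
     User-Agents, fabricated Referers, never-before-seen query parameter
     names from one client);
  2. ranking of the origin addresses that WordPress pingback reflectors carry
     in their User-Agent, which is how botherders surface in the logs.
Every log line and IP address below is constructed sample data."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log layout, assumed for the sample input.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# User-Agent that newer WordPress versions send while verifying a pingback.
PINGBACK_RE = re.compile(
    r'^WordPress/[\w.]+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)$')

SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2016:10:00:01 +0000] "GET /?kq9z=4821 HTTP/1.1" 200 8812 "http://www.google.com/?q=blm" "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Firefox/40.1"
203.0.113.7 - - [10/Dec/2016:10:00:01 +0000] "GET /?wm2p=1190 HTTP/1.1" 200 8812 "http://www.bing.com/search?q=news" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) Safari/537.36"
203.0.113.7 - - [10/Dec/2016:10:00:02 +0000] "GET /?ad7f=993 HTTP/1.1" 200 8812 "http://www.yahoo.com/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/45.0.2454.85"
203.0.113.7 - - [10/Dec/2016:10:00:02 +0000] "GET /?zz31=77 HTTP/1.1" 200 8812 "http://www.ask.com/web?q=blm" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
203.0.113.7 - - [10/Dec/2016:10:00:02 +0000] "GET /?ql8r=55012 HTTP/1.1" 200 8812 "http://www.usatoday.com/search/?q=blm" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
198.51.100.20 - - [10/Dec/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1 like Mac OS X) Safari/602.1"
198.51.100.20 - - [10/Dec/2016:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1 like Mac OS X) Safari/602.1"
198.51.100.20 - - [10/Dec/2016:10:00:15 +0000] "GET /?page=2 HTTP/1.1" 200 7900 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1 like Mac OS X) Safari/602.1"
192.0.2.11 - - [10/Dec/2016:10:00:20 +0000] "GET / HTTP/1.1" 200 8812 "-" "WordPress/4.6; http://blog-a.example; verifying pingback from 203.0.113.99"
192.0.2.12 - - [10/Dec/2016:10:00:20 +0000] "GET / HTTP/1.1" 200 8812 "-" "WordPress/4.6; http://blog-b.example; verifying pingback from 203.0.113.99"
192.0.2.13 - - [10/Dec/2016:10:00:21 +0000] "GET / HTTP/1.1" 200 8812 "-" "WordPress/4.5.3; http://blog-c.example; verifying pingback from 203.0.113.99"
192.0.2.14 - - [10/Dec/2016:10:00:21 +0000] "GET / HTTP/1.1" 200 8812 "-" "WordPress/4.6; http://blog-d.example; verifying pingback from 203.0.113.98"
192.0.2.15 - - [10/Dec/2016:10:00:22 +0000] "GET / HTTP/1.1" 200 8812 "-" "WordPress/4.6; http://blog-e.example; verifying pingback from 203.0.113.98"
"""


def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def param_names(path):
    return {k for k, _ in parse_qsl(urlsplit(path).query, keep_blank_values=True)}


def detect_nocache_flood(records, min_requests=5, min_agents=3, min_novel_ratio=0.8):
    """Flag client IPs whose traffic looks crafted to defeat caching: many
    requests, several User-Agents, and a fresh query parameter name nearly
    every time (a cache keys on the full URL, so each one is a miss)."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["ip"]].append(r)
    flagged = {}
    for ip, reqs in per_ip.items():
        if len(reqs) < min_requests:
            continue
        seen, novel = set(), 0
        for r in reqs:
            names = param_names(r["path"])
            novel += bool(names - seen)    # at least one never-seen name
            seen |= names
        agents = len({r["ua"] for r in reqs})
        ratio = novel / len(reqs)
        if agents >= min_agents and ratio >= min_novel_ratio:
            flagged[ip] = {"requests": len(reqs), "user_agents": agents,
                           "referers": len({r["referer"] for r in reqs}),
                           "novel_param_ratio": round(ratio, 2)}
    return flagged


def rank_pingback_origins(records):
    """Count how often each claimed origin appears in pingback-verification
    User-Agents, and how many distinct reflector sites vouched for it."""
    origins, reflectors = Counter(), defaultdict(set)
    for r in records:
        m = PINGBACK_RE.match(r["ua"])
        if m:
            origins[m.group("origin")] += 1
            reflectors[m.group("origin")].add(r["ip"])
    return origins, {o: len(s) for o, s in reflectors.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("no-cache flood suspects:", detect_nocache_flood(recs))
    counts, distinct = rank_pingback_origins(recs)
    print("pingback origins:", counts.most_common(), distinct)
```

On the sample data the flood heuristic flags only 203.0.113.7 (five requests, five User-Agents, a never-seen parameter name on every request), while the phone visitor at 198.51.100.20 is left alone. The pingback ranking counts claimed origins rather than reflector IPs, since the reflectors are innocent WordPress sites; as the article notes, the origin address can be spoofed, so the count of distinct reflectors vouching for the same origin is the more useful number when deciding which addresses deserve a closer look.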
All five were traceable back to DMZHOST, an “offshore” hosting provider claiming to operate from a “secured Netherland datacenter privacy bunker.” The same IP addresses have been linked by other organizations to separate botnet attacks targeting other groups. Beyond this the owner is, for now, unknown. (The host’s privacy policy simply reads: “DMZHOST does not store any information / log about user activity.”)

The eQualit.ie report mentions these details in a section titled “Maskirovka,” the Russian word for military deception, because hacking groups like Ghost Squad (and Anonymous as a whole) can also provide an ideal screen for other actors, including nation-states.

Like terrorism or guerrilla combat, DDoS attacks and other online harassment fit into a classic paradigm of asymmetrical warfare, where the resources needed to mount an attack are far less than those needed to defend against it. Botnets can be rented on-demand for around $60 per day on the black market, but the price of being flooded by one can run into the hundreds of thousands of dollars. (Commercial DDoS protection can itself cost hundreds of dollars per month. eQualit.ie provides its service to clients for free, but this is only possible by covering the operating costs with grant funding.)

The Internet had long been lauded as a democratizing force where anyone can become a publisher. But today, the cost of free speech can be directly tied to the cost of fighting off the attacks that would silence it.

Source: http://arstechnica.com/security/2016/12/hack_attacks_on_black_lives_matter/

Read the article:
The DDoS vigilantes trying to silence Black Lives Matter