This morning, during my usual virtual promenade through my feeds, I came across a really interesting post from Stratsec, a subsidiary of Bae Systems.
The post unveils the details of an unprecedented experiment aimed to verify how easy and cheap is to setup a botCloud and how hard is for the Cloud providers to detect them (and consequently advise the victims).
As the name suggests, a botCloud is defined as a group of Cloud instances that are commanded and controlled by malicious entity to initiate cyber-attacks.
The research was carried on by subscribing to five common Cloud providers and setting up to 10 Cloud instances targeting a victim host, protected by traditional technologies such as IDS, and flooded with several common attack techniques (malformed traffic, non-RFC compliant packets, port scanning, malware traffic, denial of service, brute force, shellcode and web application attacks) in 4 scenarios:
- Victim host placed in a typical network scenario with a public IP, firewall and IDS;
- Victim host setup as a cloud instance inside the same cloud service provider then the attackers;
- Victim host setup as a cloud instance inside a different cloud service provider then the attackers;
- Same scenario as test 1 with a major duration (48 hours) to verify the impact of duration on the experiment;
The findings are not so encouraging, and confirm that the security posture of the cloud providers needs to be improved:
- No connection reset or connection termination on the outbound or inbound network traffic was observed;
- No connection reset or termination against the internal malicious traffic was observed;
- No traffic was throttled or rate limited;
- No warning emails, alerts, or phone calls were generated by the Cloud providers, with no temporary or permanent account suspensions;
- Only one Cloud provider blocked inbound and outbound traffic on SSH, FTP and SMTP, however these limitation was bypassed by running the above service on non-default port.
The other face of the coin is represented by the moderate easiness needed to setup an army of cloud-hidden zombie machined which can leverage the advantages of a Cloud infrastructure. In fact a botCloud
- Is relatively easy to setup and use;
- Needs significantly less time to build;
- Is Highly reliable and scalable;
- Is More effective;
- Has a Low cost.
Cloud Service Providers (and their customers), are advised…
October 2012 has deserved a bad surprise for the members of the famous rock band Garbage, who had their official Twitter account hacked from an unknown cybercrook who enjoyed posting bogus messages to their nearly 60k followers.
Unfortunately, among the music stars, they are not the only ones who have suffered this sad fate, and actually, since 2009 to present, the list is quite long.
Britney Spears opens this special chart, which also includes high-profile singers such as Lady Gaga, Justin Bieber and Kesha. Brit currently holds the unwelcome record to have been hacked twice, but the group of the victims is quite varied and covers different genres: pranksters and cybercrooks, at least from this point of view, have proven to be impartial.
The accounts have been hacked for different motivations: scam, hacktivism, or simple fun, and accessed via lost phones or by mean of brute-force or password-guessing techniques.
Famous singers are used to be on top of selling charts.I believe they willingly avoid to rank at the top of this unwelcome chart (after the jump you will find the related links).
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
On the wake of similar operations carried on by Hacktivists against Law Enforcement Agencies all over the World, the Italian Cell of the infamous collective Anonymous has decided to cross the line targeting the Italian Police with a clamorous Cyber Attack under the label of #Antisec movement.
On October, the 23rd, the Hactkivists have leaked more than 3500 private documents, claiming to own an additional huge amount of sensitive information such as lawful interception schemes, private files and e-mail accounts.
The Italian Police has indirectly confirmed the attack, downplaying its effects with a scant statement (in Italian) that (easily predictable) has raised a furious reaction by the Hacktivists. According to the above mentioned statement, no server was compromised, but the leaked data were just the consequence of several “illegitimate accesses” to private emails belonging to police officers (as to say that several compromised accounts are less severe than a hacked server).
Strictly speaking, this latest attack is not a surprise since in the past months, mainly after the infamous 50 days of Lulz of the LulzSec collective, Governments and Law Enforcement Agencies all over the world have become the preferred targets for Hacktivists under the Antisec shield. From a broader perspective this trend was apparently decreasing during 2012 because of several factors: the discovery of the double identity of Sabu (an hacktivist during the day and an FBI informant during the night), the arrest of W0rmer and ItsKahuna (two members of the CabinCr3w collective who left behind them a long trail of cyber-attacks against law enforcement agencies, and, last but not least, the arrest of the members of the Team Poison Collective.
Unfortunately This cyber-attack changes the rules and brings the things back in time to Summer 2011. It looks similar to LulzSec’s Operation Chinga La Migra, targeting Arizona Border Patrol, and to another (nearly contemporary) cyber attack that allowed LulzSecBrasil (??) to leak 8 Gb of data from the Brazilian Police.
Hopefully this cyber-attack will change the rules in Italy, it has dramatically demonstrated the real risk for public institutions and the need for a greater level of security. As a consequence it cannot be absolutely underestimated.
Here’s the partial snapshot for the Cyber Landscape in October. I have deliberately decided not to include in the statistics the massive Cyber Attack against the Universities executed by Team Ghost Shell, since, in my opinion, it would not have been formally correct include into the sample, this wave of cyber attacks which have been distributed in several months, and disclosed all at once.
In any case, looking at the sample including all the other attacks collected in October, according to the Daily Trend they were mainly concentrated at the beginning of the month:
For what concerns the Motivations Behind Attacks chart, Cyber Crime ranks at number one, with nearly the 58%, approximately at the same level of September (when it was at 55%). Interesting to notice, for the first half of October, the rise of events related to Cyber Warfare, mainly related to what is happening in the Middle East, and in particular in Iran, that suffered a couple of noticeable cyber attacks. In this landscape, the events related to hacktivism appear in decrease with the 35% of the events.
Even if the events related to hacktivism seem to be decreasing, the Distribution Of Attack Techniques shows a revamp of DDoS (the favourite weapon of hacktivists), mainly due to the wave of DDoS Cyber Attacks against the U.S. banks. Even if approximately one-fourth of the attacks has an unknown origin, SQL is stable at rank number three with the 22.5% of occurrences. It also worth to mention the 5% gained by Targeted Attacks.
Last but not least, the Distribution Of Targets chart, that confirms the weakness of the targets belonging to Government, ranking at number one with nearly one-third of the occurrences. It does not matter if the reason is hacktivism or cyber crime, Governments keep on to be the preferred victims of cybercrooks, at least for this first half of October.
Again, I will never get tired of repeating that data must be taken very carefully since they do refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide an high level overview of the “cyber landscape” of the considered period.
In any case, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
(But in some cases may remain unknown for up to 2.5 years). A couple of days ago, two Symantec Researchers have published an interesting article (“Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World”) reporting the study of 0-Day Attacks between 2008 and 2001. They have analyzed 300 million files collected by 11 million hosts (a representative subset of the hosts running Symantec products) between March 2008 and February 2011.
These files were extracted from the the WINE environment (Worldwide Intelligence Network Environment, a platform for repeatable data intensive experiments aimed to share comprehensive field data among the research community) and correlated with three additional sources: the Open Source Vulnerability Database (OSVDB), Symantec’s Threat Explorer (the company database for the known malware samples) and an additional Symantec data set with dynamic analysis results for malware samples.
The purpose of the research was to execute a sort of automatic forensic analysis aimed to go back in time to look for 0-day attacks carried on during the analyzed period. The results are disarming.
The researchers were able to find 18 vulnerabilities exploited before disclosure, among which 11 were not previously known to have been deployed in 0-day attacks. Based on the data, a typical zero-day attack lasts on average 312 days, but in some cases may remain unknown for up to 2.5 years (think to what it means to have the enemy inside the gates for such a long time).
Just to confirm that 0-days are the cradle of targeted attacks, the data show that most zero-day attacks affect few hosts, with the exception of a few high-profile attacks (Do you remember Stuxnet?). Moreover, after vulnerabilities are disclosed, the volume of attacks exploiting them increases by up to 5 orders of magnitude (the number of variants increases “only” by up to 2 orders).
And this is not a mere coincidence since apparently the cyber criminals watch closely the vulnerability landscape, as exploits for 42% of all vulnerabilities employed are detected in field data within 30 days after the disclosure date.
A terribly worrying landscape, even considering a theoretical point of weakness of the research, that is the fact that the sample could be considered self-consistent referring only to malware strains collected by Symantec customers.