About these ads

Archive

Archive for October, 2012

BotClouds Still Hard to Detect (And Mitigate)

October 31, 2012 1 comment

This morning, during my usual virtual promenade through my feeds, I came across a really interesting post from Stratsec, a subsidiary of Bae Systems.

The post unveils the details of an unprecedented experiment aimed to verify how easy and cheap is to setup a botCloud and how hard is for the Cloud providers to detect them (and consequently advise the victims).

As the name suggests, a botCloud is defined as a group of Cloud instances that are commanded and controlled by malicious entity to initiate cyber-attacks.

The research was carried on by subscribing to five common Cloud providers and setting up to 10 Cloud instances targeting a victim host, protected by traditional technologies such as IDS, and flooded with several common attack techniques (malformed traffic, non-RFC compliant packets, port scanning, malware traffic, denial of service, brute force, shellcode and web application attacks) in 4 scenarios:

  1. Victim host placed in a typical network scenario with a public IP, firewall and IDS;
  2. Victim host setup as a cloud instance inside the same cloud service provider then the attackers;
  3. Victim host setup as a cloud instance inside a different cloud service provider then the attackers;
  4. Same scenario as test 1 with a major duration (48 hours) to verify the impact of duration on the experiment;

 The findings are not so encouraging, and confirm that the security posture of the cloud providers needs to be improved:

  • No connection reset or connection termination on the outbound or inbound network traffic was observed;
  • No connection reset or termination against the internal malicious traffic was observed;
  • No traffic was throttled or rate limited;
  • No warning emails, alerts, or phone calls were generated by the Cloud providers, with no temporary or permanent account suspensions;
  • Only one Cloud provider blocked inbound and outbound traffic on SSH, FTP and SMTP, however these limitation was bypassed by running the above service on non-default port.

The other face of the coin is represented by the moderate easiness needed to setup an army of cloud-hidden zombie machined which can leverage the advantages of a Cloud infrastructure. In fact a botCloud

  • Is relatively easy to setup and use;
  • Needs significantly less time to build;
  • Is Highly reliable and scalable;
  • Is More effective;
  • Has a Low cost.

Cloud Service Providers (and their customers), are advised…

DDoS and SQLi are the Most… Discussed Attack Techniques

October 30, 2012 Leave a comment

Imperva has just published the results of its annual analysis on one of the largest-known hacker forums counting approximately 250,000 members.

The research (also made on other smaller forums) used the forum’s search engine capabilities to analyze conversations by topic using specific keywords. Unfortunately no details have been provided about the methodology used to collect the data, however the results show that SQL Injection and DDoS are the most discussed topic, both of them with the 19% of discussion volume (I am glad to see that the results are coherent with the findings of my Cyber Attack Statistics).

Of course the data must be taken with the needed caution since the analyzed sample could not be entirely consistent. As Imperva admits: “The site we examined is not a hardcore crime site, but it’s not entirely softcore. New hackers come to this site to learn and,on the other hand, more experienced hackers teach to gain “street cred” and recognition […]. Typically, once hackers have gained enough of a reputation, they go to a more hardcore, invitation-only forum.” This probably means that the incidence of the two attack techniques is overrated since one should expect a beginner hacker to approach the easiest and most common attack methods for which there are many tools available.

Anyway the events of the last months show that an attack does not deserve less attention only because it is carried on by a beginner, nor a beginner worries too much if he uses automated tools without full knowledge and awareness. A look to the infosec chronicles of the last period is sufficient to verify that DDoS and SQLi attacks are always in the first pages.

Sadly, Imperva estimates that only the 5% of the security budget is spent on thwarting SQL Injection attacks.

Other interesting findings of the research are: the fact that social networks pose a major interest for hackers since they are becoming a prominent source of information and potential monetary gain (Facebook was the most discussed social media platform, with 39%, immediately followed by Twitter at 37%), and also the fact that E-whoring is becoming one of the most common methods for beginner cyber criminals to gain easy money (more than 13,000 threads observed).

About these ads

Anonymous leaks 3500 Private Docs From Italian Police

October 25, 2012 Leave a comment

On the wake of similar operations carried on by Hacktivists against Law Enforcement Agencies all over the World, the Italian Cell of the infamous collective Anonymous has decided to cross the line targeting the Italian Police with a clamorous Cyber Attack under the label of #Antisec movement.

On October, the 23rd, the Hactkivists have leaked more than 3500 private documents, claiming to own an additional huge amount of sensitive information such as lawful interception schemes, private files and e-mail accounts.

The Italian Police has indirectly confirmed the attack, downplaying its effects with a scant statement (in Italian) that (easily predictable) has raised a furious reaction by the Hacktivists. According to the above mentioned statement, no server was compromised, but the leaked data were just the consequence of several “illegitimate accesses” to private emails belonging to police officers (as to say that several compromised accounts are less severe than a hacked server).

Strictly speaking, this latest attack is not a surprise since in the past months, mainly after the infamous 50 days of Lulz of the LulzSec collective, Governments and Law Enforcement Agencies all over the world have become the preferred targets for Hacktivists under the Antisec shield. From a broader perspective this trend was apparently decreasing during 2012 because of several factors: the discovery of the double identity of Sabu (an hacktivist during the day and an FBI informant during the night), the arrest of W0rmer and ItsKahuna (two members of the CabinCr3w collective who left behind them a long trail of cyber-attacks against law enforcement agencies, and, last but not least, the arrest of the members of the Team Poison Collective.

Unfortunately This cyber-attack changes the rules and brings the things back in time to Summer 2011. It looks similar to LulzSec’s Operation Chinga La Migra, targeting Arizona Border Patrol, and to another (nearly contemporary) cyber attack that allowed LulzSecBrasil (??) to leak 8 Gb of data from the Brazilian Police.

Hopefully this cyber-attack will change the rules in Italy, it has dramatically demonstrated the real risk for public institutions and the need for a greater level of security. As a consequence it cannot be absolutely underestimated.

1-15 October 2012 Cyber Attack Statistics

October 22, 2012 Leave a comment

Here’s the partial snapshot for the Cyber Landscape in October. I have deliberately decided not to include in the statistics the massive Cyber Attack against the Universities executed by Team Ghost Shell, since, in my opinion, it would not have been formally correct include into the sample, this wave of cyber attacks which have been distributed in several months, and disclosed all at once.

In any case, looking at the sample including all the other attacks collected in October, according to the Daily Trend they were mainly concentrated at the beginning of the month:

For what concerns the Motivations Behind Attacks chart, Cyber Crime ranks at number one, with nearly the 58%, approximately at the same level of September (when it was at 55%). Interesting to notice, for the first half of October, the rise of events related to Cyber Warfare, mainly related to what is happening in the Middle East, and in particular in Iran, that suffered a couple of noticeable cyber attacks. In this landscape, the events related to hacktivism appear in decrease with the 35% of the events.

Even if the events related to hacktivism seem to be decreasing, the Distribution Of Attack Techniques shows a revamp of DDoS (the favourite weapon of hacktivists), mainly due to the wave of DDoS Cyber Attacks against the U.S. banks. Even if approximately one-fourth of the attacks has an unknown origin, SQL is stable at rank number three with the 22.5% of occurrences. It also worth to mention the 5% gained by Targeted Attacks.

Last but not least, the Distribution Of Targets chart, that confirms the weakness of the targets belonging to Government, ranking at number one with nearly one-third of the occurrences. It does not matter if the reason is hacktivism or cyber crime, Governments keep on to be the preferred victims of cybercrooks, at least for this first half of October.

Again, I will never get tired of repeating that data must be taken very carefully since they do refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide an high level overview of the “cyber landscape” of the considered period.

In any case, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

A 0-Day Attack Lasts On Average 10 Months

October 19, 2012 Leave a comment

(But in some cases may remain unknown for up to 2.5 years). A couple of days ago, two Symantec Researchers have published an interesting article (“Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World”) reporting the study of 0-Day Attacks between 2008 and 2001. They have analyzed 300 million files collected by 11 million hosts (a representative subset of the hosts running Symantec products) between March 2008 and February 2011.

These files were extracted from the the WINE environment (Worldwide Intelligence Network Environment, a platform for repeatable data intensive experiments aimed to share comprehensive field data among the research community) and correlated with three additional sources: the Open Source Vulnerability Database (OSVDB), Symantec’s Threat Explorer (the company database for the known malware samples) and an additional Symantec data set with dynamic analysis results for malware samples.

The purpose of the research was to execute a sort of automatic forensic analysis aimed to go back in time to look for 0-day attacks carried on during the analyzed period. The results are disarming.

The researchers were able to find 18 vulnerabilities exploited before disclosure, among which 11 were not previously known to have been deployed in 0-day attacks. Based on the data, a typical zero-day attack lasts on average 312 days, but in some cases may remain unknown for up to 2.5 years (think to what it means to have the enemy inside the gates for such a long time).

Just to confirm that 0-days are the cradle of targeted attacks, the data show that most zero-day attacks affect few hosts, with the exception of a few high-profile attacks (Do you remember Stuxnet?). Moreover, after vulnerabilities are disclosed, the volume of attacks exploiting them increases by up to 5 orders of magnitude (the number of variants increases “only” by up to 2 orders).

And this is not a mere coincidence since apparently the cyber criminals watch closely the vulnerability landscape, as exploits for 42% of all vulnerabilities employed are detected in field data within 30 days after the disclosure date.

A terribly worrying landscape, even considering a theoretical point of weakness of the research, that is the fact that the sample could be considered self-consistent referring only to malware strains collected by Symantec customers.

1-15 October 2012 Cyber Attacks Timeline

October 17, 2012 Leave a comment

Apparently October has shown a decrease in the number of Cyber Attacks. At least from a mere numerical perspective. It is not a coincidence that I used the term “Apparently” since if we consider the most important event of the month: the massive leak from Worldwide universities executed by Team GhostShell inside their ProjectWestWind operation, things are well different.

The one carried on by Team Ghost Shell (approximately 120k accounts leaked) is for sure the most important operation of the current month which has also shown the first virtual hacking operation (at least as far as I remember): the massive death of avatars inside World of Warcraft.

Other remarkable events in the first half of October concern the attack to Playspan (possibly millions of users affected), the new waves of DDoS cyber attacks against US banks, and an alleged hijacking to the Irish domains of Google and Yahoo!.

It worth to mention also the breach of University of Georgia (8,500 users affected) and  the 400,000 bucks stolen by unknown hackers to the City of Burlington.

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

Read more…

Follow

Get every new post delivered to your Inbox.

Join 3,197 other followers