DDoS and SQLi are the Most… Discussed Attack Techniques
Imperva has just published the results of its annual analysis of one of the largest known hacker forums, with approximately 250,000 members.
The research (also carried out on other smaller forums) used the forum's search engine to analyze conversations by topic using specific keywords. Unfortunately no details have been provided about the methodology used to collect the data; however, the results show that SQL Injection and DDoS are the most discussed topics, each accounting for 19% of the discussion volume (I am glad to see that the results are consistent with the findings of my Cyber Attack Statistics).
Of course the data must be taken with the necessary caution, since the analyzed sample may not be entirely representative. As Imperva admits: "The site we examined is not a hardcore crime site, but it's not entirely softcore. New hackers come to this site to learn and, on the other hand, more experienced hackers teach to gain "street cred" and recognition […]. Typically, once hackers have gained enough of a reputation, they go to a more hardcore, invitation-only forum." This probably means that the incidence of the two attack techniques is overrated, since one should expect a beginner hacker to approach the easiest and most common attack methods, for which many tools are available.
Anyway, the events of the last months show that an attack does not deserve less attention only because it is carried out by a beginner, nor does a beginner worry much about using automated tools without full knowledge and awareness. A look at the infosec chronicles of the last period is sufficient to verify that DDoS and SQLi attacks are always on the front pages.
Sadly, Imperva estimates that only 5% of the security budget is spent on thwarting SQL Injection attacks.
Other interesting findings of the research are: the fact that social networks are of major interest to hackers, since they are becoming a prominent source of information and potential monetary gain (Facebook was the most discussed social media platform, with 39%, immediately followed by Twitter at 37%), and also the fact that E-whoring is becoming one of the most common methods for beginner cyber criminals to earn easy money (more than 13,000 threads observed).
The Italian Job
The Italian Anonymous did it again and today attacked the vatican.va website for the second time in a few days. This time their attack has apparently gone deeper, since the infamous collective also posted a small portion of a database claimed to have been leaked from radiovaticana.org, the website of the official Vatican Radio.
The inevitable statement on pastebin (so far only in Italian) quotes Imperva, the Israeli company focused on application security which claimed, a few days ago, to have prevented a summer attack against the Vatican in August, using the collected information to profile a typical Anonymous DDoS attack.
Of course the pastebin suggests that this attack has been a kind of retaliation for the information disclosed by the Israeli security company in their detailed report. Nevertheless, this has been only the latest DDoS attack in Italy in a troubled weekend that has seen several websites fall under the LOIC shots: on Saturday the Italian Railways were hit (three domains), and yesterday Equitalia, the company holding the concession, on behalf of the Government, to collect taxes.
This (un)expected revamp of DDoS activity in Italy comes roughly a couple of months after the LOIC attacks unleashed by the MegaUpload shutdown, and nearly nine months after the waves of attacks which made the Italian summer a very hot season for information security.
Besides, so far the preferred targets of Anonymous in Italy have been government and politicians' websites; by targeting the Vatican site, it looks like this time Anonymous crossed a line.
As a matter of fact, I have decided to write down in a table all the hacktivism-led attacks carried out in Italy from 2011 onwards. I collected the information on the attacks while gathering the material needed to prepare my timelines for 2011 and 2012. In reading the list, please consider that several DDoS attacks were only claimed by the attackers, so it is really difficult to discriminate whether they were successful or not; nevertheless I thought it appropriate to include them all in order to provide a global view.
So far, you will notice that hacktivism in Italy has gone through three main phases: the summer phase, perhaps interrupted by the wave of arrests in July; the winter phase, as mentioned above, immediately after the Megaupload shutdown in the wake of the anti-SOPA/PIPA/ACTA movements; and the current phase (may we define it a spring phase?) triggered by the delicate internal sociopolitical situation.
March 2011
| Date | Target | Attack | Sector |
|---|---|---|---|
| 04/03/2011 | finmeccanica.it | DDoS | Military Industry |
| 04/03/2011 | eni.it | DDoS | Energy |
| 04/03/2011 | unicredit.it | DDoS | Finance |
June 2011
| Date | Target | Attack | Sector |
|---|---|---|---|
| 21/06/2011 | ilpopolodellalibertà.it | DDoS | Political Parties |
| 21/06/2011 | governoberlusconi.it | DDoS | Political Parties |
| 21/06/2011 | pdl.it | DDoS | Political Parties |
| 21/06/2011 | governoberlusconi.it | DDoS | Political Parties |
| 21/06/2011 | silvioberlusconifansclub.org | DDoS | Political Parties |
| 21/06/2011 | forzasilvio.it | DDoS | Political Parties |
| 22/06/2011 | governo.it | DDoS | Government |
| 22/06/2011 | camera.it | DDoS | Government |
| 22/06/2011 | senato.it | DDoS | Government |
| 22/06/2011 | interno.it | DDoS | Government |
| 22/06/2011 | regione.campania.it | DDoS | Government |
| 22/06/2011 | pdl.it | DDoS | Political Parties |
| 22/06/2011 | renatobrunetta.it | DDoS | Political Parties |
| 22/06/2011 | innovazionepa.gov.it | DDoS | Government |
| 23/06/2011 | governo.it | DDoS | Government |
| 23/06/2011 | agcom.it | DDoS | Government |
| 23/06/2011 | leganord.org | DDoS | Political Parties |
| 24/06/2011 | governo.it | DDoS | Government |
| 24/06/2011 | giustizia.it | DDoS | Government |
| 28/06/2011 | agcom.it | DDoS | Government |
| 29/06/2011 | camera.it | DDoS | Government |
| 29/06/2011 | pdl.it | DDoS | Government |
| 29/06/2011 | mediaset.it | DDoS | Entertainment |
| 30/06/2011 | telecomitalia.it | DDoS | ISP |
| 30/06/2011 | poste.it | DDoS | |
| 30/06/2011 | borsaitaliana.it | DDoS | Finance |
July 2011
| Date | Target | Attack | Sector |
|---|---|---|---|
| 01/07/2011 | leganord.org | DDoS | Political Parties |
| 01/07/2011 | agcom.it | DDoS | Government |
| 02/07/2011 | innovazionepa.gov.it | DDoS | Government |
| 02/07/2011 | governo.it | DDoS | Government |
| 03/07/2011 | agcom.it | DDoS | Government |
| 04/07/2011 | agcom.it | DDoS | Government |
| 06/07/2011 | 19 Universities: unisi.it unisa.it uniroma1.it anotonianum.eu econoca.it uniba.it unibocconi.it unifg.it unime.it unimib.it uniurb.it unibo.it unipv.it unina2.it unile.it polimi.it unito.it unimo.it | SQLi? | Education |
| 31/07/2011 | vitrociset.it | Defacement | Contractor |
August 2011
| Date | Target | Attack | Sector |
|---|---|---|---|
| 03/08/2011 | vitrociset.it | Defacement | Contractor |
| 06/08/2011 | sappe.it | Defacement | Law Enforcement Agencies |
September 2011
| Date | Target | Attack | Sector |
|---|---|---|---|
| 02/09/2011 | Undisclosed Bank | ? | Finance |
November 2011
| Date | Target | Attack | Sector |
|---|---|---|---|
| 29/11/2011 | fiocchigfl.it | Defacement | Military Industry |
December 2011
| Date | Target | Attack | Sector |
|---|---|---|---|
| 06/12/2011 | torino-lione.it | Defacement | Transportation |
| 06/12/2011 | ghiglia.it | Defacement | Political Parties |
| 19/12/2011 | fabriziocorona.it | Defacement | Entertainment |
| 19/12/2011 | costantinovitaliano.it | Defacement | Entertainment |
January 2012
| Date | Target | Attack | Sector |
|---|---|---|---|
| 10/01/2012 | leganord.org | Defacement | Political Parties |
| 13/01/2012 | italia.gov.it | DDoS | Political Parties |
| 22/01/2012 | siae.it | DDoS | Entertainment |
| 22/01/2012 | universalmusic.it | DDoS | Entertainment |
| 22/01/2012 | copyright.it | DDoS | Entertainment |
| 22/01/2012 | giannifava.org | DDoS | Political Parties |
| 22/01/2012 | leganord.org | DDoS | Political Parties |
| 24/01/2012 | giustizia.it | DDoS | Government |
| 26/01/2012 | italia.gov.it | DDoS | Government |
February 2012
| Date | Target | Attack | Sector |
|---|---|---|---|
| 11/02/2012 | circondarialetorino.it | Defacement | Law Enforcement Agencies |
| 17/02/2012 | rivagroup.com | DDoS | Military Industry |
| 17/02/2012 | enel.it | DDoS | Energy |
| 18/02/2012 | mauriziopaniz.it | Defacement | Political Parties |
| 22/02/2012 | binetti.it | Defacement | Political Parties |
| 27/02/2012 | polizia.it | DDoS | Law Enforcement Agencies |
| 27/02/2012 | carabinieri.it | DDoS | Law Enforcement Agencies |
March 2012
| Date | Target | Attack | Sector |
|---|---|---|---|
| 07/03/2012 | vatican.va | DDoS | Religion |
| 10/03/2012 | trenitalia.it | DDoS | Transportation |
| 10/03/2012 | RFI.it | DDoS | Transportation |
| 10/03/2012 | viaggaintreno.it | DDoS | Transportation |
| 11/03/2012 | equitalia.it | DDoS | Services |
| 12/03/2012 | vatican.va | DDoS | Religion |
| 12/03/2012 | radiovaticana.org | Defacement | Religion |
Related articles
- DDoS: When Size Matters… Or Not? (hackmageddon.com)
- Anonymous hacks Vatican again (zdnet.com)
- Reviewing HOIC: A New Anonymous DDoS Tool (imperva.com)
Advanced Persistent Threats and Human Errors
These days many people are asking me what they can do to stop an Advanced Persistent Threat. Although security firms are racing to develop new technologies to thwart these attack vectors (sophisticated SIEMs and a new breed of network security devices, the so-called Next Generation IPSs), I am afraid the answer is not so easy. I could spend thousands of words trying to work out the answer, but I would not be able to give a better representation than this cartoon I found a couple of days ago on the Imperva Blog.
Intentional or unintentional, human error is always the first vector an Advanced Persistent Threat exploits to enter the organization: as a matter of fact, all the APT attacks recorded in 2011 (and unfortunately examples abound in the news) have one point in common: the initial gate which allowed the attack to enter, that is, the user.
The latest resounding example is no exception to this rule: on Friday, November 17th, Norway's National Security Authority (NSM) confirmed that systems associated with the country's oil, gas, and energy sectors were hit by a cyber attack, resulting in the loss of sensitive information. If we look at the information available on this attack, it is really easy to find all the ingredients of a typical APT attack: malware spread via infected emails sent to "selected individuals", sophisticated malware designed to avoid detection by anti-virus solutions, and, last but not least, sophisticated malware designed to steal information from the victim's computer: documents, drawings, usernames and passwords.
So, in the end, what is the key to facing an APT before the technology itself is able to catch it? The answer (and the technology) revolves around the user, who is the first firewall, IPS and anomaly detector able to stop an APT. Of course, exactly as security devices must be configured to stop intrusion attempts, users must analogously be configured (read: educated) not to accept virtual candies from strangers, thereby ceasing to act as unintentional gates for threats to enter the organization. This often happens because of careless behaviors, or because of behaviors in clear contrast with the internal policy (yes, the infamous AUP). I usually say that security is a mindset, quite similar to distrust: either you have it because you were born with it, or you may simply be educated to embrace it.
Keep in mind the central role of the user in the security process, since 2012 will be the year of APTs… Would you ever buy (and pay dearly for) an armored door for your home and give the key to people you do not trust?
Related articles
- Are You Ready For The Next Generation IPS? (paulsparrows.wordpress.com)
- Advanced Persistent Threats and Security Information Management (paulsparrows.wordpress.com)