La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL
In Cyberattacks on Banks, Evidence of a New Weapon

October 5, 2012, 8:30 pm

By NICOLE PERLROTH

How were amateur hackers able to take down some of America's largest banks? And who were they?

Those were some of the bigger mysteries of last week's cyberattacks on Wells Fargo, U.S. Bank, PNC, the New York Stock Exchange and others, which caused intermittent Internet outages and delays in online banking.

A group claiming Middle Eastern ties, the Izz ad-Din al-Qassam Cyber Fighters, took credit for the attacks online. They claimed to have taken the Web sites down using basic online applications. But security researchers said those methods were far too amateur to have been effective.

Indeed, representatives for PNC, U.S. Bank and Wells Fargo all said that while they had systems in place to fend off such "denial of service," or DDoS, attacks, in which hackers bombard a site with traffic until it falls offline, in this case the volume of traffic was simply "unprecedented."

"They must have had help from other sources," said Jaime Blasco, a security researcher at AlienVault, who investigated the attacks.

Those sources, it turns out, were data centers around the world that had been infected with a sophisticated form of malware that can evade detection by antivirus solutions. The attackers used those infected servers to simultaneously fire at American financial services companies until they fell offline.

"That method has never been used to this degree before," said Carl Herberger, a vice president at Radware, who has been investigating the attacks on behalf of many of the victims......


»bits.blogs.nytimes.com/2 ··· -weapon/

KodiacZiller
Premium Member
join:2008-09-04
73368
Other experts close to the situation disagree that it was state-sponsored or even sophisticated at all.
quote:
"I don't think there's anything about these attacks that's so large or so sophisticated that it would have to be state sponsored," said Prince, the CloudFlare CEO. "This very well could be a kid sitting in his mom's basement in Ohio launching these attacks. I think it's dangerous to start speculating that this is actually state sponsored."
quote:
"Those are big attacks," he said, "but they're not so unprecedented that it's worth a press release."
Quoted from an Ars Technica article.

La Luna
Premium Member

I thought it an interesting read nonetheless.
redwolfe_98
Premium Member
join:2001-06-11

said by La Luna:

I thought it an interesting read nonetheless

Yes, La Luna. It explained, in part, how the DDoS attacks were so powerful: servers were hacked and then used for the DDoS attacks.

I saw another article about hacked servers:

http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/

"This attack injects invisible malicious iframes into some server responses of all web sites on compromised servers."
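The quoted article describes a module that tampers with responses on the way out of the server, so the files in the document root look clean while visitors receive an iframe they never see. The check below is an added example, not code from the article, the module's authors or anyone in this thread: it parses a page for iframes a visitor cannot see (hidden by CSS, by the `hidden` attribute, or sized 1px or smaller) and diffs the iframes in a served response against the iframes in the file on disk. The two HTML samples are constructed for this example; `player.example` and `203.0.113.7` are placeholder names, not real hosts.

```python
import re
from html.parser import HTMLParser

# CSS that hides an element outright.
_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# width/height written inside style="" rather than as attributes.
_CSS_DIM = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes (a bare `hidden`) arrive as None.
            self.iframes.append({k.lower(): (v or "").strip() for k, v in attrs})


def iframes_in(html):
    """Return a list of attribute dicts, one per <iframe> in the document."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def _dimensions(attrs):
    """Effective width/height in px; an inline style wins over the attribute."""
    dims = {}
    for name in ("width", "height"):
        value = attrs.get(name, "").rstrip("px")
        if value.isdigit():
            dims[name] = int(value)
    for name, value in _CSS_DIM.findall(attrs.get("style", "")):
        dims[name.lower()] = int(value)
    return dims


def hidden_reason(attrs):
    """Why a visitor would not see this iframe, or None for a normal embed."""
    if _HIDDEN_CSS.search(attrs.get("style", "")):
        return "hidden via CSS"
    if "hidden" in attrs:
        return "hidden attribute"
    if any(px <= 1 for px in _dimensions(attrs).values()):
        return "1px or smaller"
    return None


def find_hidden_iframes(html):
    """(src, reason) for every iframe the visitor cannot see."""
    found = []
    for frame in iframes_in(html):
        reason = hidden_reason(frame)
        if reason:
            found.append((frame.get("src", ""), reason))
    return found


def injected_iframes(served_html, on_disk_html):
    """Iframe sources present in the served response but not in the file.

    A malicious server module rewrites responses as they leave, so the
    document root stays clean; whatever appears only in the response is
    the injected payload.
    """
    on_disk = {frame.get("src", "") for frame in iframes_in(on_disk_html)}
    return [frame.get("src", "") for frame in iframes_in(served_html)
            if frame.get("src", "") not in on_disk]


# Constructed sample page, as stored under the document root.
ON_DISK = """<html><body>
<h1>Welcome</h1>
<iframe src="https://player.example/embed/42" width="560" height="315"></iframe>
</body></html>"""

# The same page as a compromised server would hand it to a visitor
# (constructed; 203.0.113.7 is a documentation address, not a real host).
SERVED = ON_DISK.replace(
    "</body>",
    '<iframe src="http://203.0.113.7/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n</body>',
)

if __name__ == "__main__":
    print("hidden in served page:", find_hidden_iframes(SERVED))
    print("present only in served page:", injected_iframes(SERVED, ON_DISK))
```

In practice you would feed `SERVED` from an HTTP fetch of your own site made from outside the host (the module may only inject for certain visitors, so fetch with a browser-like User-Agent and without your own cookies) and `ON_DISK` from the file the URL maps to; any iframe that shows up only in the response deserves a look at the loaded Apache modules.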

Snowy to KodiacZiller
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI
said by KodiacZiller:

Other experts close to the situation disagree that it was state-sponsored or even sophisticated at all.

quote:
"I don't think there's anything about these attacks that's so large or so sophisticated that it would have to be state sponsored," said Prince, the CloudFlare CEO. "This very well could be a kid sitting in his mom's basement in Ohio launching these attacks. I think it's dangerous to start speculating that this is actually state sponsored."

That's as self-serving a statement as possible and should be viewed in that context.
Of course CloudFlare wants the world to believe that a kid sitting in his mom's basement in Ohio could take down a hardened target, as if it's an easy, common task.

Why would CloudFlare engage in FUD such as that?
Because they sell "Protect your website from a range of online threats from spammers to SQL injection to DDOS."
»www.cloudflare.com/overview

Web site owners are generally not too concerned about having sophisticated, state-sponsored attacks pointed at them, but the fear, uncertainty and doubt that can come from believing that a single kid working from their parents' basement in Ohio could adversely affect their site is a more real scenario, and a more profitable one, especially if you're CloudFlare.
daveinpoway
Premium Member
join:2006-07-03
Poway, CA

If this article (»www.computerworld.com/s/ ··· 12-10-05 ) is true, more serious problems are on the way.

Snowy
Premium Member

"In an advisory Thursday, RSA said it has information suggesting the gang plans to unleash a little-known Trojan program to infiltrate computers belonging to U.S. banking customers and to use the hijacked machines to initiate fraudulent wire transfers from their accounts."

Now that's a credible threat.
Trojanized home computers are a dime a dozen, and it's only a matter of time before a large organized attack monetizes the inventory.

KodiacZiller to Snowy
Premium Member
said by Snowy:

That's as self-serving a statement as possible and should be viewed in that context.
Of course CloudFlare wants the world to believe that a kid sitting in his mom's basement in Ohio could take down a hardened target, as if it's an easy, common task.

Why would CloudFlare engage in FUD such as that?
Because they sell "Protect your website from a range of online threats from spammers to SQL injection to DDOS."
»www.cloudflare.com/overview

I don't have much respect for proprietary security vendors, but that still doesn't negate this guy's point. We have no idea who did this. Joe Lieberman is the one who floated the "Iran" angle out there, but he has ulterior motives for doing so (i.e. he wants to drum up support for a military attack on Iran).

There are numerous examples of people in the industry crediting Iran or China with cyber-attacks which turned out to be a kid or a group of kids in their basements. The hacks on GoDaddy a few years ago (where certificates were stolen) being one of the most noteworthy. The GoDaddy CEO said it was a highly advanced attack from Iran. Moxie Marlinspike, an independent researcher, proved that it was a single script kiddie who pulled it off using tools downloaded freely from the web (Moxie knows this because the IP address used in the attack downloaded tools he wrote from his website).

There is nothing hard about pulling off DDOS. Script kiddies can do it. There are all sorts of hacker tools written in shiny packages ready to point and click. You don't have to be sophisticated in 2012 to pull off most of these attacks.

Web site owners are generally not too concerned about having sophisticated, state-sponsored attacks pointed at them, but the fear, uncertainty and doubt that can come from believing that a single kid working from their parents' basement in Ohio could adversely affect their site is a more real scenario, and a more profitable one, especially if you're CloudFlare.

Website owners are much more likely to face a threat from a script kiddie than from China or Iran.

Link Logger to KodiacZiller
MVM
join:2001-03-29
Calgary, AB
Not even close to being a state-sponsored attack, just a run-of-the-mill DDoS attack by a hacker group with an agenda; not like there aren't a ton of those about.

Blake

Snowy
Premium Member

said by Link Logger:

Not even close to being a state-sponsored attack, just a run-of-the-mill DDoS attack by a hacker group with an agenda; not like there aren't a ton of those about.

Claiming the attack was state sponsored is about as grounded as claiming that floods exceeding 60 gigabits per second are a run-of-the-mill DDoS.
State sponsored - no way
Kid working alone in parents basement - no way
Run of the mill - no way
What does that leave?
An organized group with a focused mission and the wherewithal to pull it off, the major point being that it wasn't an Ohio kid working alone in his parents' garage, which is laughable if you stop and think about it for a second or two.
Snowy to KodiacZiller
Premium Member
said by KodiacZiller:

said by Snowy:

Web site owners are generally not too concerned about having sophisticated, state-sponsored attacks pointed at them, but the fear, uncertainty and doubt that can come from believing that a single kid working from their parents' basement in Ohio could adversely affect their site is a more real scenario, and a more profitable one, especially if you're CloudFlare.

Website owners are much more likely to face a threat from a script kiddie than from China or Iran.

Yes, I struggled with clarity on that.
The point I tried to make is that CloudFlare tried to make it appear as if a script kiddie working alone in their parents' garage 'could' have pulled off the attack, when that simply isn't true in Sep-Oct 2012.

La Luna
Premium Member

....Indeed, representatives for PNC, U.S. Bank and Wells Fargo all said that while they had systems in place to fend off such “denial of service,” or DDoS, attacks, in which hackers bombard a site with traffic until it falls offline, in this case the volume of traffic was simply “unprecedented.”

“They must have had help from other sources,” said Jaime Blasco, a security researcher at AlienVault, who investigated the attacks.

Those sources, it turns out, were data centers around the world that had been infected with a sophisticated form of malware that can evade detection by antivirus solutions. The attackers used those infected servers to simultaneously fire at American financial services companies until they fell offline.....


It doesn't appear to be your run of the mill DDoS attack. When was the last time servers "around the world" were infected AND involved in an attack like this, with so much traffic generated?

Edit: clarity
La Luna to Link Logger
Premium Member
said by Link Logger:

Not even close to being a state-sponsored attack, just a run-of-the-mill DDoS attack by a hacker group with an agenda; not like there aren't a ton of those about.

Blake

A group claiming Middle Eastern ties, the Izz ad-Din al-Qassam Cyber Fighters, took credit for the attacks online. They claimed to have taken the Web sites down using basic online applications. But security researchers said those methods were far too amateur to have been effective.

Indeed, representatives for PNC, U.S. Bank and Wells Fargo all said that while they had systems in place to fend off such “denial of service,” or DDoS, attacks, in which hackers bombard a site with traffic until it falls offline;....


Apparently, the banks say they could defend against a simple DDoS attack, but this was something more. That's what I get out of it, anyway.

Blackbird to La Luna
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN
So... a kid in Ohio links up with a handful of kids in other basements in other states or countries via IRC and they agree it'd be cool to take down some bank sites. That becomes an "organized group". If some of the "kids" are adults who never quite grew up beyond their teen predilection to vandalize and their naive idealism about how the world is organized, that provides a focused mission. Wherewithal to pull it off simply comes from number of players and experience. Given enough of the latter, they might even become sponsored (or employed) by a state whose interests in causing havoc coincide with the little group's.

My point is that in the real world, it can be a continuum... there aren't necessarily causes A, B, or C to choose from. Nor does it necessarily matter. A technique exploited by a kid is a technique exploitable by a nation state... that is, it is a weakness or vulnerability. The only relevant question in my mind is whether there's anything new (either qualitative or quantitative) in what is being done.

La Luna
Premium Member

True. If you look at all scenarios, anything is possible.

Could kids, maybe with help, pull this off, and would they? Possible, but in my mind not likely. To me, there is something more nefarious going on here. But that's JMHO.

Snowy to Blackbird
Premium Member
said by Blackbird:

My point is that in the real world, it can be a continuum...

Absolutely.
For all the possibilities that presents...
What it isn't though is
said Prince, the CloudFlare CEO: "This very well could be a kid sitting in his mom's basement in Ohio launching these attacks."

An anti-DDoS vendor publicly making that claim needs to be publicly called on it.

Link Logger to La Luna
MVM
The deal is more bots, and more bots with fatter pipes equals a better DDoS attack, so the first issue here isn't that they attacked and dropped banks; the first issue is that this bot crew was able to compromise and add to their bot army sites with bigger pipes, which tends to indicate their initial attacks have gotten better as they are owning more commercial/active sites. Toss in some aspects around smarter proxy usage and bingo, better and more difficult to stop DDoS attacks.

Years ago you would dream of owning a university because they had nice fat juicy pipes, but now just about every Tom, Dick and Jane has an ample pipe connecting them from home, such that even if nothing else changed (i.e. number of systems involved, etc.), DDoS attacks will only ever get bigger.

It would be very entertaining to track back the systems involved in the attack and see how many are in China, for example (only implying that systems are easier to own in China than elsewhere, and not that this is a Chinese state-sponsored attack).

Blake
redwolfe_98 to La Luna
Premium Member
I saw where someone speculated that the DDoS attacks may have been used to cover up other nefarious activity.

If someone had all of these servers hacked, with malware that was undetectable, as the article says, it doesn't really make sense that they would expose their malware, and that the servers had been hacked, just for a DDoS attack, which wouldn't do much, the way that I see it.

I have wondered if it might have been an extortion scheme, where people wanted money from the banks in exchange for freeing up their networks.

I suspect that there is more to this story and I want to know what the rest of the story is. I also would like to hear more about the supposedly "undetectable" malware on the servers.

On the other hand, the person, or persons, responsible for the DDoS attacks could have been trying to do something good by exposing the vulnerability of the cyberworld today, so that something would be done to improve things. That is a possibility.

There is one good thing about hearing all these stories about problems relating to malware, and that is that we can hope that there are people who are taking countermeasures to combat the problem.

Also, hopefully politicians will become aware of the problem and, so, governments will use their resources to try to combat the problem.

Blackbird
Premium Member

said by redwolfe_98:

... also, hopefully politicians will become aware of the problem and, so, governments will use their resources to try to combat the problem.

Please excuse my cynicism, but if "politicians will become aware of the problem", their "solutions" (without exception) will involve massive pork-barrel expenditures funded by new taxes and licensing fees, coupled with all manner of costly and restrictive registration, record-keeping and regulation. None of it will work as expected, though the distortions it introduces will remain forever, and the end result will be worse than the current situation. All politicians can do, by nature, is attempt to use policy and legislation to restrict and control - they cannot truly create anything. What is needed are creative, sound, scientific, technically-consistent solutions to the problem, incorporated by those in the field because they know it will work. And such solutions will never emanate from either politicians or governments.

KodiacZiller to Link Logger
Premium Member
said by Link Logger:

The deal is more bots, and more bots with fatter pipes equals a better DDoS attack, so the first issue here isn't that they attacked and dropped banks; the first issue is that this bot crew was able to compromise and add to their bot army sites with bigger pipes, which tends to indicate their initial attacks have gotten better as they are owning more commercial/active sites. Toss in some aspects around smarter proxy usage and bingo, better and more difficult to stop DDoS attacks.

Yeah, since many of these higher-end servers are running Linux or another Unix variant, sometimes the admins get complacent about security. The truth is, you don't need root access to utilize the box for a DDoS. All you need to do is compromise the server software (Apache) or some other unprivileged process. From there you just put your bot code in userspace and you're good to go.

This is why I think MAC systems should be mandatory on a server, especially a high-value server. If you are a Linux server admin and aren't running SELinux or AppArmor, you're stupid. These days it is not about getting root, thus you have to secure userspace too.
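KodiacZiller's scenario, bot code running under the unprivileged web-server account with no root involved, leaves traces that an admin can sweep for even on a box without MAC (mandatory access control) policy. The script below is an added example, not code from the post or from any vendor named in the thread: it runs a few heuristics over a process snapshot (a binary that was unlinked after start, which the kernel marks by appending " (deleted)" to the `/proc/<pid>/exe` link target; a binary executing from a scratch directory; an argv[0] that claims a path different from the real executable; an unexpected binary or a high connection fan-out under the web-server account). The snapshot records are constructed for the example; on a live host you would assemble them from `/proc/<pid>/exe`, `/proc/<pid>/cmdline` and `ss -tnp`. `WEB_ACCOUNTS`, `EXPECTED_WEB_EXES` and `FANOUT_THRESHOLD` are assumed starting values to tune per system, and the addresses are documentation ranges, not real hosts.

```python
from collections import Counter

# Accounts web servers and their workers run as (assumption; adjust per distro).
WEB_ACCOUNTS = {"www-data", "apache", "httpd", "nginx"}
# Writable scratch space that should never host a running binary.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Binaries a web-server account is expected to run (assumed starting allowlist).
EXPECTED_WEB_EXES = {"/usr/sbin/apache2", "/usr/sbin/httpd", "/usr/sbin/nginx",
                     "/usr/sbin/php-fpm", "/usr/bin/php-cgi"}
# Established outbound connections from one process to one host before we call it a flood.
FANOUT_THRESHOLD = 20
# Suffix the kernel appends to the /proc/<pid>/exe link once the binary is unlinked.
DELETED = " (deleted)"


def analyse(snapshot):
    """Return [(pid, [reasons])] for every process that looks like a userspace bot.

    Each snapshot record carries: pid, user, exe (target of /proc/<pid>/exe),
    cmdline, and conns (list of (dst_ip, dst_port) for established outbound sockets).
    """
    findings = []
    for proc in snapshot:
        reasons = []
        exe = proc["exe"]
        unlinked = exe.endswith(DELETED)
        path = exe[:-len(DELETED)] if unlinked else exe

        if unlinked:
            reasons.append("binary unlinked after start")
        if path.startswith(SCRATCH_DIRS):
            reasons.append("runs from a scratch directory")

        # argv[0] that claims an absolute path different from the real binary.
        # Daemons that rewrite argv[0] to a label ("nginx: worker process") are skipped.
        argv0 = proc["cmdline"].split(" ", 1)[0]
        if argv0.startswith("/") and argv0 != path:
            reasons.append(f"argv[0] {argv0} does not match exe {path}")

        if proc["user"] in WEB_ACCOUNTS:
            if path not in EXPECTED_WEB_EXES:
                reasons.append(f"unexpected executable {path} for {proc['user']}")
            # A DDoS participant opens many sockets to the same victim.
            for host, count in Counter(dst for dst, _port in proc["conns"]).items():
                if count >= FANOUT_THRESHOLD:
                    reasons.append(f"{count} outbound connections to {host}")

        if reasons:
            findings.append((proc["pid"], reasons))
    return findings


# Constructed snapshot: two benign daemons, one bot masquerading as httpd,
# one Perl script phoning an IRC port. Addresses are documentation ranges.
SAMPLE_SNAPSHOT = [
    {"pid": 512, "user": "root", "exe": "/usr/sbin/sshd",
     "cmdline": "/usr/sbin/sshd -D", "conns": []},
    {"pid": 1201, "user": "www-data", "exe": "/usr/sbin/apache2",
     "cmdline": "/usr/sbin/apache2 -k start", "conns": [("127.0.0.1", 3306)]},
    {"pid": 4410, "user": "www-data", "exe": "/tmp/.x/httpd (deleted)",
     "cmdline": "/usr/sbin/httpd -k start", "conns": [("203.0.113.5", 80)] * 40},
    {"pid": 4477, "user": "www-data", "exe": "/usr/bin/perl",
     "cmdline": "perl /var/www/up/.s.pl", "conns": [("198.51.100.9", 6667)]},
]

if __name__ == "__main__":
    for pid, reasons in analyse(SAMPLE_SNAPSHOT):
        print(pid)
        for reason in reasons:
            print("  -", reason)
```

None of these heuristics needs root on the attacker's side to trigger, which is the point: the compromise KodiacZiller describes never touches privileged state, so root-centric checks (rootkit scanners, setuid audits) stay quiet while the web-server account's own process list and socket table give the bot away. A MAC policy that confines the web-server domain adds the preventive half, stopping the worker from executing out of `/tmp` or opening arbitrary outbound sockets in the first place.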

jcliff to Snowy
Member
join:2012-10-09
said by Snowy:

Why would CloudFlare engage in FUD such as that?
Because they sell "Protect your website from a range of online threats from spammers to SQL injection to DDOS."
»www.cloudflare.com/overview

Web site owners are generally not too concerned about having sophisticated, state-sponsored attacks pointed at them, but the fear, uncertainty and doubt that can come from believing that a single kid working from their parents' basement in Ohio could adversely affect their site is a more real scenario, and a more profitable one, especially if you're CloudFlare.

You raise a good point. I've had dedicated web servers on 1 Gbps+ connections taken down by "bored teenagers". A lot of web hosts place you on a California-style three-strike warning: if you get DDoSed three times, they cancel your account.

You're often left wondering how to combat mediocre things like a bored teenager. Not worrying about Iran targeting you!

Snowy
Premium Member

said by jcliff:

You're often left wondering how to combat mediocre things like a bored teenager. Not worrying about Iran targeting you!

Welcome to the site!
There's no question that there's a legitimate need for the type of services CloudFlare offers.
The exception I took with CloudFlare's statement is how they took an event focused on a few high-visibility targets and tried to attribute it to a bored teenager sitting in his parents' Ohio basement when they certainly knew that wasn't the case.
Dumbing it down to make it relevant to the masses is what that was about.

jcliff
Member

said by Snowy:

Welcome to the site!
There's no question that there's a legitimate need for the type of services CloudFlare offers.
The exception I took with CloudFlare's statement is how they took an event focused on a few high-visibility targets and tried to attribute it to a bored teenager sitting in his parents' Ohio basement when they certainly knew that wasn't the case.
Dumbing it down to make it relevant to the masses is what that was about.

Hi and thanks!

Yes, it doesn't surprise me that web hosting companies will do what you mention to increase customers. I just wanted to say that the kid in the basement in Ohio can certainly do a lot of damage if he controls a botnet. :P A lot of the time, though, unless you are on some specialized service, a kid with just a couple of "fat connections" can mess up a site.

I don't necessarily like CloudFlare-type services; in the past I have used Amazon EC2 instances as a proxy in front of the actual site to get around DDoS and DoS.