Thursday, August 27, 2015

DD4BC are DDoS attack driving force, new report claims

According to the 'Distributed Denial of Service Trends Report - 2nd Quarter 2015' published by VeriSign today, there was increased activity from the DDoS For Bitcoin (DD4BC) attack group between April 1 and June 30. This came not only in the form of ransom threats (the ransom is demanded in Bitcoin, hence the name) but also in unpaid threats turning into actual attacks. Most DD4BC attacks have traditionally been, and largely remain, in the one to five Gbps size range. The report says that the second most targeted industry sector for all DDoS attacks was finance and payments, which made up some 22 percent of those mitigated by VeriSign, and that this was largely driven by the DD4BC attack group. The VeriSign conclusions appear to tie in with those of other recent Internet threat reports such as Akamai's 'State of the Internet - Q2 2015', which concurs that many DDoS attacks were fuelled by actors such as DD4BC and those copying its ransom tactics and attack methodologies. Akamai reckons that the group "expanded its extortion and DDoS campaigns during April and May" and has found itself protecting "a growing number of customers" from DD4BC attacks as a result. Akamai says that several customers have received ransom demands threatening DDoS attacks of between 400-500 Gbps if the money was not paid, although it had not seen anything larger than 50 Gbps in reality up to the time the report was published. It would seem that DD4BC does not have quite the resources to pull off attacks of the size it threatens, considering that VeriSign has also yet to see anything approaching three figures from the group, so is DD4BC actually just a bunch of (albeit fairly successful) chancers?

Friday, August 21, 2015

Does Adblock Plus weaken Mac OSX security?

In a blog post on Wednesday, a Webroot threat research analyst revealed how the use of ad-blocking software by Mac users could not only be leaving them with a false sense of security but actually be putting them at risk. Devin Byrd explained how Mac users are often told that their chosen platform is safe from threats and malware, and a 'vast majority' still believe this despite plenty of proof to the contrary. "The magic myth of Mac immunity has long been disproven and really exploited in the past years with such concepts as Thunderstrike and root privilege exploits," Byrd says, adding "most of the malware that we come across for Mac has been adware." Although I wouldn't necessarily label adware as malware myself, I appreciate that it does try to get you to spend money, can point you towards malicious software downloads and is almost always unwanted by the person whose machine has it installed. It is therefore understandable that for many the answer to adware is a large dose of ad-blocking software, and Adblock Plus is amongst the most popular. I will put my hands up and admit I have been a happy user for many years myself, although on a Microsoft rather than Mac platform. Byrd, however, warns that adware companies know only too well that software is being used to block their wares, and have figured out a way of getting around the roadblocks.

Upon reflection, BitTorrent amplifies DDoS attacks

Distributed Denial of Service (DDoS) attacks are the plat du jour for cyber-criminals looking to deflect attention and resources from a breach elsewhere within the target enterprise, and for hacktivists taking sites down with political or just plain malicious motivation alike. According to the Q2 2015 State of the Internet report from Akamai, the number of DDoS attacks has grown by 132 per cent compared to the same time last year. Not only is that a record high (or low, depending upon which side of the security fence you are positioned on), but the number of 'almost indefensible' mega-attacks, those peaking in excess of 1,000Gbps/50Mpps, was also on the up. Anything that helps the bad guys make a DDoS attack easier, bigger and more destructive is never good news; enter stage left the villain of the piece, the Distributed Reflective DoS (DRDoS) attack. Although DRDoS attacks are not exactly new, new methods to launch them are always high on the agenda both of those out to cause problems and of those out to prevent them. So when we heard that a new DRDoS attack using BitTorrent was being demonstrated, we decided to investigate further.

Friday, August 14, 2015

Securing the Smart City

Some would argue that our cities are already pretty smart. Glasgow has street lighting that brightens automatically as pedestrians or cyclists approach. Bristol is installing machine-to-machine sensors to supply superfast networks with data about energy use, air quality and traffic flow. Songdo in South Korea even has a waste disposal system that does away with garbage trucks and sucks your rubbish out of the kitchen via an underground tunnel network directly to the waste processing center. So what actually defines a smart city? According to the British Standards Institution (BSI) the answer is “an effective integration of physical, digital and human systems in the built environment to deliver a sustainable, prosperous and inclusive future for its citizens.” Unfortunately, explains Dr Gordon Fletcher, co-director of the Centre for Digital Business at Salford Business School, there are an awful lot of alternative definitions out there: “A straightforward summary is that [smart cities] all fall onto a continuum, from a light version which interconnects residences individually with various city systems (typically councils), through to a completely integrated system of residents, visitors and the various private and public organizational systems.” What is on the ground now looks less futuristic than we might imagine. But if we were to let that imagination fly, what might we expect in terms of the positives of a truly smart city?

Cross-site scripting vulnerability uncovered in Salesforce cloud

Researchers at cloud application security vendor Elastica have published details of a Cross-Site Scripting (XSS) vulnerability within a Salesforce subdomain, one that gave attackers the potential to use a trusted Salesforce application as a platform for end-user credential gathering attacks. Disclosed in early July, the vulnerability was finally patched by Salesforce on Monday, just two days before Elastica went public with the disclosure. Admittedly, XSS vulnerabilities are not the most exciting of attack vectors, but that doesn't mean they are not dangerous. Nor does it mean that organisations shouldn't know better when it comes to detecting them. Heck, the Salesforce developer pages themselves even have a section dedicated to preventing XSS attacks, which states "Most applications that display dynamic Web pages without properly validating the data are likely to be vulnerable. Attacks against the website are especially easy if input from one user is intended to be displayed to another user. Some obvious possibilities include bulletin board or user comment-style websites, news, or email archives." Oh the irony. XSS is becoming both more frequent and more dangerous as an attack vector year on year: frequent because XSS vulnerabilities are pretty easy to spot (oh the irony again), and dangerous because they are also easy to exploit, with outcomes similar to SQL injection attacks, for example. The bad guys would rather take the easiest route on offer, and for many that appears to be XSS right now.
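The Salesforce guidance quoted above describes the root of most stored XSS: input from one user is displayed to another without being encoded for the context it lands in. The following Python example is added here and is not Elastica's or Salesforce's code. It renders a constructed comment both ways, by plain string concatenation and with HTML entity encoding, and then uses the standard library's HTML parser to show what a browser would actually see in each case. The function names, the sample comment and the sample display name are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input (not taken from any real site): a comment body and
# a display name of the kind one user submits and another user is shown.
SAMPLE_COMMENT = 'Nice post! <script>document.title="pwned"</script>'
SAMPLE_NAME = 'alice" onmouseover="alert(1)'


def render_comment_vulnerable(name: str, body: str) -> str:
    """Builds the markup by concatenation with no encoding at all.

    Whatever the user typed is emitted as markup, which is the defect the
    quoted guidance warns about. Kept deliberately unsafe for comparison.
    """
    return f'<div class="comment" data-author="{name}">{body}</div>'


def render_comment_safe(name: str, body: str) -> str:
    """Same markup, but every user-controlled value is entity-encoded first.

    quote=True also encodes the quote characters, which is what stops the
    display name from closing the data-author attribute and adding its own.
    """
    return (
        f'<div class="comment" data-author="{html.escape(name, quote=True)}">'
        f'{html.escape(body, quote=True)}</div>'
    )


class TagCollector(HTMLParser):
    """Records every start tag and its attribute names, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []    # tag names as the parser encounters them
        self.attrs = {}   # tag name -> list of attribute names seen on it

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, []).extend(name for name, _ in attrs)


def browser_view(rendered: str):
    """Parses rendered markup the way a browser would and returns
    (tags, attrs) so the two renderings can be compared objectively."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags, collector.attrs


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_comment_vulnerable),
                            ("safe", render_comment_safe)):
        tags, attrs = browser_view(renderer(SAMPLE_NAME, SAMPLE_COMMENT))
        print(f"{label:10s} tags={tags} attrs={attrs}")
```

In the unencoded rendering the parser reports a second element, `script`, and an extra `onmouseover` attribute on the `div`; in the encoded rendering it reports only the `div` with the two attributes the template intended. Checking rendered output with a parser rather than by eye is a cheap way to catch this class of bug in a test suite.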

Thursday, August 13, 2015

Fingerprints only ever part of the solution, whether Android or Apple

Fingerprint scanning on smartphones came under the spotlight at the Black Hat conference this year, with researchers highlighting vulnerabilities on certain Android devices, which places a question mark over the real security value of such biometric measures. FireEye researchers discovered that HTC smartphones were storing data from fingerprint scans, necessary to enable biometric security on the devices, as unencrypted .bmp image files where any attacker could easily find them. The researchers point out, for example, that the HTC One Max X device stored the fingerprint as /data/dbgraw.bmp with a 0666 permission setting, which equates to 'world readable', so any unprivileged process or app could read it at will. If that were not bad enough, every time the fingerprint sensor was used to unlock the handset or access a protected app, that bitmap file was refreshed. As a consequence, an attacker would be able to collect every swipe the user made, and so the chances of getting a good image that could be used for nefarious purposes were very high indeed. HTC says it was just the HTC One Max that was vulnerable, and that vulnerability has now been fixed. However, the FireEye researchers insist that the fingerprint sensors used by vendors including HTC and Samsung are vulnerable courtesy of the sensor being exposed to attackers. "Although the ARM architecture enables isolating critical peripherals from being accessed outside the TrustZone," they wrote, "most vendors fail to utilise this feature to protect fingerprint sensors." Specific handsets said to be at risk included the HTC One Max and Samsung Galaxy S5, and both HTC and Samsung along with other as yet unidentified vendors are said to have rolled out fixes for this issue as well.
However, with support for fingerprint scanners being incorporated into Android, and services such as Android Pay and Apple Pay utilising fingerprints to secure payments, the biometric sensors along with the data they collect are sure to come under increasing scrutiny from cyber-criminals. So, the question is: are fingerprints up to scratch in the world of mobile security?
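The /data/dbgraw.bmp finding comes down to a file permission check that any defender reviewing a device image or an app's private storage can automate. The following Python scanner is an added example and is not FireEye's tooling or HTC's code: it walks a directory, flags every regular file whose mode grants read access to 'other' (the 0666 case in the article, but 0644 too), and exercises itself against constructed sample files in a temporary directory. The file names, modes and function names are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def is_world_readable(mode: int) -> bool:
    """True when the 'other' read bit (0o004) is set in a st_mode value.

    0666 and 0644 both satisfy this; 0600 and 0640 do not.
    """
    return bool(mode & stat.S_IROTH)


def describe_mode(mode: int) -> str:
    """Renders only the permission bits, e.g. '0o666', for reporting."""
    return oct(stat.S_IMODE(mode))


def find_world_readable(root: str) -> list:
    """Walks root and returns sorted (relative path, octal mode) pairs for
    every regular file that any unprivileged user on the system could read.

    Symlinks are not followed (lstat) so a link out of the tree is not
    mistaken for a readable file inside it.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            if is_world_readable(st.st_mode):
                findings.append((os.path.relpath(full, root),
                                 describe_mode(st.st_mode)))
    return sorted(findings)


def demo() -> list:
    """Creates a throwaway directory of constructed files (names and modes
    are assumptions for this example, not what was on the device) and
    returns what the scanner flags."""
    samples = {
        "dbgraw.bmp": 0o666,   # world readable and writable: the reported defect
        "private.key": 0o600,  # owner only: must not be flagged
        "notes.txt": 0o644,    # world readable but not writable: still flagged
    }
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample content")
            os.chmod(path, mode)  # set explicitly so the umask does not matter
        return find_world_readable(root)


if __name__ == "__main__":
    for rel_path, mode in demo():
        print(f"world-readable: {rel_path} ({mode})")
```

Pointed at an application's private data directory copied off a test device, the scanner lists exactly the class of file the article describes: sensor output that any process on the handset could open. The mode bits are the check, not the file extension, because a world-readable file is a finding whatever it is called.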