Thursday, February 21, 2013

DDoS attack against small bank

What do you mean the website's down? Oh noes...

The number of companies that have been hit by DDoS attacks is simply astounding. Now cyber criminals are using a new twist on this old tactic. The "Bank of the West" and contracting firm "Ascent Builders" found out the hard way that DDoS attacks are now being used to cover up actual financial fraud and theft. The way it works is simple:

1) Hack an account through either social engineering or a software exploit
2) Access that account and give a fund transfer authorization
3) Initiate a DDoS attack against the institution, thus making the website unusable for the victim and the bank
4) Transfer the funds from the original account to another, then another, then another to prevent tracking
5) ???
6) Profit

Well, obviously that ??? isn't necessary, but who doesn't like a good joke. Unfortunately for Ascent Builders, this is not really a funny joke. From the article DDoS Attack on Bank Hid $900,000 Cyberheist:

But a law enforcement source working the case and speaking on condition of anonymity confirmed that the bank was subjected to a DDoS attack at the time of the robbery. The law enforcement official added that Ascent may not have been the only victim that day at Bank of the West, and that several other businesses and banks in the local area had been similarly robbed on or around Christmas Eve.


Unfortunately for these victims, the DDoS attack makes it incredibly hard for the FBI to sort through the traffic on the bank's website and identify the perpetrators. Sadly, these DDoS attacks can be mitigated, and you'd think that a financial institution would try harder to secure its website. From DDoS attack methods and how to prevent or mitigate them:

The easiest, although a costly way to defend yourself, is to buy more bandwidth. A denial of service is a game of capacity. If you have 10,000 systems sending 1 Mbps your way that means you’re getting 10 Gb of data hitting your server every second. That’s a lot of traffic. In this case, the same rules apply as for normal redundancy.


In addition, from: http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

Behind a [corrupt] Client is a person that orchestrates an attack. A Handler is a compromised host with a special program running on it. Each handler is capable of controlling multiple agents. An Agent is a compromised host that runs a special program. Each agent is responsible for generating a stream of packets that is directed toward the intended victim.

Attackers have been known to use these four programs to launch DDoS attacks:
Trinoo
TFN
TFN2K
Stacheldraht

In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts. The hosts are usually Linux and SUN computers; but, the tools can be ported to other platforms as well.

It goes on to say that there are ways to tell if a computer is infected with these programs, and to deny traffic from it based on that. These attacks can also be mitigated in other ways, such as:

1) Limiting the number of failed queries allowed by an ISP
2) Getting multiple DNS servers to help handle the increased load
3) Caching servers can also help, by sparing your servers from having to "exchange" even more information for every request
4) Setting up traffic management
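
As an added example (not from the original post or the quoted articles), this sketches the "limit queries per source" and traffic-management ideas from the list above: a per-source sliding-window rate limiter replayed over constructed web-server log lines. The window length and per-source limit are assumed policy values, not figures from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10  # sliding window length (assumed policy value)
LIMIT = 5            # requests one source may make inside a window (assumed)

# Apache/nginx "combined"-style line: ip ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')


def parse_line(line):
    """Return (source_ip, unix_time, request) for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group(1), ts, m.group(3)


def rate_limit(lines, window=WINDOW_SECONDS, limit=LIMIT):
    """Replay log lines in order; return (per-request decisions, dropped count per source)."""
    recent = defaultdict(deque)  # source ip -> timestamps still inside the window
    dropped = defaultdict(int)
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a malformed line must not crash the limiter
        src, ts, req = parsed
        q = recent[src]
        while q and ts - q[0] >= window:
            q.popleft()  # expire timestamps that fell out of the window
        if len(q) >= limit:
            dropped[src] += 1
            decisions.append((src, req, "drop"))
        else:
            q.append(ts)
            decisions.append((src, req, "allow"))
    return decisions, dict(dropped)


def _line(ip, sec, path):
    return f'{ip} - - [24/Dec/2012:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: one genuine customer, one flooding source, one junk line.
SAMPLE_LOG = ([_line("198.51.100.7", 0, "/login")]
              + [_line("203.0.113.5", 1, "/") for _ in range(8)]
              + ["this line is not a valid log entry"]
              + [_line("198.51.100.7", s, "/login") for s in (4, 9)])

if __name__ == "__main__":
    print(rate_limit(SAMPLE_LOG)[1])  # {'203.0.113.5': 3}
```

The genuine customer's three spaced-out requests are all allowed, while the flooding source is cut off after its fifth request in the window; in practice the same decision would be enforced upstream of the web server, since a flood that saturates the link is beyond what the server itself can filter.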

Google, as always, is a great resource, and googling "DDoS" or "how to prevent a DDoS" can get you valuable information. In addition, security websites like Dark Reading, or local security professionals, can help get you up to speed. These are just a few ways to educate yourself, and obviously people or businesses really serious about security should be contacting a professional to help them mitigate these attacks immediately.

The Rising Red Threat

China and the Rising Red Cyber Army

Recently we Americans saw the president sign a new executive order authorizing our security personnel to counterattack or preemptively attack threats to American cyber security. While we can definitely see wanting to protect our interests, why has this become a big enough issue that we've needed an executive order to protect us? Didn't the internet start out as a way for the US military to securely exchange information? Unfortunately we're long past that. Attacks are no longer just about money and trade secrets; now it's much more serious:

This is no longer a business issue. For years, victimized American companies preferred to keep quiet, lest they expose their vulnerabilities. But now the government is less comfortable with that silence because the hackers are targeting firms responsible for the American power grid, water supply, and other pieces of critical infrastructure. In one case, “one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America.”

From: http://www.newyorker.com/online/blogs/evanosnos/2013/02/china-hacking-and-north-korea.html#ixzz2LOBjbL3N

The fact that an attack from the internet could deny an area water or electricity, often a life or death matter, is simply unacceptable. This is why action is being taken. Most recently the Chinese have attacked the New York Times and other big American businesses. It used to be that firms wouldn't disclose an attack, as they believed it would make them look weak, and typically it was only firms with trade secrets the Chinese wanted. Now, however, it is obviously far worse. It's gotten bad enough that the cyber attacks have spilled over into the media, with the Chinese making a press statement with the following:

A Chinese ministry spokesperson said claims are "unfounded accusations based on preliminary results," and that "China resolutely opposes hacking actions and has established relevant laws and regulations, and taken strict law enforcement measures to defend against online hacking activities."


Many people don't believe this denial, for logical reasons. To have thousands of attacks come from the same area as a unit of P.L.A. cyber soldiers is a pretty big coincidence, especially in a country known for its "great firewall". The top security firm, the one that discovered where all the attacks came from, responded with:

Mandia even said, "China has a controlled Internet access, everything people do on the Internet is monitored there... So it's hard to believe ... that the Chinese government does not notice thousands of attacks coming from a neighborhood that happens to be co-located with Unit 61398, it's hard to believe they don't notice." Long story short: if China has laws that disallow these types of attacks, why hasn't it cracked down on cyber terrorists in the SAME AREA as its own cyber army?

The next few weeks should give us more and more clarity in terms of how the cyber war is going to shape up. I for one am hopeful that it's going to turn into a cold war... rather than Computer World War I.

Friday, February 15, 2013

Adobe drops the ball, again...

Feb. 15th 2013


The recent zero-day attacks on Adobe Reader and Acrobat have left many wondering, especially after the recent Flash Player exploit, whether Adobe is capable of making a secure product. FireEye, a private security firm, reported the malicious attack after observing it against multiple deployed versions of Adobe Reader: 9.5.3, 10.1.5 and 11.0.1. The attack bypasses the built-in sandbox, a mechanism developed to contain the Adobe program and limit its privileges.

The sandbox is being bypassed with a .pdf that loads two .dlls onto the target computer. The first opens Adobe Reader and displays a false error message; the second opens the malicious .pdf file in the background. At this point, the remote attacker is able to control some processes on the computer. The company is working quickly to address this, but they are not sure when a fix is going to be finished.

However, an Adobe representative noted that they are still investigating the breach, and there is no official way to deal with it at the moment. Security experts warn not to open any unknown PDF files at this time (not that it's EVER a good idea to open an unknown PDF). The part that shocked this author was the response to this hack even occurring:

Botezatu believes that bypassing the Adobe Reader sandbox is a difficult task, but he expected this to happen at some point because the large number of Adobe Reader installations makes the product an attractive target for cybercriminals. "No matter how much companies invest in testing, they still can't ensure that their applications are bug free when deployed on production machines,"

From: http://www.computerworld.com/s/article/9236751/Zero_day_PDF_exploit_affects_Adobe_Reader_11_and_earlier_versions_researchers_say?taxonomyId=17&pageNumber=2

The fact that this is just normal everyday business for an exploit that allows remote control of a system is shocking, and honestly, I'll be using Foxit Reader, Sumatra Reader, or another alternative since Adobe has been so slow in responding. Even now, they've responded to the hack with the following:

Adobe late yesterday confirmed that two "critical" newly discovered flaws -- CVE-2013-0640, CVE-2013-0641 -- in Adobe Reader and Acrobat XI (11.0.01 and earlier), Acrobat X (10.1.5 and earlier), and Acrobat 9.5.3 and earlier for both Windows and Macintosh could let an attacker wrest control of the victim's machine after crashing the application. The attacks send users an email with a rigged PDF file, bypass the sandbox feature in Adobe Reader 10, and bypass the Protected Mode sandbox in Reader XI.

The software vendor is working on an emergency fix; in the meantime, it recommends that users enable the Protected View setting in Adobe Reader XI and Acrobat XI for Windows.

Telling users to use Protected View is a good idea; however, the fact that it took this long for even a partial workaround is shocking. Another article, Thanks, Adobe. Protection for critical zero-day exploit not on by default, details how irresponsible this is:

Sadly, as sophisticated as the exploit is, Adobe engineers could have prevented it from succeeding against default configurations of Reader XI had they enabled protected view. Instead, they chose to turn that feature off by default, so the only way users can avail themselves of its benefits is to delve deep into the application settings and manually enable it.

I can't help comparing the move to a car manufacturer that installs airbags in one of its models, but then requires customers to flip a switch before the bags actually inflate during a high-impact crash. Security mitigations are great, but only if they're easily used by the masses.

I especially enjoy that second quote, because essentially it's true. Let's hope Ford doesn't do the same thing with its cars... and let's hope Adobe gives us a reason to have faith, because as it is, I'm just about out of it.

Thursday, February 14, 2013

President Obama's Cyber Soldiers

Legal Review of President's Cyber Authority: Can he protect us?

02/14/2013

The future of American security could rest on the president's shoulders, or at least, so a recent review of Obama's authority over cyber weapons would have us believe. However, while this may allow us to stave off large-scale attacks, similar to DDoS, how does a cyber attack stave off a virus that does not need a coordinated network of computers to function? Can it? This quote is from the article Broad Powers Seen for Obama in Cyberstrikes from the New York Times:

The rules will be highly classified, just as those governing drone strikes have been closely held. John O. Brennan, Mr. Obama’s chief counterterrorism adviser and his nominee to run the Central Intelligence Agency, played a central role in developing the administration’s policies regarding both drones and cyberwarfare, the two newest and most politically sensitive weapons in the American arsenal.

As you can see from the quote above, many details as to the president's authority, and by extension his ability to protect the public from attacks, are not public information. While secrecy does help in terms of not allowing our enemies to prepare, it cripples my confidence, and I would imagine the public's as well. The fact that the military is looking out for the public interest is touching, but how much can it do about rogue skilled hackers? The public needs to know, especially in terms of an open, shared resource like the internet, what the president is doing or planning on doing, so that we can give our approval of how that shared resource is treated. Having the non-specific details given to the public, or at least to something like the American IEEE, for feedback would be extremely comforting to the public in my opinion. Unfortunately, given the current state of affairs, there is no way for the public to educate themselves on American cyber-military protocols, because there isn't any real information on them. A quote from the Google News article US military review backs pre-emptive cyber strikes:

The military and top civilian officials examined scenarios for offensive cyber ops while updating "rules of engagement" for the armed forces, adding the digital realm to the standard battle areas of air, land, sea and space.

"They're trying to normalize cyber as a domain," the official added.


Even the military does not know how it's going to handle all of this at the moment; it's still finalizing its policies. While it is comforting that the military wants to protect us, having a public resource suddenly policed is going to be quite a shock. For example, what if we released a targeted virus on Chinese server clusters, and the virus didn't stay targeted? If a nasty virus created by the US got into the wild, what would be done about the damage? Would there be reparations? What if the US caused a large section of the internet to crash and fail? What if your small business was linked through that portion of the net? What would happen? Again from the New York Times:

While many potential targets are military, a country’s power grids, financial systems and communications networks can also be crippled. Even more complex, nonstate actors, like terrorists or criminal groups, can mount attacks, and it is often difficult to tell who is responsible. Some critics have said the cyberthreat is being exaggerated by contractors and consultants who see billions in potential earnings.

This type of attack could EASILY have collateral damage, so the question isn't really a what if, so much as a when. It's a question that we should all be concerned with, and that none of us really can afford to ignore. The better question here is not just what we can do to attack our enemies online, but how to protect ourselves from such attacks. I urge you to read up on modern issues, even if it's something as simple as reading Google technology news. Contact your senators or congressmen and let them know what you think. An informed country is a better country.