
Tag: Flooding

Twitch unleashes scorched-earth attack to unveil malicious spambot creator

PayPal, CloudFlare, Shaw, and Whois “are involved” in attacks, Twitch claims.

365squared launches 365analytics to the MNO market

Macau, China, 23 March 2017 - 365squared, a premier value added services enabler to the mobile network operator (MNO) community, today introduced 365analytics to its portfolio of services. 365analytics is a real-time detection and traffic analytics software featuring a continually updated intelligence based on 365squared’s global intelligence database.

The product complements any SMS firewall and includes a 24/7 management service. The software provides detection of spam, faking, flooding and spoofing, as well as... Source: RealWire

Explaining the upside and downside of D-Wave’s new quantum computer

2,000 qubits, more closely connected and ready to calculate.

New York approves a 90 MW wind farm off the coast...

On Wednesday, New York Governor Andrew Cuomo announced that the state had approved a 90 MW offshore wind farm to be installed off the coast of Long Island.

That would make what will be called the South Fork Wind Farm the biggest offshore wind farm in the US.

The announcement comes just a month after Block Island, a facility off the coast of Rhode Island, became the first ever commercial offshore wind farm in the US to transmit electricity in late 2016. Deepwater Wind, the company that installed the turbines off Block Island, will also be supplying the turbines for South Fork.
In a press release, the New York governor’s office wrote that the turbines will be placed 30 miles southeast of Montauk and “out of sight from Long Island’s beaches.” The press release added that South Fork will provide electricity for 50,000 Long Island homes. Two weeks ago, Governor Cuomo announced that New York would commit to installing 2.4 GW of offshore wind by 2030.

That comes just as the state announced that Indian Point, a 2 GW nuclear energy facility just north of New York City, would close by 2021.

The state of New York celebrated the closure of Indian Point, claiming that the plant was unsafe and too close to a major metropolitan area.

But critics of the move said it would be difficult for New York to replace all of that greenhouse-gas-free energy with renewable energy. In his statement today, Governor Cuomo reiterated that New York was pushing to have 50 percent of its energy come from renewable sources by 2030. Elizabeth Bibi, Deputy Director of Media Relations for the governor's office, cited Superstorm Sandy, a violent storm that rocked New York in 2012 with devastating flooding and power outages, as a reason to expedite updating New York’s grid with renewable power.
South Fork would "provide greater reliability and resiliency for a part of the country very familiar with extreme weather events and outages," Bibi said. According to the New York Times, the wind farm will be situated on a 256-square-mile parcel that’s leased from the federal government.
It will initially have 15 turbines but could support up to 200 turbines. The Times also noted that the project is expected to cost $740 million, down from an earlier projection of $1 billion, which Deepwater Wind will finance with loans and equity investments.

The Long Island Power Authority said it would purchase all of South Fork Wind’s output for 20 years—the renewable electricity is expected to cost rate payers an extra $1.19 a month on average.

The DDoS vigilantes trying to silence Black Lives Matter

“Through our e-mails and our social media accounts we get death threats all the time,” said Janisha Gabriel. “For anyone who’s involved in this type of work, you know that you take certain risks.” These aren’t the words of a politician or a prison guard but of a Web designer.

Gabriel owns Haki Creatives, a design firm that specializes in building websites for social activist groups like Black Lives Matter (BLM)—and for that work strangers want to kill her. When these people aren’t hurling threats at the site’s designer, they’re hurling attacks at the BLM site itself—on 117 separate occasions in the past six months, to be precise.

They’re renting servers and wielding botnets, putting attack calls out on social media, and trialling different attack methods to see what sticks.
In fact, it’s not even clear whether ‘they’ are the people publicly claiming to perform the attacks. I wanted to know just what it takes to keep a website like BlackLivesMatter.com online and how its opponents try to take it down. What I found was a story that involves Twitter campaigns, YouTube exposés, Anonymous-affiliated hacker groups, and a range of offensive and defensive software.

And it’s a story taking place in the background whenever you type in the URL of a controversial site.

BlackLivesMatter.com

Although the Black Lives Matter movement has been active since 2013, the group’s official website was set up in late 2014 after the shooting of Michael Brown in Ferguson, Missouri. Until that point, online activity had coalesced around the #BlackLivesMatter hashtag, but when the mass mobilizations in Ferguson took the movement into the public eye, a central site was created to share information and help members connect with one another. Since its creation, pushback against BLM has been strong in both the physical and digital world.

The BLM website was taken down a number of times by DDoS attacks, which its original hosting provider struggled to deal with.
Searching for a provider that could handle a high-risk client, BLM site admins discovered MayFirst, a radical tech collective that specializes in supporting social justice causes such as the pro-Palestinian BDS movement, which has similarly been a target for cyberattacks. MayFirst refers many high-profile clients to eQualit.ie, a Canadian not-for-profit organization that gives digital support to civil society and human rights groups; the group’s Deflect service currently provides distributed denial of service (DDoS) protection to the Black Lives Matter site.
In a report published today, eQualit.ie has analyzed six months’ worth of attempted attacks on BLM, including a complete timeline, attack vectors, and their effectiveness, providing a glimpse behind the curtain at what it takes to keep such a site running. The first real attack came only days after BLM signed up with Deflect.

The attacker used Slowloris, a clever but dated piece of software that can, in theory, allow a single machine to take down a Web server with a stealthy but insistent attack.

Billed as “the low bandwidth yet greedy and poisonous http client,” Slowloris stages a “slow” denial of service attack.
Instead of aggressively flooding the network, the program makes a steadily increasing number of HTTP requests but never completes them.
Instead, it sends occasional HTTP headers to keep the connections open until the server has used up its resource pool and cannot accept new requests from other legitimate sources. Elegant as Slowloris was when written in 2009, many servers now implement rules to address such attacks.
In this case, the attack on BLM was quickly detected and blocked.

But the range of attack attempts was about to get much wider.

Anonymous “exposes racism”

On May 2, 2016, YouTube channel @anonymous_exposes_racism uploaded a video called “Anonymous exposes anti-white racism.” The channel, active from eight months before this date, had previously featured short news clips and archival footage captioned with inflammatory statements (“Louis Farrakhan said WHITE PEOPLE DESERVE TO DIE”).

But this new video was original material, produced with the familiar Anonymous aesthetic—dramatic opening music, a masked man glitching across the screen, and a computerized voice speaking in a strange cadence: “We have taken down a couple of your websites and will continue to take down, deface, and harvest your databases until your leaders step up and discourage racist and hateful behavior.
Very simply, we expect nothing less than a statement from your leadership that all hate is wrong… If this does not happen we will consider you another hate group and you can expect our attention.” The “we” in question was presumably a splinter cell of Anonymous known as the Ghost Squad Hackers.

Three days previously, in a series of tweets on April 29, Ghost Squad’s self-styled admin “@_s1ege” claimed to have taken the BLM site offline.

Ghost Squad had a history of similar claims; shortly before this, it had launched an attack against a Ku Klux Klan website, taking it offline for a period of days.

Dr. Gabriella Coleman is an anthropologist and the author of Hacker, Hoaxer, Whistleblower, Spy, considered the foremost piece of scholarship on Anonymous. (She also serves as a board member of eQualit.ie.) She said that Ghost Squad is currently one of the most prolific defacement and DDoS groups operating under the banner of Anonymous, but she also noted that only a few members have ever spoken publicly. “Unless you’re in conversation with members of a group, it’s hard to know what their culture is,” said Coleman. “I could imagine hypothetically that a lot of people who use the Ghost Squad mantle might not be for [attacking Black Lives Matter] but also might not be against it enough to speak out. You don’t know whether they all actively support it or just tolerate it.” Just as with Anonymous as a whole, this uncertainty is compounded by doubts about the identity of those claiming to be Ghost Squad at any given time—a fact borne out by the sometimes chaotic attack patterns shown in the traffic analytics.

The April 29 attack announced by S1ege was accompanied by a screenshot showing a Kali Linux desktop running a piece of software called Black Horizon.

As eQualit.ie’s report notes, BlackHorizon is essentially a re-branded clone of GoldenEye, itself based on HULK, which was written as proof-of-concept code in 2012 by security researcher Barry Shteiman. All of these attack scripts share a method known as randomized no-cache flood, the concept of which is to have one user submit a high number of requests made to look like they are each unique.

This is achieved by choosing a random user agent from a list, forging a fake referrer, and generating custom URL parameter names for each site request.
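The request shape just described (a fresh query-parameter name, a rotating User-Agent and a forged referrer on every hit) is also what a defender can look for. The following is an added example, not code from the article or from eQualit.ie's report; it parses constructed combined-format access-log lines and flags clients whose traffic has that shape. The log lines, TEST-NET addresses and thresholds are all made up for the demonstration.

```python
"""Detect a randomized no-cache flood in a web server's access log.

Added example; it is not code from the article or from eQualit.ie's report.
It looks for the traffic shape the article attributes to HULK, GoldenEye
and BlackHorizon: one client whose requests each carry a query parameter
name it has never used before, while the User-Agent keeps changing.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    # Only the parameter names matter: a flood tool invents a fresh name per request.
    rec["params"] = [kv.split("=", 1)[0] for kv in query.split("&") if kv]
    return rec


def flood_suspects(lines, min_requests=10, novel_ratio=0.8, min_agents=3):
    """Return {ip: stats} for clients whose traffic looks like a no-cache flood.

    A client is flagged when it sent at least min_requests requests, at least
    novel_ratio of them introduced a query-parameter name that client had
    never used before, and it presented at least min_agents distinct
    User-Agent strings. The thresholds are constructed defaults; tune them
    against a site's own baseline before alerting on them.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "novel": 0,
                                  "agents": set(), "seen_params": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_ip[rec["ip"]]
        st["requests"] += 1
        st["agents"].add(rec["ua"])
        new_names = [p for p in rec["params"] if p not in st["seen_params"]]
        if new_names:
            st["novel"] += 1
            st["seen_params"].update(new_names)

    suspects = {}
    for ip, st in per_ip.items():
        if st["requests"] < min_requests:
            continue
        ratio = st["novel"] / st["requests"]
        if ratio >= novel_ratio and len(st["agents"]) >= min_agents:
            suspects[ip] = {"requests": st["requests"],
                            "novel_ratio": round(ratio, 2),
                            "agents": len(st["agents"])}
    return suspects


# Constructed sample traffic using TEST-NET addresses: one flooding client
# (203.0.113.5) rotating parameter names, referers and User-Agents, and one
# ordinary reader (198.51.100.7) paging through a section with one browser.
_AGENTS = ["Mozilla/5.0 (X11; Linux x86_64)", "Mozilla/5.0 (Windows NT 10.0)",
           "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11)", "Opera/9.80 (Windows NT 6.1)"]
_FLOOD_PARAMS = ["QTGWX", "hkl", "ZpQr", "mnOPq", "A1b2", "xyzw",
                 "Kdf", "uuv", "Rst", "gHj", "LMn", "oPq"]


def sample_log():
    """Build 12 flood requests and 12 ordinary requests as combined-format lines."""
    lines = []
    for i, name in enumerate(_FLOOD_PARAMS):
        lines.append('203.0.113.5 - - [10/Oct/2016:13:55:%02d +0000] "GET /?%s=%d HTTP/1.1" '
                     '200 5120 "http://referer-%d.example/" "%s"' % (i, name, i * 7919, i, _AGENTS[i % 4]))
    for i in range(12):
        lines.append('198.51.100.7 - - [10/Oct/2016:13:56:%02d +0000] "GET /news/?page=%d HTTP/1.1" '
                     '200 8192 "http://www.example.test/" "%s"' % (i, i % 3 + 1, _AGENTS[0]))
    return lines


if __name__ == "__main__":
    for ip, stats in flood_suspects(sample_log()).items():
        print(ip, stats)
```

On the constructed sample only the flooding client is reported; the reader repeating `page=` with one browser never crosses the novelty threshold.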

Randomizing the request this way tricks the server into thinking it must return a new page each time instead of serving up a cached copy, maximizing server load with minimum effort from the attacker. But once details of the Ghost Squad attack were published on HackRead, a flurry of other attacks materialized, many using far less effective methods. (At its most basic, one attack could be written in just three lines of Python code.) Coleman told me that this pattern is typical. “DDoS operations can attract a lot of people just to show up,” she said. “There’ll always be a percentage of people who are motivated by political beliefs, but others are just messing around and trying out whatever firepower they have.” One group had first called for the attack, but a digital mob soon took over.

Complex threats

Civil society organizations face cyberattacks more often than most of us realize.
It’s a problem that these attacks exist in the first place, of course, but it’s also a problem that both successful and failed attempts so often happen in silence. In an article on state-sponsored hacking of human rights organizations, Eva Galperin and Morgan Marquis-Boire write that this silence only helps the attackers. Without publicly available information about the nature of the threat, vulnerable users lack the information needed to take appropriate steps to protect themselves, and conversations around effective defensive procedures remain siloed. When I spoke to Galperin, who works as a global policy analyst at the Electronic Frontier Foundation, she said that she hears of a civil society group being attacked “once every few days,” though some groups draw more fire and from a greater range of adversaries. “[BLM’s] concerns are actually rather complicated, because their potential attackers are not necessarily state actors,” said Galperin. “In some ways, an attacker that is not a nation state—and that has a grudge—is much more dangerous. You will have a much harder time predicting what they are going to do, and they are likely to be very persistent.

And that makes them harder to protect against.” By way of illustration, Galperin points to an incident in June 2016 when prominent BLM activist Deray Mckesson’s Twitter account was compromised despite being protected by two-factor authentication.

The hackers used social engineering techniques to trick Mckesson’s phone provider into rerouting his text messages to a different SIM card, an attack that required a careful study of the target to execute. Besides their unpredictability, persistence was also a defining feature of the BLM attacks.

From April to October of this year, eQualit.ie observed more than 100 separate incidents, most of which used freely available tools that have documentation and even tutorials online. With such a diversity of threats, could it ever be possible to know who was really behind them?

Chasing botherders

One morning soon after I had started researching this story, a message popped up in my inbox: “Hello how are you? How would you like to prove I am me?” I had put the word out among contacts in the hacking scene that I was trying to get a line on S1ege, and someone had reached out in response. Of course, asking a hacker to prove his or her identity doesn’t get you a signed passport photo; but whoever contacted me then sent a message from the @GhostSquadHack Twitter account, used to announce most of the team’s exploits, a proof that seemed good enough to take provisionally. According to S1ege, nearly all of the attacks against BLM were carried out by Ghost Squad Hackers on the grounds that Black Lives Matter are “fighting racism with racism” and “going about things in the wrong way.” Our conversation was peppered with standard-issue Anon claims: the real struggle was between rich and poor with the media used as a tool to sow division and, therefore, the real problem wasn’t racism but who funded the media. Was this all true? It’s hard to know.
S1ege’s claim that Ghost Squad was responsible for most of the attacks on BLM appears to be new; besides the tweets on April 29, none of the other attacks on BLM have been claimed by Ghost Squad or anyone else.

To add more confusion, April 29 was also the date that S1ege’s Twitter account was created, and the claim to be staging Op AllLivesMatter wasn’t repeated by the main Ghost Squad account until other media began reporting it, at which point the account simply shared posts already attributing it to them. Despite being pressed, S1ege would not be drawn on any of the technical details which would have proved inside knowledge of the larger attacks. Our conversation stalled.

The last message before silence simply read: “The operation is dormant until we see something racist from their movement again.”

[Figure: Number of connections per day to the Black Lives Matter website. DDoS attacks are the massive spikes. Source: eQualit.ie]

Behind the mask

As eQualit.ie makes clear, the most powerful attacks leveraged against the BLM website were not part of the wave announced back in April by Ghost Squad.
In May, July, September, and October, a “sophisticated actor” used a method known as WordPress pingback reflection to launch several powerful attacks on the site, the largest of which made upwards of 34 million connections. The attack exploits an innocuous feature of WordPress sites, their ability to send a notification to another site that has been linked to, informing it of the link.

The problem is that, by default, all WordPress sites can be sent a request by a third party, which causes them to give a pingback notification to any URL specified in the request.

Thus, a malicious attacker can direct hundreds of thousands of legitimate sites to make requests to the same server, causing it to crash. Since this attack became commonplace, the latest version of WordPress includes the IP address requesting the pingback in the request itself. Here’s an example:

WordPress/4.6; http://victim.site.com; verifying pingback from 8.8.4.4

Sometimes these IP addresses are spoofed—for illustration purposes, the above example (8.8.4.4) corresponds to Google’s public DNS server—but when they do correspond to an address in the global IP space, they can provide useful clues about the attacker. Such addresses often resolve to “botherder” machines, command and control servers used to direct such mass attacks through compromised computers (the “botnet”) around the globe.

In this case, the attack did come with clues: five IP addresses accounted for the majority of all botherder servers seen in the logs.

All five were traceable back to DMZHOST, an “offshore” hosting provider claiming to operate from a “secured Netherland datacenter privacy bunker.” The same IP addresses have been linked by other organizations to separate botnet attacks targeting other groups.

Beyond this, the owner is, for now, unknown. (The host’s privacy policy simply reads: “DMZHOST does not store any information / log about user activity.”) The eQualit.ie report mentions these details in a section titled “Maskirovka,” the Russian word for military deception, because hacking groups like Ghost Squad (and Anonymous as a whole) can also provide an ideal screen for other actors, including nation-states. Like terrorism or guerrilla combat, DDoS attacks and other online harassment fit into a classic paradigm of asymmetrical warfare, where the resources needed to mount an attack are far less than those needed to defend against it.

Botnets can be rented on-demand for around $60 per day on the black market, but the price of being flooded by one can run into the hundreds of thousands of dollars. (Commercial DDoS protection can itself cost hundreds of dollars per month. eQualit.ie provides its service to clients for free, but this is only possible by covering the operating costs with grant funding.) The Internet had long been lauded as a democratizing force where anyone can become a publisher.

But today, the cost of free speech can be directly tied to the cost of fighting off the attacks that would silence it.

Corin Faife is a freelance journalist writing on the intersection of technology and politics. You can find him in one of the many bars of Montreal, Canada, or on Twitter at @corintxt.

Can ISPs step up and solve the DDoS problem?

Apply best routing practices liberally. Repeat each morning

Solve the DDoS problem? No problem. We’ll just get ISPs to rewrite the internet.
In this interview Ian Levy, technical director of GCHQ’s National Cyber Security Centre, says it’s up to ISPs to rewrite internet standards and stamp out DDoS attacks coming from the UK.
In particular, they should change the Border Gateway Protocol, which lies at the heart of the routing system, he suggests. He’s right about BGP.
It sucks.

ENISA calls it the “Achilles’ heel of the Internet”.
In an ideal world, it should be rewritten.
In the real one, it’s a bit more difficult. Apart from the ghastly idea of having the government’s surveillance agency helping to rewrite the Internet’s routing layer, it’s also like trying to rebuild a cruise ship from the inside out. Just because the ship was built a while ago and none of the cabin doors shut properly doesn’t mean that you can just dismantle the thing and start again.
It’s a massive ship and it’s at sea and there are people living in it. In any case, ISPs already have standards to help stop at least one category of DDoS, and it’s been around for the last 16 years.

All they have to do is implement it.

Reflecting on the problem

Although there are many subcategories, we can break down DDoS attacks into two broad types.

The first is a direct attack, where devices flood a target with traffic directly. The second is a reflected attack. Here, the attacker impersonates a target by sending packets to another device that look like they’re coming from the target’s address.

The device then tries to contact the target, participating in a DDoS attack that knocks it out. The attacker fools the device by spoofing the source of the IP packet, replacing their IP address in the packet header’s source IP entry with the target’s address.
It’s like sending a letter in someone else’s name.

The key here is amplification: depending on the type of traffic sent, the response sent to the target can be an order of magnitude greater. ISPs can prevent this by validating source addresses and using anti-spoofing filters that stop packets with incorrect source IP addresses from entering or leaving the network, explains the Mutually Agreed Norms for Routing Security (MANRS).

This is a manifesto produced by a collection of network operators who want to make the routing layer more secure by promoting best practices for service providers.

Return to sender

One way to do this is with an existing standard from 2000 called BCP 38. When implemented in network edge equipment, it checks to see whether incoming packets contain a source IP address that’s approved and linked to a customer (eg, within the appropriate block of IPs).
If it isn’t, it drops the packet.
Simple.
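The reflected-attack mechanics and the BCP 38 check described above come together in the following added example, which is not code from the article or from MANRS. It models a provider's customer edge: each customer interface has assigned prefixes (hypothetical names and documentation-range addresses), a packet is accepted only if its source lies in its own interface's prefixes, and a border-egress check covers the "leaving the network" direction. The sample packets include one that forges the reflection target's address as its source.

```python
"""BCP 38 style source-address validation at a provider's customer edge.

Added example; it is not code from The Register article or from MANRS. It
models the check the article describes: a packet arriving on a
customer-facing interface is accepted only if its source address falls in
a prefix assigned to that customer. Anything else is the spoofed traffic
that reflected and amplified DDoS attacks depend on, and is dropped. A
border-egress check is included too, since the article notes the filter
applies to packets entering or leaving the network.
"""
import ipaddress
from collections import Counter

# Constructed assignments: customer interface -> prefixes that customer may
# source traffic from. Interface names and documentation-range prefixes are
# hypothetical.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/26")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("2001:db8:100::/48")],
}


def _in_any(addr, prefixes):
    return any(addr.version == p.version and addr in p for p in prefixes)


def ingress_allowed(interface, src):
    """True if src is a valid source for a packet arriving on interface (BCP 38 ingress)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source: drop
    return _in_any(addr, CUSTOMER_PREFIXES.get(interface, []))


def egress_allowed(src):
    """True if a packet leaving toward the Internet carries one of the provider's own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(_in_any(addr, prefixes) for prefixes in CUSTOMER_PREFIXES.values())


def filter_packets(packets):
    """Apply the ingress check to (interface, src, dst) triples.

    Returns (accepted, dropped) where dropped counts rejected packets per
    interface, which is what an operator would graph to find a customer
    port that is emitting spoofed traffic.
    """
    accepted = []
    dropped = Counter()
    for iface, src, dst in packets:
        if ingress_allowed(iface, src):
            accepted.append((iface, src, dst))
        else:
            dropped[iface] += 1
    return accepted, dropped


# Constructed packets. 192.0.2.77 plays the reflection target: a customer on
# ge-0/0/1 forges it as source in a DNS query so the reply lands on the
# target instead of on the sender.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.10", "192.0.2.53"),       # customer's own address: accept
    ("ge-0/0/1", "192.0.2.77", "192.0.2.53"),         # spoofed target address: drop
    ("ge-0/0/2", "198.51.100.5", "192.0.2.53"),       # second customer, own address: accept
    ("ge-0/0/2", "2001:db8:100::1", "2001:db8::53"),  # IPv6 in the assigned block: accept
    ("ge-0/0/2", "203.0.113.10", "192.0.2.53"),       # another customer's address: drop
    ("ge-0/0/9", "203.0.113.10", "192.0.2.53"),       # interface with no assignment: drop
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    print("accepted:", len(accepted), "dropped per interface:", dict(dropped))
```
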

Corero COO & CTO Dave Larson adds, “If you are not following BCP 38 in your environment, you should be.
If all operators implemented this simple best practice, reflection and amplification DDoS attacks would be drastically reduced.” There are other things that ISPs can do to choke off these attacks, such as response rate limiting.

Authoritative DNS servers are often used as the unwitting dupe in reflection attacks because they send more traffic to the target than the attacker sends to them.

Their operators can limit the number of responses using a mechanism included by default in the BIND DNS server software, for example, which can detect patterns in incoming traffic and limit the responses to avoid flooding a target.

The Internet of Pings

We’d better sort this out, because the stakes are rising.

Thanks to the Internet of Things, we’re seeing attackers forklift large numbers of dumb devices such as IP cameras and DVRs, pointing them at whatever targets they want. Welcome to the Internet of Pings. We’re at the point where some jerk can bring down the Internet using an army of angry toasters.

The vast range of source IP addresses also makes it more difficult for ISPs to detect and solve the problem. We saw this with the attack on Dyn in late October, which could well be the largest attack ever at this point, hitting the DNS provider with pings from tens of millions of IP addresses.

Those claiming responsibility said that it was a dry run. Bruce Schneier had already reported someone rattling the Internet’s biggest doors. “What can we do about this?” he asked. “Nothing, really.” Well, we can do something. We can implore our ISPs to pull their collective fingers out and start implementing some preventative technology. We can also encourage IoT manufacturers to impose better security in IoT equipment. Let’s get to proper code signing later, and start with just avoiding the use of default login credentials first. When a crummy malware strain like Mirai takes down half the web using nothing but a pre-baked list of usernames and passwords, you know something’s wrong. How do we persuade IoT vendors to do better? Perhaps some government regulation is appropriate.
Indeed, organizations are already exploring this on both sides of the pond. Unfortunately, politicians move like molasses, while DDoS packets move at the speed of light.
In the meantime, it’s going to be up to the gatekeepers to solve the problem voluntarily.

Lad cuffed after iOS call exploit knocks out Arizona 911 center

Meet's L337 feat brings heat

An Arizona teen is facing three felony tampering charges after the cops said code he wrote to exploit an iOS security hole downed a 911 call center.

According to the Maricopa County Sheriff's Office, 18-year-old Meetkumar ("Meet") Hiteshbhai Desai found a vulnerability in Apple's mobile operating system and crafted a proof-of-concept exploit to prove it. However, that tool wound up flooding an emergency call center with more than 100 hang-up calls within a "matter of minutes" earlier this week, it is alleged.

It all started when Desai and a friend found a way to remotely spawn pop-up alerts, open installed applications, or start a phone call on a victim's iThing, it is claimed. Hoping to cash in on Apple's bug bounty program, the pair set up a webpage that exploits the flaw as their proof-of-concept, we're told. They then directed Desai's Twitter followers to click on a link to that booby-trapped page and, according to the police, launch the exploit from Desai's own website, meetdesai.com, which has since been taken down. Desai also, apparently, spread the link via his YouTube channel, "The Hackspot."

It's alleged that Desai's webpage caused phones to dial emergency numbers that the callers couldn't hang up. As a result, police say, those who clicked on the links unintentionally ended up flooding 911 centers in and around the Phoenix, Arizona, area with calls. Apparently, Desai meant to upload a script that simply opened a pop-up alert on the handhelds. Desai describes himself as an iOS developer and a jailbreak theme tweaker.

"Meet stated that although he did add that feature to the bug he had no intention of pushing it out to the public, because he knew it was illegal and people would 'freak out'," the office said. "Meet stated that he may have accidentally pushed the harmful version of the (911) bug out to the Twitter link instead of the less-annoying bug that only caused pop-ups, dialing to make peoples' devices freeze up and reboot."

The flood of calls from smartphones and tablets was eventually traced to Desai's personal site hosted in San Francisco, California; the cops managed to get the plug pulled on the site. The teen was arrested, taken to jail, and booked on three charges of computer tampering. A search warrant was also carried out at his home.

"MCSO Cyber Crimes Unit makes arrest on attack reference 911 system, read more https://t.co/K0WD4F6Y2h pic.twitter.com/iJIsp7YpZW" — @SgtJEnriquez (@DeputyEnriquez), October 27, 2016

No word was given on whether he will be able to collect the bug bounty from Apple.

Boffins exploit Intel CPU weakness to run rings around code defenses

Branch buffer shortcoming allows hackers to reliably install malware on systems

US researchers have pinpointed a vulnerability in Intel chips – and possibly other processor families – that clears the way for circumventing a popular operating-system-level security control.

ASLR (address space layout randomization) is widely used as a defense against attempts by hackers to exploit software vulnerabilities to take control of computers. By randomising the locations of kernel and application components in memory, ASLR limits the ability for evil code, injected into a system, to reliably exploit programming flaws to hijack the attacked application or operating system. Hackers need to know where key components lie in memory in order to successfully exploit a bug, a process that ASLR frustrates.

For example, take a booby-trapped PNG file that exploits a bug in an image editor. The software opens the PNG and is tricked into handing control of the processor to code smuggled within the picture – but the exploit code is now running blind. It cannot assume the location of key components that are needed to pivot from basic exploitation to a full compromise of the application and, next, the whole system. ASLR has juggled the libraries and other dependencies around at random, so an algorithm is needed to work out where things have been hidden.

The Intel chip flaw can be abused by hackers to bypass this protection, thus ensuring their attacks are much more effective. In order to pull off this technique, miscreants must be able to at least start running their malicious code within an application or operating system on the target machine – this isn't a remote attack, it's a local attack.

The hack takes advantage of the CPU's branch target buffer, a mechanism present in many microprocessor architectures including Intel Haswell CPUs. Exploiting the buffer was demonstrated by the researchers on a Haswell-powered PC running Linux, and this attack is potentially effective against other platforms.

The BTB provides a history of branches taken by the processor as it runs through its code: after the CPU is told to make a decision, it usually jumps to another part of the program based on the outcome of that decision. For example, if something fetched from memory has a value greater than zero, then jump to location A or jump to location B if not. If a jump location is in the history buffer then the CPU knows this branch is usually taken so can start priming itself with instructions from the jump landing point. That means branches routinely taken execute with minimal delay.

By flooding the BTB with a range of branch targets, hackers can observe the BTB refilling with values of regularly taken jumps. This allows the miscreants to work out where in memory the operating system has randomly placed the application's vital components. It takes a few tens of milliseconds to perform, we're told. The eggheads say this allows an “attacker to identify the locations of known branch instructions in the address space of the victim process or kernel.” Their research, Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR, by boffins at State University of New York at Binghamton and the University of California, Riverside, can be found here [PDF].

Alfredo Pironti, senior security consultant at IOActive, said the vulnerability shows that the security of physical IT (including chips) needs to be considered alongside more commonplace and less esoteric software flaws. “Software isn’t always the easiest point of entry, particularly for those hackers that have a deeper knowledge of hardware and its vulnerabilities,” said Pironti, who added that the ASLR bypass attack is an example of a hardware side-channel attack, an already recognised class of assault.

“These attacks are often more expensive and time consuming to conduct, compared to classical software attacks,” Pironti explained. “Usually they also have stricter conditions, such as running a specific software on the victim’s machine and being able to collect CPU metrics. However, this doesn’t mean that we shouldn’t be vigilant. Cybercriminals are more sophisticated, well-funded and – worst of all – patient than ever before, and are always looking for new and surprising ways to infiltrate.

“This is why it is vital that companies have their chips pen-tested during the development stage, as the cost and complexity of remediating an attack of this kind is enormous,” Pironti concluded.

Telnet, SSH prod of death smashes Cisco broadband boxes offline

Plus: Log into a stranger's Cisco Meeting account and chat away as them

Cisco has issued six software updates to address security vulnerabilities in its networking products, ranging from denial of service conditions to authentication bypasses. The most serious of the flaws is the authentication bypass hole in the Cisco Meeting Server.

Cisco warns that, due to improper handling of XMPP messaging, a remote unauthenticated attacker could exploit the vulnerability to gain access to another user's account, and log in to the server with their permissions and chat away as them.

The vulnerability, which is exposed in Meeting Server versions 2.0.6 and earlier with XMPP enabled, has been rated as a "critical" risk.

On the Unified Communications Manager (UCM) platform, a patch has been issued to address poor handling of iframe code that potentially allows an attacker to re-route user traffic for clickjacking or phishing attacks.

For companies running Wide Area Application Services (WAAS), Cisco has posted an update to address a denial of service vulnerability in the WAN platform.

An attacker can exploit the flaw by flooding the vulnerable appliances with SSL traffic, thanks to a lack of file size limits.

The Cisco cBR-8 Converged Broadband Routers have been found to contain a flaw that allows an attacker to disrupt connections by constantly pinging the router with Telnet and SSH connection requests.

Those who use the Cisco Prime Infrastructure and Evolved Programmable Network Manager for SQL will want to patch up a SQL injection flaw that allowed an attacker to use SQL queries to access stored data or trigger a denial of service.

The Cisco Finesse Agent remote administration software has been updated with a fix for a cross-site request forgery. Should an attacker exploit the flaw via a malicious link, the attacker would have access to the target system with the current user's permissions.

Cisco says it is not aware of any attacks in the wild targeting any of the patched vulnerabilities. ®

JSA10762 – 2016-10 Security Bulletin: Junos: IPv6 denial of service vulnerability...

2016-10 Security Bulletin: Junos: IPv6 denial of service vulnerability due to resource exhaustion (CVE-2016-4921)

Product Affected: This issue can affect any product or platform running Junos OS with IPv6 enabled.

Problem: By flooding a router with specially crafted IPv6 traffic, all available resources can be consumed, leading to the inability to store next hop information for legitimate traffic. In extreme cases, the crafted IPv6 traffic may result in a total resource exhaustion and kernel panic. The issue is triggered by traffic destined to the router. Transit traffic does not trigger the vulnerability. This issue only affects devices with IPv6 enabled and configured.

Devices not configured to process IPv6 traffic are unaffected by this vulnerability. This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue has been assigned CVE-2016-4921.

Solution: The kernel panic (PR 1017099) has been addressed in Junos OS 11.4R13, 12.1X44-D45, 12.1X46-D30, 12.1X47-D20, 12.3R9, 13.3R5, and all software releases listed below. However, a more complete IPv6 resource management improvement (PR 1037225) has addressed these resource exhaustion issues in the following software releases: 12.3X48-D30, 13.3R10*, 14.1R8, 14.1X53-D40, 14.2R6, 15.1F2-S5, 15.1F5-S2, 15.1F6, 15.1R3, 15.1X49-D40, 15.1X53-D70, 16.1R1, and all subsequent releases.

The two fixes for this issue are being tracked as PRs 1037225 and 1017099, which are visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

*Available end of Q4/2016.

Workaround: Limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via IPv6 only from trusted, administrative networks or hosts.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2016-10-12: Initial publication

Related Links:

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level: High

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

DDoS attacks: For the hell of it or targeted – how...

Cloud-based DDoS defences introduce delays

Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them? Originally, out-of-band or scrubbing-centre DDoS protection was the only show in town, but another approach, inline mitigation, provides a viable and automatic alternative. DDoS attacks can be massive, in some cases reaching hundreds of Gbits/sec, but those mammoths are relatively rare.

For the most part, attackers will flood companies with around 1 Gbit/sec of traffic or less.

They’re also relatively short affairs, with most attacks lasting 30 minutes or less.

This enables attackers to slow down computing resources or take them offline altogether while flying under the radar, making it especially difficult for companies to detect and stop them. This shows up in industry statistics.
In May 2015 the Ponemon Institute published a report on cyberthreats in the financial industry that found it took an average of 27 days for financial institutions to detect a denial of service attack.

Then, it took 13 days to mitigate it. These attacks are often highly costly.

Another Ponemon report showed an average cost of $1.5m in DDoS costs, almost a third of which was down to the cessation of customer-facing services. Yet a DDoS attack costs about $38 per hour (PDF) to mount on average.

Time to get some protection, then.

Inline vs out-of-band

The industry initially evolved with out-of-band DDoS protection.
In this model, the appliance sits on the network independently of the router that is passing through traffic from the Internet.

The router will send samples of metadata describing that traffic to the appliance, which then raises the alert if it detects suspicious packets that point to an emerging DDoS attack. Conversely, in-band DDoS protection puts itself in front of the firehose, sitting directly in the stream of traffic, analysing it, processing it, and determining whether to drop the attack traffic or pass the good user traffic along. Inline systems see the traffic on its way from one point on the network to another, enabling them to filter and process traffic in real time.

Conversely, out-of-band appliances are seeing sparse samples of traffic that is already being passed to its destination. “Out-of-band analysis allows for more complex analysis of traffic without impacting traffic flow, however there is a delay between the detection of an attack and the application of rules to defend against it,” explained Nick LeMesurier, security consultant at consulting firm MWR Infosecurity.

For this reason, out-of-band solutions tend to react more slowly to DDoS patterns.

They also aren’t in a position to do anything about it themselves, but must alert another system to take action. Dave Larson, COO and CTO at Corero Network Security, explains: “Deploying an in-line, automatic DDoS mitigation solution allows security teams to stay one step ahead of attackers.

By the time traffic is swung over to an out-of-band DDoS mitigation service, usually after at least 30 minutes of downtime, the damage has already been done.

To keep up with the growing problem of increasingly sophisticated and damaging DDoS attacks, effective solutions need to automatically remove the threats as they occur and provide real-time visibility into the network.”

Commercial issues

Redirection is a key feature in out-of-band systems, said Nathan Dornbrook, chief technology officer at IT and security consulting firm ECS. Traffic must be redirected from the router to the DDoS appliance so that it can conduct a deep-dive packet analysis, he explains.

If you’re a big company and you have two ISPs instead of one for load balancing purposes, that redirection entails one service provider letting the other one inject routes into its core, he warned, calling it a “big no-no”. “It can cause instability to let one of your competitors screw with your routing tables,” he warned. “In addition you’re talking about carrying a lot of bad traffic across your core.” All that creates headaches for the service providers and the customer, who just wants to secure their traffic.

Handling sophisticated attacks

Inline mitigation has developed as a worthy alternative, but this too can be implemented in different ways, points out Dornbrook. “There are other guys that do DDoS protection where they have a content distribution network and some kind of filtering capability and they filter the traffic and pass it on to you and they do it inline,” he said. “Those services definitely have a role to play but they’re better for smaller customers.”

In its paper on withstanding DDoS attacks, the SANS Institute points out that cloud-based services may not protect companies as readily from "low and slow" DDoS attacks, in which incoming packets consume server resources as a way to starve out legitimate traffic without heavily flooding the network. These attacks, typified by attack tools like RUDY and Slowloris, focus on bringing a target down quietly by creating a relatively low number of connections over time.

They will often operate at the application level of the network stack, which is layer seven in the OSI model. “The layer seven attacks are the ones that are the trickiest to pick up on because they tend to exploit weaknesses that are architected into systems when the site is developed,” said Andy Shoemaker, CEO at DDoS research and simulation consulting firm Nimbus DDoS. “It may not use up the network resources but it uses the compute resources.
It hits the database, authentication services and so on.” These attacks can be particularly troublesome, as attackers can bring down a web server unobtrusively, sometimes with a single machine, making these attacks easily mountable and difficult to detect.

In addition to these concerns, cloud-based DDoS services, which are by definition out-of-band, can also introduce delays in protection, which can result in service outages, the SANS paper warns.

If you’re planning an inline solution, you’ll want to be sure that you can scale it to suit your traffic needs. Performance is critical, as any inline solution with performance limitations could itself be exploited and become a traffic bottleneck. Right-sizing your traffic flow is a must-have skill here.
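The "low and slow" pattern described above is exactly the kind of attack that a bandwidth threshold never sees, because the defining signal is not bytes per second but many long-lived, nearly idle connections that never complete a request. The detector below is an added example written for this article, not code from SANS, Nimbus DDoS or any product it mentions. It works on per-connection records of the sort an inline device (or a web server's own connection log) can produce; the sample records and the thresholds are constructed assumptions for illustration.

```python
"""Detect 'low and slow' application-layer DoS from per-connection records
(added example; sample data and thresholds are constructed, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str           # client address
    duration_s: float  # how long the connection stayed open
    bytes_in: int      # bytes the client actually sent
    completed: bool    # did the client ever finish a full request?


# Constructed sample: a normal browser, a fast legitimate API client, and one
# slow-HTTP style source holding many connections open with a trickle of bytes.
SAMPLE = (
    [Conn("198.51.100.7", 0.4, 900, True) for _ in range(6)]
    + [Conn("198.51.100.9", 0.05, 300, True) for _ in range(40)]
    + [Conn("203.0.113.5", 240.0, 64, False) for _ in range(150)]
)


def resource_profile(conns):
    """Per-source totals of bytes (network cost) and connection-seconds
    (server-side cost: sockets, worker threads, per-request state)."""
    prof = defaultdict(lambda: {"bytes": 0, "conn_seconds": 0.0, "connections": 0})
    for c in conns:
        p = prof[c.src]
        p["bytes"] += c.bytes_in
        p["conn_seconds"] += c.duration_s
        p["connections"] += 1
    return dict(prof)


def flag_slow_sources(conns, min_conns=20, min_duration_s=30.0,
                      max_bytes_per_s=5.0, min_incomplete_ratio=0.8):
    """Return {src: stats} for sources whose connections are numerous,
    long-lived, nearly idle, and mostly never finish a request.

    Each axis alone produces false positives (keep-alive browsers are
    long-lived, large uploads are numerous and slow per byte); it is the
    combination that isolates Slowloris/RUDY style behaviour."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)

    flagged = {}
    for src, cs in by_src.items():
        n = len(cs)
        if n < min_conns:
            continue
        total_time = sum(c.duration_s for c in cs)
        avg_dur = total_time / n
        rate = sum(c.bytes_in for c in cs) / total_time if total_time > 0 else float("inf")
        incomplete = sum(1 for c in cs if not c.completed) / n
        if (avg_dur >= min_duration_s and rate <= max_bytes_per_s
                and incomplete >= min_incomplete_ratio):
            flagged[src] = {"connections": n, "avg_duration_s": avg_dur,
                            "bytes_per_s": rate, "incomplete_ratio": incomplete}
    return flagged


if __name__ == "__main__":
    for src, p in resource_profile(SAMPLE).items():
        print(f"{src:14} bytes={p['bytes']:6} conn_seconds={p['conn_seconds']:8.1f}")
    for src, stats in flag_slow_sources(SAMPLE).items():
        print(f"FLAG {src}: {stats}")
```

In the constructed sample the slow source sends fewer bytes per second than either legitimate client, so a volumetric view ranks it as harmless; it is only the connection-seconds column and the incomplete-request ratio that expose it. The same records are what an inline device sees in real time, whereas sampled flow metadata exported to an out-of-band appliance typically carries neither request completion nor accurate connection lifetime, which is the practical reason such attacks slip past sampling-based detection.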

Choose a line-rate solution that you can cluster to increase performance. And hopefully, some jerk won’t be able to take your company down for profit – or just for the hell of it.

35,000 ARRIS cable modems at risk from firmware dumper bot

Backdoor-within-a-backdoor enables significant naughtiness

Hackers have exploited a back door in more than 35,000 ARRIS modems, making off with firmware and certificates, according to security researcher Bernardo Rodrigues. ARRIS makes cable modems and associated home networking kit.
It recently shipped a patch to address a 2015 zero day which at the time of disclosure impacted 600,000 ARRIS modems. The remaining as-yet-unpatched modems are located across the United States, Mexico, and Brazil, but the number of infected devices could be much higher, according to Rodrigues, since the Luabot malware used in the attacks shutters external access to lock out rival attackers and researchers.

Rodrigues identified the vulnerability, which involved twin flaws, essentially a backdoor in a backdoor. His bug took the form of a shell within a hidden administrator feature that used a hardcoded password based on a known seed. Hackers could enter the default SSH root user password of 'arris' and then punch in the password of the day in the subsequent spawned mini_cli shell. The second-tier backdoor was based on the modem's serial number and was initially hosed-down by Arris as a low-risk flaw.

Professional box-popper Rodrigues cooked up a keygen, complete with a chiptune, which would generate passwords for the backdoor-backdoor. He now says VXers have been exploiting the vulnerability using the LuaBot malware, first detailed earlier this month by Hendrik Adrian, author of industry blog Malware Must Die.

"I received some reports that malware creators are remotely exploiting those devices in order to dump the modem's configuration and steal private certificates," Rodrigues says. "Some users also reported that those certificates are being sold for Bitcoin to modem cloners all around the world. "The report from [Adrian] also points that the LuaBot is being used for flooding and Distributed denial of service attacks."

Luabot has a detection rating on Virus Total of three from 55 anti-virus engines. The Luabot author told known French security researcher x0rz he was a programmer not affiliated with any hacking group.
He says he does not like the attention on his malware and says reverse engineers often bork analysis due to cross-pollination with other infections on routers. The hacker has included comments of "happy reversing" in his binaries as a note to security researchers, and claims he is not attempting to cause harm to router owners. "Internet-of-things botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices and firmware, and the final user has to keep his home devices patched and secured," Rodrigues says. ®