Monthly Archives: June 2012

Everyone’s talking about DDoS: Part One

Too much of anything is a bad thing. Too much sleep, too many drinks of cola, too much bad TV… even too much time at the gym, well, it’s not good. Excessiveness is just that: surplus to what is ideal, desirable and manageable.

In the IT sector, one of the things we can all do without is the distributed denial of service (DDoS) attack. Granted, it is surplus to requirements: malicious, no part of anything we do, something we never thought we’d have to contend with, a mutation that threatens network security and viability. But it’s part of life.

DDoS attacks embody the notion of digital gluttony: their modus operandi is predicated on disproportionate traffic as a means of disrupting and immobilising systems.

Such a bane is DDoS to industry that in a Ponemon Institute study entitled the Impact of Cybercrime on Business Report, IT professionals ranked it as one of the preeminent menaces to security. In the US, it is listed as the number one concern.

With news that Check Point Software Technologies Ltd has produced the first in a number of solutions to protect businesses from DDoS attacks – in short, the “appliance sits in front of an organization’s perimeter gateway and cleans the traffic from DDoS attacks before it reaches the main security gateway” – we thought we would look at some discussion points in this very topical subject matter.

Let’s start with controversy at its most extreme. In the Netherlands, D66, a political party that has a modest but nevertheless significant ten seats in the Dutch House of Representatives, five in the country’s Senate and three within the European Parliament, wants DDoS legalised. Yes, you read that correctly.

In its new election manifesto, the party, which has been in existence since 1966, regards some such attacks as done in the spirit of protest: digital remonstrations, hacktivism as we understand it. Now, they’re not calling for free rein, but for DDoS to be regulated, much as real-life protests are.

InfoSecurity reports that the idea draws its credibility from a distinction. Where DDoS attacks are carried out merely to disrupt the online services of a business, like blocking the doors of, for example, a prominent supermarket, that falls within the law as D66 would have it.

Where such attacks go deeper, actually breaking into the servers of that business, where sensitive information can be elicited, well, so argues D66, that is a line too far. Like, perhaps, protestors heading into the supermarket and destroying products and stealing money out of a till.

It’s certainly a shot in the dark, a wild suggestion, but one that is good for debate. We often need contrary, leftfield opinions to air themselves, not because we agree with them, but because they help us come up with ideas and solutions that were previously unattainable. In true Socratic style, we leave you with that brilliantly provocative theme to mull over in the interim, as we return with part two of this feature soon.

Google’s insight into online attacks

Google matters. It is central to most people’s lives, a steadfast friend whose counsel is invaluable, whose knowledge is like the never-ending expanse of space, a trusty source to consult for information, facts, and entertainment.

Marissa Mayer, the American multinational company’s vice president of location and local services, perhaps said it best when she compared Google to a Swiss Army knife: “Clean, simple, the tool you take everywhere.”

The company has just released a new report based on over half a decade of data, which it has analysed in-depth. It is part of its Safe Browsing service (malware and phishing protection), testament to its desire to be a “good company”.

One of the most astonishing things we observed in the report is this statistic: every day Google finds approximately 9,500 malicious websites. Such websites fall into two categories: innocent websites that have been polluted, or compromised, by cyber criminals, and websites purpose-built to distribute malware or host phishing. This is serious stuff.

“Many phishers go right for the money, and that pattern is reflected in the continued heavy targeting of online commerce sites like eBay & PayPal,” explained Niels Provos, of Google’s security team.

“Even though we’re still seeing some of the same techniques we first saw five-plus years ago, since they unfortunately still catch victims, phishing attacks are also getting more creative and sophisticated.”

Now while Google strives to offer as robust a security service as possible to counter such attacks, developing new software and strategies along the way, the last part of Mr Provos’ statement is telling. Threats continue to evolve and the problems they will bring will never end. It is a cat and mouse game. Still, a positive attitude to information security and risk management is always a plus.

Shifting the conversation to malware, Mr Provos has observed an increase in social engineering over the last few years, reflective of the move towards an uber-connected age, where people live, work and engage in a virtual framework.

“As companies have designed browsers and plugins to be more secure over time, malware purveyors have also employed social engineering, where the malware author tries to deceive the user into installing malicious software without the need for any software vulnerabilities,” he noted.

“A good example is a “Fake Anti-Virus” alert that masquerades as a legitimate security warning, but it actually infects computers with malware. While we see socially engineered attacks still trailing behind drive-by downloads in frequency, this is a fast-growing category likely due to improved browser security.”

What does all this mean? The most straightforward answer is that we’re shifting into a new era of threats. The landscape, so to speak, is transforming in a very dramatic way, characterised by highly motivated cyber criminals. As Google has noted, a lot of these people are more than happy to engage in such fraudulent activities because of the financial pay-off. That is a hard thing to discourage.

The only saving grace is that the enthusiasm, energy and drive going into putting a stop to such behaviour is equally powerful and just as hard to extinguish. Google’s commitment and investment in its Safe Browsing team is testament to that. Cyber criminals, you have been warned.

Mad Hulk does good

The Hulk is an iconic comic character created by Stan Lee and Jack Kirby, a brutal superhero who only manifests himself when his alter-ego Dr Bruce Banner loses control of his rage or is put in a position where his life is in danger. In the Marvel Comic universe, that is more often than not. Nobody wants to see Dr Banner sipping on coffee while meditating. Where’s the excitement in that?

A sort of digital manifestation of Hulk has materialised, aptly called the HTTP Unbearable Load King (the acronym being HULK), and what does it do? Well, “HULK get mad, HULK smash” is perhaps an apt explanation.

The back story to the origin of this denial of service (DoS) attack tool, which has managed to become the buzz topic of the moment, is that it was developed without malicious intent by a network security researcher.

Yes, you read right, its origins are entirely altruistic. You see, the gentleman in question produced the HULK script as an “educational proof of concept”, a proactive exploration into exposing weaknesses on web servers, a form of penetration testing if you will.

The fascinating aspect of the story – if that wasn’t sufficiently amazing – was the fact that Barry Shteiman, a self-confessed nerd, who works for an application security company, posted the script on his website for everyone to use.

With a disclaimer of course: “The tool is meant for educational purposes only and should not be used for malicious activity of any kind.”

“What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes. We’ve tested the tool internally and it is functional,” commented Neal Quinn, chief operating officer at Prolexic.

“Fortunately, this is not a very complex DoS tool. We were quickly able to dissect its approach and stop it dead in its tracks. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules.”

Commenting on his website, one enthusiastic user, going by the name of UnderPL, was amazed that a “single dos” could bring down his website. That hints at what the tool can be used for in a negative context, which could arguably be turned into a criticism of Mr Shteiman’s openness and willingness to share, but this would be a mistake.

His creativity, which stems from a genuine interest in this field of study as well as from a curious disposition, a wish to think outside the box, is an attribute to applaud. It has led him to come up with a strategy that might otherwise have been developed by a cyber criminal in the foreseeable future and used to full effect without anyone knowing how to deal with it. Now we know the problem, we can strategise.

He therefore embodies characteristics that all IT experts need to have in being the best of the best. This isn’t Hulk gone mad, but “Dr Banner done a very good thing”. As Mr Quinn observed, in this instance, we can all relax.

“There is a lot at stake for businesses online – whether it’s a matter of money, reputation, regulatory compliance or business continuity. No one wants to be down for a second, let alone hours or days,” he expanded.

“Consequently, any threat can cause panic. While many DDoS threats are very real and severe, in the case of HULK, panic is not necessary. PLXsert is happy to share our practical, effective mitigation method that can be implemented on any WAF or content switch, and transform the HULK back into Dr Banner.”

Maybe we were wrong in the intro. Sometimes Dr Banner is much better company, especially when all we want is a nice brew.

What LinkedIn’s security breach tells us

It’s a rule of life that the mightier you are, the harder the fall will be. In this 24/7 age of interconnectivity, wired up to the internet every single second of the day, with everyone effectively an IT practitioner, any shortcomings, big or small, will be most visible.

When the professional social networking site LinkedIn was revealed to have experienced a network security breach, resulting in millions of users’ passwords being uploaded to a website, the online world and media outlets from around the globe went into heated discussion.

Now while LinkedIn isn’t unique in being targeted by cyber criminals, a lot of criticism towards the popular company – it has approximately 161 million users – is justified in the sense that a lot of weaknesses and vulnerabilities have been identified.

One would expect a big company to have a seriously robust system of security, but something has clearly gone amiss. However, it would be too easy to say that this is the product of the fact it has no chief information officer, someone who has the skill, tact and knowledge to “beef up” and monitor security.

That’s because it does have a security team, a world-class one in fact, as its director Vicente Silveira was keen to articulate. This is typified by experts like Ganesh Krishnan, the former vice president and chief information security officer at Yahoo!, and David Henke, senior vice president of operations, who oversees all areas of this.

LinkedIn wasn’t the only one being hit – eHarmony and Last.fm were also targeted. In January of this year it was reported that Facebook, the giant of social media networks, had been breached, with 45,000 passwords being stolen. Hackers had deployed the Ramnit worm.

As the Financial Times noted recently, cyber criminals are preying on social networks – it’s the new playground, so to speak. The significance of the LinkedIn story is its scale. When you get into the millions you know you’re in uncharted territory.

One of the reasons for the shift, explained Graham Cluley, senior technology consultant at the security research firm Sophos, is that the anti-spam features on these websites are “nowhere as mature as places like Hotmail and Gmail”.

Furthermore, the openness of such websites makes them more susceptible to being breached: openness in sharing information, in developing applications and in making friends, both as a status thing (the more people you have, the more “popular” you are) and as a strategic thing (the more reach you have, the more exposure you have to services and products).

No doubt that the likes of Facebook, Twitter, LinkedIn and new kid on the block Pinterest will be evaluating their policies and considering how they respond to this new era. They owe it to the collective millions of users who give them the very digital air they need to breathe to ensure that they are safe and protected. If not, users will walk away, and then where will they be?

Mobile security and cloud computing important to business continuity

You can plan for natural disasters. Through technological advances and constant monitoring, the damage done by floods, earthquakes, hurricanes and tornados is far lower than it would be otherwise. Of course, it goes without saying that the capricious nature of some natural disasters is beyond human control – sometimes things unfold in the moment and we can thus only be reactive. It’s part of the reality of life.

We’re talking about such events because a new study from AT&T, a well-known multinational telecommunications company, has revealed that, as the US prepares itself for hurricane season, organisations have transformed the way they put together their business continuity and risk management plans. As of late, this has involved including mobile security services and cloud computing in their strategies.

The report found 60 per cent of bosses have invested in mobile security services, as they grow to appreciate that operating on such platforms is becoming the norm. The main reason for investing in such services is for fear that they will be breached. Information risk is a key worry.

With regard to cloud computing, the report found that it is becoming a “critical element” of business continuity because of security, performance and cost savings. Professionals will understand this. In the event of a natural disaster, where physical devices and data storage units can be damaged, the cloud offers an “impenetrable space”. All you need to do is access a computer and, to all intents, you can get your business running again.

“There’s certainly no shortage of potential threats or disasters around the world and it’s evident that executives are taking the necessary measures to ensure their business continuity plans are in place and actionable,” said Chris Costello, assistant vice president, Offer Management, Cloud Services at AT&T.

“We’ve seen a strong emphasis on IT security and continued growth in areas of cloud and mobile applications, implying that companies are embracing the tools and services needed to continue operational activities despite potential threats and disasters.”

Interestingly, a business continuity plan now also caters for “virtual events” – disasters that are not physical. Two-thirds of IT executives stated that this is something that they want to plan for – a security breach of this kind can be extremely devastating not only to a business’s infrastructure but also to its reputation.

It’s good to see that organisations are keeping on top of their business continuity plans (63 per cent said they had fully tested their plans in the last year alone) and adapting to changes in the world of IT. It’s also good to see such companies making relatively new areas like cloud computing and mobile security central to such plans, ensuring they remain secure and operational in the aftermath of a disaster. Adaptation is key.