More Than a Third of Businesses Hit by DDoS Attack in 2012

May 10, 2013

Organizations hoping distributed denial of service (DDoS) attacks are no longer incidents du jour and are beginning to slow down can think again: there were more attacks in 2012 and they aren’t going away, according to Neustar.

A little over a third, or 35 percent, of organizations in the survey experienced some form of a disruptive DDoS attack in 2012, Neustar found in its second DDoS Survey, released Wednesday. Retailers and e-commerce businesses were among the top three industry sectors being targeted, accounting for 39 percent and 41 percent, respectively, of the attacks in 2012. Financial service organizations, many of whom battled waves of attacks last fall as part of Operation Ababil, were the most targeted, at 44 percent.

Back in February, Neustar surveyed 704 IT professionals in North America about how their organizations managed DDoS attacks. When hit with a distributed denial of service attack, organizations generally go into “crisis” mode, as everyone from the IT department to customer service does whatever is necessary to get past the threat.

“The consequences of being unprepared to mitigate a DDoS attack can be crippling to businesses,” Alex Berry, a senior vice-president of enterprise services at Neustar, said in a statement.

Slightly more than a quarter of survey participants indicated that DDoS-related outages cost their organizations anywhere between $50 and $100,000 an hour, or up to $2.4 million a day, the study found. About 74 percent of respondents projected outage costs of $10,000 per hour, or $240,000 a day.

The damage isn’t just revenue loss, however, but “about erosion in trust, brand value, and reputation,” Berry said. Nearly a third of the respondents said DDoS mitigation required time and related expenses of six or more employees.

While large attacks, such as those serious enough to raise the specter of a DDoS Armageddon, grab headlines, more than 70 percent of the attacks were less than 100 Mbps in network size or less than 100 Kpps in packets, Neustar found. Only two percent of the attacks in 2012 approached SpamHaus levels, with more than 20 Gbps of malicious traffic targeting the network.

While about 63 percent of the attacks lasted less than a day, the remainder of the attacks lasted more than 24 hours, with 17 percent going between one and two days. More organizations are seeing attacks that last more than a week, according to the survey.

“A well-crafted, multi-vector attack of just 2Gbps can bring most Websites to their knees,” Neustar said.

While companies are increasingly investigating DDoS protection, they aren’t investing in the right solutions or doing it fast enough. Only 8 percent of IT administrators in Neustar’s survey admitted to not having some kind of protection in place, a dramatic difference from 25 percent reporting no protection last year.

About two-thirds of the companies use firewalls, routers, and switches to manage DDoS attacks, the survey found. In fact, Neustar found a 10 percent increase year-over-year in organizations using firewalls, switches, and routers for DDoS defenses. These networking products are not intended to filter out and block an overwhelming volume of malicious traffic, and wind up creating bottlenecks that help the attacks succeed, Neustar said.

“Few have invested in purpose-built hardware or third party expertise,” Neustar said.

via More Than a Third of Businesses Hit by DDoS Attack in 2012: Survey | SecurityWeek.Com.


Bitcoin Exchange Bombarded By Another Massive Cyber Attack

April 15, 2013

The value of red-hot Bitcoin tumbled more than 20% overnight after one of the virtual currency’s key exchanges grappled with the most powerful cyber attack it has ever seen and the second major blitz in less than a week.

While the level of interest and value of Bitcoin continues to explode, the latest glitch draws further attention to potential downfalls of relying on a relatively new electronic currency.

Tokyo-based Mt. Gox, which calls itself the world’s most established Bitcoin exchange, said in a statement that it “has been suffering from its worst trading lag ever” due to a “major” distributed denial of service (DDoS) attack.

“It’s been an epic few days on Bitcoin,” Mt. Gox said. “However, there are many who will try to take advantage of the system. The past few days were a reminder of this sad truth.”

The cyber attack helped drive the value of one Bitcoin to as low as $115 overnight, representing a 22% decline from its peak of about $145 on Wednesday, according to bitcoincharts.com. Bitcoin quickly recovered, climbing back above $140 in recent trading.

“The sheer volume of this DDoS left us scrambling to fine-tune the system every few hours,” Mt. Gox said.

It’s unclear who is behind the DDoS attacks but Mt. Gox said it believes the hackers were aiming to destabilize Bitcoin and “abuse the system for profit.”

Daniel Friedberg, a financial-services attorney at Seattle law firm Graham & Dunn who has a Bitcoin client base, told FOX Business last week that any disruption creates customer complaints on Bitcoin.

“Users of Bitcoin are not used to any ‘down time’ and have grown accustomed to being able to immediately convert the Bitcoin virtual currency into real legal tender, 24 hours a day, 7 days a week,” Friedberg said.

Mt. Gox, which suffered a similar cyber attack on March 28, noted that even more established players like NYSE Euronext (NYX) and Nasdaq OMX Group (NDAQ) suffer technical issues. “We can fix lag, but we cannot eradicate lag,” Mt. Gox said.

Despite the cyber attacks on the key exchange, Bitcoin is still clearly enjoying an explosion of interest, with the value of Bitcoin outstanding surpassing the $1 billion threshold last week.

The value of Bitcoin has skyrocketed as well, surging a ridiculous 635% since trading at about $20 in early February.

The virtual currency has benefited from a surge of interest triggered in part by the “bail in” of bank depositors in Cyprus last month, which bolstered concerns about the safety of traditional banks and currency.

Built in 2009 as open-source software, Bitcoin is highly decentralized, making it very appealing to those concerned about central-bank actions aimed at devaluing traditional currencies like dollars and euros.

via Bitcoin Exchange Bombarded By Another Massive Cyber Attack | Fox Business.


How the biggest DDOS attack in history could have been easily avoided, or not

April 5, 2013

The recent DDOS attacks aimed at Spamhaus hammer home three very important points that we must learn in our new digital society: 1.) how dependent we are on digital communication, 2.) how interdependent our networks have become, and 3.) how drastic the consequences are when basic “blocking and tackling” measures are not taken.

This particular attack has not only affected Spamhaus, it has also affected the internet speed and availability for millions of users and sites in the UK and in Europe. According to an article by John Markoff and Nicole Perlroth in the New York Times, “a number of computer security specialists pointed out that the attacks would have been impossible if the world’s major Internet firms simply checked that outgoing data packets truly were being sent by their customers, rather than botnets.”

The article also discusses how the attack would have been much less successful (or not successful at all) if more internet providers followed the best practice guidance released 13 years ago (2000) by the IETF (Internet Engineering Task Force) in BCP38.

While the article does a good job explaining the high level concepts of the attack, here is a little more detail on how the attack works, and how these attacks can be stopped:

Imagine some “attacker” can “spoof” your phone number so that your number shows up on other people’s phones when they call. Now imagine the attacker calls a bunch of people and hangs up before they answer—you’ll probably get a bunch of calls back from those people, because it looks like you called and hung up when you didn’t. Now imagine thousands of attackers doing this—you’d certainly have to change your phone number. With enough calls, the entire phone system would be impaired.

That’s similar to what’s happening in this DDOS attack. Attackers are spoofing Spamhaus’s IP addresses (IP addresses are like a phone number on the internet), sending traffic (let’s call this “stimulus”) to servers that they know will respond to this traffic, and these servers dutifully send their responses back to Spamhaus’s servers. Armed with the power of thousands of computers in a botnet, the attackers are sending a lot of stimulus. To make matters worse, the responses are much larger, in terms of size, than the stimulus. This means that for every packet of stimulus, there are many more response packets. (In our example above, imagine that all those hang-up calls were to phone numbers that would automatically leave 3-minute messages on your voicemail or keep calling back over and over.)

So what servers are drowning Spamhaus (and the rest of us) in response packets? These servers are called domain name servers, or DNS, and perform a critical function—they match a human-friendly name (e.g. google.com) with a machine-friendly number (i.e. an IP address). Computers need to know each other’s IP addresses in order to communicate (or the IP address of the firewall that is protecting the computers).

DNS in friendly terms? When you try to browse to google.com, your computer queries a DNS to learn its IP address. If your computer can’t connect to a DNS, or the DNS can’t resolve google.com to an IP address, you’re out of luck. You can see this in action by going to a command prompt or shell on your computer, and typing the hostname (not the full URL) into nslookup:

nslookup www.google.com

If successful, you’ll see one or more IP addresses for Google.

Without DNS, instead of typing http://www.google.com in our web browser, we’d be typing, “173.194.75.105” or something similar. I can’t even remember my own phone number anymore—imagine if we had to remember these?

Why is DNS so vulnerable? The primary protocol that DNS servers happen to use is called UDP (User Datagram Protocol). This is important because UDP is “connectionless,” meaning there is no “handshake” when the initial connection is set up. “Handshakes,” like those used in TCP communications, offer a reasonable amount of host authentication—in other words, with TCP connections, you can be reasonably certain that both computers are who they say they are. With UDP, you cannot be sure, especially with short bursts of communications like DNS queries.

So, using a botnet, the attackers are sending millions of DNS queries that appear to be from the victim’s computer (“spoofing” the victim’s IP addresses), and the much larger responses from the DNS servers actually go to the victim’s computers. It’s kind of the ultimate “crank call.”

How can these attacks be stopped? Follow the guidance in BCP38, which explains how internet providers can filter out spoofed traffic. The idea is simple—every router (the devices that connect the internet) understands which addresses should be coming from which direction (interface, in router terms). If a packet arrives claiming a source IP address that should never arrive on that interface, the packet should be dropped.
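The interface check described above, as an added simulation that is not part of the original post: a hypothetical provider edge router knows which source prefixes belong on each customer-facing interface and drops packets that claim any other source. The prefixes, interface names and packets are constructed sample data (RFC 5737 documentation ranges); the “transit” interface shows the caveat that an upstream link cannot be filtered this way, which is why filtering must happen at the edge nearest the bots.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample prefixes (RFC 5737 documentation ranges), hypothetical customers.
CUSTOMER_A_PREFIX = ipaddress.ip_network("192.0.2.0/24")
CUSTOMER_B_PREFIX = ipaddress.ip_network("198.51.100.0/24")
VICTIM_ADDR = "203.0.113.10"  # stand-in for the address the bots are spoofing


@dataclass
class Interface:
    name: str
    # Source prefixes that may legitimately arrive on this interface.
    # None marks an upstream/transit link: any global source may be valid
    # there, so strict BCP38 filtering cannot be applied on that side.
    allowed_sources: Optional[List[ipaddress.IPv4Network]]


@dataclass
class Packet:
    ingress: str  # name of the interface the packet arrived on
    src: str
    dst: str


@dataclass
class Bcp38Router:
    interfaces: Dict[str, Interface]
    dropped: List[Packet] = field(default_factory=list)

    def check(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for a packet under BCP38 source validation."""
        iface = self.interfaces[pkt.ingress]
        if iface.allowed_sources is None:
            return "forward"  # transit link: no basis to judge the source
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in iface.allowed_sources):
            return "forward"
        self.dropped.append(pkt)  # this source cannot live behind this interface
        return "drop"


def build_router() -> Bcp38Router:
    """Hypothetical edge router with two customer links and one upstream link."""
    return Bcp38Router(interfaces={
        "cust-a": Interface("cust-a", [CUSTOMER_A_PREFIX]),
        "cust-b": Interface("cust-b", [CUSTOMER_B_PREFIX]),
        "transit": Interface("transit", None),
    })


def run_demo() -> List[Tuple[str, str, str]]:
    """Run constructed packets through the filter; returns (ingress, src, verdict)."""
    router = build_router()
    packets = [
        Packet("cust-a", "192.0.2.7", "198.51.100.53"),    # genuine query from customer A
        Packet("cust-a", VICTIM_ADDR, "198.51.100.53"),    # bot in customer A spoofing the victim
        Packet("cust-b", "198.51.100.20", "192.0.2.53"),   # genuine traffic from customer B
        Packet("transit", VICTIM_ADDR, "198.51.100.53"),   # same spoof arriving via upstream
    ]
    return [(p.ingress, p.src, router.check(p)) for p in packets]


if __name__ == "__main__":
    for ingress, src, verdict in run_demo():
        print(f"{ingress:8} src={src:15} -> {verdict}")
```

The second packet is the one BCP38 catches; the fourth shows that once a spoofed packet has left a non-filtering provider, routers further along can no longer tell it apart from legitimate traffic.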

Why is this hard? It’s not. So why haven’t internet providers taken these simple steps?

Actually, most of them have—according to research by the MIT ANA Spoofer Project, cited in an article on Senki written in June of 2012, 80% of internet providers had already implemented the recommendations in BCP38, and were already blocking spoofed traffic. It’s the remaining 20% that are responsible for allowing “spoofed” traffic.

We’re seeing more and more that when fundamental blocking and tackling is missing, our interdependence shows – when a few parties don’t take basic security measures, other parties suffer. Just like on the road, where a few (or many) distracted or careless drivers can cause harm to countless others, a group of sloppily configured routers can allow attackers to disrupt critical infrastructure that we’ve come to depend on. 80% just isn’t good enough.

We can’t turn off DNS. Though it’s theoretically possible to make everyone use TCP instead of UDP for DNS queries (which would make these queries much more difficult to spoof), so many people would be adversely affected during the transition that this might make things worse than just living with the DDOS attacks.

Our best choice is to create a culture of security and responsible computing, where it becomes unacceptable to be in the remaining 20%. Imagine if 20% of the drivers on the road didn’t obey traffic signals—it would no longer be safe to drive. It should be equally unacceptable that so many computers are now in botnet armies that can do such tremendous damage—80% isn’t really good enough there, either. If 20% of the computers in the world are allowed to become part of a botnet, we’re going to have much bigger problems. The culture of security and responsible computing needs to extend to internet providers, and internet users.


Report Highlights Costs of Mitigating Top Cyber Threats

March 18, 2013

Organizations can spend as much as $6,500 an hour to recover from distributed denial of service (DDoS) attacks and $3,000 a day recovering from malware infections, according to a new report from Solutionary.

In its 2013 Global Threat Intelligence Report, Solutionary identified sophisticated malware, DDoS attacks, the bring-your-own-device (BYOD) trend, and Web application security as the top four security issues and threats organizations are concerned about. However, the report didn’t stop with just identifying the threats. It also attempted to quantify the costs of mitigating these four threats.

What was clear from the report was that there were significant costs associated with not having, updating, or testing a proper incident response plan.

“Cyber criminals are targeting organizations with advanced threats and attacks designed to siphon off valuable corporate IP and regulated information, deny online services to millions of users and damage brand reputation,” Don Gray, chief security strategist for Solutionary, said in a statement.

Organizations that take the time to have a proper incident response plan are more likely to spend less money on incident response when the unthinkable happens, Rob Kraus, director of research at Solutionary, told SecurityWeek.

Solutionary’s report is based on real-world cases from its global customer base and reflects actual incidents and expenses, Kraus said. The costs of incident response include hiring third-party consultants and incident response teams, beefing up staff after an attack, and buying new mitigation technologies.

Other figures relating to lost productivity, downtime in the event of a DDoS attack, and lost revenue were not included in the numbers, which means organizations would likely incur even higher costs after a security incident to mitigate the threats.

In the report, Solutionary found that 54 percent of malware samples can get past antivirus and endpoint security tools, and 44 percent of all phishing emails have banking themes. Nearly 45 percent of malware attack attempts target financial customers and 35 percent go after retail customers, Solutionary said. Most of the attacks take the form of phishing emails with malicious links and attachments.

Solutionary also examined the most targeted applications, and concluded Java has now surpassed Adobe PDF as the one under heaviest attack. Nearly 40 percent of all exploits analyzed by Solutionary’s team of researchers were based on Java vulnerabilities, Gray told SecurityWeek.

The report also found that United States organizations actually are at greater risk from domestic threats than they are from foreign threats. In fact, 83 percent of attacks against US organizations came from US-based IP addresses, the report found. Around 23 percent of US organizations attacked via US IP addresses were government agencies, the report said.

The shift away from the nation-state narrative runs counter to a lot of the hysteria surrounding Mandiant’s report last month detailing attack strategies employed by a group based in China, and allegedly associated with the Chinese military.

To be fair, the second largest source of attacks in Solutionary’s report was China, but the country accounts for a mere 6 percent of attacks against US businesses.

The heavy concentration of U.S. based attack IP addresses may also be tied to the high number of machines infected and unknowingly recruited into a botnet.

Another interesting finding showed that attackers from different countries tended to focus on different industry verticals. Most, or 90 percent, of China-based activity targeted the business services, technology, and financial sectors, while 85 percent of Japan-based attacks were focused on the manufacturing industry, Solutionary found.

Attacks targeting the financial sector appear to originate “fairly evenly from attackers in many countries across the world,” the company said. Attack techniques also varied by country, with Chinese attackers taking advantage of already-compromised devices, and Japanese and Canadian attackers focused on exploiting Web applications. Attacks from Germany generally involved more botnets and command-and-control activity.

“The Solutionary GTIR provides actionable intelligence and strategic recommendations that will allow readers to make smart decisions, strengthen their organizations’ cyber defenses and maximize the value of their security programs,” Gray said.

The report also offers a Security Self-Assessment, which allows security and risk professionals to rank their cyber-security posture based on multiple criteria. They can use the rankings to determine strengths and weaknesses in the organization’s security posture.

A section on “The Future” offers in-depth insights into the global threat landscape and a predictive look at how things will change. This may cover how malware authors will continue to evade anti-virus software, and how exploit kits will evolve.

The “Getting the Most from Threat Intelligence” section arms organizations with details on how to use threat intelligence to make decisions and take actions that will reduce overall security risks.

Thanks to the threatvector


Increasing Militarization Of The Internet

March 6, 2013

The rise of Stuxnet, Flame, Gauss, the Olympic Games operations and Shamoon have all shed light on the issue of nation-state driven cyberwarfare and cyberespionage activities. Now that we are in cyberspace, we have another domain for humans to occupy and dominate, according to Ed Skoudis, founder of Counter Hack Challenges.

Skoudis told RSA Conference 2013 attendees that he worries about some of the risks of taking action over the Internet. Many of the nation-state driven activities could have a tremendous impact on the private sector, he said. “It could have a cascading impact,” he said. “It is possible that every cyberaction could cause bigger problems than people think.” Some of the techniques outlined by Skoudis and Johannes Ullrich, chief research officer at the SANS Institute, are not new, but they are being ramped up by cybercriminals to become a serious problem.

Here’s a look at the five most dangerous new hacking techniques that concern top security experts Ullrich and Skoudis.

Rise Of Offensive Forensics

Anti-forensics is the process of cybercriminals getting into a targeted environment and hacking the forensics tools themselves. Offensive forensics takes forensics techniques, analyzes file systems and memory in depth, and then combs them for information assets and extracts them.

Mis-Attribution

The industrial processes used to build Stuxnet and other malware provide unique fingerprints that malware analysis investigators use to categorize it. Coding styles down to machine-level language can indicate a specific threat actor. A nation-state backed cybercriminal that doesn’t want to get noticed may place phony clues in malware to shake off investigators, Skoudis said. The catastrophic attack on Saudi Aramco via Shamoon infections on that company’s workstations had some technical information that made investigators think it clearly wasn’t the work of a nation-state. But researchers at Kaspersky Lab provided evidence linking some specific characteristics to the Flame malware, a cyberespionage attack toolkit.

Computer Attacks Resulting In Kinetic Impact

Historically we have worked to protect PII and PHI, bank records and trade secrets, but companies haven’t had a good track record, Skoudis said. But attackers are now targeting physical infrastructure such as industrial control systems and SCADA systems.

“Some of it is just mischief, but it could be a harbinger of much bigger things to come,” Skoudis said. “We are rapidly moving into the area where cyberattacks cause kinetic impact.”

Smaller systems are now at risk, such as automobiles, water distribution systems and traffic light control systems, which have buffer overflows, SQL injection flaws and other coding problems that can be exploited, he said. Attackers can infiltrate the devices and gain command and control of the infrastructure.

Large Scale DDoS Attacks

U.S. banks have spent a lot of time investing substantial resources to defend against distributed denial-of-service (DDoS) attacks. The attacks are simple and don’t require a lot of resources.

While the attacks are not new, businesses and attackers have been playing a cat and mouse game, Johannes Ullrich, chief research officer at the SANS Institute, told RSA Conference attendees. Attack tools are getting better at tricking DNS anti-DDoS defenses, he said. Attacks are getting larger, up to over 40 gigabits per second. The attacker only needs 2,000 bots to carry them out, Ullrich said.

Password Breach, Password Leaks

The advice given to organizations is to salt and hash passwords, but the process of salting and hashing only slows an attacker down, Ullrich said. Dedicated password crackers only cost a few thousand dollars, he said. For now, user education and better protection of databases that contain passwords are the only answer. Until an alternative to the pass phrase emerges, the problem will persist. Two-factor authentication is expensive and used by only a small percentage of security-minded organizations, Ullrich said. Some experts are looking to the smartphone as an authenticator, but token-stealing malware, as evidenced by the Zitmo/Eurograbber Android Trojan, defeats SMS-based tokens and will likely continue to be a target of attacks.

Thanks to The Threat Vector:

http://thethreatvector.wordpress.com/2013/03/05/increasing-militarization-of-the-internet/



Ernst & Young’s IT Security Survey Highlights

October 31, 2012

Many CIOs and chief information security officers are struggling to adapt security practices to a changing environment that includes cloud computing, social media and tablets, according to a survey of 1,850 such IT pros.

The Ernst & Young 2012 Global Information Security Survey published today found cloud computing to be one of the main drivers of business model innovation and IT service delivery, with 59% of respondents saying they use or plan to use cloud services. But 38% admitted they have not taken any measures to mitigate risks.

Use of social media in business is prevalent, but 38% of the CIOs and CISOs surveyed say they don’t have a coordinated approach to address risks, such as defending the organization’s brand or determining how employees use work time to engage in social media.

The Ernst & Young survey indicated that 31% of respondents said they saw an increase in the number of security incidents compared to the previous year.

Another technology game-changer, use of mobile devices, such as tablets and smartphones, is compelling “policy adjustments,” according to over half of these IT professionals who hail from the financial industry, insurance, high-tech, government, and various industrial, retail and utility sectors from all around the world.

More than one-third say that company-owned mobile devices have been adopted but use of personal devices is not allowed for business. The survey found that 36% have acquired mobile-device management software and 31% now have a “governance process to manage the use of mobile applications.” Encryption plays a central role for 40% of CIOs and CISOs surveyed.

In terms of budgets for the next 12 months, 30% said they expect information security funding to increase by 5% to 15%, while 9% of respondents anticipate a budget increase of 25% or more. Security budgets are expected to remain the same for 44%. About a third said they spend at least $1 million per year on information security.

Just over half said the area of highest priority for them is business continuity, including management and disaster recovery. But one surprise, the report states, is that the second-highest priority is “a fundamental redesign of their information security program.”

This appears to reflect the security gaps that these CIOs and CISOs acknowledge exist in their organizations’ adoption of cloud computing and tablets. 55% said they plan to spend more to secure new technologies, while 63% acknowledged that they felt they had “no formal architecture framework in place, nor are they necessarily planning on using one.” The Ernst & Young study indicated these IT professionals may feel they have “a patchwork of non-integrated, complex and fragile defenses” that creates gaps in their security.

Those that did have a defined security architecture pointed to the Open Group Architecture Framework, the ANSI/IEEE 1471:ISO/IEC 42010 standards, and other references such as defense department frameworks defined in the U.S. and the United Kingdom.

A major complaint from 43% of respondents is that they can’t find the right people with the right skills and training to handle information security jobs. And when asked what threats or vulnerabilities have most increased risk over the last 12 months, the answer at the top of the list was “careless or unaware employees,” followed by “cyber attacks to steal financial information.”

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.
Read more: http://www.pcadvisor.co.uk/news/network-wifi/3407599/ernst-youngs-it-security-survey-shows-struggle-control-cloud-computing-social-media-mobile-risks/

