Wednesday 14 August 2013

DDoS: Before, during and after. What should you do?

Back when I first began experimenting with technology, the only term in my vocabulary was denial of service attack (DoS). I was a script kiddie using a small program called FateX on my parents' AOL dial-up. Using this program one could send an “IM Bomb” to other users of the service who were logged into IM. This would force a log out of the service, and it leads into the definition of this type of attack: “In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users” (“Denial-of-service attack,”).
Today we have what is known as a distributed denial of service attack – an attack that comes from multiple locations, not just a teenager's PC.
There are many ways of performing DoS and DDoS attacks against targets; Wikipedia has a great page on the various methods.
It is safe to assume that at some point your network will come under a DDoS attack. Having a plan and an incident response process is highly recommended and almost a necessity today.

Before a DDoS

Every organization should have at least one individual that understands a DDoS attack. Whether it is the onsite tech guru of a small organization, the external tech service supplier for a small to medium company, or the IT security individual / group at larger organizations, they need to have an intermediate knowledge of how these attacks are performed and a plan of what to do when it happens.

The Plan

What can one do before a DDoS? Simple: plan. There are a few recommended techniques that will benefit the department overall.
1) Establish a relationship with your ISPs. This does not mean the sales guy! Call your ISP and set up a meeting to discuss your account, and request that a technical rep be onsite as well. During this meeting discuss with them how they handle your traffic and what sits between your office, the hub you are connected to and their backbone. What are the numbers for the 24/7 NOC, and who are the managers in charge of it? How do they help with DDoS attacks?
The purpose of this meeting is to get as much information from them as possible, so that during an attack your team has a quick reference sheet to turn to. This sheet should provide NOC numbers, escalation numbers, and how this ISP handles DDoS attacks (as well as other types of attacks). You would be surprised how many organizations know nothing of their ISP.
2) Plan for as much capacity as possible. Not many organizations have the funds to do this; consider yourself lucky if yours does. After analyzing the network traffic over a few months one can see how much capacity is needed: take the largest traffic peak and multiply it by 10. This is not a cure-all, but it will ensure that the hardware can handle smaller attacks.
3) Configure remote monitoring and alerting. Let us assume that you have internal monitoring that can detect DDoS or other anomalies. Great! Unfortunately, now that your links are saturated or your systems are offline, how will you get alerted? Your internal systems are either offline or too saturated to send that text message or email. Solution: remote monitoring. A client I have worked with in the past needed to ensure the highest uptime for their internal email system as well as receive alerts during outages. They configured remote monitoring of their service that alerted Yahoo and Gmail accounts belonging to the department. Senior members of the team had their phones configured with the IT department accounts.
4) Be active in the local IT security community. Join the local chapter of FBI InfraGard, the HTCIA, etc. Contact the local police department, the state police department and the FBI. Meet with the cyber security people from each organization and ask what you should do during a cybercrime. Ensure that you have all of the appropriate contact information after these meetings.

During a DDoS

We have a plan in place and our worst fears are realized: an unknown organization has decided to begin a DDoS attack. The senior members of the IT team have just received an email to the group Yahoo and Gmail accounts saying that all services are down. An onsite tech has been dispatched and has informed the team that we are receiving 30 Gbps aggregated across all links, which is bringing down certain network devices as well as systems.

The Plan

1) Gather as much information about the attack as possible:
  1. What type of attack is it?
  2. Can the source(s) of the traffic be identified?
  3. Is a particular system being targeted?
2) Block the source IPs – be sure to keep a log of all of these, as they may be legitimate IPs that are either spoofed or belong to a zombie machine.
3) Immediately contact the ISPs. Pull out the ISP sheet, let them know what is going on, provide as much info as possible and see if they can help identify and drop the traffic from their systems. If you are not getting the response you require, escalate to the senior members of their team.
4) Continually check all systems to ensure that the DDoS is not a distraction for another attack or causing other issues with the affected systems.

After a DDoS

The attack has either subsided or been successfully repelled. Now the tedious work begins.
Start by collecting all of the logs from the course of the attack. Review them to determine where the traffic was coming from and what type of traffic was being sent. Work with your ISPs to identify as much information about the attack as possible. Pull out the list of IPs and determine their location, and let the abuse contact of each source ISP know (found through WHOIS).
Once all the information has been collected, call your contact at the local police department. Let them know what happened and what information you have, and ask whether they can assist or whether you should escalate to the State or the FBI. Once it has been determined who you need to speak with, pass all of the information you have to them and hope they can identify the source and cause.
Go through every system to ensure they are operating optimally. Check for any anomalous issues and verify that no system has been compromised. Change passwords.
Finally, evaluate your response to the incident, as there are always areas to improve. Fine-tune the plan and bring all of your staff out for a few beers: you just survived your first DDoS.
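The log review the "During" and "After" plans call for (what type of traffic, from which sources, against which system, and a block log you can revisit when an address turns out to be spoofed or a zombie), as an added example that is not part of the original post. The key=value flow format and the sample lines are constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
"""Triage of constructed firewall/flow log lines collected during and after a DDoS.

Added example (not from the original post). It answers the post's log-review
questions: what type of traffic, from which sources, against which system, and
keeps a block log with a reason per source for the post-incident review.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed key=value flow format (not a real device's
# log). Addresses are RFC 5737 documentation ranges: two sources flood UDP/53,
# two ordinary clients make single TCP connections.
SAMPLE_LOG = """\
2013-08-14T10:00:01 src=203.0.113.5 dst=198.51.100.10 proto=UDP dport=53 bytes=1400
2013-08-14T10:00:01 src=203.0.113.5 dst=198.51.100.10 proto=UDP dport=53 bytes=1400
2013-08-14T10:00:01 src=203.0.113.5 dst=198.51.100.10 proto=UDP dport=53 bytes=1400
2013-08-14T10:00:01 src=203.0.113.9 dst=198.51.100.10 proto=UDP dport=53 bytes=1400
2013-08-14T10:00:01 src=203.0.113.9 dst=198.51.100.10 proto=UDP dport=53 bytes=1400
2013-08-14T10:00:01 src=203.0.113.9 dst=198.51.100.10 proto=UDP dport=53 bytes=1400
2013-08-14T10:00:02 src=192.0.2.77 dst=198.51.100.10 proto=TCP dport=443 bytes=520
2013-08-14T10:00:02 src=192.0.2.78 dst=198.51.100.20 proto=TCP dport=25 bytes=610
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse key=value flow lines; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"], rec["bytes"] = int(rec["dport"]), int(rec["bytes"])
            flows.append(rec)
    return flows


def triage(text, packet_threshold):
    """Summarise the attack and decide which sources to block.

    packet_threshold: packets from one source within the log window above
    which it is blocked (tune to your baseline). Returns the dominant
    (proto, dport), targets ordered by bytes received, and the block log.
    """
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "first_seen": None})
    traffic_types, target_bytes = Counter(), Counter()
    for f in parse_flows(text):
        s = per_src[f["src"]]
        s["packets"] += 1
        s["bytes"] += f["bytes"]
        s["first_seen"] = s["first_seen"] or f["ts"]
        traffic_types[(f["proto"], f["dport"])] += 1
        target_bytes[f["dst"]] += f["bytes"]
    block_log = []
    # Largest talkers first; ties broken by address so the output is stable.
    for src, s in sorted(per_src.items(), key=lambda kv: (-kv[1]["packets"], kv[0])):
        if s["packets"] >= packet_threshold:
            block_log.append({"src": src, "first_seen": s["first_seen"],
                              "packets": s["packets"], "bytes": s["bytes"],
                              "reason": f"{s['packets']} packets in window "
                                        f"(threshold {packet_threshold})"})
    return {"dominant": traffic_types.most_common(1)[0][0] if traffic_types else None,
            "targets": [dst for dst, _ in target_bytes.most_common()],
            "block_log": block_log}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, packet_threshold=3)
    print("attack type:", result["dominant"], "targets:", result["targets"])
    for entry in result["block_log"]:
        print("blocked", entry["src"], "-", entry["reason"])
```

The WHOIS lookup of each blocked source for the abuse-contact step is deliberately left out so the block runs offline; feed `block_log` to your lookup tool of choice.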

OWASP WebGoat - Vulnerable Web Application Attack

WebGoat Week 9

Exploit Unchecked Email
This lesson has two steps: first you are to send a malicious script to the website admin, and second you are to send a malicious script to a ‘friend’ from OWASP.
So the first thing you are going to do is put the input shown below into the Questions or Comments textbox and click Send:
<script>alert("XSS")</script>


Next we need to send it to a ‘friend’ from OWASP.
Again, put the script into the same textbox as before, but before you click Send open up Tamper Data and start the tamper service. Intercept the request and change the 'to' field to another email address.

You can see here that the email was going to webgoat.admin@owasp.org (40 is the ASCII code for @ in hexadecimal; you need to put the % in front of it for URL encoding). So let’s send this to friend@owasp.org. You will need to enter this:
Friend%40owasp.org

Click the OK button and you should see this:

Bypass Client Side JavaScript Validation
For this lesson you are given seven JavaScript validation mechanisms, all of which must contain valid values in order to submit successfully. You are told that both client-side and server-side validation occur on these fields; your task is to break the client-side validation.

Open WebScarab, tick the request intercept checkbox and make sure everything in the list is highlighted. Now go to the page and hit Submit. Go to the WebScarab window and check the URL Encoded tab, and you will see the values. Simply modify them; in the screenshot below I added an @ to each field and then pressed Accept.


Session Management Flaws
Hijack a Session
For this lesson you are attempting to gain access to a user’s session.
You will need the jHijack tool, available at http://sourceforge.net/projects/jhijack/. Go ahead and start up WebScarab and set your proxies. Turn on request intercepts and view hidden fields, and finally launch jHijack. Now reload the page and we will look at WebScarab.

Let’s take a moment and configure our jHijack. We need to put our host and port into it first. In the example below we see the IP address of this particular VM and the port number; yours may be different. Now we need to find a success message of some kind. So far we have noticed in WebGoat that every time we complete a mission we get a “Congratulations”, so let’s use that in our Grep (it’s case sensitive). The last part we need to fill in is the URL. See below.

Now we need to go back to WebScarab and select the Session ID tab (if you don’t see it, make sure you are using the full version of WebScarab). Select previous requests and choose the appropriate URL (picture below). Now select the cookie WEAKID and remove it.

Go to the bottom of the screen and hit Test. You should receive this success message.

Now we need to collect some data. Set the fetch number to 50 and hit Fetch. Go up to the Analysis tab and set the session ID, and you should receive the list of cookies out there. We want to look specifically at the numerical value of the session ID. Note that it is incrementing by 1. Now, there is a gap there, between 19400 and 19402. That’s an open session, so let’s focus on that.

The second part of the values has a large gap between them, so we need to “guess” what that value is, but we have jHijack to make this really simple. Copy out the one above and the one below the target and paste them into Notepad. Doing this makes it easier to see and copy. See the example below. Notice that the [] denotes a range.

Now it’s simply a matter of filling in the missing information in jHijack. Go back to WebScarab, gather the JSESSIONID and the parameters, and enter them in. Note that we want to place a $ at the end of our WEAKID value. Finally, take the range and enter that in. Then hit Hijack. See below.

We refresh the page one last time, go back to the WebScarab intercept and swap out the WEAKID.

Hit Accept and we have our Congratulations message.
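A quick audit of captured WEAKID values for the weakness this lesson relies on (a counter that increments by one and a second field that only grows), written as an added example; it is not WebGoat or jHijack code. It assumes a WEAKID has the form counter-second-field joined by a hyphen, and the captured values are constructed.

```python
"""Audit captured WEAKID session ids for the predictability this lesson relies on.

Added example, not part of WebGoat or jHijack. Assumes a WEAKID looks like
"<counter>-<second field>" (the lesson shows two parts: a counter that grows
by 1 and a second, much larger number). Sample values are constructed.
"""

# Constructed capture: five ids seen by the proxy, with 19401 missing because
# it was issued to a different user (the "gap" the lesson points at).
OBSERVED_WEAKIDS = [
    "19398-1376496000101",
    "19399-1376496000355",
    "19400-1376496000610",
    "19402-1376496001120",
    "19403-1376496001377",
]


def parse_weakid(value):
    """Split "<counter>-<second>" into two ints; reject anything else."""
    counter, sep, second = value.partition("-")
    if not (sep and counter.isdigit() and second.isdigit()):
        raise ValueError(f"unexpected WEAKID format: {value!r}")
    return int(counter), int(second)


def audit_weakids(values):
    """Return the findings a reviewer would put in a report.

    sequential:       consecutive counters differ by a small positive step
                      (heuristic: 1..10), i.e. ids are handed out in order
    monotonic_second: the second field only grows (timestamp-like)
    gaps:             counters never observed, each with the bounds the second
                      field must lie between and the width of that range;
                      a gap is a live session that belongs to someone else
    predictable:      both fields are guessable, so the id is not a secret
    """
    parsed = sorted(parse_weakid(v) for v in values)
    pairs = list(zip(parsed, parsed[1:]))
    steps = [c1 - c0 for (c0, _), (c1, _) in pairs]
    gaps = [
        {"counter": missing, "second_between": (t0, t1), "window": t1 - t0}
        for (c0, t0), (c1, t1) in pairs
        for missing in range(c0 + 1, c1)
    ]
    sequential = bool(steps) and all(1 <= s <= 10 for s in steps)
    monotonic = all(t0 < t1 for (_, t0), (_, t1) in pairs)
    return {
        "sequential": sequential,
        "monotonic_second": monotonic,
        "gaps": gaps,
        "predictable": sequential and monotonic,
    }


if __name__ == "__main__":
    report = audit_weakids(OBSERVED_WEAKIDS)
    print("sequential counter:", report["sequential"])
    print("second field monotonic:", report["monotonic_second"])
    for g in report["gaps"]:
        print(f"unobserved session {g['counter']}: second field within "
              f"{g['second_between']} (range width {g['window']})")
    print("verdict: predictable" if report["predictable"] else "verdict: ok")
```

A session id that passes this audit is not thereby safe; the fix is to issue ids from a CSPRNG so that neither field exists to be counted.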

Spoof an Authentication Cookie
For this lesson you are told to log in using either webgoat/webgoat or aspect/aspect as the username/password combination. Next you are told to edit the cookie to change your identity to alice.
So first off, log in as webgoat and click the Login button.

At the top of the WebGoat page you should see a link that says Show Cookies. Click on the Show Cookies option and you will see the cookie that was created when you logged in as webgoat.

The authorization cookie for the user webgoat is 65432ubphcfx, as shown above.
Go ahead and click the Logout button and then log in with aspect/aspect next:

Click on the Show Cookies link again (you might have to click twice) and you should get your authorization cookie:

For this authorization cookie we see that aspect has a value of 65432udfqtb.
So the difference between the two logins is the letters after 65432.
The key to this attack is that the username is encoded with a really basic cipher. Let’s take a look at these authorization cookies versus their usernames:

The first thing that I noticed was that both the aspect and webgoat ciphers start with u as the first character. The second thing that I noticed is that both webgoat and aspect end in t. Next you can see that the last character of the webgoat cipher is x, and x is one letter ahead of w. Also, u is one character ahead of t, which explains why both ciphers start with u. The cipher pattern is the login name reversed, with every letter shifted up by one. Now that we know this we can begin editing the cookie to change our login name to alice.
To do this, let’s first do the cipher by hand:

OK, now open up Firebug and edit the cookie value so that it is 65432fdjmb.
To do this, right click on the AuthCookie value when the menu for it is expanded and click Edit:

You will see a popup window called Edit Cookie. Change the value to the one we determined for user alice:

Click the OK button and refresh the page.
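The cipher worked out by hand above, beside the kind of session handling that would have defeated this lesson, as an added example rather than WebGoat's own code. The encoder reproduces the prefix 65432, the reversal and the shift by one; wrap-around from z to a is an assumption, since the lesson only exercises letters a to x.

```python
"""The WebGoat AuthCookie scheme worked out above, beside a hardened alternative.

Added example, not WebGoat's code. The weak scheme reverses the login name and
shifts every letter up by one behind the fixed prefix 65432; wrap-around from
z to a is an assumption, since the lesson only exercises letters a..x.
"""
import secrets

PREFIX = "65432"


def _shift(text, offset):
    """Shift lowercase letters by offset with wrap-around; other chars untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + offset) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def weak_encode(username):
    """Build the AuthCookie value for a username (the lesson's cipher)."""
    return PREFIX + _shift(username.lower()[::-1], 1)


def weak_decode(cookie):
    """Recover the username from a cookie. The scheme has no secret, so anyone
    who sees one cookie can compute the cookie for any other user."""
    if not cookie.startswith(PREFIX):
        raise ValueError("not an AuthCookie value")
    return _shift(cookie[len(PREFIX):], -1)[::-1]


class SessionStore:
    """Hardened replacement: the cookie is an opaque random token and the
    username lives only in a server-side table, so nothing about the user can
    be derived from, or forged into, the cookie value."""

    def __init__(self):
        self._sessions = {}

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return token

    def lookup(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        self._sessions.pop(token, None)


if __name__ == "__main__":
    for user in ("webgoat", "aspect", "alice"):
        print(user, "->", weak_encode(user))
    store = SessionStore()
    tok = store.issue("alice")
    print("opaque token resolves to", store.lookup(tok))
    print("forged weak cookie resolves to", store.lookup(weak_encode("alice")))
```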


Hacking Spree: Syrian Electronic Army Defaces NY Post’s Facebook Page, Multiple Prominent Twitter Accounts

The Syrian Electronic Army (SEA), a group of hackers, appeared to compromise the New York Post’s official Facebook page and a series of prominent Twitter accounts Tuesday afternoon, including the handles of three New York Post reporters and a Washington Post columnist.
In each case, the SEA tweeted “Syrian Electronic Army was Here.” In one case, a compromised user tweeted “f**k you @twitter.”
The SEA later posted a photo which appeared to show that they were able to gain access to these accounts by hacking into social media optimization platform Social Flow.
Social Flow Hacked
(Photo credit: @official_sea16)
Social Flow did concede their “Twitter and FB accounts were compromised” as a result of a “phishing attack,” but insisted none of their clients’ data was compromised.
“No customer access or data was compromised in this attack,” Social Flow tweeted. “As part of our security controls, we immediately took our service offline.”
“We are following our security protocols to restore service and are communicating with customer’s directly,” they continued in another tweet.
Social Flow’s website returned a “404 Not Found” error on Tuesday afternoon, following the attacks.
A spokesperson for the New York Post was not immediately available for comment to TheBlaze.
Multiple screenshots captured images of the hacks.
New York Post Facebook
(Photo credit: Techworm.in)
Social Flow Hack
(Photo credit: @NewsBreaker)
Mike Puma Twitter
(Photo credit: @NewsBreaker)
Jason Reid Twitter
(Photo credit: @NewsBreaker)
Brian Lewis Twitter
(Photo credit: @NYPost_Lewis)
Richard Johnson
(Photo credit: @HeadlineJohnson)

Russian pleads not guilty in biggest U.S. hacking case

NEWARK, New Jersey/SAN FRANCISCO (Reuters) - A Russian man accused of being part of the largest cybercrime ring ever prosecuted in the United States pleaded not guilty on Monday to charges that could send him to prison for decades.
Dmitriy Smilianets, 29, of Moscow, entered the plea during an afternoon hearing in federal court in Newark, New Jersey.
His attorney told Reuters that he would fight the charges and that he was looking into possible irregularities with the circumstances of his arrest last year in the Netherlands.
Smilianets wore an orange prison jumpsuit and stood with shackled hands and feet during the appearance with lawyer Bruce Provda before U.S. District Judge Jerome Simandle.
Smilianets is accused of conspiring with a team of hackers from Russia and the Ukraine to steal more than 160 million credit card numbers in a series of breaches that cost victim companies more than $300 million.
The companies infiltrated included financial firms such as NASDAQ and Heartland Payment Systems Inc, along with other well-known names including JetBlue Airways Corp and retailer J.C. Penney Co of Plano, Texas.
Prosecutors allege Smilianets sold the stolen data after it was taken by four other members of his team, including credit card data starting at $10 for an American number and $50 for a European number.
Smilianets was extradited to the United States in September 2012 and has remained in federal custody since. In Russia, he was most widely known as the founder of a championship electronic gaming team called Moscow 5, which traveled the world for competitions. Online, his handles included Dima Brave and Dima Bold.
If convicted, he faces up to 30 years for conspiracy to commit wire fraud, another 30 years for wire fraud and five years each for gaining unauthorized access to computers and conspiracy to gain access.
Also arrested in the Netherlands was Vladimir Drinkman, who remains there fighting extradition. Amid a general worsening of relations with Russia exacerbated by intelligence agency leaker Edward Snowden's flight there, prosecutors last month also unsealed an indictment against another alleged member of the ring still free in that country, Alexandr Kalinin.
YEARS-LONG PURSUIT
Authorities have been pursuing the hackers for years. Many of the breaches were previously reported, though it appeared the one involving Nasdaq OMX Group Inc was disclosed for the first time in July.
Prosecutors said each of the defendants had specialized tasks: Drinkman and Alexandr Kalinin hacked into networks, while Roman Kotov, 32, mined them for data. They allegedly hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Ukraine.
Rytikov has not been arrested, but an attorney for him, Arkady Bukh, attended Monday's hearing. Bukh said his client did not know Smilianets.
According to prosecutors, the five men hid their efforts by disabling victims' anti-virus software and storing data on multiple hacking platforms. They sold payment card numbers to resellers, who then resold them on online forums or to "cashers" who encode the numbers onto blank plastic cards.
The indictment cited Albert Gonzalez as a co-conspirator. Gonzalez is already serving 20 years in prison after pleading guilty to helping mastermind one of the schemes.
Prosecutors say the defendants worked with Gonzalez before his arrest in Miami, then continued on a crime spree after his capture.
Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Gonzalez in connection with five breaches.
The NASDAQ breach did not include the trading platform that allows NASDAQ customers to buy and sell securities, prosecutors said. Officials with NASDAQ declined to comment.
An official briefed on that incident said the group wasn't able to get any money from their NASDAQ access.
Other victims included Dow Jones, Wet Seal Inc and 7-Eleven Inc, according to prosecutors.
Dow Jones said in a statement that there was "no evidence" that information of Dow Jones or Wall Street Journal customers was compromised as a result of the breaches.

Comment is free : Observe, Make, Hack: reflections on a hacker camp

The outdoors gathering sparked passionate debate and disagreement – but we all chose to be there to tackle the difficult conversations that will shape our future

The lights of the Observe, Make, Hack festival. Photograph: @micahflee
Last week marked Observe, Make, Hack – the largest outdoor gathering of hackers, academics, activists and spooks descending upon a campsite in The Netherlands for a week once every four years.
Wandering around the paddocks on the first night of camp, the laser lights and smoke in an empty space known as Rainbow Island at the edge of the camp caught my attention.
“A bit sad isn’t it? That huge space, filled with lights and nobody dancing ...”, I said. Hacktivist Jason Gulledge paused beside me before answering: “Imagine it as a practice run. We all live in our dreams of what could be.”
I fell into crowd-sourcing news back in 2009, sharing thousands of articles about Wikileaks, hackers, the Pirate Bay, Anonymous, Lulzsec and mass surveillance. I eventually took a professional role crowd-sourcing news from online social media on behalf of print media outlets.
I’ve seen some fairly shocking images scrolling down my screen in those years – bloated corpses of Syrian babies, teenagers murdered in Bahrain, Occupy protesters pepper sprayed and beaten: the 24/7 gore of the journalism sausage. And in that time, many of the digital dissidents that I and many others followed and interacted with – Barrett Brown, Jeremy Hammond, Anakata, Jake Davis and more – have one by one been prosecuted, persecuted and jailed.
And we’ve been witnessing the never-ending ramp-up of military contractors, constantly clamouring for billions to take military action over claims of cyber war. That’s not to say there aren’t online threats, but it’d be nice if our governments were as willing to put their dollars into defending critical infrastructure as opposed to launching offensive attacks.
Frankly, news in recent years has been a little depressing, which is how I came to book a spur-of-the-moment round-trip ticket from Australia to Europe, desperate to find a thread to hold onto – a belief that the future holds something more than the dystopian reality that has rushed up on us, fermented into a pervasive Big Brother regime of NATO-state condoned totalitarian surveillance. And so against the background of all this gathered perhaps some of the most interesting people alive on the planet.
There was Thomas Drake, NSA whistleblower; Jesselyn Radack, a US department of justice whistleblower; the geeks behind GlobalLeaks, the first open-source whistleblowing framework; Christopher Schwartz, the young editor in chief behind New Eurasia (one of the only English-language news websites featuring activists from Central Asia); the hackers of La Quadrature Du Net such as Jérémie Zimmermann, who led the fight against ACTA; and members of hacker collective Telecomix, who slipped across the Turkish border to collect information on the Syrian government's surveillance.
In the first mass hacker camp in Europe since the revelations of NSA-whistleblower Edward Snowden, international theory and politics were furiously debated.
Julian Assange, founder of Wikileaks, spoke via video link, discussing the new international body politic being thrashed out in online, hyper-connected networks reaching far beyond the civil society we once knew.
Eleanor Saitta also prodded the future of humanity, not only poking at whether democracy really requires rough men doing evil deeds in the night to preserve its sanctity, but also questioning the reliance of nation states on surveillance to survive.
Ex-Wikileaks volunteers Herbert Snorrason and Smári McCarthy talked of societal cybernetics; former CIA agent Ray McGovern took to the stage wearing an "ARREST BUSH & OBAMA" t-shirt; and of course there was Vinay Gupta, who announced “we’re fighting for free software running on top of hardware that was manufactured by slaves.”
Don’t get me wrong. It wasn’t some utopian little coffee-house philosophy club gathering. The spooks and the freedom fighters were jammed shoulder against shoulder, and boy was there friction.
FoxIT, a contractor for the Dutch national intelligence agency, attended and quickly found their tent graffitied with red spray-paint. Similarly, the whistle-blowing panel, hosted next to a session on remote SIM-card hacking, made more than a few people squirm.
Yes, it was difficult at times – a strange mix of people. But we chose to be in that space together, because opting out meant more than just opting out of a camp in a sheep paddock in the Netherlands; it would have meant opting out of practicing the difficult conversations that shape our future.
On the last night of the camp, the Italian hackers cracked open 40 liters of brain-scorching grappa, and suddenly there was drunken, twisted dancing amongst the pyrotechnics and lighting effects that had been practiced to precision for days before the crowds converged. The Party at the End of the Universe, built on dreams of what the future could hold, was well worth the wait.

The Cisco 2013 Annual Security Report & Security Intelligence Operations


Networks Strain to Keep Pace with Data Explosion

In one minute, Facebook logs 6 million page views, Google handles 2 million-plus search queries, Twitter adds more than 320 accounts, and the data explosion threatens to overwhelm network infrastructure.

Network infrastructure as a topic lacks the sex appeal of slick mobile devices, cool social and location apps, streaming music or viral videos. Yet without the fast flow of data that a robust network infrastructure supports, they all come to a grinding halt. We’ve looked before at the strain our collective appetite for mobile devices and video places on networks. This infographic demonstrates the enormity of the need for network capacity beyond just mobile and video uses, and forecasts a future in which network providers will be scrambling to keep pace.
Data Explosion - What Happens in an Internet Minute
Right now, almost 640 Terabytes of data move across global IP networks in a single minute. Smartphone and social networking application usage comprise much of that data tidal wave.
In one minute…
Today’s data volume challenges network providers to keep pace with an insatiable hunger for bandwidth, yet the future promises to make the demand more acute. The number of networked devices now approximately equals the global population, but by 2015 it’s projected to double. Just 3 years from now, it will take 5 years to view all the video crossing IP networks in one second.


Sony Playstation Hack Timeline


Sony Playstation Network Hack