Monthly Archives: December 2015

Someone Tried to Take Down Internet’s Backbone with 5 Million Queries/Sec

Someone DDoSed one of the most critical organs of the Internet’s anatomy: the DNS root servers.
Early last week, a flood of as many as 5 million queries per second hit many of the Internet’s DNS (Domain Name System) root servers, which act as the authoritative reference for mapping domain names to IP addresses and number 13 in total.
The attack, a Distributed Denial of Service (DDoS) attack, took place on two separate occasions.
The first DDoS attack on the Internet’s backbone root servers was launched on November 30 and lasted 160 minutes (almost 3 hours); the second started on December 1 and lasted almost an hour.

Massive Attacks Knocked Many of the 13 Root Servers Offline

The DDoS attack was able to knock 3 out of the 13 DNS root servers of the Internet offline for a couple of hours.


In the first DDoS attack the queries fired at the servers were valid DNS messages addressed to a single domain name; the second day’s attack addressed a different domain name.
According to the analysis published by the root server operators on Tuesday, each attack fired up to 5 million queries/second per DNS root name server, enough to flood the network and cause timeouts on the B, C, G, and H root servers.
There is no indication of who or what was behind the large-scale DDoS attacks, because the source IP addresses used in the attacks were well distributed and randomized across the entire IPv4 address space.
The DDoS attacks did not cause any serious damage to the Internet, only a delay for some Internet users whose web browser, FTP, SSH, or other clients made DNS queries.

This Smart Design Defends DNS Protocol Infrastructure

The motive for such attacks is still unclear, because disabling or knocking down a root server won’t have a severe impact on the Internet, as there are several thousand other DNS servers managing DNS queries.

“The DNS Root Name Server system functioned as [it’s] designed, demonstrating overall robustness in the face of [massive] traffic floods observed at numerous DNS Root Name Servers,” the Root Server Operators say (PDF), referring to the backup system employed by DNS servers.

Like the Internet, DNS is constructed on a mesh-like structure, so if one server doesn’t respond to a request, other servers step in and provide a DNS query result.
According to the DNS root server operators, the attack was not the result of a reflective DDoS attack, in which open and misconfigured DNS resolvers are used to launch high-bandwidth DDoS attacks on the target.
Despite all the facts, any attack on the critical infrastructure of the Internet is taken extremely seriously.
The DNS root server operators recommended that Internet Service Providers (ISPs) implement Source Address Validation and BCP 38, an Internet Engineering Task Force standard that helps defeat IP address spoofing.

 

Employee Error Leading Cause of Data Breaches, New Survey Says

A company’s cybersecurity is only as strong as its weakest link.

“Employee error” turns out to be the most common reason for a data breach at companies, according to a new cybersecurity report released Wednesday by the Association of Corporate Counsel. This means the breach occurred as the result of a mistake the employee made, such as accidentally sending an email with sensitive information to someone outside the company.

The report, which contained survey responses from more than 1,000 in-house lawyers in 30 countries, found that 30% of breaches this year occurred as a result of employee error. Other common reasons for a breach included unauthorized access by insiders intending to steal company data and phishing attacks, when third parties send spam emails designed to trick employees into giving up their personal information.

The findings highlight how easy it is for cybercriminals to take advantage of negligent employees. For instance, hackers in a recent case allegedly stole information from newswire companies by sending phishing emails to employees and then put that information on overseas servers for financial traders to access.

Lawyers in the healthcare industry reported the highest number of breaches, followed by insurance, manufacturing and retail, according to the survey. Experts have said health companies are especially vulnerable because they hold sensitive information, including people’s prescriptions and illnesses, that would be valuable to hackers.

Although cyber risk has traditionally been handled by companies’ IT departments, the survey found that most in-house lawyers expect their role in cybersecurity to increase next year, despite the fact that only 10% of lawyers surveyed had a portion of their budget allocated explicitly to cybersecurity.

Half of the survey respondents said their company has cybersecurity insurance; among those, 68% had coverage valued at $1 million or more. Of the lawyers who have experienced a breach, only 19% said their insurance policy fully covered the related damages.

A Sender Policy Framework (SPF) Primer for Exchange Administrators

Email spam continues to be a huge problem for organizations these days, and it usually falls on the Exchange administrator to do something about it. Aside from the usual anti-spam measures we can put in place to protect our own servers from spam, we also need to consider how to prevent spammers from spoofing (imitating) the domain names for our own organization. After all, it can be very embarrassing or cause serious brand damage to have spam and malware that uses your domain name.

To detect spoofed email many receiving servers, particularly those operated by large email providers such as Microsoft, Yahoo, Google, and AOL, will perform a check of the Sender Policy Framework (SPF) record for the sender’s domain when a sending server is attempting to send an email message.

SPF records allow a domain owner to specify which mail servers are permitted to send email for that domain name. When the sending server issues its “MAIL FROM” command in the SMTP conversation, the receiving server will look up the SPF record for the domain part of that MAIL FROM address to see if there is a match for the source IP address of the SMTP connection.


If you were reading about SPF records on the internet you may find advice from some websites that it is better to have no SPF record than it is to have an incorrect SPF record. There’s some truth to that, but also some risks. Some mail hosts will reject mail if there is no SPF record for the domain. It tends to be few hosts that do that, but because they are very large mail hosts the impact can be quite noticeable. Ultimately, it is best to have a correctly configured SPF record in DNS for your domain.

An SPF record is simply a TXT record with a certain syntax. The syntax is made up of two parts: mechanisms and modifiers. Modifiers are optional and are not commonly used except in special circumstances. During management and troubleshooting of transport you’ll most often be dealing with SPF records containing only mechanisms.

The mechanisms of an SPF record define the sets of hosts that can send email for the domain. The available mechanisms are:

  • all – matches any host, and is placed at the end of the SPF record as a “catch all” for any senders that did not match other mechanisms listed ahead of it.
  • ip4 – matches a single IPv4 address or IPv4 network range.
  • ip6 – matches a single IPv6 address or IPv6 network range.
  • a – matches a host name or domain name. The IP addresses that the name resolves to in DNS are matched against the sender’s IP address. This mechanism is useful for matching against a web server IP address based on the domain name.
  • mx – matches against the MX records for the domain. This mechanism is useful when the outbound mail is handled by the same servers as the MX records resolve to for inbound mail.
  • ptr – reverse DNS queries are used to match the sender IP address to the host names that it resolves to. This mechanism is generally not recommended due to the DNS load it causes.
  • exists – simply checks that the domain exists in DNS.
  • include – matches the sender IP against the SPF record of another domain. This is commonly used when your outbound email is routed via a cloud service such as Exchange Online Protection.

Mechanisms are used in combination with a qualifier that tells the server what to do when a match is found. The qualifiers are:

  • “+” for Pass (this is the default if no qualifier is explicitly provided)
  • “-” for Fail (email from unauthorized hosts should be rejected)
  • “~” for SoftFail (may result in email being accepted but marked as “likely spam”)
  • “?” for Neutral (regardless of the result the email should be accepted)

An example of a mechanism paired with a qualifier is “-all” at the end of an SPF record, which means “Fail/reject email from any sender who did not match an earlier mechanism in the SPF record.”
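As an added example (not code from the original article), here is a small Python evaluator for the record syntax described above: it walks the mechanisms left to right, returns the result named by the qualifier of the first match, and enforces the ten-DNS-lookup limit from RFC 7208 that validators report as “excessive DNS lookups”. DNS answers come from a constructed in-memory table (an assumption so the example runs offline); the host names and addresses in it are made up.

```python
import ipaddress

# Qualifier prefix -> SPF result returned when the mechanism it precedes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that cost a DNS query. RFC 7208 allows at most 10 of these per
# evaluation (terms inside an include count too); going over yields "permerror".
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
MAX_LOOKUPS = 10

# Constructed stand-in for DNS so the example runs offline (assumption: a real
# checker issues live A, MX, TXT and PTR queries). All names/addresses are made up.
FAKE_DNS = {
    "a": {"mail.example.com": ["192.0.2.25"],
          "www.example.com": ["203.0.113.10"]},
    "mx": {"example.com": ["mail.example.com"]},
    "txt": {"spf.protection.outlook.com":
            "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"},
    "ptr": {"192.0.2.25": ["mail.example.com"]},
}


class PermError(Exception):
    """Raised for a malformed record or a blown DNS lookup budget."""


def _ip_in(ip, cidr):
    """True if ip lies inside cidr; a bare address means /32 or /128."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ip.version == net.version and ip in net


def _matches(name, arg, ip, domain, dns, state):
    """Does one mechanism match the connecting IP? Counts DNS lookups in state."""
    if name in LOOKUP_MECHANISMS:
        state["lookups"] += 1
        if state["lookups"] > MAX_LOOKUPS:
            raise PermError("more than %d DNS lookups" % MAX_LOOKUPS)
    target = arg or domain          # a, mx, ptr, exists default to the current domain
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        return _ip_in(ip, arg)
    if name == "a":
        return str(ip) in dns["a"].get(target, [])
    if name == "mx":
        hosts = dns["mx"].get(target, [])
        return any(str(ip) in dns["a"].get(h, []) for h in hosts)
    if name == "ptr":               # simplified: no forward-confirmation step
        names = dns["ptr"].get(str(ip), [])
        return any(n == target or n.endswith("." + target) for n in names)
    if name == "exists":
        return target in dns["a"]
    # include: the referenced domain's record must itself yield "pass"
    sub = dns["txt"].get(arg)
    if sub is None:
        raise PermError("include:%s has no SPF record" % arg)
    return evaluate(sub, ip, arg, dns, state) == "pass"


def evaluate(record, ip, domain, dns, state):
    """Walk the record left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise PermError("record must start with v=spf1")
    for term in terms[1:]:
        if "=" in term:             # modifier (exp=, redirect=); not handled here
            continue
        qualifier = "+"             # implicit "+" when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name not in {"all", "ip4", "ip6"} | LOOKUP_MECHANISMS:
            raise PermError("unknown mechanism %r" % name)
        if _matches(name, arg, ip, domain, dns, state):
            return QUALIFIERS[qualifier]
    return "neutral"                # nothing matched and no "all" term


def check_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Return (result, dns_lookups_used) for sender_ip sending as domain."""
    state = {"lookups": 0}
    try:
        result = evaluate(record, ipaddress.ip_address(sender_ip), domain, dns, state)
    except (PermError, ValueError):
        result = "permerror"
    return result, state["lookups"]


if __name__ == "__main__":
    # Mirrors the article's wizard choices: MX hosts, an extra A record,
    # a cloud include, then reject everything else.
    rec = "v=spf1 mx a:www.example.com include:spf.protection.outlook.com -all"
    for ip in ("192.0.2.25", "203.0.113.10", "198.51.100.7", "192.0.2.99"):
        print(ip, check_spf(rec, ip, "example.com"))
```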

If this all seems very complicated to you, don’t worry, it starts out that way for everyone who has to deal with SPF records. Fortunately, there are many tools available to help you construct and validate your SPF records. For example, Microsoft provides the Sender ID Framework SPF Record Wizard, which has an awkwardly long name but is nonetheless very useful.


After entering your domain name the wizard will step you through a series of questions to determine the most likely SPF record that you will need. In this example I answered the questions as follows:

  • Domain’s inbound servers may send mail (in other words, the servers listed as MX records also handle outbound email)
  • An additional domain name whose A record is a valid outbound email server (a common example of this is an externally hosted website that uses its own SMTP service to send notifications and other emails)
  • This domain sends mail only from the IP addresses identified above (in other words, anything else trying to send email from my domain name should be considered unauthorized)

The wizard then displays the resulting SPF record.


By adding that string as a TXT record in the public DNS zone for the domain name I will have prevented unauthorized email servers from spoofing my domain name. At least, they won’t be able to do it when sending to any receiving server that checks SPF records. Anyone who is not checking SPF records can still receive the spoofed email, but may reject it for other reasons such as spam content or malware.

Apart from tools to generate your own SPF record, many email services will provide you with the exact strings to add to your SPF record. When you add a domain name to Office 365 Microsoft advises you of the SPF record they suggest, which is appropriate for organizations sending their outbound email using Exchange Online Protection. Similarly, email marketing services and SMTP hosting services will also have documented solutions to adjust your SPF record so that you can successfully use their services without your email being rejected.

After you have your SPF record in place you should validate it. And in fact, you should repeat this validation test any time you suspect an external organization may be rejecting your email because of your SPF record. MXToolbox has an SPF record validator that takes a domain name and IP address as input and lets you know what the result will be if that IP address sends email for your domain.


Aside from the result for that specific IP address, the MXToolbox SPF record lookup tool will also validate the general health of your SPF record for problems such as excessive DNS lookups or syntax problems.


Despite the importance of SPF records for internet email delivery, your internal mail flow between Exchange servers in your own organization is not dependent on SPF records. The Exchange servers in your organization already understand that other Exchange servers in the same organization are authoritative for your domains.

Computer Forensics on the Fly

Incident responders regularly rely on Linux distributions like BackTrack 5 R3 (which is very stable), BackTrack Reborn, Kali Linux, and SIFT (the SANS Incident Forensics Toolkit) for general-purpose incident response. Although these are the most stable general-purpose incident response distributions, Deft Linux is another distribution becoming more prevalent in IR forensics toolkits.

Deft Linux

Deft Linux is a forensics distribution of the Linux operating system with resident tools geared towards computer forensics and computer incident response. It also focuses on network forensics and cyber intelligence. The version of this distribution currently most in use is based on Ubuntu 11.10. To view the release, a user would go to the command line and type:

%cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"

This particular Deft Linux distribution sits on top of version 11.10 of Ubuntu. It is available as an “iso” which can be used to create a live CD, or you can order a live CD from http://www.deftlinux.net . You just download Deft and use an unzip program (such as WinZip or 7-Zip) to unzip the file, then use an “iso” burning program (such as Rufus, the executable Rufus.exe) to burn the disk. After you have burned your CD/DVD, remember to change the boot order on the system before you insert your “Live CD” (for example, hit F2 as the computer boots), and you will be able to boot your distribution on any system which has a CD/DVD drive. You can even load it on a USB stick for USB-bootable systems.

Tools and Applications

You can boot Deft on any system you want to perform forensics on. You will then be able to analyze the hard drive, capture images of that hard drive and export them to an external drive or some other form of external storage. You can perform forensic analysis utilizing a battery of tools that come in the Deft Linux suite. It comes loaded with:

  • Analysis tools
  • Anti-malware tools
  • Carving tools
  • Hashing tools
  • Mobile forensics
  • Network forensics
  • Midnight Commander
  • Mount Manager
  • XMount
  • OSINT tools
  • Password Recovery tools
  • Reporting tools
  • Disk utilities
  • File managers
  • GParted
  • Mount EWF
  • Wipe

Deft comes loaded with the typical Linux accessories, such as Apache server, Firefox, Google Chrome, MySQL server, office utilities, Samba server and Secure Shell (SSH) server. These applications sit on top of the standard suite of Linux programs and services. You also have programs that are specific to Deft, which provide many forensic and incident response capabilities. For example:

Password recovery tools such as John the Ripper. It is very common to have to analyze a system that is locked with a password, and it is also common to encounter Windows users who have been locked out of their systems because they have forgotten their passwords. Deft requires the user to operate at the Linux command line.

Password Recovery

In Deft Linux, when we process John The Ripper, the first thing we do is print the working directory.

#pwd

We locate the password list database and change to that directory…

#cd /usr/share/wordlists

In the password list database, we will use the database file that is in .gz format by default.

We clear the screen and unpack the file, for example:

#gunzip clyde.gz

The unpacked wordlist is then ready for John to use. A word count can be performed on the file as we prepare to run John The Ripper…

#john --wordlist=/usr/share/wordlists/clyde.txt mypass

This runs a brute-force password attack using a wordlist of well-known passwords. We can use the --format=crypt option to force John to load the hashes as crypt hashes; John then reports the hashes it loaded (for example, two password hashes with two different salts). For example:

#john --format=crypt --wordlist=/usr/share/wordlists/clyde.txt mypass

This results in two password hashes being cracked. You then run the following command to print the passwords that have been cracked.

#john --show mypass

John The Ripper performs the operation in the workspace “.john” under the “/root” directory.

Deft Linux can also be used to access the Windows OS, change the appropriate settings and reset the password.

Systems and Network Analysis

There are many categories of programs available for analysis in Deft. GParted lets you look at how a hard drive is partitioned, which is a very common task to perform with a Linux system. The distribution has plenty of capability for hashing with md5sum, sha1sum, sha256sum and sha512sum. Our imaging tools give us the capability to gather, verify and manipulate images, and to create them. We can boot the Deft distribution as a live CD and capture an image.

Deft gives us “dcfldd”, “dc3dd” and Cyclone, which are various forms of “Dupe Disk”. Cyclone is a tool for cloning disks. It works the same way that “Dupe Disk” works. It is a command-line cursor interface that displays the hard drives that are available. You only need to type the name of the installed hard drive(s) for the partition you want to clone at the interface, and Cyclone will perform the action for you.

Deft Linux has data carving tools available. “Photorec” allows you to recover graphics files or image files. Scalpel allows you to carve files out of a hard drive when the file may have been deleted, obscured or damaged. Data carving tools allow you to go and find the data on the drive and retrieve the file even though it is not available to the normal filesystem any longer.

Deft has mobile forensics tools which give us the capability to perform forensics on mobile devices. “Ipddump” performs iPhone dumps and “Iphone Analyzer” allows you to perform iPhone analysis. “Bbwhatsapp” allows you to perform BlackBerry analysis and decode BlackBerry databases. You also have a “SQLite” database browser, a GUI editor for “SQLite” databases. The iPhone stores a lot of data inside “SQLite” databases, so if you can retrieve the data you have a graphical way of looking at it, rather than viewing it manually with command-line tools. Even if you can get a “SQLite” command interface, the “SQLite” database browser is extremely efficient. It helps you open those databases to view and manipulate them, as well as executing SQL commands and queries against them, which allows you to investigate the data in more detail.

Deft Linux comes with network forensic tools. We have Wireshark (a network protocol analyzer for Unix and Windows) and Ettercap. Ettercap is a free, open source network security tool for man-in-the-middle attacks on LANs. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows.

Deft also has PDFCrack, Samdump2 and Fcrackzip (which is optimal for cracking zip files). If there is a password on a zip file, this may be able to crack it so you can see what is inside that zip file.

Conclusion:
Deft Linux is not as easy to use as the graphical programs that are available for computer forensics, but it has a lot of capability as long as you learn how to use the various tools. You will get more out of the Deft tools if you study and run these applications. On the plus side, Deft Linux is a free “Live CD” that a user can download and burn. It frees the user from being tied to a forensic workstation. A disk is easily carried around and can quickly be pressed into analysis and recovery on any site. These advantages make Deft Linux ideal for targeted computer forensics analysis.

BackStab Attack Takes Indirect Route To Mobile Data

Attack technique takes advantage of weak protections around mobile user’s backup files.

While there are plenty of mobile device vulnerabilities just waiting for bad guys to pick up on, some of the lowest hanging fruit for mobile-oriented attackers isn’t on the device itself. Instead, the softest target comes in the form of insecure back-ups stored on a traditional desktop or laptop.

Palo Alto Networks’ Unit 42 research team calls the technique “BackStab.” In a report out today, researchers with the team explain that this indirect route can nab attackers text messages, photos, geo-location data and just about anything else that’s been stored on a mobile device.

“While the technique is well-known, few are aware of the fact that malicious attackers and data collectors have been using malware to execute BackStab in attacks around the world for years,” writes report author Claud Xiao. “iOS devices have been the primary target, as default backup settings in iTunes® have left many user backups unencrypted and easily identified, but other mobile platforms are also at risk.”

According to the report, Unit 42 has found over 700 recent flavors of Trojans, adware and other hacking tools designed to target Windows and Mac systems containing user data from backup files from iOS and BlackBerry devices. Several of the malware families discovered by the researchers have been around for at least five years. They explain that there are tons of public articles and video tutorials detailing how to carry out a BackStab attack. And unlike a lot of mobile device attacks, the attack doesn’t require the targeted user to have a jailbroken device.

In the case of iOS attacks, BackStab is often made possible by default settings in iTunes that don’t encrypt backed-up data.

The report released today detailed some of the most common tools that employ BackStab, including a dropped portable executable file called USBStler, often used in concert with the DarkComet remote access Trojan. Interestingly, they also showed how RelevantKnowledge, a tool developed by Internet research firm comScore, leans on BackStab techniques to spy on consumers.

“We found that many RelevantKnowledge samples contain code to collect users’ iPhone and BlackBerry data through these mobile devices’ backup archives,” Xiao wrote. “During their execution, these samples will search for files under the Windows iTunes backup directory, collect information, compress it into a file and upload it to (comScore’s) web server.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Can a virtual machine “Hack” another VM running on the same physical machine?

Of course it is possible to exploit another VM running on the same hardware, given a working exploit. Additionally, one can exist.

The exploits that are used in this context are naturally different from ones that function when you’re running on the same machine you are trying to exploit a service on, and they tend to be quite a bit harder due to the increased isolation. However, some general approaches that can be used to accomplish such an exploit include:

  • Attack the hypervisor. If you can get a sufficiently privileged shell on the hypervisor given a VM, you can gain control over any VM on the system. The way to approach this is to look for data flows that exist from the VM into the hypervisor, and are highly hypervisor-dependent; things like paravirtualized drivers, clipboard sharing, display output, and network traffic tend to create this type of channel. For instance, a malicious call to a paravirtualized network device might lead to arbitrary code execution in the hypervisor context responsible for passing that traffic to the physical NIC driver.
  • Attack the hardware on the host. Many devices allow for firmware updates, and if it happens to be possible to access the mechanism for that from a VM, you could upload new firmware that favours your intentions. For instance, if you are permitted to update the firmware on the NIC, you could cause it to duplicate traffic bound for one MAC address (the victim’s), but with another destination MAC address (yours). For this reason many hypervisors filter such commands where possible; ESXi filters CPU microcode updates when they originate from a VM.
  • Attack the host’s architecture. The attack you cited, essentially yet another timing-based key disclosure attack, does this: it exploits the caching mechanism’s impact on operation timing to discern the data being used by the victim VM in its operations. At the core of virtualization is the sharing of components; where a component is shared, the possibility of a side channel exists. To the extent that another VM on the same host is able to influence the behaviour of the hardware while running in the victim VM’s context, the victim VM is controlled by the attacker. The referenced attack makes use of the VM’s ability to control the behaviour of the CPU cache (essentially shared universal state) so that the victim’s memory access times more accurately reveal the data it is accessing; wherever shared global state exists, the possibility of a disclosure exists also. To step into the hypothetical to give examples, imagine an attack which massages ESXi’s VMFS and makes parts of virtual volumes reference the same physical disk addresses, or an attack which makes a memory ballooning system believe some memory can be shared when in fact it should be private (this is very similar to how use-after-free or double-allocation exploits work). Consider a hypothetical CPU MSR (model-specific register) which the hypervisor ignores but allows access to; this could be used to pass data between VMs, breaking the isolation the hypervisor is supposed to provide. Consider also the possibility that compression is used so that duplicate components of virtual disks are stored only once – a (very difficult) side channel might exist in some configurations where an attacker can discern the contents of other virtual disks by writing to its own and observing what the hypervisor does.
Of course a hypervisor is supposed to guard against this and the hypothetical examples would be critical security bugs, but sometimes these things slip through.
  • Attack the other VM directly. If you have a proximal host to the victim VM, you may be able to take advantage of relaxed access control or intentional inter-VM communication depending on how the host is configured and what assumptions are made when deploying access control. This is only slightly relevant, but it does bear mention.

Specific attacks will arise and be patched as time goes on, so it isn’t ever valid to classify some particular mechanism as being exploitable, exploitable only in lab conditions, or unexploitable. As you can see, the attacks tend to be involved and difficult, but which ones are feasible at a particular time is something that changes rapidly, and you need to be prepared.

That said, the vectors I’ve mentioned above (with the possible exception of the last one in certain cases of it) simply don’t exist in bare-metal environments. So yes, given that security is about protecting against the exploits you don’t know about and that aren’t in the wild as well as the ones which have been publicly disclosed, you may gain a little security by running in bare metal or at least in an environment where the hypervisor doesn’t host VMs for all and sundry.

In general, an effective strategy for secure application programming would be to assume that a computer has other processes running on it that might be attacker-controlled or malicious and use exploit-aware programming techniques, even if you think you are otherwise assuring no such process exists in your VM. However, particularly with the first two categories, remember that he who touches the hardware first wins.

The Healthcare Security Conundrum

It seems like ages ago that the HIPAA guidelines were adopted. Things got a bit more complex as the HITECH requirements and financial implications increased. Following that, Meaningful Use Stage 2, encryption and the like are creating some additional technical challenges. The goal has been to protect patient data and secure it using the best practices your organization can muster. Fast-forward to today: all of the rules still apply, but the game has changed. Hacking and breaches by unidentified and even foreign organizations, whose intent is even murkier, have raised the ante. They know the value of healthcare records and they have had some success at capturing them.

There was a Dustin Hoffman movie from 1976, ‘Marathon Man’ (yes, I am exposing my vintage); the simple question from the antagonist was ‘is it safe?’ Poor Dustin Hoffman did not know what, where, how, why or when. He, as well as the audience, was the receiver of the pain and fear. We find ourselves in a similar situation; instead of diamonds it is our health records at risk. There is financial value in our health records, but the bad actors may not be out only for financial gain; a breach also affects brand value and reputation. The risks and stakes are high, and the intruders may already be in our systems, just looking around for something interesting.

So the ‘fear, uncertainty and doubt’ routine has reached our executives and they want to know ‘What can we do to prevent this from happening to us?’ Our teams are doing their best to train our consumers of IT services not to ‘click on that link’. The intrigue and creativeness of the hackers are sometimes unbelievable.

There are many examples both inside healthcare and in other industries; however, healthcare is a target since the value of a health record is more than just a credit card number. In case you are interested: (HHS Breach Report). The net result is that the top ten breaches of roughly the last 3 years are responsible for 136 million records. At a value of $150 per record, that is a potential street value of $20 billion.

Hence the fact that healthcare is a target.

How does VMware approach this area?

First, it is not a product; it is an approach, a layered approach that involves different organizations. Not one company can solve this complex area alone.

Our approach starts with an assessment to help you understand your security risks. We also work with several organizations that can help you assess your risk. We provide free tools to give some immediate feedback. We follow that with a ‘Hardening Guide’, which is a step-by-step approach to remediating the risks to your virtual environments. One of the capabilities allows workloads to be better isolated through a distributed firewall. This approach may include hardware, software and/or services.

We have just completed a white paper for you to explore the VMware concept of Security and Network Virtualization for Healthcare (VMware Healthcare Security Whitepaper), and although we may not be able to catch the villain of this story, we can ‘protect our house.’