The CyberBunker/Spamhaus denial-of-service attack appears to have subsided, and yesterday's suggestion that the attack was big and broad but limited in impact holds up. CyberBunker backs away from earlier boasting of responsibility and now denies involvement (although they still think Spamhaus had it coming). With the qualified exception of Moscow's Highload Labs, which thinks it sees involvement by a Russian cyber gang, no one's really buying the eleventh-hour disavowal.
The DNS amplification attacks exploited open DNS resolvers (Anonymous threatened but failed to do this in last year's fizzled SOPA protests). Analysts suggest source address validation as a partial answer to DNS amplification threats.
Dark Reading sensibly asks who's supplying CyberBunker and finds that it's difficult to say—possibly A2B or DataHouse (both unavailable for comment), who in turn may be supplied by Tata Communications and Intelliquent. Intelliquent was also incommunicado, but Tata says, in essence, that CyberBunker is their customer's customer, and that they try to enforce acceptable use policies, but it's tough.
And yesterday CyberBunker's site itself fell to a denial-of-service attack.
A BIND nameserver vulnerability opens the possibility of fresh DNS exploits. Spammers bypass reputation filters with Google Translate to redirect victims to malicious sites.
Fear of Chinese cyberespionage continues unabated, as US firms report high rates of intellectual property theft while doing business in China. A US House member notes with satisfaction Sprint's decision to avoid Huawei equipment—a sign new Congressional cyber-counterespionage measures already affect markets.
US Senators want the National Guard to develop cyber capabilities.
Today's issue includes events affecting China, India, Iran, Netherlands, Russia, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
Chronology of a DDoS: SpamHaus(Cisco) Around 12:00 GMT March 16, 2013, a distributed denial of service (DDoS) attack took offline both the spamhaus.org website and a portion of its e-mail services. SpamHaus was able to restore connectivity by March 18; however, SpamHaus is still weathering a massive, ongoing DDoS attack
When spammers go to war: Behind the Spamhaus DDoS(Ars Technica) Over the last ten days, a series of massive denial-of-service attacks has been aimed at Spamhaus, a not-for-profit organization that describes its purpose as "track[ing] the Internet's spam operations and sources, to provide dependable realtime anti-spam protection for Internet networks." These attacks have grown so large, up to 300Gb/s, that the volume of traffic is threatening to bring down core Internet infrastructure. The New York Times reported recently that the attacks came from a Dutch hosting company called CyberBunker (also known as cb3rob), which owns and operates a real military bunker and which has been targeted in the past by Spamhaus. The spokesman whom the NYT interviewed, Sven Olaf Kamphuis, has since posted on his Facebook page that CyberBunker is not orchestrating the attacks
Open DNS Resolvers Center Stage in Massive DDoS Attacks(Threatpost) For some perspective on what 300 Gbps of traffic represents, let's just pretend that your company, as a potential customer, put this massive volume of bits and bytes in front of 20 of the leading Internet service providers. Chances are, all but three or four will tell you "Thanks, but no thanks, we can't handle your business." That, according to Jared Mauch of the Open DNS Resolver Project, is an anecdotal picture of the largest surges in DDoS traffic directed at Spamhaus this week, an attack that also reportedly caused some collateral damage to unrelated online services
How Spamhaus' attackers turned DNS into a weapon of mass destruction(Ars Technica) DNS amplification can clog the Internet's core—and there's no fix in sight. A little more than a year ago, details emerged about an effort by some members of the hacktivist group Anonymous to build a new weapon to replace their aging denial-of-service arsenal. The new weapon would use the Internet's Domain Name Service as a force-multiplier to bring the servers of those who offended the group to their metaphorical knees. Around the same time, an alleged plan for an Anonymous operation, "Operation Global Blackout" (later dismissed by some security experts and Anonymous members as a "massive troll"), sought to use the DNS service against the very core of the Internet itself in protest against the Stop Online Piracy Act
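As an added example (not code from any of the articles above), a defender-side check for the open-resolver condition these items describe: the script scans constructed BIND 9-style query-log lines for recursive queries served to addresses outside an assumed allowed-client list, the symptom of a resolver that can be abused as a reflector, and lists sources sending bursts of them. The log format, the network ranges and the burst threshold are assumptions.

```python
"""Audit a BIND 9-style query log for open-resolver symptoms.

A properly scoped recursive resolver should not answer recursive queries
from arbitrary Internet sources; if it does, it can be used as a
reflector. This script flags recursion-desired queries from outside the
allowed client networks and the sources that send bursts of them (a
reflection victim's spoofed address shows up this way). All sample data
below is constructed.
"""
import ipaddress
import re
from collections import Counter

# BIND 9 'queries' category line; the flag field starts with '+' when the
# client set RD (recursion desired) and '-' when it did not.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Assumed policy: networks this resolver is meant to recurse for.
ALLOWED_CLIENTS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed sample log (documentation prefixes and ranges only).
SAMPLE_LOG = [
    "28-Mar-2013 12:00:01.001 client 192.0.2.10#5353 (www.example.com): "
    "query: www.example.com IN A + (192.0.2.53)",
    "28-Mar-2013 12:00:01.002 client 2001:db8::1#5354 (www.example.com): "
    "query: www.example.com IN AAAA + (2001:db8::53)",
    "28-Mar-2013 12:00:01.003 client 203.0.113.7#4321 (example.org): "
    "query: example.org IN A + (192.0.2.53)",
    "28-Mar-2013 12:00:01.004 client 203.0.113.7#4321 (example.org): "
    "query: example.org IN A + (192.0.2.53)",
    "28-Mar-2013 12:00:01.005 client 203.0.113.7#4321 (example.org): "
    "query: example.org IN A + (192.0.2.53)",
    "28-Mar-2013 12:00:01.006 client 198.51.100.9#53 (example.net): "
    "query: example.net IN MX - (192.0.2.53)",
    "28-Mar-2013 12:00:01.007 unrelated log line that should be skipped",
]


def parse_query(line):
    """Return a dict for a query-log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec


def is_internal(ip_text, allowed=ALLOWED_CLIENTS):
    """True if the client address falls inside an allowed network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in allowed)


def audit(lines, burst_threshold=3, allowed=ALLOWED_CLIENTS):
    """Return (external_recursive, bursty_sources).

    external_recursive: parsed queries that asked for recursion from an
      address outside 'allowed'. If the server answered them, it is an
      open resolver: restrict it (allow-recursion) and have the network
      enforce source address validation (BCP 38) so spoofed queries
      never reach it.
    bursty_sources: external addresses sending >= burst_threshold such
      queries, sorted.
    """
    external = []
    per_source = Counter()
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            continue
        if rec["recursion_desired"] and not is_internal(rec["ip"], allowed):
            external.append(rec)
            per_source[rec["ip"]] += 1
    bursty = sorted(ip for ip, n in per_source.items() if n >= burst_threshold)
    return external, bursty


if __name__ == "__main__":
    ext, bursty = audit(SAMPLE_LOG)
    print(f"{len(ext)} recursive queries from outside allowed networks")
    for ip in bursty:
        print(f"  burst source: {ip}")
```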
Where Were You During the Great DDoS Cybergeddon of 2013?(Internet Storm Center) We've had a few e-mails come in to the ISC now that the popular media has picked up the story of the distributed denial of service attack on CloudFlare and SpamHaus. For instance, here is the New York Times article on the subject. CloudFlare has their own write-up here. I was peripherally involved (very peripherally) as were some other handlers. Let's start with some truth. The attack did reach upwards of 300 Gb/sec and is the largest recorded DDoS to date. It combined already known issues on DNS open resolvers with specific targeting of a choke point, which did have a real impact for SpamHaus and CloudFlare. There also were many people who spent many hours helping deal with this problem. A good number of those had no real connection to SpamHaus or CloudFlare; they are just fellow members of the information security community who came together to deal with a threat. It is a Very Good Thing that this level of cooperation has built up over time and that we respond to these threats as a community
Who Supplies CyberBunker?(Dark Reading) The hosting company behind CyberBunker, the company allegedly behind the DDOS attacks on Spamhaus, connects to the Internet through other providers. Perhaps the only way to pressure those responsible for the attacks is to put pressure on the upstream providers. Reputable businesses don't like to have customers using their services to facilitate crimes. Sadly, not all businesses are reputable. Some don't even pretend to be. Consider CyberBunker. (The site has been offline a lot today.) Their website says they will sell hosting services to any website "except child porn and anything related to terrorism." They brag about it. Is it any wonder that spammers and other such miscreants use their services? Spamhaus, one of the most popular DNSRBLs (DNS-based Blackhole Lists; a service which provides lists of IP addresses of hosts known to spam), called them on it, and when their direct ISP, A2B Internet, didn't comply with Spamhaus's requests, Spamhaus put their network on the SBL, and that's when things got really ugly. Attackers, claiming to be acting on CyberBunker's behalf, conducted a major DDOS against Spamhaus and their hosts
Cyber Attack Thought to Originate in Russia(Wall Street Journal) A massive cyber attack targeting a European spam-fighting group that slowed some global Internet traffic to a crawl appears to have been launched by a gang of hackers from Russia and neighboring countries, says the head of a Russian firm
Anti-Spam Group Says Cyber Attack Has Subsided(Voice of America) An anti-spam group says a large cyber-attack that slowed down parts of the Internet in recent days appears to have subsided. The London-based group Spamhaus said in a web posting early Thursday that it was still seeing some "distributed denial of
Q&A: Behind 'biggest' cyber-attack in history(Aljazeera.com) But the group has raised the ire of attackers, who in recent weeks launched what may have been the biggest cyber-attack ever. Spamhaus blames Dutch hosting company Cyberbunker for the assault. Cyberbunker denies the charge, but its spokesman has
The Truth Behind the 'Biggest Cyberattack in History'(Yahoo) Is it "the biggest cyberattack in history"? Or just routine flak that network-security providers face all the time? News websites across the Western world proclaimed Internet Armageddon today (March 27), largely due to a New York Times story detailing a "squabble" between the spam-fighting vigilantes at Spamhaus and the dodgy Dutch Web-hosting company Cyberbunker. "Fight Jams Internet," the Times headline said
Questions arise over massive cyber attack(The Age) A day after details emerged of an alleged massive cyber attack targeting the anti-spam organisation Spamhaus, questions arose about its severity and origin. The target of the attack, which was widely reported on Wednesday, was the anti-spam
Sceptics Dispute Claims Of Massive DDoS Attack Slowing Down The Internet(Huffington Post) Scepticism has been thrown on reports that a massive online attack caused speeds on the internet to slow around the world on Wednesday. Publications including the BBC and the New York Times reported that a 'war' between a hosting firm and a non-profit spam-fighting organisation had clogged up the internet for millions of users. The New York Times said this attack was "jamming crucial infrastructure around the world" and quoted an expert who likened its effect to a "nuclear" attack
Is massive cyber-attack just the first of many?(The Week) Millions of internet users were left with slower internet connections last night after what is being described as "the biggest cyber-attack in history". Access to popular sites such as Netflix was disrupted and there were fears that the attack could spread to web browsing, online banking services and email. Five national police forces are said to be investigating
Cold War bunker is nerve-centre for biggest ever cyber-attack(The Sun) Spamhaus said it was subjected to a massive cyber-attack after it blacklisted Dutch company Cyberbunker for its alleged malicious internet use. Millions of web users have already experienced disruption with big delays in loading websites such as film
A peek inside the EgyPack Web malware exploitation kit(Webroot) On a daily basis we process multiple malicious campaigns that, in 95%+ of cases, rely on the market-leading Black Hole Exploit Kit. The fact that this Web malware exploitation kit is the kit of choice for the majority of cybercriminals speaks for its key differentiation factors and infection-rate success compared to the competing exploit kits, like, for instance, the Sweet Orange exploit kit or the Nuclear Exploit pack v2.0. In this post I'll profile the EgyPack, a Web malware exploitation kit that was originally advertised on invite-only/vetted cybercrime-friendly communities between 2009 and 2011
Critical Flaw Threatens Millions of BIND Servers(Threatpost) There is a critical vulnerability in several current versions of the BIND nameserver software that could allow an attacker to knock vulnerable DNS servers offline or compromise other applications running on those machines. The bug is present in several versions of the ubiquitous BIND software and the maintainers of the application have released a patch for it that they recommend users install as soon as possible
Evernote account used to deliver instructions to malware(CSOonline) A piece of malicious software spotted by Trend Micro uses the note-taking service Evernote as a place to pick up new instructions. The malware is a backdoor, or a kind of software that allows an attacker to execute various actions on a hacked computer. Trend Micro found it tries to connect to Evernote in order to obtain new commands. "The backdoor may also use the Evernote account as a drop-off point for its stolen information," wrote Nikko Tamana, a Trend Micro threat response engineer
Sudan Embassy website Hacked by Ymh(The Hackers Post) Official website of South Sudan Embassy in Norway (www.embrss-norway.org) hacked and defaced by a Yemeni hacker with the handle of Ymh
MI5 undercover spies: People are falsely claiming to be us(The Register) British spook hive MI5 has taken the unusual step of placing a front-page warning on its website about a financial scam carried out by people pretending to be spies or the agency's director general. The online alert was prominently posted on mi5.gov.uk, and occupies more space than the UK security threat level indicator, which describes the danger to Brits as "substantial"
Spammers Finding Favor with Google Translate(Threatpost) Some spammers, looking to launder the dirty links they email you, are relying on the positive reputation of Google Translate to redirect victims to rogue websites. Researchers at Barracuda Labs who maintain the company's spam honeypots have spotted a rash of illicit messages trying to beat reputation filters by using this tactic
Dwolla Is Latest Victim Of DDoS Attacks – Site & API Down For Second Day(TechCrunch) While the media continues to debate the severity of the denial-of-service attacks taking place across the web this month, they appear to have claimed another victim: payments startup Dwolla announced today that it, too, is now experiencing a distributed denial-of-service event (DDoS attack). The attack, which is still underway, began yesterday, resulting in either limited or no availability to
Cyberattacks Seem Meant to Destroy, Not Just Disrupt(NY Times) American Express customers trying to gain access to their online accounts Thursday were met with blank screens or an ominous ancient type face. The company confirmed that its Web site had come under attack. The assault, which took American Express offline for two hours, was the latest in an intensifying campaign of unusually powerful attacks on American financial institutions that began last September and have taken dozens of them offline intermittently, costing millions of dollars
Pirated software use triples leaving PC users at risk of infection(welivesecurity) Use of pirated and counterfeit Windows software has tripled since 2006, according to analysts IDC creating a fertile breeding ground for malware. For the report, entitled The Dangerous World of Pirated and Counterfeit Software, IDC analysts conducted 533 tests on counterfeit software from P2P and web sources. The tests found that counterfeit software led to infection with Trojans and malicious adware in 36% of cases
China offers businesses big opportunities, including the chance to have your data stolen(Quartz) International businesses have flocked to China for years to try and grab a slice of the nation's economic growth. That is why publishers never stop producing upbeat books such as this one, or this one, which appeal to entrepreneurs dreaming of the riches they could make by selling to just a fraction of the nation's 1.35 billion people. Yet according to a survey, a quarter of American businesses in China say they have experienced the expensive theft of proprietary data since setting up in the country
Android: The IT community's latest problem child(IT World) Microsoft's Windows operating system spent close to two decades as the 'problem child' of the IT world - ubiquitous, buggy and easy to hack. But this week brought more evidence that Google and its Android mobile operating system may be taking that mantle from the folks in Redmond, Washington
Security Patches, Mitigations, and Software Updates
Cisco Fixes Seven Critical Security Bugs(Threatpost) Cisco Systems issued seven security updates yesterday, all of which patched vulnerabilities in the networking giant's internetwork operating system (IOS), the software it deploys on the majority of its routers and network switches
Enterprises Less Confident They Can Stop Targeted Attacks On Their Servers(Dark Reading) More than half of server administrators worldwide rate targeted malware attacks as their number one concern and they are becoming less confident in their ability to identify and halt attacks. And the number of organizations suffering targeted attacks increased by 8 percent over last year, according to a new report
Former CIA Director Predicts Network Security Breaches a Major Threat for Energy Companies(EdgeWave) Energy industry executives from all over the world gathered for the annual IHS CERAWeek energy conference held in Houston this month. According to the official website, the conference is designed to offer new insight on the energy future and on the strategic and investment responses by producers, consumers and policy-makers. One of the keynote speakers at the conference was Michael Hayden, former director of the Central Intelligence Agency (CIA) and the National Security Agency (NSA)
Concerns Arise over Increased Frequency, Power of Cyber Attacks(Techzone360) U.K. authorities formed a cyber-crime protection project involving the private and public sectors. Also, the U.S. Department of Homeland Security is focusing more on cyber threats, and the government could launch pre-emptive cyber strikes on foreign
US, Russia are top cyber-threat hosts(Infosecurity Magazine) 1 rank, having held the position at various times in the past," Host Exploit said. "Ecatel does not top the rankings for any particular category of activity
New Trends in Cyber Threats(Security Management) For a few hundred dollars in start-up money and another couple hundred each month in fees, anyone can get the software tools and even 24/7 call center support services they need to build and run their own malicious botnet that allows them to surreptitiously control a network of computers. The computer owners have no idea their machines have been turned into zombies in the service of others
Bitdefender: privacy being impacted by app monetisation(Mobile World Live) Bitdefender said that adware targeting Android devices "jumped 61 per cent worldwide in the five months through January", while malware grew by 27 per cent. "While Android adoption increased steadily in the past five months, so has the number of
Sprint pledges not to use Huawei, lawmaker says(ComputerWorld) Sprint Nextel and Softbank have pledged to keep Huawei Technologies products out of the Sprint network and try to replace Huawei gear that is already in Clearwire's network, according to a U.S. lawmaker. The companies met with Rep. Mike Rogers, chairman of the House Intelligence Committee, as the government reviews Softbank's planned $20.1 billion investment in Sprint
Why We Need More Troops For Escalating Cyberwar(USAToday.com) Cybersecurity is one of the most serious economic and national security challenges we face, and the risk of calamitous attack is growing. We have the tools to catch up. We can catch up if together we work to expand the pipeline of highly skilled cyber-professionals by embracing new ways of engaging our talent, educating our students, and employing a new workforce
NJVC Cloudcuity Management Portal to Provide Secure Cloud Brokerage Services to NCOIC(Sacramento Bee) NJVC will lead efforts to provide secure cloud brokerage services to the Network Centric Operations Industry Consortium (NCOIC) using its first-to-market Cloudcuity Management Portal during a series of 2013 geospatial community cloud demonstrations that will be conducted on behalf of the National Geospatial-Intelligence Agency (NGA). NJVC's partners are The Aerospace Corporation, The Boeing Company and Open Geospatial Consortium (OGC)
LGS to Build HHS Anti-Malware Systems(New New Internet) LGS Innovations has won a $1 million task order to build systems intending to help the Department of Health and Human Services defend its networks from malware and security breaches
State Govts Pick Symantec eDiscovery Platform(New New Internet) Symantec Corp. has said that at least 25 state governments in the U.S. have purchased Clearwell eDiscovery platform as a solution, according to a company statement
David Rowland Tapped as Accenture CFO; Pamela Craig to Retire(GovConWire) David Rowland, senior vice president of finance at Accenture (NYSE: ACN), has been promoted to chief financial officer and will succeed Pamela Craig on July 1. Craig will then retire from the consulting and professional services firm Aug. 31 after a 34-year career there, Accenture said Thursday
Technologies, Techniques, and Standards
Does your breach email notification look like a phish?(Internet Storm Center) With the continual cycle of systems being compromised and customer data being stolen, using email notification is a fast, easy and direct method to send out warnings and advice to the unfortunate victims. It's the one way, other than physical interaction (phone calls, personal visits while offering a warm cup of tea and a sad smile, or hiring street criers calling out the names of the afflicted in every town in the land…), that means all the right people do get notified, well, if they read their emails. It's a de facto standard for communication, so surely we've worked out how to use it properly
Should Cloud Providers Secure Their Outbound Traffic?(Dark Reading) Discerning between malicious traffic and legitimate traffic in real time is challenging for companies targeted by distributed denial-of-service attacks, but the task is made more difficult when the attacks come from reputable Internet properties that cannot easily be filtered. The attacks on U.S. financial institutions, for example, have used compromised publishing platforms to target banks with a variety of attack traffic since last September. A key factor in the success of those distributed denial-of-service (DDoS) attacks is the use by attackers of compromised, but reputable hosts
BAE Systems Detica: Capture the Flag!(University of Southampton) BAE Systems Detica ran a very successful 'Capture the Flag' event for students in ECS-Electronics and Computer Science earlier this month
Legislation, Policy, and Regulation
US swipes at China for hacking allegations(Yahoo) The U.S. has taken its first real swipe at China following accusations that the Beijing government is behind a widespread and systemic hacking campaign targeting U.S. businesses. Buried in a spending bill signed by President Barack Obama on Tuesday is a provision that effectively bars much of the federal government from buying information technology made by companies linked to the Chinese government. It's unclear what impact the legislation will have, or whether it will turn out to be a symbolic gesture
Heads-Up - How do utilities prepare for the cybersecurity executive order?(Energy Central) In February, President Obama signed an executive order with the intentions of beefing up the cybersecurity protection for bits of critical infrastructure, including the electric power structure strewn across the country. The order itself states that repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront
Don't Leave Iran's Cyber Dissidents Unarmed(Cyberwarzone) In a few short months, the world won't have Mahmoud Ahmadinejad to kick around anymore. Not that many on the world stage, save his fellow anti-American aspiring autocrats, will miss him. This is because, in June, the Islamic Republic of Iran will be holding the quadrennial charade that they call a presidential "election"
China lists all the countries in the world that block Facebook except for China(Quartz) China's Ministry of Industry and Information Technology published a curious article (link in Chinese) on its website yesterday (March 27). The story is headlined "Myanmar lifts ban of Facebook, blocked now by only four countries in the world." It lists the offenders: North Korea, Cuba, Iran and "another." (Here's a summary in English.) Of course, the "another" is China–which has blocked the social media site for about three years
New Senate bill seeks to create a National Guard cyber capability(FierceGovernmentIT) A newly-introduced Senate bill aims to beef up the National Guard's cybersecurity capabilities by creating cyber and computer network incident response teams, or CCNIRTs. If passed, the legislation would set up these teams in every state and the District of Columbia
FBI Pursuing Real-Time Gmail Spying Powers as 'Top Priority' for 2013(Slate) Despite the pervasiveness of law enforcement surveillance of digital communication, the FBI still has a difficult time monitoring Gmail, Google Voice, and Dropbox in real time. But that may change soon, because the bureau says it has made gaining more powers to wiretap all forms of Internet conversation and cloud storage a "top priority" this year
CSO40(Braselton, Georgia, USA, April 2 - 3, 2013) The CSO40 Security Confab + Awards will honor and share the critical viewpoints of today's leading CSOs, CISOs and security executives at the nation's leading CSO thought leadership conference.
Cloud Connect Silicon Valley(Santa Clara, California, USA, April 2 - 5, 2013) Cloud Connect returns to Silicon Valley, April 2-5, 2013, for four days of lectures, panels, tutorials and roundtable discussions on a comprehensive selection of cloud topics taught by leading industry...
Cyber 1.3(venue and date not listed) Maj. Gen. Suzanne Vautrinot, USAF, commander, 24th Air Force, and commander, Air Force Network Operations, will discuss the global strategic implications that relate to the cyber domain at the Space Foundation...
HITBSecConf2013(Amsterdam, the Netherlands, April 8 - 11, 2013) HITB2013AMS will feature cutting edge attack and defense research including a presentation on the inner workings of the iOS 6.1 Evasi0n jailbreak presented by members of the world famous Evad3rs Team,...
SANS Northern Virginia 2013(Reston, Virginia, USA, April 8 - 13, 2013) This event features comprehensive hands-on technical training and includes several courses that will prepare attendees for DoD 8570 and GIAC approved certification exams. Four of the courses can apply...
INFILTRATE 2013(Miami, Florida, USA, April 11 - 12, 2013) INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere.
Software Engineering Institute Invitational Career Fair(Pittsburgh, Pennsylvania, USA, April 11 - 12, 2013) Attention software engineers and cyber security professionals, the Carnegie Mellon Software Engineering Institute needs your top notch skills to meet today's challenges. SEI staff will be interviewing...
Information Tech Expo Series - Hawaii(Oahu, Hawaii, USA, April 12 - 19, 2013) This 6-series showcase will feature stops at 5 DoD locations and 1 Intel Center on the island of Oahu. Celebrating 20 years of these expos is a true testament to the government and military's readiness...
InfoSec World Conference & Expo 2013(Orlando, Florida, USA, April 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen...
Cyber Guardian 2013(Baltimore, Maryland, USA, April 15 - 20, 2013) Cyber Guardian is the SANS Institute's annual, interactive training session for cyber security professionals. All courses are associated with a GIAC Certification, and cover topics like intrusion detection,...
Infosec Southwest 2013(Austin, Texas, USA, April 19 - 21, 2013) InfoSec Southwest is intended to be a general security and hacking conference with no specific industry or topical focus. As such, nearly all topics (other than vendor pitches) are fair game and the attending...
Mobile Device Security for Defense and Government(Alexandria, Virginia, USA, April 23 - 24, 2013) This Defense Strategies Institute conference addresses the challenges of operating mobile devices in networks whose security is mission critical. The symposium's overall theme will focus on DOD's plan...
Infosecurity Europe(London, England, UK, April 23 - 25, 2013) Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every...
INSA Leadership Dinner Featuring Betty Sapp, Director, NRO(Reston, Virginia, USA, April 25, 2013) - This leadership dinner will feature a keynote address from Betty Sapp, Director of the National Reconnaissance Office highlighting her focus on innovation at the NRO and for the Intelligence Community.
23rd Annual Government Procurement Conference(Washington, DC, USA, April 25, 2013) This unique one-day event attracts more than 3,000 participants representing government agencies, prime contractors and small businesses from around the country. Participating companies are able to network...