Monday, October 31, 2016

Hackforums Shutters Booter Service Bazaar

Perhaps the most bustling marketplace on the Internet where people can compare and purchase so-called “booter” and “stresser” subscriptions — attack-for-hire services designed to knock Web sites offline — announced last week that it has permanently banned the sale and advertising of these services.

On Friday, Oct. 28, Jesse LaBrocca — the administrator of the popular English-language hacking forum Hackforums[dot]net — said he was shutting down the “server stress testing” (SST) section of the forum. The move comes amid heightened public scrutiny of the SST industry, which has been linked to several unusually powerful recent attacks and is responsible for the vast majority of denial-of-service (DOS) attacks on the Internet today.

The administrator of Hackforums bans the sale and advertising of server stress testing (SST) services, also known as "booter" or "stresser" online attack-for-hire services.

The administrator of Hackforums bans the sale and advertising of server stress testing (SST) services, also known as “booter” or “stresser” online attack-for-hire services.

“Unfortunately once again the few ruin it for the many,” LaBrocca wrote under his Hackforums alias “Omniscient.” “I’m personally disappointed that this is the path I have to take in order to protect the community. I loathe having to censor material that could be beneficial to members. But I need to make sure that we continue to exist and given the recent events I think it’s more important that the section be permanently shut down.”

Last month, a record-sized DDoS hit KrebsOnSecurity.com. The attack was launched with the help of Mirai, a malware strain that enslaves poorly security Internet-of-Things (IoT) devices like CCTV cameras and digital video recorders and uses them to launch crippling attacks.

At the end of September, a Hackforums user named “Anna_Senpai” used the forum to announce the release the source code for Mirai. A week ago, someone used Mirai to launch a massive attack on Internet infrastructure firm Dyn, which for the better part of a day lead to sporadic outages for some of the Web’s top destinations, including Twitter, PayPal, Reddit and Netflix.

The Hackforums post that includes links to the Mirai source code.

The Hackforums post that includes links to the Mirai source code.

As I noted in last week’s story Are the Days of Booter Services Numbered?, many booter service owners have been operating under the delusion or rationalization that their services are intended solely for Web site owners to test the ability of their sites to withstand data deluges.

Whatever illusions booter service operators or users may have harbored about their activities should have been dispelled following a talk delivered at the Black Hat security conference in Las Vegas this year. In that speech, FBI Agent Elliott Peterson issued an unambiguous warning that the agency was prepared to investigate and help prosecute people engaged in selling and buying from booter services.

But it wasn’t until this month’s attack on Dyn that LaBrocca warned the Hackforums community he may have to shut down the SST section.

“I can’t image this attention is going to be a good thing,” Omni said in an October 26, 2016 thread titled “Bad things.” “Already a Senator is calling for a hearing on the Internet of Things [link added]. In the end there could be new laws which effect [sic] us all. So for those responsible for the attacks and creating this mess….you dun goofed. I expect a lot of backlash to come out of this.”

If LaBrocca appears steamed from this turn of events, it’s probably with good reason: He stands to lose a fair amount of regular income by banning some of the most lucrative businesses on his forum. Vendors on Hackforums pay fees as high as $25 apiece to achieve a status that allows them to post new sales threads, and banner ads on the forum can run up to $200 per week.

"Stickies" advertising various "booter" or "stresser" DDoS-for-hire services.

“Stickies” advertising various “booter” or “stresser” DDoS-for-hire services.

Vendors who wish to “sticky” their ads — that is, pay to keep the ads displayed prominently near or at the top of a given discussion subforum — pay LaBrocca up to $60 per week for the prime sticky spots. And there were dozens of booter services advertised on Hackforums.

Allison Nixon, director of security research at Flashpoint and an expert on booter services, said the move could put many booter services out of business.

Nixon said the average booter service customer uses the attack services to settle grudges with opponents in online games, and that the closure of the SST subforum may make these services less attractive to those individuals.

“There is probably a lesser likelihood that the average gamer will see these services and think that it’s an okay idea to purchase them,” Nixon said. “The ease of access to these booters services makes people think it’s okay to use them. In gaming circles, for example, people will often use them to DDoS one another and not realize they might be shutting down an innocent person’s network. Recognizing that this is criminal activity on the same level of criminal hacking and fraud may discourage people from using these services, meaning the casual actor may be less likely to buy a booter subscription and launch DDoS attacks.”

Although the closure of the SST subforum could put many booter services out of business, the action almost seems somewhat arbitrary given the sheer amount of other illegal hacking activity that is blatantly advertised on Hackforums, Nixon said.

“It’s interesting the norms that are on this forum because they’re so different from how you or I would recognize acceptable behavior,” she said. “For example, most people would think it’s not acceptable to see booter services advertised alongside remote access Trojans, malware crypting services and botnets.”

Other questionable services and subsections advertised on Hackforums include those intended for the sale of hacked social media and e-commerce accounts. More shocking are the dozens of threads wherein Hackforums members advertise the sale of “girl slaves,” essentially access to hacked computers belonging to teenage girls who can be extorted and exploited for payment or naked pictures. It’s worth noting that the youth who was arrested for snapping nude pictures of Miss Teen USA Cassidy Wolf through her webcam was a regular user of Hackforums.

Hackforums users advertising the sale and procurement of "girl slaves."

Hackforums users advertising the sale and procurement of “girl slaves.”

Nixon said most Hackforums users are essentially good people who are interested in learning more about technology, security and other topics. But she said many of the younger, impressionable members are heavily influenced by some of the more senior forum participants, a number of whom are peddling dangerous products and services.

“Most of the stuff on Hackforuns is not that bad,” Nixon said. “There are a lot of kids who are pretty much normal people and interested in hacking and technology. But there are also gangs, and there are definitely criminal organizations that have a presence on the forum that will try to enable criminal activity and take advantage of people.”

The removal of booter services from Hackforums is a gratifying development for me personally and professionally. My site has been under near-constant attack from users of these booter services for several years now. As a result, I have sought to bring more public attention to these crooked businesses and to the young men who’ve earned handsome profits operating over the years. Here are just a few of those stories:

Stress Testing the Booter Services, Financially

Are the Days of Booter Services Numbered?

Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years

Ragebooter: Legit DDoS Service, or Fed Backdoor?

DDoS Services Advertise Openly, Take PayPal

Booter Shells Turn Web Sites Into Weapons

Spreading the DDoS Disease and Selling the Cure

Lizard Stresser Runs on Hacked Home Routers

The New Normal: 200-400 Gpbs DDoS Attacks



from
https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/

Thursday, October 27, 2016

Are the Days of “Booter” Services Numbered?

It may soon become easier for Internet service providers to anticipate and block certain types of online assaults launched by Web-based attack-for-hire services known as “booter” or “stresser” services, new research released today suggests.

The findings come from researchers in Germany who’ve been studying patterns that emerge when miscreants attempt to mass-scan the entire Internet looking for systems useful for launching these digital sieges — known as “distributed denial-of-service” or DDoS attacks.

ddosbomb

To understand the significance of their research, it may help to briefly examine how DDoS attacks have evolved. Not long ago, if one wanted to take down large Web site, one had to build and maintain a large robot network, or “botnet,” of hacked computers — which is a fairly time intensive, risky and technical endeavor.

These days, however, even the least sophisticated Internet user can launch relatively large DDoS attacks just by paying a few bucks for a subscription to one of dozens of booter or stresser services, some of which even accept credit cards and PayPal payments.

These Web-based DDoS-for-hire services don’t run on botnets: They generally employ a handful of powerful servers that are rented from some dodgy “bulletproof” hosting provider. The booter service accepts payment and attack instructions via a front end Web site that is hidden behind Cloudflare (a free DDoS protection service).

But the back end of the booter service is where the really interesting stuff happens. Virtually all of the most powerful and effective attack types used by booter services rely on a technique called traffic amplification and reflection, in which the attacker can reflect or “spoof” his traffic from one or more third-party machines toward the intended target.

In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack.

To find vulnerable systems that can be leveraged this way, booters employ large-scale Internet scanning services that constantly seek to refresh the list of systems that can be used for amplification and reflection attacks. They do this because, as research has shown (PDF), anywhere from 40-50 percent of the amplifiers vanish or are reassigned new Internet addresses after one week.

Enter researchers from Saarland University in Germany, as well as the Yokohama National University and National Institute of Information and Communications Technology — both in Japan. In a years-long project first detailed in 2015, the researchers looked for scanning that appeared to be kicked off by ne’er-do-wells running booter services.

To accomplish this, the research team built a kind of distributed “honeypot” system — which they dubbed “AmpPot” — designed to mimic services known to be vulnerable to amplification attacks, such as DNS and NTP floods.

“To make them attractive to attackers, our honeypots send back legitimate responses,” the researchers wrote in a 2015 paper (PDF). “Attackers, in turn, will abuse these honeypots as amplifiers, which allows us to observe ongoing attacks, their victims, and the DDoS techniques. To prevent damage caused by our honeypots, we limit the response rate. This way, while attackers can still find these ratelimited honeypots, the honeypots stop replying in the face of attacks.”

In that 2015 paper, the researchers said they deployed 21 globally-distributed AmpPot instances, which observed more than 1.5 million attacks between February and May 2015. Analyzing the attacks more closely, they found that more than 96% of the attacks stem from single sources, such as booter services.

“When focusing on amplification DDoS attacks, we find that almost all of them (>96%) are caused by single sources (e.g. booters), and not botnets,” the team concluded. “However, we sadly do not have the numbers to compare this [to] DoS attacks in general.”

Many large-scale Internet scans like the ones the researchers sought to measure are launched by security firms and other researchers, so the team needed a way to differentiate between scans launched by booter services and those conducted for research or other benign purposes.

“To distinguish between scans performed by researchers and scans performed with malicious intent we relied on a simple assumption: That no attack would be based on the results of a scan performed by (ethical) researchers,” said Johannes Krupp, one of the main authors of the report. “In fact, thanks to our methodology, we do not have to make this distinction upfront, but we can rather look at the results and say: ‘We found attacks linked to this scanner, therefore this scanner must have been malicious.’ If a scan was truly performed by benign parties, we will not find attacks linked to it.”

SECRET IDENTIFIERS

What’s new in the paper being released today by students at Saarland University’s Center for IT-Security, Privacy and Accountability (CISPA) is the method by which the researchers were able to link these mass-scans to the very amplification attacks that follow soon after.

The researchers worked out a way to encode a secret identifier into the set of AmpPot honeypots that any subsequent attack will use, which varies per scan source. They then tested to see if the scan infrastructure was also used to actually launch (and not just to prepare) the attacks.

Their scheme was based in part on the idea that similar traffic sources should have to travel similar Internet distances to reach the globally-distributed AmpPot sensors. To do this, they looked at the number of “hops” or Internet network segments that each scan and attack had to traverse.

Using trilateration –the process of determining absolute or relative locations of points by measurement of distances — the research team was able to link scanners to attack origins based on hop counts.

These methods revealed some 286 scanners that are used by booter services in preparation for launching amplification attacks. Further, they discovered that roughly 75 percent of those scanners are located in the United States.

The researchers say they were able to confirm that many of the same networks that host scanners are also being used to launch the attacks. More significantly, they were able to attribute approximately one-third of the attacks back to their origin.

“This is an impressive result, given that the spoofed source of amplification attacks usually remains hidden,” said Christian Rosso of Saarland University.

Rosso said the team hopes to conduct further research on their methods to more definitively tie scanning and attack activity to specific booter services by name. The group is already offering a service to hosting providers and ISPs to share information about incidents (such as attack start and end times). Providers can then use the attack information to inform their customers or to filter attack traffic.

“We have shared our findings with law enforcement agencies — in particular, Europol and the FBI — and a closed circle of tier-1 network providers that use our insights on an operational basis,” the researchers wrote. “Our output can be used as forensic evidence both in legal complaints and in ways to add social pressure against spoofing sources.”

ANALYSIS

Even if these newly-described discovery methods were broadly deployed today, it’s unlikely that booter services would be going away anytime soon. But this research certainly holds the promise that booter service owners will be able to hide the true location of their operations less successfully going forward. and that perhaps more of them will be held accountable for their crimes.

Efforts by other researchers have made it more difficult for booter and stresser services to accept PayPal payments, forcing more booters to rely more on Bitcoin.

Also, there are a number of initiatives that seek to identify a handful of booter services which resell their infrastructure to other services who brand and market them as their own. Case in point, in September 2016 I published an expose on vDOS, a booter service that earned (conservatively) $600,000 over two years helping to launch more than 150,000 DDoS attacks.

Turns out, vDOS’s infrastructure was used by more than a half-dozen other booter services, and shortly after vDOS was taken offline most of those services went dark or were dismantled as well.

One major shift that could help to lessen the appeal of booter services — both for the profit-seeking booter proprietors and their customers — is a clear sign from law enforcement officials that this activity is in fact illegal and punishable by real jail time. So far, many booter service owners have been operating under the delusion or rationalization that their services are intended solely for Web site owners to test the ability of their sites to withstand data deluges. The recent arrest of two alleged Lizard Squad members who resold vDOS services through their own “PoodleStresser” service is a good start.

Many booter operators apparently believe (or at least hide behind) a wordy “terms of service” agreement that all customers must acknowledge somehow absolves them of any sort of liability for how their customers use the service — regardless of how much hand-holding and technical support they offer those customers.

Indeed, the proprietors of vDOS — who were arrested shortly after my story about them — told the Wall Street Journal through their attorneys that, “If I was to buy a gun and shoot something, is the person that invents the gun guilty?”

The alleged proprietors of vDOS — 18-year-old Israelis Yarden Bidani and Itay Huri — were released from house arrest roughly ten days after their initial arrest. To date, no charges have been filed against either men, but I have reason to believe that may not be the case for long.

Meanwhile, changes may be afoot for booter services advertised at Hackforums[dot]net, probably the biggest open-air online marketplace where booter services are advertised, compared and rated (hat tip to @MalwareTechblog). Earlier this week, Hackforums administrator Jesse “Omniscient” LaBrocca began restricting access to its “stressers” subsection of the sprawling forum, and barring forum members from advertising booter services in their user profiles.

“I can absolutely see a day when it’s removed entirely,” LaBrocca said in a post explaining his actions. “Could be very soon too.”

bbbooters

Hackforums administrator Jesse “Omniscient” LaBrocca explaining a decision to restrict access to the “stressers” portion of the Hackforums marketplace.

My worry is that we may soon see a pendulum shift in the way that many booter services operate. For now, the size of attacks launched by booter services is somewhat dependent on the number and power of the back-end servers used to initiate amplification and reflection attacks.

However, I could see a day in the not-too-distant future in which booter service operators start earning most of their money by reselling far more powerful attacks launched by actual botnets made from large networks of hacked Internet of Things (IoT) devices — such as poorly-secured CCTV cameras and digital video recorders (DVRs).

In some ways this has already happened, as I detailed in my January 2015 story, Lizard Stresser Runs on Hacked Home Routers. But with the now public release of the source code for the Mirai botnet — the same malware strain that was used in the record 620 Gbps DDoS on my site last month and in the widespread Internet outage last week caused by an attack against infrastructure provider Dyn — far more powerful and scalable attacks are now available for resale.

The research paper being presented today at CISPA is available here (PDF).



from
https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/

Tuesday, October 25, 2016

Senator Prods Federal Agencies on IoT Mess

The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages.

In letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), Virginia Senator Mark Warner (D) called the proliferation of insecure IoT devices a threat to resiliency of the Internet.

“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner wrote to the agencies. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”

The letter continues:

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur” [link added].

As Warner’s letter notes, last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords.

Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors. The attack on Dyn was slightly different because it resulted in prolonged outages for many other networks and Web sites, including Netflix, PayPal, Reddit and Twitter.

As a result of that attack, one of the most-read stories on KrebsOnSecurity so far this year is “Who Makes the IoT Things Under Attack?“, in which I tried to match default passwords sought out by the Mirai malware with IoT hardware devices for sale on the commercial market today.

In a follow-up to that story, I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products (for a look at XionMai’s response to all this, see Monday’s story, IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers).

In his inquiry to the federal agencies, Warner asked whether there was more the government could be doing to vet the security of IoT devices before or after they are plugged into networks.

“In the FCC’s Open Internet Order, the Commission suggested that ISPs could take such steps only when addressing ‘traffic that constitutes a denial-of-service attack on specific network infrastructure elements,'” Warner wrote in his missive to the FCC.  “Is it your agency’s opinion that the Mirai attack has targeted ‘specific network infrastructure elements’ to warrant a response from ISPs?”

In another line of questioning, Warner also asked whether it would it be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses.

It’s good to see lawmakers asking questions about whether there is a market failure here that requires government intervention or regulation. Judging from the comments on my story earlier this month — Europe to Push New Security Rules Amid IoT Mess — KrebsOnSecurity readers remain fairly divided on the role of government in addressing the IoT problem.

I have been asked by several reporters over the past few days whether I think government has a role to play in fixing the IoT mess. Personally, I do not believe there has ever been a technology challenge that was best served by additional government regulation.

However, I do believe that the credible threat of government regulation is very often what’s needed to spur the hi-tech industry into meaningful action and self-regulation. And that process usually starts with inquiries like these. So, here’s hoping more lawmakers in Congress can get up to speed quickly on this vitally important issue.

Sen. Warner’s letter to the FCC looks very similar to those sent to the other two agencies. A copy of it is available here.



from
https://krebsonsecurity.com/2016/10/senator-prods-federal-agencies-on-iot-mess/

Monday, October 24, 2016

IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers

A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.

iotstuf

Last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors.

In an interim report on the attack, Dyn said: “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

As a result of that attack, one of the most-read stories on KrebsOnSecurity so far this year is “Who Makes the IoT Things Under Attack?“, in which I tried to match default passwords sought out by the Mirai malware with IoT hardware devices for sale on the commercial market today.

In a follow-up to that story, I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use it in their own products.

The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.

In a statement issued on social media Monday, XiongMai (referring to itself as “XM”) said it would be issuing a recall on millions of devices — mainly network cameras.

“Mirai is a huge disaster for the Internet of Things,” the company said in a separate statement emailed to journalists. “XM have to admit that our products also suffered from hacker’s break-in and illegal use.”

At the same time, the Chinese electronics firm said that in September 2015 it issued a firmware fix for vulnerable devices, and that XiongMai hardware shipped after that date should not by default be vulnerable.

“Since then, XM has set the device default Telnet off to avoid the hackers to connect,” the company said. “In other words, this problem is absent at the moment for our devices after Sep 2015, as Hacker cannot use the Telnet to access our devices.”

Regarding the default user name/password that ships with XM, “our devices are asking customers to change the default password when they first time to login,” the electronics maker wrote. “When customer power on the devices, the first step, is change the default password.”

I’m working with some researchers who are testing XM’s claims, and will post an update here if and when that research is available. In the meantime, the Chinese Ministry of Justice is threatening legal action against media outlets that it says are issuing “false statements” against the company.

Google’s translation of their statement reads, in part: “Organizations or individuals false statements, defame our goodwill behavior … through legal channels to pursue full legal responsibility for all violations of people, to pursue our legal rights are reserved.”

Xiongmail's electrical components that are white-labeled and embedded in countless IoT products sold under different brand names.

Xiongmail’s electrical components that are white-labeled and embedded in countless IoT products sold under different brand names.

The statement by the Chinese Ministry of Justice doesn’t name KrebsOnSecurity per se, but instead links to a Chinese media story referencing this site under the heading, “untrue reports link.”

Brian Karas, a business analyst with IPVM — a subscription-based news, testing and training site for the video surveillance industry — said the Chinese government has an ownership stake in Xiongmai and related IoT device makers including Dahua and Hikvision, and that over the past five years China’s market share in the video surveillance industry has surged.

Karas said the recent Mirai botnet attacks have created “extreme concerns about the impact of Chinese video surveillance products.” Nevertheless, the threats against those the company accuses of issuing false statements are more about saving face.

“We believe Xiongmai has issued this announcement as a PR effort within China, to help counter criticisms they are facing,” Karas wrote. “We do not believe that Xiongmai or the Ministry of Justice is seriously going to sue any Western companies as this is a typical tactic to save face.



from
https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-legal-action-against-western-accusers/

Friday, October 21, 2016

TDWR 5 GHz Weather Radar Locations and Frequencies

Is your Wi-Fi network close to TDWR weather radar that may impact your deployment?

 

Use this list to know: 

Source: Cisco and WISPA

 http://www.wispa.org/Resources/Industry-Resources/TDWR-Resources/TDWR-Locations-and-Frequencies

 http://www.cisco.com/c/en/us/products/collateral/routers/3200-series-rugged-integrated-services-routers-isr/data_sheet_c78-647116.html

PDF version: 

 http://www.cisco.com/c/en/us/products/collateral/routers/3200-series-rugged-integrated-services-routers-isr/data_sheet_c78-647116.pdf

IMG_3879.PNG

from
http://feedproxy.google.com/~r/RevolutionWi-fi/~3/kNwq5JxTiBo/tdwr-5-ghz-weather-radar-locations-and-frequencies

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage

A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.

Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet’s top destinations. The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.

l3outage

A depiction of the outages caused by today’s attacks on Dyn, an Internet infrastructure company. Source: Level3 Communications.

At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gpbs attack on my site last month. At the end September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.

Mirai scours the Web for so-called IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.

According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t rule out the possibility of multiple botnets being involved in the attack on Dyn.

“At least one Mirai [control server] issued an attack command to hit Dyn,” Nixon said. “Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack.”

As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.

That’s because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called “Telnet” and “SSH.”

Telnet and SSH are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host).

“The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”

Flashpoint’s researchers said they scanned the Internet on Oct. 6 for systems that showed signs of running the vulnerable hardware, and found more than 515,000 of them were vulnerable to the flaws they discovered.

“I truly think this IoT infrastructure is very dangerous on the whole and does deserve attention from anyone who can take action,” Flashpoint’s Nixon said.

It’s unclear what it will take to get a handle on the security problems introduced by millions of insecure IoT devices that are ripe for being abused in these sorts of assaults.

As I noted in The Democratization of Censorship, to address the threat from the mass-proliferation of hardware devices such as Internet routers, DVRs and IP cameras that ship with default-insecure settings, we probably need an industry security association, with published standards that all members adhere to and are audited against periodically.

The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.

Until then, these insecure IoT devices are going to stick around like a bad rash — unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet. In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.

Devices infected with Mirai are instructed to scour the Internet for IoT devices protected by more than 60 default usernames and passwords. The entire list of those passwords — and my best approximation of which firms are responsible for producing those hardware devices — can be found at my story, Who Makes the IoT Things Under Attack.



from
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

DDoS on Dyn Impacts Twitter, Spotify, Reddit

Criminals this morning massively attacked Dyn, a company that provides core Internet services for Twitter, SoundCloud, Spotify, Reddit and a host of other sites, causing outages and slowness for many of Dyn’s customers.

Twitter is experiencing problems, as seen through the social media platform Hootsuite.

Twitter is experiencing problems, as seen through the social media platform Hootsuite.

In a statement, Dyn said that this morning, October 21, Dyn received a global distributed denial of service (DDoS) attack on its DNS infrastructure on the east coast.

“DNS traffic resolved from east coast name server locations are experiencing a service interruption during this time. Updates will be posted as information becomes available,” the company wrote.

DYN encouraged customers with concerns to check the company’s status page for updates and to reach out to its technical support team.

A DDoS is when crooks use a large number of hacked or ill-configured systems to flood a target site with so much junk traffic that it can no longer serve legitimate visitors.

DNS refers to Domain Name System services. DNS is an essential component of all Web sites, responsible for translating human-friendly Web site names like “example.com” into numeric, machine-readable Internet addresses. Anytime you send an e-mail or browse a Web site, your machine is sending a DNS look-up request to your Internet service provider to help route the traffic.

ANALYSIS

The attack on DYN comes just hours after DYN researcher Doug Madory presented a talk on DDoS attacks in Dallas, Texas at a meeting of the North American Network Operators Group (NANOG). Madory’s talk — available here on Youtube.com — delved deeper into research that he and I teamed up on to produce the data behind the story DDoS Mitigation Firm Has History of Hijacks.

That story (as well as one published earlier this week, Spreading the DDoS Disease and Selling the Cure) examined the sometimes blurry lines between certain DDoS mitigation firms and the cybercriminals apparently involved in launching some of the largest DDoS attacks the Internet has ever seen. Indeed, the record 620 Gbps DDoS against KrebsOnSecurity.com came just hours after I published the story on which Madory and I collaborated.

The record-sized attack that hit my site last month was quickly superseded by a DDoS against OVH, a French hosting firm that reported being targeted by a DDoS that was roughly twice the size of the assault on KrebsOnSecurity. As I noted in The Democratization of Censorship — the first story published after bringing my site back up under the protection of Google’s Project Shield — DDoS mitigation firms simply did not count on the size of these attacks increasing so quickly overnight, and are now scrambling to secure far greater capacity to handle much larger attacks concurrently.

The size of these DDoS attacks has increased so much lately thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs) and Internet routers. Last month, a hacker by the name of Anna_Senpai released the source code for Mirai, a crime machine that enslaves IoT devices for use in large DDoS attacks. Indeed, the 620 Gbps attack that hit my site last month was launched by a botnet built on Mirai.

Interestingly, someone is now targeting infrastructure providers with extortion attacks and invoking the name Anna_senpai. According to a discussion thread started Wednesday on Web Hosting Talk, criminals are now invoking the Mirai author’s nickname in a bid to extort Bitcoins from targeted hosting providers.

“If you will not pay in time, DDoS attack will start, your web-services will
go down permanently. After that, price to stop will be increased to 5 BTC
with further increment of 5 BTC for every day of attack.

NOTE, i?m not joking.

My attack are extremely powerful now – now average 700-800Gbps, sometimes
over 1 Tbps per second. It will pass any remote protections, no current
protection systems can help.”

Let me be clear: I have no data to indicate that the attack on Dyn is related to extortion, to Mirai or to any of the companies or individuals Madory referenced in his talk this week in Dallas. But Dyn is known for publishing detailed writeups on outages at other major Internet service providers. Here’s hoping the company does not deviate from that practice and soon publishes a postmortem on its own attack.



from
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/

Wednesday, October 19, 2016

Spreading the DDoS Disease and Selling the Cure

Earlier this month a hacker released the source code for Mirai, a malware strain that was used to launch a historically large 620 Gbps denial-of-service attack against this site in September. That attack came in apparent retribution for a story here which directly preceded the arrest of two Israeli men for allegedly running an online attack for hire service called vDOS. Turns out, the site where the Mirai source code was leaked had some very interesting things in common with the place vDOS called home.

The domain name where the Mirai source code was originally placed for download — santasbigcandycane[dot]cx — is registered at the same domain name registrar that was used to register the now-defunct DDoS-for-hire service vdos-s[dot]com.

Normally, this would not be remarkable, since most domain registrars have thousands or millions of domains in their stable. But in this case it is interesting mainly because the registrar used by both domains — a company called namecentral.comhas apparently been used to register just 38 domains since its inception by its current owner in 2012, according to a historic WHOIS records gathered by domaintools.com (for the full list see this PDF).

What’s more, a cursory look at the other domains registered via namecentral.com since then reveals a number of other DDoS-for-hire services, also known as “booter” or “stresser” services.

It’s extremely odd that someone would take on the considerable cost and trouble of creating a domain name registrar just to register a few dozen domains. It costs $3,500 to apply to the Internet Corporation for Assigned Names and Numbers (ICANN) for a new registrar authority. The annual fee for being an ICANN-approved registrar is $4,000, and then there’s a $800 quarterly fee for smaller registrars. In short, domain name registrars generally need to register many thousands of new domains each year just to turn a profit.

Many of the remaining three dozen or so domains registered via Namecentral over the past few years are tied to vDOS. Before vDOS was taken offline it was massively hacked, and a copy of the user and attack database was shared with KrebsOnSecurity. From those records it was easy to tell which third-party booter services were using vDOS’s application programming interface (API), a software function that allowed them to essentially resell access to vDOS with their own white-labeled stresser.

And a number of those vDOS resellers were registered through Namecentral, including 83144692[dot].com — a DDoS-for-hire service marketed at Chinese customers. Another Namecentral domain — vstress.net — also was a vDOS reseller.

Other DDoS-for-hire domains registered through Namecentral include xboot[dot]net, xr8edstresser[dot]com, snowstresser[dot]com, ezstress[dot]com, exilestress[dot]com, diamondstresser[dot]net, dd0s[dot]pw, rebelsecurity[dot]net, and beststressers[dot]com.

WHO RUNS NAMECENTRAL?

Namecentral’s current owner is a 19-year-old California man by the name of Jesse Wu. Responding to questions emailed from KrebsOnSecurity, Wu said Namecentral’s policy on abuse was inspired by Cloudflare, the DDoS protection company that guards Namecentral and most of the above-mentioned DDoS-for-hire sites from attacks of the very kind they sell.

“I’m not sure (since registrations are automated) but I’m going to guess that the reason you’re interested in us is because some stories you’ve written in the past had domains registered on our service or otherwise used one of our services,” Wu wrote.

“We have a policy inspired by Cloudflare’s similar policy that we ourselves will remain content-neutral and in the support of an open Internet, we will almost never remove a registration or stop providing services, and furthermore we’ll take any effort to ensure that registrations cannot be influenced by anyone besides the actual registrant making a change themselves – even if such website makes us uncomfortable,” Wu said. “However, as a US based company, we are held to US laws, and so if we receive a valid court issued order to stop providing services to a client, or to turn over/disable a domain, we would happily comply with such order.”

Wu’s message continued:

“As of this email, we have never received such an order, we have never been contacted by any law enforcement agency, and we have never even received a legitimate, credible abuse report. We realize this policy might make us popular with ‘dangerous’ websites but even then, if we denied them services, simply not providing them services would not make such website stop existing, they would just have to find some other service provider/registrar or change domains more often. Our services themselves cannot be used for anything harmful – a domain is just a string of letters, and the rest of our services involve website/ddos protection/ecommerce security services designed to protect websites.”

Taking a page from Cloudflare, indeed. I’ve long taken Cloudflare to task for granting DDoS protection for countless DDoS-for-hire services, to no avail. I’ve maintained that Cloudflare has a blatant conflict of interest here, and that the DDoS-for-hire industry would quickly blast itself into oblivion because the proprietors of these attack services like nothing more than to turn their attack cannons on each other. Cloudflare has steadfastly maintained that picking and choosing who gets to use their network is a slippery slope that it will not venture toward.

Although Mr. Wu says he had nothing to do with the domains registered through Namecentral, public records filed elsewhere raise serious unanswered questions about that claim.

In my Sept. 8 story, Israeli Online Attack Service Earned $600,000 in Two Years, I explained that the hacked vDOS database indicated the service was run by two 18-year-old Israeli men. At some point, vDOS decided to protect all customer logins to the service with an extended validation (EV) SSL certificate. And for that, it needed to show it was tied to an actual corporate entity.

My investigation into those responsible for supporting vDOS began after I took a closer look at the SSL certificate that vDOS-S[dot]com used to encrypt customer logins. On May 12, 2015, Digicert.com issued an EV SSL certificate for vDOS, according to this record.

As we can see, whoever registered that EV cert did so using the business name VS NETWORK SERVICES LTD, and giving an address in the United Kingdom of 217 Blossomfield Rd., Solihull, West Midlands.

Who owns VS NETWORK SERVICES LTD? According this record from Companies House UK — an official ledger of corporations located in the United Kingdom — the director of the company was listed as one Thomas McGonagall. 

Records from Companies House UK on the firm responsible for registering vDOS's SSL certificate.

Records from Companies House UK on the firm responsible for registering vDOS’s SSL certificate.

This individual gave the same West Midlands address, stating that he was appointed to VS Network Services on May 12, 2015, and that his birthday was in May 1988. A search in Companies House for Thomas McGonagall shows that a person by that same name and address also was listed that very same day as a director for a company called REBELSECURITY LTD.

If we go back even further into the corporate history of this mysterious Mr. McGonagall we find that he was appointed director of NAMECENTRAL LTD on August 18, 2014. Mr. McGonagall’s birthday is listed as December 1995 in this record, and his address is given as 29 Wigorn Road, 29 Wigorn Road, Smethwick, West Midlands, United Kingdom, B67 5HL. Also on that same day, he was appointed to run EZSTRESS LTD, a company at the same Smethwick, West Midlands address.

Strangely enough, those company names correspond to other domains registered through Namecentral around the same time the companies were created, including rebelsecurity[dot]net, ezstress[dot]net.

Asked to explain the odd apparent corporate connections between Namecentral, vDOS, EZStress and Rebelsecurity, Wu chalked that up to an imposter or potential phishing attack.

“I’m not sure who that is, and we are not affiliated with Namecentral Ltd.,” he wrote. “I looked it up though and it seems like it is either closed or has never been active. From what you described it could be possible someone set up shell companies to try and get/resell EV certs (and someone’s failed attempt to set up a phishing site for us – thanks for the heads up).”

Interestingly, among the three dozen or so domains registered through Namecentral.com is “certificateavenue.com,” a site that until recently included nearly identical content as Namecentral’s home page and appears to be aimed at selling EV certs. Certificateavenue.com was responding as of early-October, but it is no longer online.

I also asked Wu why he chose to become a domain registrar when it appeared he had very few domains to justify the substantial annual costs of maintaining a registrar business.

“Like most other registrars, we register domains only as a value added service,” he replied via email. “We have more domains than that (not willing to say exactly how many) but primarily we make our money on our website/ddos protection/ecommerce protection.”

Now we were getting somewhere. Turns out, Wu isn’t really in the domain registrar business — not for the money, anyway. The real money, as his response suggests, is in selling DDoS protection against the very DDoS-for-hire services he is courting with his domain registration service.

Asked to reconcile his claim for having a 100 percent hands-off, automated domain registration system with the fact that Namecentral’s home page says the company doesn’t actually have a way to accept automated domain name registrations (like most normal domain registrars), Wu again had an answer.

“Our site says we only take referred registrations, meaning that at the moment we’re asking that another prior customer referred you to open a new account for our services, including if you’d like a reseller account,” he wrote.

CAUGHT IN A FIB?

I was willing to entertain the notion that perhaps Mr. Wu was in fact the target of a rather elaborate scam of some sort. That is, until I stumbled upon another company that was registered in the U.K. to Mr. McGonagall.

That other company —SIMPLIFYNT LTD — was registered by Mr. McGonagall on October 29, 2014. Turns out, almost the exact same information included in the original Web site registration records for Jesse Wu’s purchase of Namecentral.com was used for the domain simplifynt.com, which also was registered on Oct. 29, 2014. I initially missed this domain because it was not registered through Namecentral. If someone had phished Mr. Wu in this case, they had been very quick to the punch indeed.

In the simplyfynt.com domain registration records, Jesse Wu gave his email address as jesse@jjdev.ru. That domain is no longer online, but a cached copy of it at archive.org shows that it was once a Web development business. That cached page lists yet another contact email address: sales@jjdevelopments.org.

I ordered a reverse WHOIS lookup from domaintools.com on all historic Web site registration records that included the domain “jjdevelopments.org” anywhere in the records. The search returned 15 other domains, including several more apparent DDoS-for-hire domains such as twbooter69.com, twbooter3.com, ratemyddos.com and desoboot.com.

Among the oldest and most innocuous of those 15 domains was maplemystery.com, a fan site for a massively multiplayer online role-playing game (MMORPG) called Maple Story. Another historic record lookup ordered from domaintools.com shows that maplemystery.com was originally registered in 2009 to a “Denny Ng.” As it happens, Denny Ng is listed as the co-owner of the $1.6 million Walnut, Calif. home where Jesse until very recently lived with his mom Cindy Wu (Jesse is now a student at the University of California, San Diego).

WHO IS DATAWAGON?

Another domain of interest that was secured via Namecentral is datawagon.net. Registered by 19-year-old Christopher J. “CJ” Sculti Jr., Datawagon also bills itself as a DDoS mitigation firm. It appears Mr. Sculti built his DDoS protection empire out of his parents’ $2.6 million home in Rye, NY. He’s now a student at Clemson University, according to his Facebook page.

CJ Sculti Jr.'s Facebook profile photo. Sculti is on pictured on the right.

CJ Sculti Jr.’s Facebook profile photo. Sculti is on pictured on the right.

As I noted in my story DDoS Mitigation Firm Has a History of Hijacks, Sculti earned his 15 minutes of fame in 2015 when he lost a cybersquatting suit with Dominos Pizza after registering the domain dominos.pizza (another domain registered via Namecentral).

Around that time, Sculti contacted KrebsOnSecurity via Skype, asking if I’d be interested in writing about this cybersquatting dispute with Dominos. In that conversation, Sculti — apropos of nothing — admits to having just scanned the Internet for routers that were known to be protected by little more than the factory-default usernames and passwords.

Sculti goes on to brag that his scan revealed a quarter-million routers that were vulnerable, and that he then proceeded to upload some kind software to each vulnerable system. Here’s a snippet of that chat conversation, which is virtually one-sided.

July 7, 2015:

21:37 CJ http://krebsonsecurity.com/2015/06/crooks-use-hacked-routers-to-aid-cyberheists/

21:37 CJ
vulnerable routers are a HUGE issue

21:37 CJ
a few months ago

21:37 CJ
I scanned the internet with a few sets of defualt logins

21:37 CJ
for telnet

21:37 CJ
and I was able to upload and execute a binary

21:38 CJ
on 250k devices

21:38 CJ
most of which were routers

21:38 Brian Krebs
o_0

21:38 CJ
yea

21:38 CJ
i’m surprised no one has looked into that yet

21:38 CJ
but

21:39 CJ
it’s a huge issue lol

21:39 CJ
that’s tons of bandwidth

21:39 CJ
that could be potentially used

21:39 CJ
in the wrong way

21:39 CJ
lol

Tons of bandwidth, indeed. The very next time I heard from Sculti was the same day I published the above-mentioned story about Datawagon’s relationship to BackConnect Inc., a company that admitted to hijacking 256 Internet addresses from vDOS’s hosting provider in Bulgaria — allegedly to defend itself against a monster attack allegedly launched by vDOS’s proprietors.

Sculti took issue with how he was portrayed in that report, and after a few terse words were exchanged, I blocked his Skype account from further communicating with mine. Less than an hour after that exchange, my Skype inbox was flooded with thousands of bogus contact requests from hacked or auto-created Skype accounts.

Less than six hours after that conversation, my site came under the biggest DDoS attack the Internet had ever witnessed at the time, an attack that experts have since traced back to a large botnet of IoT devices infected with Mirai.

As I wrote in the story that apparently incurred Sculti’s ire, Datawagon — like BackConnect — also has a history of hijacking broad swaths of Internet address space that do not belong to it. That listing came not long after Datawagon announced that it was the rightful owner of some 256 Internet addresses (1.3.3.0/24) that had long been dormant but that were previously assigned to a now-defunct electronics firm.

The Web address 1.3.3.7 currently does not respond to browser requests, but it previously routed to a page listing the core members of a hacker group calling itself the Money Team. Other sites also previously tied to that Internet address include numerous DDoS-for-hire services, such as nazistresser[dot]biz, exostress[dot]in, scriptkiddie[dot]eu, packeting[dot]eu, leet[dot]hu, booter[dot]in, vivostresser[dot]com, shockingbooter[dot]com and xboot[dot]info, among others.

Datawagon has earned a reputation on hacker forums as a “bulletproof” hosting provider — one that will essentially ignore abuse complaints from other providers and turn a blind eye to malicious activity perpetrated by its customers. In the above screenshot, taken from a thread on Hackforums where Datawagon was suggested as a reliable bulletproof hoster, the company is mentioned in the same vein as HostSailor, another bulletproof provider that has been the source of much badness (as well as legal threats against this author).

dw-bp

In yet another Hackforums discussion thread from June 2016 titled “VPS [virtual private servers] that allow DDoS scripts,” one user recommends Datawagon. “I use datawagon.net. They allow anything.”

Last year, Sculti formed a company in Florida along with a self-avowed spammer. Perhaps unsurprisingly, anti-spam group Spamhaus soon listed virtually all of Datawagon’s Internet address space as sources of spam.

Are either Mr. Wu or Mr. Sculti behind the Mirai botnet attacks? I cannot say. But I’d be willing to bet money that one or both of them knows who is. In any case, it would appear that both men may have hit upon a very lucrative business model. More to come.



from
https://krebsonsecurity.com/2016/10/spreading-the-ddos-disease-and-selling-the-cure/

Monday, October 17, 2016

Hackers Hit U.S. Senate GOP Committee

The national news media has been consumed of late with reports of Russian hackers breaking into networks of the Democratic National Committee. Lest the Republicans feel left out of all the excitement, a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the Web storefront of the National Republican Senatorial Committee (NRSC).

nrscThat’s right: If you purchased a “Never Hillary” poster or donated funds to the NRSC through its Web site between March 2016 and the first week of this month, there’s an excellent chance that your payment card data was siphoned by malware and is now for sale in the cybercrime underground.

News of the break-in comes from Dutch researcher Willem De Groot, co-founder and head of security at Dutch e-commerce site byte.nl. De Groot said the NRSC was one of more than 5,900 e-commerce sites apparently hacked by the same actors, and that the purloined card data was sent to a network of servers operated by a Russian-language Internet service provider incorporated in Belize.

De Groot said he dissected the malware planted on the NRSC’s site and other servers (his analysis of the malware is available here) and found that the hackers used security vulnerabilities or weak passwords to break in to the various e-commerce sites.

The researcher found the malware called home to specific Web destinations made to look like legitimate sites associated with e-commerce activity, such as jquery-cloud[dot]net, visa-cdn[dot]com, and magento-connection[dot]com.

“[The attackers] really went out of their way to pick domain names that look legitimate,” De Groot said.

The NRSC did not respond to multiple requests for comment, but a cached copy of the site’s source code from October 5, 2016 indicates the malicious code was on the site at the time (load this link, click “view source” and then Ctrl-F for “jquery-cloud.net”).

A majority of the malicious domains inserted into the hacked sites by the malware map back to a few hundred Internet addresses assigned to a company called dataflow[dot]su.

Dataflow markets itself as an “offshore” hosting provider with presences in Belize and The Seychelles. Dataflow has long been advertised on Russian-language cybercrime forums as an offshore haven that offers so-called “bulletproof hosting,” a phrase used to describe hosting firms that court all manner of sites that most legitimate hosting firms shun, including those that knowingly host spam and phishing sites as well as malicious software.

De Groot published a list of the sites currently present at Dataflow. The list speaks for itself as a collection of badness, including quite a number of Russian-language sites selling synthetic drugs and stolen credit card data.

According to De Groot, other sites that were retrofitted with the malware included e-commerce sites for the shoe maker Converse as well as the automaker Audi, although he says those sites and the NRSC’s have been scrubbed of the malicious software since his report was published.

But De Groot said the hackers behind this scheme are continuing to find new sites to compromise.

“Last Monday my scans found about 5,900 hacked sites,” he said. “When I did another scan two days later, I found about 340 of those had been fixed, but that another 170 were newly compromised.”

According to the researcher’s analysis, many of the hacked sites are running outdated e-commerce software or content management software. In other cases, it appears the attackers simply brute-forced or guessed passwords needed to administer the sites.

Further, he said, the attackers appear to have inserted their malware into the e-commerce sites’ databases, rather than into the portion of the Web server used to store HTML and other components that make up how the site looks to visitors

“That’s why I think this has remained under the radar for a while now,” De Groot said. “Because some companies use filesystem checkers so that if some file changes on the system they will get a notice that alerts them something is wrong.”

Unfortunately, those same checking systems generally aren’t configured to look for changes in the site’s database files, he explained, since those are expected to change constantly — such as when a new customer order for merchandise is added.

De Groot said he was amazed at how many e-commerce merchants he approached about the hack dismissed the intrusion, reasoning that they employed secure sockets layer (SSL) technology that encrypted the customers’ information end-to-end.

What many Webmaster fail to realize is that just as PC-baed trojan horse programs can steal data from Web browsers of infected victims, Web-based keylogging programs can do the same, except they’re designed to steal data from Web server applications.

PC Trojans siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.

Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.

These attacks drive home one immutable point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session.

With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).



from
https://krebsonsecurity.com/2016/10/hackers-hit-u-s-senate-gop-committee/

Friday, October 14, 2016

Self-Checkout Skimmers Go Bluetooth

This blog has featured several stories about payment card skimming devices designed to be placed over top of credit card terminals in self-checkout lanes at grocery stores and other retailers. Many readers have asked for more details about the electronics that power these so-called “overlay” skimmers. Here’s a look at one overlay skimmer  equipped with Bluetooth technology that allows thieves to snarf swiped card data and PINs wirelessly using nothing more than a mobile phone.

The rather crude video below shows a Bluetooth enabled overlay skimmer crafted to be slipped directly over top of Ingenico iSC250 credit card terminals. These Ingenico terminals are widely used at countless U.S. based merchants; earlier this year I wrote about Ingenico overlay skimmers being found in self-checkout lanes at some WalMart locations.

The demo video briefly shows the electronics hidden on the back side of the overlay skimmer, but most of the sales video demonstrates the Bluetooth functionality built into the device. The video appears to show the skimmer seller connecting his mobile phone to the Bluetooth elements embedded in the skimmer. The demo continues on to show the phone intercepting PIN pad presses and card swipe data.

Your basic Bluetooth signal has a range of approximately 100 meters (328 feet), so theoretically skimmer scammers who placed one of these devices over top of a card terminal in a store’s self-checkout lane could simply sit in a vehicle parked outside the storefront and suck down card data wirelessly in real-time. However, that kind of continuous communication likely would place undue strain on the skimmer’s internal battery, thus dramatically decreasing the length of time the skimmer could collect card and PIN data before needed a new battery.

Rather, such a skimmer would most likely be configured to store the stolen PIN and card data until such time as its owner skulks within range of the device and instructs it to transmit the stored card data.

Concerned about whether the Ingenico terminals at your favorite store may be compromised by one of these overlay skimmers? Turns out, payment terminals retrofitted with overlay skimmers have quite a few giveaways if you know what to look for. Learn how to identify one, by checking out my tutorial, How to Spot Ingenico Self-Checkout Skimmers.

If you liked this piece, have a look at the other skimmer stories in my series, All About Skimmers. And if you’re curious about how card data stolen through skimmers like these are typically sold, take a peek inside a professional carding shop.

The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual ISC250 on the right. Source: Ingenico.

The red calipers in the image above show the size differences in various noticeable areas of the case overlay on the left compared to the actual ISC250 on the right. Source: Ingenico.

Thanks to Alex Holden of Hold Security LLC for sharing the above video footage.



from
https://krebsonsecurity.com/2016/10/self-checkout-skimmers-go-bluetooth/

Thursday, October 13, 2016

IoT Devices as Proxies for Cybercrime

Multiple stories published here over the past few weeks have examined the disruptive power of hacked “Internet of Things” (IoT) devices such as routers, IP cameras and digital video recorders. This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity — from frequenting underground forums to credit card and tax refund fraud.

networktechniciansRecently, I heard from a cybersecurity researcher who’d created a virtual “honeypot” environment designed to simulate hackable IoT devices. The source, who asked to remain anonymous, said his honeypot soon began seeing traffic destined for Asus and Linksys routers running default credentials. When he examined what that traffic was designed to do, he found his honeypot systems were being told to download a piece of malware from a destination on the Web.

My source grabbed a copy of the malware, analyzed it, and discovered it had two basic functions: To announce to a set of Internet addresses hard-coded in the malware a registration “I’m here” beacon; and to listen for incoming commands, such as scanning for new vulnerable hosts or running additional malware. He then wrote a script to simulate the hourly “I’m here” beacons, interpret any “download” commands, and then execute the download and “run” commands.

The researcher found that the malware being pushed to his honeypot system was designed to turn his faux infected router into a “SOCKS proxy server,” essentially a host designed to route traffic between a client and a server. Most often, SOCKS proxies are used to anonymize communications because they can help obfuscate the true origin of the client that is using the SOCKS server.

proxy

When he realized how his system was being used, my source fired up several more virtual honeypots, and repeated the process. Employing a custom tool that allows the user to intercept (a.k.a. “man-in-the-middle”) encrypted SSL traffic, the researcher was able to collect the underlying encrypted data passing through his SOCKS servers and decrypt it.

What he observed was that all of the systems were being used for a variety of badness, from proxying Web traffic destined for cybercrime forums to testing stolen credit cards at merchant Web sites. Further study of the malware files and the traffic beacons emanating from the honeypot systems indicated his honeypots were being marketed on a Web-based criminal service that sells access to SOCKS proxies in exchange for Bitcoin.

Unfortunately, this type of criminal proxying is hardly new. Crooks have been using hacked PCs to proxy their traffic for eons. KrebsOnSecurity has featured numerous stories about cybercrime services that sell access to hacked computers as a means of helping thieves anonymize their nefarious activities online.

And while the activity that my source witnessed with his honeypot project targeted ill-secured Internet routers, there is no reason the same type of proxying could not be done via other default-insecure IoT devices, such as Internet-based security cameras and digital video recorders.

Indeed, my guess is that this is exactly how these other types of hacked IoT devices are being used right now (in addition to being forced to participate in launching huge denial-of-service attacks against targets that criminals wish to knock offline).

“In a way, this feels like 1995-2000 with computers,” my source told me. “Devices were getting online, antivirus wasn’t as prevalent, and people didn’t know an average person’s computer could be enslaved to do something else. The difference now is, the number of vendors and devices has proliferated, and there is an underground ecosystem with the expertise to fuzz, exploit, write the custom software. Plus, what one person does can be easily shared to a small group or to the whole world.”

ROUTER SECURITY 101

As I wrote last week on the lingering and coming IoT security mess, a great many IoT devices are equipped with little or no security protections. On a large number of Internet-connected DVRs and IP cameras, changing the default passwords on the device’s Web-based administration panel does little to actually change the credentials hard-coded into the devices.

Routers, on the other hand, generally have a bit more security built in, but users still need to take several steps to harden these devices out-of-the-box.

For starters, make sure to change the default credentials on the router. This is the username and password pair that was factory installed by the router maker. The administrative page of most commercial routers can be accessed by typing 192.168.1.1, or 192.168.0.1 into a Web browser address bar. If neither of those work, try looking up the documentation at the router maker’s site, or checking to see if the address is listed here. If you still can’t find it, open the command prompt (Start > Run/or Search for “cmd”) and then enter ipconfig. The address you need should be next to Default Gateway under your Local Area Connection.

If you don’t know your router’s default username and password, you can look it up here. Leaving these as-is out-of-the-box is a very bad idea. Most modern routers will let you change both the default user name and password, so do both if you can. But it’s most important to pick a strong password.

When you’ve changed the default password, you’ll want to encrypt your connection if you’re using a wireless router (one that broadcasts your modem’s Internet connection so that it can be accessed via wireless devices, like tablets and smart phones). Onguardonline.gov has published some video how-tos on enabling wireless encryption on your router. WPA2 is the strongest encryption technology available in most modern routers, followed by WPA and WEP (the latter is fairly trivial to crack with open source tools, so don’t use it unless it’s your only option).

But even users who have a strong router password and have protected their wireless Internet connection with a strong WPA2 passphrase may have the security of their routers undermined by security flaws built into these routers. At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”

However, WPS also may expose routers to easy compromise. Read more about this vulnerability here. If your router is among those listed as vulnerable, see if you can disable WPS from the router’s administration page. If you’re not sure whether it can be, or if you’d like to see whether your router maker has shipped an update to fix the WPS problem on their hardware, check this spreadsheet.

Finally, the hardware inside consumer routers is controlled by software known as “firmware,” and occasionally the companies that make these products ship updates for their firmware to correct security and stability issues. When you’re logged in to the administrative panel, if your router prompts you to update the firmware, it’s a good idea to take care of that at some point. If and when you decide to take this step, please be sure to follow the manufacturer’s instructions to the letter: Failing to do so could leave you with an oversized and expensive paperweight.

Personally, I never run the stock firmware that ships with these devices. Over the years, I’ve replaced the firmware in various routers I purchased with an open source alternative, such as DD-WRT (my favorite) or Tomato. These flavors generally are more secure and offer a much broader array of options and configurations. Again, though, before you embark on swapping out your router’s stock firmware with an open source alternative, take the time to research whether your router model is compatible, and that you understand and carefully observe all of the instructions involved in updating the firmware.

Since October is officially National Cybersecurity Awareness Month, it probably makes sense to note that the above tips on router security come directly from a piece I wrote a while back called Tools for a Safer PC, which includes a number of other suggestions to help beef up your personal and network security.



from
https://krebsonsecurity.com/2016/10/iot-devices-as-proxies-for-cybercrime/