Archive for January, 2010

US oil industry hit by cyberattacks: Was China involved? / The Christian Science Monitor – CSMonitor.com

January 26, 2010

US oil industry hit by cyberattacks: Was China involved? / The Christian Science Monitor – CSMonitor.com:
Iraq’s Rumaila oil field: A key target of 2008 cyberattacks on US oil and gas companies ExxonMobil, ConocoPhillips, and Marathon was exploration ‘bid data’ that provides critical details about new energy discoveries.

Atef Hassan/Reuters

By Mark Clayton Staff writer / January 25, 2010

Houston
At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophisticati”

(Via .)


Lethic Spamming Botnet Shut Down

January 13, 2010

Lethic Spamming Botnet Shut Down: “Lethic Spamming Botnet Shut Down”

(Via threatpost – The First Stop for Security News.)

Data breaches: The insanity continues

January 11, 2010

Data breaches: The insanity continues: “In 2009, the Identity Theft Resource Center recorded 498 breaches, less than the 657 in 2008, more than the 446 in 2007.

Are data breaches increasing or decreasing? That is the question no one can …”

(Via Help Net Security – News.)

Shadowserver Foundation Blog: DDoS for Hire – More cooperation, or new competition?

January 9, 2010

Shadowserver Foundation – Calendar – 2010-01-09

Saturday, 9 January 2010
DDoS for Hire – More cooperation, or new competition?

I’ve always been interested in DDoS attacks, not only for their technical aspects, but also their social, economic, or political aspects. This past summer, several of us were closely watching a DDoS group that was fairly aggressive and diverse in its attack targets. This group, known as the “hack-off” group, used the domains “hack-off.ru” and “hack-off.info” for their command and control. What was particularly interesting about “hack-off” was their attack campaigns on targeted industries and groups. Such industries included:

hack-off DDoS targeted industries

* Online pharmacies
* Porn sites
* Automotive parts suppliers
* Replica Watches
* Online Gambling
* Logo Design companies
* Sporting goods and sportswear
* Healthcare products
* Electronics vendors

Many of the attack victims were fairly high profile, and law enforcement agencies from at least 5 different countries became involved. Eventually, with the assistance of cert-ru and Afilias, the domains were suspended and by October 2009, the “hack-off” crew was offline.

Recently while looking through some of our data sets, I again noticed aggressive DDoS attacks against targeted industry groups. In this case, four domains are seen being used for command and control:

New DDoS controllers
853c9e57.biz
atatatata.org
http://www.atatata.org
goog-le.ru

Over 250 different sites were targeted for DDoS from these controllers since November, 2009. The victim sites were fairly diverse, but were seen predominately in the following industries:

Industries targeted by atatata and friends

* Car buying sites
* Footwear
* Sporting goods
* Jewelry
* Gambling and Lottery
* Watches
* Appliances
* Travel and Tourism

The domains used by these controllers have been run on various hosting providers as described below. atatata.org has also been seen dropping FakeAv as well as other malware. Another active botnet domain on the same IP as atatata.org, is dia2.cn, however I haven’t yet seen DDoS related activity from them.

The top IP address prefaced is the currently active IP for that domain. The listing below also shows the nameserver history for each domain.
Domain information

853c9e57.biz

* 193.104.94.117 – AS50033 – GROUP3-AS GROUP 3 LLC.
* 91.196.138.97 – AS15756 – CARAVAN
* 91.212.220.242 – ??

Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Nameserver: Dns-diy.net

atatatata.org

* 115.100.250.107 – AS4837 – CHINA169-Backbone
* 210.51.166.229 – AS9929 – China Netcom Corp.
* 61.235.117.76 – AS9394 – CHINA RAILWAY Internet

Registrar: Directi Internet Solutions
Nameserver: Everydns.net

http://www.atatata.org

* 115.100.250.107 – AS4837 – CHINA169-Backbone
* 210.51.166.229 – AS9929 – China Netcom Corp.
* 61.235.117.76 – AS9394 – CHINA RAILWAY Internet
* 174.37.235.32 – AS36351 – SoftLayer
* 174.36.195.197 – AS36351 – SoftLayer
* 91.212.198.137 – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: Privacy Protected
Nameservers:

* 8/22/09 Everydns.net
* 8/29/09 Slavhost.com
* 9/5/09 Agava.net.ru
* 9/6/09 Slavhost.com
* 9/7/09 Intdelivery.com
* 9/11/09 Everydns.net

goog-le.ru

* 91.212.198.171 – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: NAUNET-REG-RIPN
Nameserver: freedns.ws

While DDoS for hire is nothing new, these particular attacks and the activity behind them remain interesting. Are these new criminal groups rising up to compete in the lucrative world of DDoS? Or are we just seeing more cooperation and consolidation of efforts among the usual and familiar players?

We’ll continue to keep an eye on any new attacks from these controllers as well as the providers from where they are hosted.

=>Posted January 09, 2010, at 10:25 AM by Andre’ – Semper_Securus

(Via DDoS for Hire – More cooperation, or new competition?.)

French court says ‘oui’ on workplace smut

January 8, 2010

French court says ‘oui’ on workplace smut: “

Dirty downloader comes out clean

In a surprise ruling last month, France’s highest court – la Cour de Cassation – ruled that an employee was wrongly dismissed for downloading smut to their work PC.…


(Via The Register.)

Patriot Hacker Hits Jihad With DDoS Attacks : Information Security Resources

January 8, 2010

Patriot Hacker Hits Jihad With DDoS Attacks : Information Security Resources

Patriot Hacker Hits Jihad With DDoS Attacks
January 7, 2010 by ADMIN
By Richard Stiennon, Chief Research Analyst, IT-Harvest
I had an interesting demonstration this evening from a hacker who goes by the handle ‘The Jester’ or in so-called l33t speak, th3j35t3r which is his Twitter ID.
Since January 1, The Jester has been systematically wreaking havoc with several websites he associates with Al Qaeda and Jihadists via a Denial of Service attack delivered over the web through a Swedish anonymizer service (www.anonine.com).
The Jester has been documenting his attacks against http://www.alemarah.info, http://www.radicalislam.org, islamicpoint.net, http://www.almaghrib.org, http://www.as-ansar.com, http://www.islamicnetwork.com, http://www.islamicawakening.com, http://www.ansarnet.info, since the beginning of 2010.
Early today he posted:
Official Presidency Website of …”

‘Bulletproof’ safe havens are all the rage for Internet pirates

January 7, 2010

‘Bulletproof’ safe havens are all the rage for Internet pirates: “

‘Bulletproof’ safe havens are all the rage for Internet pirates
by Sebastian Anthony, Jan 6th 2010 at 12:02PM

Have you ever put much thought into Internet piracy?

‘Ooh, cool, tons of free stuff!’ — no, I mean, really thought about it.

In almost every Western nation software and music piracy is theft. In the eyes of the law it’s wrong. There’s simply nothing more to it: it’s intellectual property that you’re stealing from the property’s owner. As mere users, just single faces in a crowd of millions, we’re relatively safe. It’s like stealing an apple from a busy market stall: it’s not particularly hard, it’s not very damaging — and at the end of the day, it’s hard to catch a single thief in a crowd of millions.

Organized crime, on the other hand, is serious business. You can “

(Via .)

Attack on InterNetX’s DNS servers

January 7, 2010

Attack on InterNetX’s DNS servers: “On Wednesday, a DDoS nearly completely took out domain provider InterNetX’s DNS service”

(Via The H Security.)

Cybersecurity: Here’s What Really Worries the Pentagon | Danger Room | Wired.com

January 7, 2010

Cybersecurity: Here’s What Really Worries the Pentagon | Danger Room | Wired.com: “

Cybersecurity: Here’s What Really Worries the Pentagon
By Noah Shachtman January 6, 2010  |  10:33 am  |  Categories: Info War

In Washington, ‘cybersecurity’ is a term that’s come to have a thousand meanings, and none at all. Any crime, prank, intelligence operation, or foreign-government attack involving a computer has become a ‘cyber threat.’ But at the Pentagon, they aren’t worried about some kid painting a Hitler moustache on Defense Secretary Robert Gates’ online portrait. They’re not even that concerned about a full-scale attack on the military’s networks – even though the modern American way of war depends so heavily on the free flow of data. In the military, there’s now broad agreement that one cyber threat trumps all others: electronic espionage, the infiltration (and possible corruption) of Defense Department networks.

Well-placed spy software not only opens a window for an adversary to look into Ameri”

(Via .)

Suricata: A Next Generation IDS/IPS Engine

January 7, 2010

Suricata: A Next Generation IDS/IPS Engine: “

Last Thursday, I was very glad that the Open Information Security Foundation (OISF) released the first public beta version of Suricata. It has been three years in the making. Several new releases are expected this month, culminating in a production quality release shortly thereafter. OISF describes Suricata as ‘an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.’ It is looking very promising.

The Suricata Engine and the HTP Library are available to use under the GPLv2. The new engine supports ‘Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB!), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards’. GPU integration allows the use of graphic cards to accelerate operations. Mike Cloppert, in his post ‘Detection, Bandwidth, and Moore’s Law’, pointed out:

It appears the authors well understand the point in this post, and the corresponding state of the art in solving parallel computing problems. GPUs are emerging as a good commodity solution to parallel processing. This is covered in depth by a number of recent publications discussing parallelism, and I am by no means an expert in this field, so I will simply leave follow-up on this point as an exercise for the reader.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic, creator of Mod Security and author of the soon to be released book ‘ModSecurity Handbook’. This integrates and provides very advanced processing of HTTP streams. The HTP library is required by the engine, but may also be used independently in a range of applications and tools. Additional details have been provided by Ivan in his post, ‘HTTP parser for intrusion detection and web application firewalls.’ Ivan writes concerning the development, ‘For the first release of the parser the goal is to be able to parse HTTP streams reliably. In the subsequent versions I will work on the parser’s security properties (such as the ability to see through evasion attacks).’

New Ideas and Concepts

Quoting from the OISF announcement, some of the next generation capabilities include:

  • Multi-Threading: so very necessary.
  • Automatic Protocol Detection: the engine has keywords for IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB. Users can write rules to detect a match within a stream regardless of the port the stream occurs on. This is important for malware detection and control. Detections for more layer 7 protocols are being developed.
  • Gzip Decompression: the HTP Parser will decode Gzip compressed streams.
  • Independent HTP Library: the HTP Parser will be usable by other applications such as proxies, filters, etc. The parser is available as a library under GPLv2 for easy integration into other tools.
  • Standard Input Methods: support for NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support will be available soon.
  • Unified2 Output: support for standard output tools and methods.
  • Flow Variables: it is possible to capture information out of a stream and save that in a variable which can then be matched against later.
  • Fast IP Matching: the engine will automatically use a special fast matching preprocessor on rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats).
  • HTTP Log Module : HTTP requests can be automatically output into an apache-style log format file for monitoring and logging activity completely independent of rulesets and matching.

A few features to look forward to in a few weeks:

  • Global Flow Variables: the ability to store more information from a stream or match (actual data, not just setting a bit) over a period of time allowing comparing values across many streams and time.
  • Graphics Card Acceleration: using CUDA and OpenCL to make use of the processing power of even old graphics cards to accelerate the IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.
  • IP Reputation: will allow sensors and organizations to share intelligence and eliminate many false positives.
  • Windows Binaries: will be released once there is a reasonably stable body of code.

Folks Behind It

The team is listed on the OISF site. It is an all-star cast including Matt Jonkman, Victor Julien, Will Metcalf, Nathan Jimerson, Margaret Skinner, Josh Smith, Brian Rectanus, Breno Silva Pinto, Anoop Saldanha, Gurvinder Singh Dahiya, Jason MacLulich, Jason Ish, Kirby Kuehl, Dennis Henderson, Martin Solum, Ivan Ristic, Pablo Rincon, and Gerardo Iglesias Galvan.

I also wanted to point out some of the heavy hitting organizations involved. The initial funding for OISF comes from the US Department of Homeland Security (DHS), the US Navy’s Space and Warfare Command (SPAWAR), and a number of private companies that participate in the OISF Consortium. The OISF is a part of the DHS Homeland Open Security Technology (HOST) program. OISF works with Open Source Software Institute and has received legal guidance from the Software Freedom Law Center.

OISF is a US nonprofit, a 501c(3) and will not commercialize, sell, patent, copyright, or profit from the engine. OISF Consortium members are donating coders, equipment, and financial support in exchange for the ability to commercialize the engine. The important take away is that OISF has long term support for future development of Suricata.

Final Thoughts

Suricata is a very exciting and promising IDS/IPS engine. It has a great group of people behind it and future development appears secured. It is a project that is in the early stages. Do not expect to download it and simply install it on a production environment. For testing the software and providing feedback, the engine and the HTP Library are available for download. To keep apprised of the latest developments, join the OISF mailing lists where you can discuss and share feedback. The blog of Victor Julien, Suricata’s lead developer, is another great source for the latest news and information.

To finally answer the burning question: why the name Suricata? According to the OISF site, Suricata comes from the Latin genus name for the meerkat and ‘the Meerkat takes security and vigilance as a life or death responsibility. There is always at least one individual on guard, watching, ready to alert the entire organization. Very much like an IDS sensor. It is always watching, always ready to alert you to danger. Or something like that…’

(Via System Advancements at the Monastery.)
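The port-independent protocol keywords, flow variables and fast IP matching that the quoted post lists, written out as Suricata rules. This is an added example, not code from OISF or from the quoted author; it assumes the standard flow, flowbits, http_method, http_uri and http_header rule keywords, and the URI pattern, address range and sid values are constructed for illustration.

```suricata
# Added example (not from the OISF announcement or the quoted post). Assumes
# Suricata rule syntax with the flow, flowbits, http_method, http_uri and
# http_header keywords; URI, address range and sid values are constructed.

# 1. Protocol field "http" instead of "tcp": automatic protocol detection
#    matches HTTP on whatever port the stream uses, so a download request to
#    port 8123 is inspected exactly like one to port 80. This rule only
#    records state in a flow variable and never alerts by itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE executable requested over HTTP (state only)"; \
    flow:established,to_server; content:"GET"; http_method; \
    content:".exe"; http_uri; nocase; \
    flowbits:set,example.exe_requested; flowbits:noalert; \
    sid:9000001; rev:1;)

# 2. Server side of the same flow: alert only when the reply to that request
#    declares a binary body, i.e. when the flow variable from rule 1 is set.
#    Without the flowbit, a plain octet-stream match would be very noisy.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE binary served in reply to .exe request"; \
    flow:established,to_client; flowbits:isset,example.exe_requested; \
    content:"Content-Type|3a| application/octet-stream"; http_header; nocase; \
    sid:9000002; rev:1;)

# 3. Fast IP matching: a rule whose only test is an address list is routed to
#    the engine's fast-matching path. 198.51.100.0/24 is the RFC 5737
#    documentation range, used here as a placeholder, not a real indicator.
alert ip [198.51.100.0/24] any -> $HOME_NET any (msg:"EXAMPLE traffic from placeholder address list"; \
    sid:9000003; rev:1;)
```

Rule 1 and rule 2 together are the "capture information out of a stream and match against it later" pattern the announcement calls Flow Variables; rule 3 is the address-only shape that the Fast IP Matching preprocessor handles.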