on Thursday, 14 November 2013
 

 

The Hacker News
The Hacker News has been internationally recognized as a leading news source dedicated to promoting awareness for security experts and hackers // via fulltextrssfeed.com

DDoS attack from Browser-based Botnets that lasted for 150 hours
11/14/2013 5:21:00 PM

Browser-based botnets are the T-1000s of the DDoS world. Just like the iconic villain of the old Judgment Day movie, they too are designed for adaptive infiltration. This is what makes them so dangerous. Where other more primitive bots would try to brute-force your defenses, these bots can simply mimic their way through the front gate.

By the time you notice that something's wrong, your perimeter has already been breached, your servers have been brought down, and there is little left to do but hang up and move on.


So how do you flush out a T-1000? How do you tell a browser-based bot from a real person using a real browser? Some common bot filtering methods, which usually rely on sets of Progressive Challenges, are absolutely useless against bots that can retain cookies and execute JavaScript.

The alternative, indiscriminately flashing CAPTCHAs at anyone with a browser, is nothing less than a self-inflicted disaster, especially when the attacks can go on for weeks at a time.

To demonstrate how these attacks can be stopped, here's a case study of an actual DDoS event involving such browsers: an attack that employed a swarm of human-like bots and which would, under most circumstances, result in a complete and total disaster.

Browser-based Botnet: Attack Methodology

The attack was executed by an unidentified botnet, which employed browser-based bots that were able to retain cookies and execute JavaScript. Early in the attack they were identified as PhantomJS headless-browsers.

PhantomJS is a development tool that uses a bare-bones (or "headless") browser, providing its users with full browsing capabilities but no user interface: no buttons, no address bar, etc. PhantomJS can be used for automation and load monitoring.

The attack lasted for over 150 hours, during which we recorded malicious visits from over 180,000 attacking IPs worldwide. In terms of volume, the attack peaked at 6,000 hits/second, for an average of over 690,000,000 hits a day. The number of attacking IPs, as well as their geographical variety, led us to believe that this might have been a coordinated effort involving more than one botnet at a time.

More than one Botnet?

Throughout the attack we dealt with 861 different user-agent variants, as the attackers constantly modified the header structure to try to evade our defenses. Most commonly, the attackers were using different variants of Chrome, Opera and Firefox user-agents.


Most active attacking IPs.

It is interesting to note that, besides using human-like bots, the attackers also made an effort to mimic human behavior, presumably to avoid behavior-based security rules. To that end, the attackers leveraged the number of available IP addresses to split the load in a way that would not trigger rate limiting. At the same time, by constantly introducing new IPs, the attackers made sure that IP restrictions would be just as ineffective. The bots were also programmed for human-like browsing patterns: accessing the sites from different landing pages and moving through them at a random pace and in varied patterns, before converging on the target resource.

Methods of Mitigation

Incapsula's Layer 7 security perimeter uses a combination of filtering methods, which create several defensive layers around the protected website or web application.

In this case the nature of the attacking bots allowed them to bypass Progressive Challenges. As mentioned, the botnet's shepherds also went to great lengths to evade our Abnormality Detection mechanisms, which they were able to do, at least to some extent.

However, by using a known headless browser, the attackers left themselves open to detection by our Client Classification mechanism, which, interestingly enough, uses the same technology as the 'Bot Filtering' feature of our free plan.

Our Client Classification algorithms rely on a crowd-sourced pool of known signatures, consisting of information gathered from across our network. At the time of the attack, the signature pool held over 10,000,000 signature variants, each of them containing information about:

  1. User-agent
  2. IPs and ASN info
  3. HTTP Headers
  4. JavaScript footprint
  5. Cookie/Protocol support variations

In the context of browser-based visitors, this means that we are looking not only at the more apparent factors (like user-agent or their correlation to origin IPs), but also at the intricate nuances that exist within each browser.

Security is a closed-hand game, so it would be hard to explain this without exposing some of our methods. Still, to provide some context, we can say that (on the low end) this means looking at minor differences in the way browsers handle encoding, respond to specific attributes, etc. For example, we can learn about visitors from the way their browser handles HTTP headers with double spacing or special characters.

The point is, our database holds tens of thousands of variants for each known browser or bot, to cover all possible scenarios (e.g., browsing from different desktop or handheld devices, going through proxies, etc.). Best of all, in this case, the attackers' weapon of choice, the PhantomJS webkit, is one of those signatures.

Fortune favors the prepared

And so, while the attackers were ducking and diving to make their bots look like humans, all our team really had to do was let our system discover the type of headless browser they were using. From there it was a simple task of blocking all PhantomJS instances. We even left a redemption option, offering visitors the chance to fill in a CAPTCHA, just in case any of them were real human visitors.

Not surprisingly, no such CAPTCHAs were filled.
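The classification and block-with-CAPTCHA handling described above, reduced to a toy version as an added example that is not Incapsula's code: each request carries a claimed User-Agent, the header order seen on the wire and the globals a JavaScript probe found in the client, a constructed signature pool maps that evidence to a browser family, and a request whose evidence points at a headless browser is blocked with a CAPTCHA as the redemption path. The header orderings and the traffic sample are constructed for illustration; `_phantom` and `callPhantom` are assumed here as the PhantomJS-specific globals such a probe would look for.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ip: str
    user_agent: str
    header_order: tuple                     # header names in the order they arrived on the wire
    js_footprint: frozenset = frozenset()   # globals a JS probe found in the client (constructed)


# Constructed signature pool (assumption: these are NOT real browser fingerprints).
# Each family maps to the header ordering and JavaScript globals its variant exhibits.
SIGNATURES = {
    "chrome": {
        "header_order": ("Host", "Connection", "Accept", "User-Agent",
                         "Accept-Encoding", "Accept-Language", "Cookie"),
        "js": frozenset(),
    },
    "firefox": {
        "header_order": ("Host", "User-Agent", "Accept", "Accept-Language",
                         "Accept-Encoding", "Connection", "Cookie"),
        "js": frozenset(),
    },
    "phantomjs": {
        "header_order": ("User-Agent", "Accept", "Accept-Encoding",
                         "Accept-Language", "Connection", "Host", "Cookie"),
        "js": frozenset({"_phantom", "callPhantom"}),   # assumed PhantomJS indicators
    },
}


def claimed_family(user_agent):
    """Browser family the User-Agent string claims; Opera first, since its UA also says Chrome."""
    ua = user_agent.lower()
    if "opr/" in ua or "opera" in ua:
        return "opera"
    if "phantomjs" in ua:
        return "phantomjs"
    if "firefox/" in ua:
        return "firefox"
    if "chrome/" in ua:
        return "chrome"
    return "unknown"


def observed_family(req):
    """Family implied by evidence the client did not spoof: JS globals first, then header order."""
    for family, sig in SIGNATURES.items():
        if sig["js"] and sig["js"] & req.js_footprint:
            return family
    for family, sig in SIGNATURES.items():
        if sig["header_order"] == req.header_order:
            return family
    return "unknown"


def classify(req):
    claimed, observed = claimed_family(req.user_agent), observed_family(req)
    if observed == "unknown":
        return "unclassified"
    if observed == "phantomjs":
        return "headless"        # a headless signature wins regardless of the claimed UA
    return "browser" if observed == claimed else "spoofed"


def verdict(classification):
    """Known headless bots are blocked but offered a CAPTCHA; unknowns are merely challenged."""
    return {"browser": "allow", "unclassified": "challenge",
            "spoofed": "challenge", "headless": "block+captcha"}[classification]


def summarize(requests):
    """Verdict counts plus the busiest single IP, showing why per-IP rate limits never fired."""
    verdicts = Counter(verdict(classify(r)) for r in requests)
    per_ip = Counter(r.ip for r in requests)
    return verdicts, max(per_ip.values(), default=0)


# Constructed traffic sample: one genuine Chrome visitor, three bots spoofing browser UAs, one unknown.
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
OPERA_UA = CHROME_UA + " OPR/17.0.1241.53"
SAMPLE = [
    Request("198.51.100.10", CHROME_UA, SIGNATURES["chrome"]["header_order"]),
    Request("203.0.113.5", CHROME_UA, SIGNATURES["phantomjs"]["header_order"], frozenset({"_phantom"})),
    Request("203.0.113.6", FIREFOX_UA, SIGNATURES["phantomjs"]["header_order"]),
    Request("203.0.113.7", OPERA_UA, SIGNATURES["chrome"]["header_order"], frozenset({"callPhantom"})),
    Request("203.0.113.8", OPERA_UA, ("Accept", "Host")),
]

if __name__ == "__main__":
    counts, busiest_ip = summarize(SAMPLE)
    print(dict(counts), "max requests from one IP:", busiest_ip)
```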

1 DDoS blocked.

Aftermath

The attacks continued past the point of mitigation. Days later, after we switched to auto-pilot, the attackers were still trying to come at us with new user-agents and new IPs, obviously oblivious to the real reason for their blockage. However, for all their T-1000-like relentlessness, they were already iced. Their cover was blown and their methods, signatures and patterns were internally recorded for future reference.

Cross Post from Incapsula.

By Ronen Atias, Security Analyst at Incapsula.

 

You are receiving this email because you subscribed to this feed at feedmyinbox.com

If you no longer wish to receive these emails, you can unsubscribe from this feed, or manage all your subscriptions

 

 


Samsung Galaxy S4 and iPhone 5 zero-day exploits revealed at Pwn2Own 2013 Contest
11/14/2013 9:05:00 AM

At the PacSec 2013 information security conference in Tokyo, Apple's Safari browser on the iPhone 5 and the Samsung Galaxy S4 were exploited by two teams of Japanese and Chinese white hat hackers.

In HP's Pwn2Own 2013 contest, the Japanese squad Team MBSD, of Mitsui Bussan Secure Directions, won a $40,000 reward for a zero-day exploit hacking the Samsung Galaxy S4. The vulnerabilities allow an attacker to wholly compromise the device in several ways, such as using a drive-by download to install malware on the phone.

In order for the exploit to be successful, the group lured a user to a malicious website, gained system-level privileges and installed applications that allowed the team to gather information, including SMS messages, contacts and browsing history. They 

Another team of hackers, from Keen Cloud Tech in China, showed how to exploit a vulnerability in iOS version 7.0.3 to steal Facebook login credentials and a photo from a device running iOS 6.1.4. They won $27,500 in prize money. Keen Team are the first Chinese winners of any Pwn2Own competition.

Both hacks require user interaction, but took no longer than five minutes to perform. Organisers from the HP Zero Day Initiative have informed Samsung and Apple about the flaws, and the companies will be working to address them.

By Wang Wei, security consultant for the government, financial securities and banks; malware analyst, penetration tester and security researcher at 'The Hacker News'.


Hacker 'Pinkie Pie' successfully compromised Chrome on Nexus 4 and Samsung Galaxy S4
11/14/2013 9:54:00 AM

At the PacSec 2013 information security conference in Tokyo, during HP's Pwn2Own contest, "Pinkie Pie" showcased a zero-day exploit that took advantage of two vulnerabilities:
  • An integer overflow that affects Chrome.
  • A Chrome vulnerability that resulted in a full sandbox escape.

For successful exploitation, the attacker has to get the victim to visit a malicious website, e.g. by clicking a link in an email, an SMS or another web page. He demonstrated this zero-day attack as a remote code execution vulnerability on the affected devices.

It is not known whether other Android phones are also vulnerable to the same flaw. The vulnerability has been disclosed to Google by the contest organizers, and the company is working to address the issue as soon as possible.

Researchers from Japan have also found a second exploit for the Samsung Galaxy S4, for which they were rewarded with $40,000 yesterday.

Stay tuned to The Hacker News's Facebook Page and Twitter Account for more updates!

 


on Wednesday, 13 November 2013
 

 


Federal judge rules in child pornography case: 'Your peer-to-peer file sharing data is not a private matter'
11/13/2013 5:28:00 PM

Today, computer telecommunications have become one of the most prevalent means used by pedophiles to share illegal photographic images of minors and to lure children into illicit sexual relationships. The Internet has dramatically increased preferential sex offenders' access to the population they seek to victimize and gives them greater access to a community of people who validate their sexual preferences.

The Fourth Amendment is the most implicated and litigated portion of the Constitution. Courts are increasingly confronting the problems associated with adapting Fourth Amendment principles to modern technology.

If you think that your peer-to-peer file sharing can be kept under wraps, then please think again. Federal judge Christina Reiss in Vermont has ruled that there should be no expectation of privacy for data shared across peer-to-peer file-sharing services.

In a child pornography case, three defendants argued that information gained from a P2P network had been illegally obtained by police without a search warrant.

District Court Judge Christina Reiss wrote in a decision released on Friday: "The evidence overwhelmingly demonstrates that the only information accessed was made publicly available by the IP address or the software it was using... Accordingly, either intentionally or inadvertently, through the use of peer-to-peer file sharing software, Defendants exposed to the public the information they now claim was private."

Police found the files using the Child Protection System, which features a number of software tools to help locate such files. The tools send out automated searches for files known to contain data of this kind, and then map each matching file to an IP address, date and time, as well as various other details about the particular computer.

A P2P network consists of a group of PCs that can exchange files with one another without going through a centralized server, saving time and bandwidth. This distributed arrangement, however, makes tracing the source of a file difficult, given that different pieces of a file typically come from different PCs in the network.

In July, Oak Ridge National Laboratory engineers developed BitPredator and BitThief, tools to automate the tracking of P2P content distributed using the BitTorrent protocol, to help law enforcement crack down on child abusers.

By Mohit Kumar, Founder and Editor-in-Chief of 'The Hacker News'; cyber security analyst, information security researcher, developer and part-time hacker.


Bitcash.cz Bitcoin Exchange hacked; Money from 4000 Bitcoin wallets Stolen
11/13/2013 6:14:00 PM

Yet another Bitcoin exchange, Bitcash.cz, based in the Czech Republic, has been hacked, and money from 4,000 Bitcoin wallets has been stolen, with a total value of over 2 million Czech koruna, i.e. approximately $100,000.

Bitcash.cz is currently down with a maintenance message saying that on the evening of November 11 its server was compromised by unknown hackers and bitcoins belonging to its clients were stolen.

The hackers appear to have sent emails from Bitcash.cz email accounts pretending to be members of staff. The emails claim the company had to use a US recovery company to get back the stolen bitcoins, and recipients are then apparently asked to send 2 BTC to a wallet address in order for their bitcoins to be returned.

"We are trying to resolve the situation, but we want to warn our users about fraudulent emails and scams [claiming to be from Bitcash]," the site said on its Facebook page.

Meanwhile, GBL, a Chinese Bitcoin exchange, mysteriously disappeared, taking more than $4 million of the virtual currency with it and leaving profit-hungry investors out of pocket.

Last week, Australian Bitcoin website inputs.io was hacked and around 4100 BTC valued at over $1 million stolen from a user's virtual wallet.

In May 2012, Bitcoinica, a Bitcoin exchange started by a 17-year-old, was also hacked, and more than 18,000 BTC, worth $90,000 or 68,000 EUR, were stolen.

By Mohit Kumar, Founder and Editor-in-Chief of 'The Hacker News'; cyber security analyst, information security researcher, developer and part-time hacker.


MacRumors forum hacked; more than 860,000 accounts compromised
11/13/2013 7:40:00 PM

The user forums of the popular Mac news and information site MacRumors were breached by hackers on Monday this week.

More than 860,000 usernames, email addresses and hashed passwords were potentially compromised. Users are advised to change their passwords on the forums, as well as on any other sites or services where the same password has been used.

MD5, with or without salt, is an inadequate means of protecting stored passwords. Back in 2012, the original author of the MD5 password hash algorithm publicly declared that MD5 is no longer considered safe to use on commercial websites.

The owner of the site, Arnold Kim, apologized for the intrusion and said that it occurred because the hacker gained access to a moderator account, which then allowed the intruder to escalate their own privileges with the goal of stealing user login credentials.

"We are looking into it further to see if there was another exploit, but there hasn't been any evidence of it yet."

He said the site had been hacked in a similar manner to the Ubuntu forums in July, where attackers defaced the site and accessed the user database. At the time, the site claimed to have over 1.8 million registered members.

"We are still working to get the forums fully functional and more secure,"

He said that the log files so far indicate that the intruder tried to access the password database, but there are no indications that the passwords are circulating online in any form.

By Mohit Kumar, Founder and Editor-in-Chief of 'The Hacker News'; cyber security analyst, information security researcher, developer and part-time hacker.



 

 


Security updates available for Adobe Flash Player and ColdFusion vulnerabilities
11/13/2013 4:22:00 PM

Adobe has released critical security patches for its ColdFusion web application server and for Adobe Flash Player for Mac, Windows and Linux. Adobe AIR and the AIR SDK and Compiler are also being updated.

These updates address vulnerabilities, tracked as CVE-2013-5329 and CVE-2013-5330, that could cause a crash and potentially allow an attacker to take control of the affected system.

The following software versions are affected and should be updated as soon as possible:

  • Adobe Flash Player 11.9.900.117 and earlier versions for Mac and Windows
  • Adobe Flash Player 11.2.202.310 and earlier versions for Linux
  • Adobe AIR 3.9.0.1030 and earlier versions for Windows and Macintosh
Adobe has also released a security hotfix for ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and Linux, which addresses two vulnerabilities:
  • Cross-site scripting (XSS) vulnerability (CVE-2013-5326)
  • Unauthorized remote read access (CVE-2013-5328)

Both products have been patched multiple times this year. In January, four critical vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632) were exploited by hackers to access and steal sensitive data stored on servers.

In May, hackers used these flaws to breach Washington state's Administrative Office of the Courts. In that hack, the attackers accessed as many as 160,000 Social Security numbers and up to one million driver's license numbers.

The fixes, APSB13-26 for Adobe Flash Player and APSB13-27 for Adobe ColdFusion, are available for download. Install the appropriate Adobe patches immediately, or let Adobe's updater do it for you.

By Mohit Kumar, Founder and Editor-in-Chief of 'The Hacker News'; cyber security analyst, information security researcher, developer and part-time hacker.



on Tuesday, 12 November 2013
 

 


Singapore police arrest six men for allegedly hacking the Prime Minister's and President's websites
11/12/2013 12:52:00 PM

A Singaporean hacker calling himself "The Messiah" was arrested in Kuala Lumpur last Monday for hacking into a Singaporean government website over two weeks ago, from a Kuala Lumpur apartment.

James Raj, 35, was charged with hacking the Ang Mo Kio town council website and posting a symbol associated with the international hacker group Anonymous.

He was charged under the Computer Misuse and Cybersecurity Act. If found guilty, he could be jailed for up to three years and fined S$10,000.

Police said Raj was also linked to a series of hacking incidents, including penetrating the website of a charity group related to the ruling People's Action Party.

Police declined to give details but suggested that Raj was not responsible for defacing the prime minister's office and presidential palace websites on November 7 and 8.

Five other local men are being held for allegedly hacking the websites of Singapore's president and prime minister: Muhammad Fitri Abu Kasim, 24, Danial Ryan Salleh, 25, Mohamad Fadzly Aziz, 21, Muhammad Redzwan Baskin, 26, and Muhammad Qamarul Arifin Sa'adon, 22.

Police added that three of the suspects in the incident involving the PMO site were family members, while the other two suspects, in the incident involving the presidential Istana site, were Facebook friends.

A Home Affairs Ministry spokesperson said, "Such acts can compromise the operation of critical services, cause alarm, damage and harm, and have serious security, economic and social consequences for Singapore and Singaporeans."

The suspects had exploited vulnerabilities in both websites to deface them. They were released on bail of $15,000 each, but if found guilty they face jail terms of up to three years or a fine of up to $2,000.

By Wang Wei, security consultant for the government, financial securities and banks; malware analyst, penetration tester and security researcher at 'The Hacker News'.



on Monday, 11 November 2013
 

 


CTF365 Capture The Flag - The Next Generation IT Security Training Platform
11/11/2013 7:15:00 PM

For years, the Capture the Flag platform has been a common and very popular part of the hacker convention scene. Teams come from all over the world to show their skill and technique in various competitions.

The CTF365 team took that interest, passion and excitement to a new level in their platform. That original capture-the-flag environment is now available to anyone from the safety and comfort of their own home. Not only is the original, fun capture-the-flag platform available, but the CTF365 team is also bringing in red versus blue competitions, as well as an entire exploitable virtual world!

While still in alpha, the development team is working tirelessly to bring a brand new approach to a long-standing favorite to the hacker and information security community.

What is CTF365?

CTF365 is a revolution in the world of capture the flag, simulated attacks and information security as a whole. Capture the flag is always a fan favorite at hacker conventions, online, at hackerspaces and at other gatherings. The developers at CTF365 have brought the growing trend of capture the flag to everyone in a completely new way. The main aspect of CTF365 is the team-based fortress attack-and-defense environment.

A team can consist of 5 to 10 users, who have to protect their fortress and its services while also attacking other teams' fortresses. This is much like the red versus blue competitions that have become very popular alongside the growing popularity of Metasploit and the Armitage GUI front-end, which is designed primarily for this type of exercise. This primary function of the CTF365 environment sets it apart from the isolated, single-event CTFs at different conferences across the country.

Who can benefit from CTF365?

The environment(s) of CTF365 allow for the common red versus blue setup that many in the information security field are used to; however, CTF365 goes even farther than that in its vision. It has opened its servers up so that different private challenges can be created, recruiters can use the environment to test candidates, system administrators can deploy servers and stress-test them, and much more.

While CTF365 is still in alpha, the possibilities they envision are truly limitless, and with the input of the InfoSec community they hope to expand to address the specific and unique needs of the people who make this platform popular and this development successful.

How does it work?

For those not familiar with CTF challenges, the environment is designed to consist of "fortresses," which are VMs launched by each team; that team then has to run an array of services and lock them down to prevent them from being hacked. Other teams also host such fortresses, and must try to hack everyone else's fortresses (or specific fortresses in competitions). Currently, you can use whatever tools you have in order to break into these other machines. There are very few rules, to allow you to try and explore different attacks and attack vectors.

What makes CTF365 unique?

The best answer to this question might be what doesn't make it unique; however, the CTF team and I are proud to be able to take the idea of capture the flag to the next level. We all enjoy and look forward to CTF competitions, and now, as CTF365, we are able to share that passion with the world. Teams no longer need to be in the same location to compete together. There are also currently far fewer rules than in typical CTF competitions, to allow for exploring attacks, trying new things and just having fun.

Where is CTF365 going from here?

CTF365 is currently in the alpha stage of testing, during which they are testing the platform for usability, user experience and other CTF365 features yet to be announced. The CTF365 team wants to thank all of the users who are putting such a strong effort into testing, toying with and bug reporting in the current environment, i.e. Team CTFUK (http://ctf365.com/teams/997) and Team Singapore (http://ctf365.com/teams/954).
In the current testing stage, most users are security professionals from various penetration testing and security training companies. With referrals for the pre-release environment, information security professionals as well as information security instructors and teachers are also more than welcome.

If you would like early access, and feel that you fit any of these categories, please reach out via the CTF365 support email or mike@ctf365.com.

The CTF365 team wants to see your creativity come out, displaying your abilities in as many ways as possible, and most importantly they want you to have fun doing it!

Those who win different levels and challenges will be eligible for prizes and other surprises. This feature will be released when CTF365 reaches the beta stage of development. I will have more information on this in an upcoming blog article, so tune in for updates!

The CTF365 team always welcomes input and suggestions. You can reach out to me personally with suggestions, questions, comments or concerns on Twitter at @MikeCTF365. I look forward to hearing from everyone, and hope that you love this new platform as much as we do!

Come over to CTF365.com and check out the latest and greatest in virtual hacking environments!
By Mike Ringer, CTF365 Content Editor/Manager.

