Wednesday, February 23, 2011

DDoS attack forces Rabobank offline

Dutch media are reporting that last weekend Rabobank suffered a system failure that rendered its online banking facilities inaccessible for several hours. Today it turned out that the cause was a Denial of Service (DoS) attack. The bank will now file a criminal complaint with Dutch law enforcement authorities.
On the same day the Dutch Minister for Security and Justice, Mr. Ivo Opstelten, announced the creation of a National Cyber Security Center as well as the expansion of the Dutch Team High Tech Crime to address the cyber threat.
The Dutch Police Union (ACP) made public its view that legal encryption tools pose a big threat to enforcement activities at both the national and international level. It wants the developers of encryption software to cooperate with enforcement authorities and calls for international regulatory measures as well.

Tuesday, February 22, 2011

Westboro Baptists Stage Fake Anonymous Threat

The controversial Westboro Baptist Church isn't exactly a beloved organization. However, when it claimed that the ethereal hacking group Anonymous had threatened to take the WBC down, it was apparently just a bald-faced lie to garner publicity.
Anonymous is known for taking on targets big and small that range from the U.S. government to Gene Simmons. One common thread through Anonymous' attacks is that they all seem to go along with the group's ideals of open government or freedom of speech.
The WBC has some pretty insane views, in my humble opinion, the least terrible of which calls Batman and Superman false idols. At the worst, the WBC praises terrorism for, well, some crazy reason probably not even worth discussing. The organization claims it received an open letter from Anonymous that said: "We will target your public websites, and the propaganda and detestable doctrine that you promote will be eradicated; the damage incurred will be irreversible, and neither your institution nor your congregation will ever be able to fully recover."
Anonymous put out a press release denying it had written the letter, believing it to be a trap to "harvest IPs to sue." The press release reads: "When Anonymous says we support free speech, we mean it. We count Beatrice Hall among our Anonymous forebears: 'I disapprove of what you say, but I will defend to the death your right to say it.'"
While it might be nice to see Anonymous take on the WBC, it unfortunately just doesn't make sense. It'd be like taking down the website of the crazy guy that yells at you when you walk down the street, on a slightly larger scale.

US domain seizures disable 84,000 websites

Thousands of legitimate websites were apparently accidentally taken offline last week, when the US Departments for Justice and Homeland Security seized the domains of websites allegedly hosting counterfeiting and child sexual abuse content (also reported here and here).
It appears that the DHS unknowingly targeted the dynamic DNS service, which provides URLs for 84,000 websites under subdomains of As a result, thousands of innocent website owners found their homepages replaced with the following message:

The seizure of was reversed last Sunday, but at the time of writing the DHS has yet to publicly acknowledge its mistake.
Domain seizures have become a subject of controversy in the US, where copyright-related seizures have become increasingly commonplace. Critics claim that the practice violates the First Amendment of the US Constitution by placing a “prior restraint” on speech.
The practice is likely to re-ignite long-standing international concerns about the US government’s privileged relationship with ICANN. Foreign governments, especially those in the Middle East under pressure from a populace newly empowered by the Internet, will draw attention to the contrast between this US action to enforce its own laws and its support for unrestricted free speech abroad.
On the other side of the Atlantic, Nominet is consulting on its own domain deletion policies. The US mistake will give Nominet reason to be very careful about adopting procedures that give an unbalanced assumption of authority to law enforcement complaints.

DDoS attacks: coming to a network near you

There has already been much fallout from the recent massive release of information by the WikiLeaks organisation--including attacks on WikiLeaks itself by those angered by its actions that aimed to disrupt and discredit the organisation. This saw WikiLeaks targeted by a variety of sustained distributed denial of service (DDoS) attacks that aim to make its web presence inaccessible.
Although these attacks were seen to be relatively modest in size and not very sophisticated, the publicity that they received has served to raise awareness of the dangers of such attacks, which can be costly and time-consuming to defend against. DDoS attacks occur when a hacker uses large-scale computing resources, often using botnets, to bombard an organisation's network with requests for information that overwhelm it and cause servers to crash. Many such attacks are launched against websites, causing them to be unavailable, which can lead to lost business and other costs of mitigating the attacks and restoring service.
DDoS attacks are actually extremely widespread. A recent survey commissioned by VeriSign found that 75% of respondents had experienced one or more attacks in the past 12 months. This is echoed in recent research published by Arbor Networks of 111 IP network operators worldwide, which showed that 69% of respondents had experienced at least one DDoS attack in the past year, and 25% had been hit by ten such attacks per month. According to Adversor, which offers services to protect against DDoS attacks, DDoS attacks now account for 4% of total internet traffic. Another provider of such services, Prolexic Technologies, estimates that there are 50,000 distinct DDoS attacks every week.
The research from Arbor Networks also shows that DDoS attacks are increasing in size, making them harder to defend against. It found that there has been a 102% increase in attack size over the past year, with attacks breaking the 100Gbps barrier for the first time. More attacks are also being seen against the application layer, which target the database server and cripple or corrupt the applications and underlying data needed to effectively run a business, according to Arbor's chief scientist, Craig Labovitz. Among respondents to its survey, Arbor states that 77% detected application layer attacks in 2010, leading to increased operational expenditures, customer churn and revenue loss owing to the outages that ensue.
Measures that are commonly taken to defend against DDoS attacks include the use of on-premise intrusion detection and prevention systems, or the overprovisioning of bandwidth so that an attack cannot take down the network. Others use service providers, such as their internet service provider (ISP) or third-party anti-DDoS specialists, which tend to be carrier-agnostic and so are not limited to the services offered by a particular ISP. The first two options are time-consuming and costly for organisations to manage, and they must have the capacity to deal with the massive-scale, stealthy application-layer attacks that are now being seen.
With attacks increasing in size and stealthier application-layer attacks becoming more common, some attacks are now so big that they really need to be mitigated in the cloud before the attack traffic can reach an organisation's network. ISPs and specialist third-party DDoS defence providers monitor inbound traffic and, when a potential DDoS attack is detected, redirect the traffic to a cloud-based scrubbing platform. Here the attack can be mitigated, providing a clean pipe service--the service provider takes the bad traffic, cleans it and routes it back to the network in a manner that is transparent to the organisation.
Guarding against DDoS attacks is essential for many organisations and vital especially for those organisations with a large web presence, where an outage could cost them dearly in terms of lost business. DDoS attacks are becoming increasingly targeted and are no longer just affecting larger organisations. Rather, recent stories in the press have shown that organisations of all sizes are being attacked, ranging from small manufacturers of industry food processing equipment and machinery through to large gambling websites.
By subscribing to cloud-based DDoS mitigation services, organisations benefit from a service that not only provides better protection against DDoS attacks than they could achieve by themselves, but can actually reduce the cost of doing so: the cost of hardware and maintenance for the required equipment is spread across all subscribers to the service, and organisations don't need to over-provision bandwidth because the traffic is directed away from their networks. For protecting vital websites, subscribing to such a service is akin to taking out insurance to ensure that website assets are protected, and the organisation can protect itself from the cost and reputational damage that can follow a successful DDoS attack that renders services unavailable.

Tuesday, February 15, 2011

Anonymous could launch Stuxnet attack on Iran

Anonymous, the leaderless 'hacktivist' collective that recently launched DDoS attacks in support of WikiLeaks, claims to have got hold of the Stuxnet worm - and could use it to launch further attacks on targets including Iran's nuclear programme.

Israeli and US secret services are alleged to have created Stuxnet in order to launch the sophisticated cyber attack on Iran.
Anonymous claims it has obtained details of the worm from the emails of security researchers HBGary, after the collective attacked the company's website earlier this month in revenge for the US firm's help for the FBI in identifying alleged members of Anonymous.
As yet, Anonymous has not announced its intention to use the malicious code - but the 'online living consciousness' has signalled its disapproval of the Tehran regime in an open letter to the Iranian people, stating:
"People of Iran, you will not be denied your right to free speech and free press; your right to freedom of assembly, uncensored information and unlimited access to the Internet; your right to a life without oppression and fear."
The group plans to launch attacks in support of the country's pro-democracy 'green movement'.
But security experts have raised doubts over Anonymous's ability to exploit the worm in order to carry out attacks on Iran - in particular with regard to high-profile targets such as the Bushehr nuclear reactor complex, the target of the original attacks last year.

Russian experts working on the reactor recently warned the Kremlin that damage caused by the earlier Stuxnet attack could cause 'another Chernobyl' if Iranian nuclear chiefs press ahead with their existing timetable for bringing the site on-stream.
"It would be possible [for Anonymous to use Stuxnet in an attack]," Orla Cox of security analysts Symantec told the UK's Guardian newspaper. "But it would require a lot of work, it's certainly not trivial.
"The impressive thing about Stuxnet is the knowledge its creators had about their target. So even if you have got access to it you need to understand the target - that requires a lot of research."

DDoS bot Darkness is given away for free

A DDoS (distributed denial-of-service) bot called Darkness, which can be used to put websites offline, has been released for free on cyber-criminal forums.
This botnet tool, which attacks websites by generating a high number of page requests so that servers reach their maximum capacity and crash, is very popular in the hacker community because it is more effective than many other tools.
This means DDoS attacks are now both easier and cheaper to run, and the potential threat to individuals and organizations is significant.
Although Darkness does not use any new DDoS techniques, its coding is widely considered to be tighter than that of most of its competitors, so it needs fewer resources to perform the same number of attacks. This means that fewer systems need to be infected and controlled by the bot for it to be effective.

The group behind the cyber threat information site Shadowserver, who describe their mission as “to understand and help put a stop to high stakes cybercrime in the information age”, said: “Darkness is an effective and efficient DDoS bot. With this free public release we expect to soon see a wider deployment of Darkness command and control servers.”
DDoS attacks have been prevalent recently. Both MasterCard’s and PayPal’s European sites were forced offline late in 2010 by supporters of the whistle-blowing web site WikiLeaks.

Anonymous releases 71,800 HBGary e-mails through new site

Try to take on Anonymous or WikiLeaks, and they'll get you back: the hacktivist group is single-handedly destroying HBGary's reputation for threatening its members and planning to sabotage WikiLeaks.

Any companies out there considering taking down Anonymous in return for the various DDoS attacks the group staged earlier this year might want to think twice. The hacktivist group recently infiltrated security firm HBGary Federal’s network and accumulated various confidential material and internal e-mails. The firm’s CEO Aaron Barr allegedly had plans to rat out Anonymous members to the FBI, and as revenge he can now find his and various other HBGary employees’ e-mails publicly posted (HBGary is HBGary Federal’s sister company). In addition to outing Anonymous members, HBGary was one of a handful of firms orchestrating an image attack to destroy WikiLeaks’ reputation. WikiLeaks is reportedly preparing to release confidential documents belonging to Bank of America, and according to Forbes, HBGary would work for the company by “spreading misinformation, launching cyberattacks against [WikiLeaks], and pressuring journalists.”
Anonymous is now hosting a site (and there are a variety of mirrors as well) giving anyone access to 71,800 e-mails from the inboxes of HBGary executives Greg Hoglund, Aaron Barr, Ted Vera, and Phil Wallisch. Subject matter ranges from a PowerPoint presentation detailing intentions to plant false stories about WikiLeaks to embarrassing love letters between company execs.
This is more than humiliating for HBGary – it’s financially ruining the company. Security firms Berico Technologies and Palantir Technologies have cut ties with HBGary. The released documents tied both firms to the operation defending Bank of America by sabotaging WikiLeaks, and now they’re washing their hands of the situation. Aside from any business relationships Anonymous’ latest hack and release damaged for HBGary, the fact that a security firm was infiltrated by the group in the first place speaks volumes.
WikiLeaks holds powerful information, and it seems like security firms will stop at nothing to retain it – or at least threaten the group and its supporters to the point of keeping their mouths shut. But it appears that Anonymous has more in its arsenal than unsophisticated DDoS attacks, and the group is ready to use them.

Monday, February 14, 2011

The cyberweapon that could take down the internet

A new cyberweapon could take down the entire internet – and there's not much that current defences can do to stop it. So say Max Schuchard at the University of Minnesota in Minneapolis and his colleagues, the masterminds who have created the digital ordnance. But thankfully they have no intention of destroying the net just yet. Instead, they are suggesting improvements to its defences.
Schuchard's new attack pits the structure of the internet against itself. Hundreds of connection points in the net fall offline every minute, but we don't notice because the net routes around them. It can do this because the smaller networks that make up the internet, known as autonomous systems, communicate with each other through routers. When a communication path changes, nearby routers inform their neighbours through a system known as the border gateway protocol (BGP). These routers inform other neighbours in turn, eventually spreading knowledge of the new path throughout the internet.
A previously discovered method of attack, dubbed ZMW – after its three creators Zhang, Mao and Wang, researchers in the US who came up with their version four years ago – disrupts the connection between two routers by interfering with BGP to make it appear that the link is offline. Schuchard and colleagues worked out how to spread this disruption to the entire internet and simulated its effects.

Surgical strike

The attack requires a large botnet – a network of computers infected with software that allows them to be externally controlled: Schuchard reckons 250,000 such machines would be enough to take down the internet. Botnets are often used to perform distributed denial-of-service (DDoS) attacks, which bring web servers down by overloading them with traffic, but this new line of attack is different.
"Normal DDoS is a hammer; this is more of a scalpel," says Schuchard. "If you cut in the wrong places then the attack won't work."
An attacker deploying the Schuchard cyberweapon would send traffic between computers in their botnet to build a map of the paths between them. Then they would identify a link common to many different paths and launch a ZMW attack to bring it down. Neighbouring routers would respond by sending out BGP updates to reroute traffic elsewhere. A short time later, the two sundered routers would reconnect and send out their own BGP updates, upon which attack traffic would start flowing in again, causing them to disconnect once more. This cycle would repeat, with the single breaking and reforming link sending out waves of BGP updates to every router on the internet. Eventually each router in the world would be receiving more updates than it could handle – after 20 minutes of attacking, a queue requiring 100 minutes of processing would have built up.
Clearly, that's a problem. "Routers under extreme computational load tend to do funny things," says Schuchard. With every router in the world preoccupied, natural routing outages wouldn't be fixed, and eventually the internet would be so full of holes that communication would become impossible. Schuchard thinks it would take days to recover.
"Once this attack got launched, it wouldn't be solved by technical means, but by network operators actually talking to each other," he says. Each autonomous system would have to be taken down and rebooted to clear the BGP backlog.

Meltdown not expected

So is internet meltdown now inevitable? Perhaps not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.
An alternative scenario would be the nuclear option in a full-blown cyberwar – the last resort in retaliation to other forms of cyberattack. A nation state could pull up the digital drawbridge by adjusting its BGP to disconnect from the internet, just as Egypt did two weeks ago. An agent in another country could then launch the attack, bringing down the internet while preserving the attacking nation's internal network.

Sitting duck

Whoever launched the attack, there's little we could do about it. Schuchard's simulation shows that existing fail-safes built into BGP do little to protect against his attack – they weren't designed to. One solution is to send BGP updates via a separate network from other data, but this is impractical as it would essentially involve building a shadow internet.
Another is to alter the BGP system to assume that links never go down, but this change would have to be made by at least 10 per cent of all autonomous systems on the internet, according to the researchers' model, and would require network operators to monitor the health of connections in other ways. Schuchard says that convincing enough independent operators to make the change could be difficult.
"Nobody knows if it's possible to bring down the global internet routing system," says Mark Handley, an expert in networked systems at University College London. He suggests that the attack could cause "significant disruption" to the internet, with an effect greater than the Slammer worm of 2003, but it is unlikely to bring the whole thing down.
"The simulations in the paper make a lot of simplifying assumptions, which is necessary to simulate on this scale," he explains. "I doubt the internet would behave as described."
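The flap cycle described under "Surgical strike" is exactly the pattern that BGP's existing route-flap damping fail-safe (RFC 2439) was built to absorb, so it is worth seeing what that fail-safe actually does at one router. The following Python is an added illustration, not code from the article or from Schuchard's paper: it runs a per-prefix damping state machine over a constructed timeline of withdraw/announce events from one flapping link, using common vendor default parameters (assumed, not taken from the article), and counts how many updates the router would still forward downstream.

```python
"""
Route-flap damping applied to a constructed stream of BGP withdraw/announce
events for a single prefix.

Added illustration, not code from the article or from Schuchard's paper.
Damping parameters are common RFC 2439 / vendor defaults, assumed here;
the event timeline is constructed, not observed data.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

# Assumed damping parameters (widely used router defaults, not from the article).
HALF_LIFE_S = 15 * 60      # penalty halves every 15 minutes while the route is stable
REUSE_LIMIT = 750          # a suppressed route is re-advertised once penalty decays below this
SUPPRESS_LIMIT = 2000      # the route is suppressed once penalty exceeds this
MAX_SUPPRESS_S = 60 * 60   # upper bound on how long a route stays suppressed
WITHDRAW_PENALTY = 1000    # penalty charged per withdrawal (one "flap")

Event = Tuple[int, str]    # (seconds since start, "withdraw" | "announce")

# Constructed timeline: one link breaking and reforming every 60 s for four
# minutes, the cycle the article describes, seen as updates for one prefix.
FLAP_EVENTS: List[Event] = [
    (t, "withdraw" if i % 2 == 0 else "announce")
    for i, t in enumerate(range(0, 240, 30))
]


def decay(penalty: float, elapsed_s: float) -> float:
    """Exponential decay of the flap penalty with the configured half-life."""
    return penalty * 0.5 ** (elapsed_s / HALF_LIFE_S)


@dataclass
class DampState:
    """Per-prefix, per-neighbour damping state kept by one router."""
    penalty: float = 0.0
    last_t: float = 0.0
    suppressed: bool = False
    suppressed_since: float = 0.0
    reachable: bool = True      # last reachability learned from the neighbour


def process(events: List[Event]) -> Tuple[DampState, List[Event]]:
    """Run the damping state machine over the events.

    Returns the final state and the updates the router would still forward to
    its downstream peers. Without damping every event is forwarded, so
    len(forwarded) against len(events) shows how much churn damping absorbs.
    """
    st = DampState()
    forwarded: List[Event] = []
    for t, kind in events:
        st.penalty = decay(st.penalty, t - st.last_t)
        st.last_t = t
        if kind == "withdraw":
            st.penalty += WITHDRAW_PENALTY
            st.reachable = False
        else:
            st.reachable = True

        if not st.suppressed and st.penalty > SUPPRESS_LIMIT:
            # Threshold crossed: downstream still learns the route is gone,
            # but none of the subsequent churn for this prefix is forwarded.
            st.suppressed = True
            st.suppressed_since = t
            forwarded.append((t, "withdraw"))
            continue

        if st.suppressed:
            continue   # neither withdraws nor re-announcements propagate

        forwarded.append((t, kind))
    return st, forwarded


def reuse_time(st: DampState) -> float:
    """Earliest time a suppressed route would be re-advertised if the link
    stayed stable: when the penalty decays below REUSE_LIMIT, or when the
    maximum suppression time expires, whichever comes first."""
    if not st.suppressed:
        return st.last_t
    by_decay = st.last_t + HALF_LIFE_S * math.log2(st.penalty / REUSE_LIMIT)
    by_cap = st.suppressed_since + MAX_SUPPRESS_S
    return max(st.last_t, min(by_decay, by_cap))


if __name__ == "__main__":
    state, fwd = process(FLAP_EVENTS)
    print(f"updates from flapping link : {len(FLAP_EVENTS)}")
    print(f"updates forwarded (damped) : {len(fwd)}")
    print(f"suppressed since t={state.suppressed_since:.0f}s, "
          f"penalty now {state.penalty:.0f}, "
          f"route reusable at t={reuse_time(state):.0f}s")
```

Note that the suppression is per prefix and per neighbour, and only starts after several flaps, which is why the article's researchers found this fail-safe does little against update storms spread across every router.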

Friday, February 11, 2011

Operation Iran

The hacking collective Anonymous is planning to launch distributed denial-of-service (DDoS) attacks against Iranian government websites tomorrow (Feb. 11).
Anonymous "Operation Iran" is set to begin at 1:00 p.m. local time and is an online protest of what the group called in a press release "chains of oppression, tyranny and torture." The DDoS attacks coincide with a day of physical demonstrations set to occur in Iran tomorrow, ostensibly to commemorate the 32nd anniversary of the revolution but which last year were usurped by anti-government protesters.

A YouTube video created by the group shows violent scenes of revolt and government oppression, while a digitally modified voice details Anonymous' mission:
"To the noble people of Iran: We know how great you are. You have been killed, jailed, tortured and silenced by the illegal regime which has hijacked your country for the past 32 years, and yet you still rose up last year against a force that you knew meant ill harm. They may kill one person every eight hours but they can't kill your fighting spirit, they can't kill your freedom. Know that we support you. Know that you are not alone. We are Anonymous, we are legion. We do not forgive, we do not forget. Expect us."

In an Anonymous chat room today (Feb. 10), a participant using the screen name "arash" expressed the public sentiment in Iran that is behind the need for a government upheaval similar to the ones occurring in Tunisia and Egypt. (Anonymous hackers launched DDoS attacks on government websites in both countries last month.)
"They are the most uncivilized regime in the world, worst [sic] than north korea [sic] and all the Iranians hate them," arash wrote.
This batch of DDoS attacks comes at what could be considered a precarious time for Anonymous. Today (Feb. 10), a federal grand jury in San Jose, Calif., began collecting evidence - including computers and mobile phones - seized in multistate raids on suspected members of Anonymous.

Thursday, February 10, 2011

NASDAQ Issues Statement on Security Breach

Through our normal security monitoring systems we detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our web facing application Directors Desk was potentially affected. We immediately conducted an investigation, which included outside forensic firms and U.S. federal law enforcement. The files were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers. Our trading platform architecture operates independently from our web-facing services like Directors Desk and at no point was any of NASDAQ OMX’s operated or serviced trading platforms compromised.

Subsequently, the U.S. Department of Justice requested that we refrain from providing notice to our customers until, at the earliest, February 14, 2011, in order to facilitate the continuing investigation. NASDAQ OMX was honoring the U.S. Government’s request to delay notification, but when a story ran in the media on Saturday, February 5, 2011, regarding a hacking incident at NASDAQ OMX, we immediately decided, in consultation with the authorities, that we must inform our customers.

We continue to evaluate and enhance our advanced security controls to respond to the ever increasing global cyber threat and continue to devote extensive resources to further secure our systems. Cyber attacks against corporations and government occur constantly. NASDAQ OMX remains vigilant against such attacks. We have been working in cooperation with the Government’s ongoing investigations and have received their technical advice for which we are appreciative.

Tuesday, February 8, 2011

FBI Investigating NASDAQ DDOS Attacks

An investigation is now underway by Federal agents into numerous intrusions of the network that runs the Nasdaq stock exchange, according to CNET.
Although the hackers did not affect the exchange’s trading platforms, it is not quite clear at this time what other parts of the network were accessed.
The FBI recently launched an investigation and announced they are considering a range of motives for the intrusions, including a threat to national security, financial gain, and theft of trade secrets.
Reports say that those familiar with the investigation are saying that surfaced evidence points to Russia as the intruder’s location. However, investigators warn that the hackers may be using the country as a channel for their actions.
This is not the first time the Nasdaq has been targeted by hackers. In 1999, the group called “United Loan Gunmen” accessed the site and posted a headline entitled “United Loan Gunmen take control of Nasdaq stock market.” The headline was quickly erased and Nasdaq officials said that the trading platforms were never breached.

Anonymous unleashes its wrath on informant

The Internet "hacktivist" collective known as Anonymous has unleashed a full-scale and crippling online attack on a man who was about to blow the roof off the group’s hidden identity.
Aaron Barr, chief executive of the Washington, D.C.-based security firm HBGary Federal, planned to unmask members of Anonymous, the group that organized Internet attacks both on businesses that cut ties with WikiLeaks and, most recently, against government websites in Tunisia and Egypt.

On Saturday, the Financial Times ran a story in which Barr said he had uncovered the identities of Anonymous members, and would reveal them at a security conference this week. The day after the Financial Times piece came out, Barr’s online security began to crumble.

Five members of Anonymous brought down HBGary Federal’s website Sunday. Then they hacked into Barr’s Twitter account — @aaronbarr — and posted his home address, cell-phone and Social Security numbers and a stream of fake and offensive messages.
They also stole 50,000 of Barr’s personal e-mails — now linked to from his Twitter page — as well as his company’s financial records. A Forbes magazine report said Anonymous was planning to erase data on HBGary Federal's servers.

The digital smack-down continued: Anonymous’ foot soldiers went after Barr’s colleagues and his boss, Ted Vera, whose LinkedIn profile name they changed to a homophobic slur. And in a final display of defiance, Anonymous members decided that rather than squash the 23-page dossier that Barr had compiled containing the group’s secret identities, they would make the document public themselves. Anonymous posted the document online, and said Barr’s findings were mostly incorrect.
Members of Anonymous have reason to be worried. British authorities arrested five men last month in connection with the WikiLeaks-related attacks, and the FBI executed two dozen searches across the U.S. at the same time. Anonymous members claimed over the weekend that Barr planned to hand over his list to the FBI, but the dossier itself seems more like an unfinished series of notes than a formal report.
A recent post on Barr’s Twitter page, presumably posted by a member of Anonymous, summed up the situation: “Today we taught everyone a lesson. When we actually decide to bite back against those who try to bring us down, we bite back hard.”

Thursday, February 3, 2011

Mubarak, Obama, the Kill Switch... and some Humour

A “kill switch” bill that grants President Barack Obama the power to shut down the entire nation’s Internet during a national crisis will soon resurface in the Homeland Security and Governmental Affairs Committee.

The legislation, which has bipartisan support, floated through the Senate committee in December but expired with the new Congress early January.

After Senate leaders announced Jan. 27 that Sen. Susan Collins (R-Maine), who introduced the bill, will continue to serve as the ranking member of the Senate committee, Collins indicated that she will bring the bill to the table again.

The planned introduction also follows the Internet blackout in Egypt on Jan. 27 in response to the nationwide protests to remove Egyptian President Hosni Mubarak, who has been in office since 1981.

Collins said that the bill would not give Obama the same level of power as the Egyptian president and is only designed to prevent damage from “significant” cyberthreats, according to Wired magazine.

“My legislation would provide a mechanism for the government to work with the private sector in the event of a true cyber-emergency,” Collins told Wired. “It would give our nation the best tools available to swiftly respond to a significant threat.”
An aide to the Senate committee explained to the magazine that the bill will not permit the shutting down of the entire Internet but only allow the president to deny access to certain websites when the government detects a possible cyber-attack.

The aide added that there will not be one “kill switch” that can take down the entire network but a central system that is connected to servers in different regions.

Critics and organizations such as the American Civil Liberties Union, American Library Association, Electronic Frontier Foundation, and Center for Democracy and Technology are skeptical of the legislation and said in an open letter that the legislation could be used to censor the Internet.

The groups pointed out that the bill is ambiguous about what can be declared as a cyber-attack, and the bill itself can be flexible enough to be manipulated to censor the Internet or limit free speech, which is a violation of the constitution’s First Amendment, according to The Hill.

"Those in Congress who have proposed an 'Internet Kill Switch' for the United States should realize the danger of their proposal now that Egyptian President Mubarak has flipped such a switch to stifle dissent in Egypt," Berin Szoka, president of TechFreedom told The Hill.

The details of the bill and its reintroduction are currently unavailable, but a Senate aide told The Hill that the committee is considering taking the more popular aspects of the proposed legislation and attaching them to other bills.

Tuesday, February 1, 2011

Syria Internet Disrupted As Egypt Blackout Catches On In Middle East

On the same day that Egypt has suspended online activity, Syria has also blocked internet service, according to reports.
Syria is known for a tight control of the internet, which was tightened further after the unrest in Tunisia, reports Reuters. Now, Al Arabiya is reporting that internet services have gone down completely in the country. Previously, Syria had blocked programs that "allow access to Facebook Chat from cellphones," according to Reuters.
Egypt's online services have reportedly been down since last night as the country's deadly protests continued into what was planned as the largest day so far.
Facebook has reportedly been blocked in Egypt for days, before which it was being used as a key tool for organizers. It was also used by the successful revolutionaries in Tunisia, raising concerns among other nations that it posed a threat.

Egypt's Last ISP, Noor Group, Vanishes from 'Net

The Noor Group, the last remaining Egyptian ISP that remained online, has disappeared from the Internet.
According to Renesys, Noor went offline at about 20:46 UTC, or about 3:45 PM ET.
"Very little about the Internet is indisputable, but we can say with certainty that Noor originated and transited prefixes are no longer seen from any of hundreds of vantage points around the globe," wrote the authors of the Renesys blog post, who included Earl Zmijewski, a Renesys vice president and general manager.
The authors also speculated that the outage had cut off in-country communications as well. "Without a way to reach them at present, we cannot comment on current in-country availability of services," they wrote. "However, we have past evidence of a lack of peering in-country, so even if various providers are up, they may not be able to exchange traffic with one another, partitioning the country."
Government officials ordered the shut down of Internet service in part to stop protestors from organizing on the Web via social-networking sites like Facebook and Twitter. In fact, Internet connectivity issues in the region first started last week when Egypt blocked access to Twitter and Facebook.
Noor, served several top businesses in Egypt, including the Egyptian Stock Exchange; the Egyptian Credit Bureau; and NTG, the National Technology Group providing IT processing to the aviation, banking and financial sectors. But just after 20:45, access to Noor-hosted sites began dropping, and within ten minutes the 80 or so networks that used Noor's services were unreachable, the site said.
For now, Internet access is barely reachable. For those without access to Noor, however, the French Data Network (FDN) is providing those with landlines access to dial-up networks.
"Because this is definitely [an] open attack from a state against [the] Internet, FDN has decided to open a small window on the network by giving access to anyone interested a modem access account," FDN said in a statement on its Web site.
The service will work for anyone with an analog land line that is capable of calling France, FDN said. The phone number and password is available on its blog.
Google, meanwhile, launched a tweet-by-phone service that will allow phone users access to Twitter services via SayNow, a service Google acquired that will transcribe the short messages into tweets.,2817,2379016,00.asp
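The withdrawal Renesys describes, where prefixes an AS originates or transits stop being seen from any vantage point, can be spotted by comparing route snapshots across collectors. The example below is added here and is not Renesys code: its vantage points, prefixes and ASNs (TARGET_ASN and the 64496 to 64502 range) are constructed documentation placeholders, and the route records use a simplified (vantage_point, prefix, as_path) form.

```python
"""Detect an AS vanishing from BGP tables across many vantage points.
Added example, not Renesys code. Routes are constructed (vantage_point, prefix,
as_path) records; the ASNs and prefixes are documentation placeholders."""
from collections import defaultdict

TARGET_ASN = 64500  # placeholder for the ISP being watched
VANTAGE_POINTS = {"vp1", "vp2", "vp3", "vp4"}

# Constructed "before" snapshot: TARGET_ASN originates two prefixes and
# transits a third for its customer 64501; 192.0.2.128/25 is unrelated.
BEFORE = [
    ("vp1", "198.51.100.0/24", [64496, 64500]),
    ("vp2", "198.51.100.0/24", [64497, 64496, 64500]),
    ("vp3", "198.51.100.0/24", [64498, 64500]),
    ("vp4", "198.51.100.0/24", [64499, 64498, 64500]),
    ("vp1", "203.0.113.0/24", [64496, 64500]),
    ("vp2", "203.0.113.0/24", [64497, 64496, 64500]),
    ("vp3", "203.0.113.0/24", [64498, 64500]),
    ("vp1", "192.0.2.0/24", [64496, 64500, 64501]),
    ("vp4", "192.0.2.0/24", [64499, 64498, 64500, 64501]),
    ("vp1", "192.0.2.128/25", [64496, 64502]),
]
# Constructed "after" snapshot: every path through TARGET_ASN has been withdrawn.
AFTER = [route for route in BEFORE if TARGET_ASN not in route[2]]


def visibility(routes, asn):
    """(prefix, role) -> fraction of vantage points that see the prefix via asn,
    where role is 'originated' (asn is the last hop) or 'transited'."""
    seen = defaultdict(set)
    for vp, prefix, path in routes:
        if asn in path:
            role = "originated" if path[-1] == asn else "transited"
            seen[(prefix, role)].add(vp)
    return {key: len(vps) / len(VANTAGE_POINTS) for key, vps in seen.items()}


def withdrawn_prefixes(before, after, asn, min_visibility=0.5):
    """Prefixes that were seen via asn from at least min_visibility of the
    vantage points before, and from none of them after: a full withdrawal."""
    vis_before, vis_after = visibility(before, asn), visibility(after, asn)
    return sorted(key for key, frac in vis_before.items()
                  if frac >= min_visibility and vis_after.get(key, 0.0) == 0.0)
```

Run against real collector data this flags both the originated and the transited prefixes, which is why a total disappearance also takes down customers that merely routed through the ISP.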

Arbor Networks targeted after DDoS report


Arbor Networks has sent over the following statement / Q&A:
Q: What is going on with
A: We are experiencing intermittent outages of our Website and are working with our upstream provider to address the issue. 
Q: Is Arbor under a DDoS attack?
A: As a security vendor, Arbor is constantly the target of attacks and attack threats. It is part of doing business in this space.
Q: Anonymous is taking credit, is that true?
A: We are not going to comment on any group’s claims, nor are we going to comment on what we are doing to resolve this or any other Website outages.
[Note: The questions and answers were emailed to TTH by Arbor Networks. They are not our own.]
Original Article:
Arbor Networks was made an official target of Operation Payback for a short time earlier this afternoon. The Distributed Denial-of-Service (DDoS) campaign started after some of the individuals gathered online noticed Arbor Networks' commentary on Operation Payback’s recent DDoS actions, including a comment that they were small and unsophisticated.

Global messages sent to users on the AnonOps IRC network said that Arbor Networks insulted them “saying a number of things. It is your job to show them we are sophisticated and organized.”
The insult appeared in a blog post by Craig Labovitz, the chief security scientist with Arbor Networks. The post, titled “The Internet Goes to War”, said that the recent actions taken by Operation Payback, such as the DDoS attacks on MasterCard, Post Finance, Visa, and PayPal were both “relatively small and unsophisticated”.
“In short, other than [the] intense media scrutiny, the attacks were unremarkable… While the last round of attacks led to brief outages, most of the carriers and hosting providers were able to quickly filter the attack traffic,” Labovitz said.
“In addition, these attacks mostly targeted web pages or lightly read blogs — not the far more critical back-end infrastructure servicing commercial transactions. By the end of the week, Anonymous followers had mostly abandoned their attack plans as ineffective.”
The Tech Herald has been online speaking with and observing those Anons who are loosely associated with Operation Payback for some time. The halt in DDoS operations was not due to a perceived failure. They stopped mostly because many of them felt that the point had been made. Others moved on to things such as Operation Leakspin.
This afternoon, as word of the Arbor Networks’ blog post filtered out, links to The Register started to spread in the IRC chatrooms. This led to calls for manual DDoS targeting. Soon after that, what started as a manual and unofficial DDoS campaign on, was quickly picked up by others. At 13:40 EST they were named an official target.
In true Anonymous fashion, some immediately followed the fold and targeted Arbor Networks, while others questioned the logic of such a response. Many viewed Labovitz’s comments as a calling out of sorts, so a response was needed. Think of it as a “this is what you get” type of DDoS.
Others took his comments at face value, and saw no reason for a response at all.
We spoke to a few people who refrained from participating in the Arbor Networks DDoS. Their reasons were that such an attack denies people access to the blog post, and as such removed Arbor Networks’ freedom of speech, the exact thing that Operation Payback was defending last week.
The targeting lasted about an hour. During that time Arbor Networks’ domain was reduced to a crawl or down completely. As we post this, the domain remains offline.
Online, one Anon reminded the others that they needed to remember the whole point of Operation Payback.
“Things like this [DDoS attacks] cause little harm and get publicity. Publicity grows the ranks. Arbor Networks simply said we're powerless. We simply demonstrated that they're wrong. It's a statement and it’s the sentiment that counts. No harm will be caused.”
Another remarked that the DDoS was a good test against Arbor Networks’ anti-DDoS software. "...their DDoS prevention failed, and their statement has been discredited."
We’ve reached out to Arbor Networks for comment, but calls were not returned by the time this went to press. As more information becomes available, we will update this post.

DDoS attacks made worse by firewalls

The rising tide of distributed denial of service attacks (DDoS) is being made much worse by a tendency to mis-deploy firewalls and intrusion prevention systems (IPS) in front of servers, a report by Arbor Networks has found.
The company surveyed 111 global service providers across the fixed and mobile sectors for its 2010 Infrastructure Security Report and uncovered a huge jump in DDoS attack size during the year. Maximum attack sizes reached 100Gbit/s for the first time, double the 2009 figure and ten times the peak size seen as recently as 2005, increasingly in the form of application-layer attacks rather than simple packet flooding.
Attack frequency also appears to be increasing, with 25 percent of respondents seeing 10 or more DDoS attacks per month, and 69 percent experiencing at least one.
But according to Arbor, service providers and corporates could significantly reduce their DDoS vulnerability by designing their security infrastructure to better position policy-based security devices such as firewalls.
During 2010, nearly half of all respondents had experienced a failure of their firewall or IPS due to DDoS, something that could in many cases have been avoided with better router security configuration.
“They [firewalls] should not be placed in front of servers. Folks do it because they have been programmed to do it,” says Arbor’s solutions architect, Roland Dobbins. In many cases, these devices became immediate bottlenecks in the face of DDoS, achieving the attackers' aims with ease.
Firewalls and IPS were fine for LANs where they filtered outgoing traffic, but turned into obvious points of failure when used as a barrier to protect servers receiving large volumes of inbound packets, he says.
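A small model of Dobbins' point, added here and not code from the article or from Arbor Networks: a stateful firewall keeps one entry per flow, so a flood of spoofed-source SYNs exhausts its table and legitimate connections are dropped at the device itself, while a stateless router ACL has no per-flow state to exhaust. The capacities, rates and half-open timeout are constructed values.

```python
"""Why a stateful device in front of a server becomes the DDoS bottleneck.
Added example, not code from the article or Arbor Networks; capacities, rates
and the timeout are constructed values chosen to make the effect visible."""
from collections import deque
from dataclasses import dataclass, field
import random


@dataclass
class StatefulFirewall:
    """One table entry per flow; a half-open entry lives `timeout` seconds."""
    capacity: int
    timeout: int
    table: deque = field(default_factory=deque)  # (expiry_time, flow_id)

    def admit(self, now: int, flow_id: str) -> bool:
        while self.table and self.table[0][0] <= now:  # expire old entries
            self.table.popleft()
        if len(self.table) >= self.capacity:
            return False  # state exhausted: every new flow is dropped
        self.table.append((now + self.timeout, flow_id))
        return True


class StatelessAcl:
    """Router ACL: a per-packet policy decision, no per-flow state to exhaust."""
    def __init__(self, allowed_ports):
        self.allowed_ports = allowed_ports

    def admit(self, now: int, flow_id: str) -> bool:
        return int(flow_id.rsplit(":", 1)[1]) in self.allowed_ports


def legit_success_rate(device, seconds=30, legit_per_sec=50,
                       attack_per_sec=2000, seed=1):
    """Fraction of legitimate new flows admitted during a flood of spoofed-source
    SYNs, each of which opens a fresh half-open flow on the stateful device."""
    rng = random.Random(seed)
    admitted = total = 0
    for now in range(seconds):
        flows = [(f"legit-{now}-{i}:443", True) for i in range(legit_per_sec)]
        flows += [(f"spoof-{now}-{i}:443", False) for i in range(attack_per_sec)]
        rng.shuffle(flows)  # legitimate and attack SYNs arrive interleaved
        for flow_id, is_legit in flows:
            ok = device.admit(now, flow_id)
            if is_legit:
                total += 1
                admitted += ok
    return admitted / total
```

The stateless path still hands the flood on to the server, so it has to be paired with upstream filtering of the kind the carriers in Labovitz's account applied; the point is only that the device in front does not itself become the failure.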
One thing that is clear from Arbor’s report is that DDoS size will go on increasing, fed ironically by increased investment in defences against DDoS generally. Rather like the growth in spam after the advent of efficient filtering, better defences force attackers to raise their game, throwing more and more traffic at targets in the hope of having some effect.
An interesting blind spot suggested by Arbor could be mobile networks, which Dobbins describes as being almost “accidental ISPs.”
Currently, mobile providers know almost nothing about the state of the handsets using their services, despite half reporting security problems with customers. The same proportion reported outages due to security incidents, which suggests that such networks could become the next frontier for criminals to attack Internet targets.
“They don’t have visibility into their IP network. They are almost a decade behind,” says Dobbins of providers in this space.
Longer term, a missing piece of the DDoS defence is policing, with a significant minority of respondents expressing a lack of confidence in law enforcement. Many of the sceptics see no point in reporting attacks to law enforcement and have little hope of it doing much good even when they do.

Egypt versus the internet - Anonymous hackers launch DDoS attack

Hot on the heels of similarly politically-motivated attacks against websites belonging to the governments of Tunisia and Zimbabwe, hackers are bombarding official websites in Egypt with a DDoS attack.
The hackers' current target is believed to be the Egyptian Ministry of Communications and Information Technology, although at the time of writing it was still accessible.
A press release shared via Facebook by the loosely-knit "Anonymous" group uses stark language to make its demands of the Egyptian government:
"Anonymous wants you to offer free access to uncensored media in your entire country. When you ignore this message, not only will we attack your government websites, Anonymous will also make sure that the international media sees the horrid reality you impose upon your people."
Anonymous press release
The internet attacks are against a backdrop of anti-government protests in Egypt, with police using tear gas and rubber bullets to break up demonstrations.
"Anonymous" has used the internet to rally volunteers to participate in the attacks - dubbed "Operation Egypt" - seemingly in response to the country's attempts to crack down on public protests and block access to websites such as Twitter.
Yesterday Twitter confirmed that its site was being blocked by the Egyptian authorities and commented that it believed that "the open exchange of info & views benefits societies & helps govts better connect with their people".