Thursday, June 23, 2011

Identifying the hacktivists of the emerging cyberwar

The hacktivist landscape has become increasingly cluttered, and while the anonymity they cling to makes clearly labeling each player difficult, the rising division between these groups is beginning to give them distinct identities.
The Internet has never been a safe place; since its inception, and its introduction to consumers, privacy and security have been major concerns. Now that the average person's computer skills are far beyond what they used to be, the problem is amplified. Couple this with the fact that millions of people are uploading vast amounts of personal and sensitive data and you have a recipe for serious cyber-insecurity. The advent of hackers with a conscience has exacerbated the situation while also putting a new twist on Web ethics.
Anonymous and LulzSec have become household names, and their Internet antics have captured the attention of just about everyone, including the CIA. But as identities and opponents merge, the cyberwar landscape has become confusing. Consider this an introductory course to the who’s who of hackers.

Anonymous

Anonymous first appeared on many radars after making worldwide headlines for its attack on the Church of Scientology in what it called Project Chanology. More recently the group became a household name shortly after the WikiLeaks Cablegate debacle.
When various hosting providers refused to host WikiLeaks' site, and credit card companies wouldn't offer a way for people to donate to the group, the hacktivists took it upon themselves to fight WikiLeaks' enemies. Anonymous used a series of DDoS attacks to take down the websites of MasterCard, Visa and PayPal, and drew the ire of international law enforcement.
So where did Anonymous come from? The group organized via the popular forum 4chan, and past victims include the Church of Scientology, Internet predator Chris Forcand, and censorship proponents worldwide. Many of its actions have been motivated by the group's own morals, which largely focus on freedom of information. Much of its recent work has centered on the Middle East uprisings, and the group has publicly announced its fight against the governments of Iran and Egypt. Other notable targets were HBGary, Sony PlayStation (although Anonymous claimed innocence for the PSN collapse), and Bank of America.
The group's press releases and announcements are typically well written and almost businesslike, as have been its denials; it has repeatedly had to deny attacks that others attributed to it. There have been rumors of inner turmoil that has led to different factions with separate agendas and personalities. At the moment, AnonNews is down due to DDoS attacks.

LulzSec

If Anonymous is the student body president of hackers, LulzSec is the class clown. The group hasn't been on the public scene very long, first gaining notoriety about a month ago when it attacked Fox.com in retaliation for the network calling the rapper Common "vile." But LulzSec's first breakthrough performance came when it hacked PBS and posted a fake report that Tupac Shakur was alive. The group claimed that this was in response to negative attention directed toward WikiLeaks and Bradley Manning. LulzSec also claimed responsibility for some of Sony's hacked web properties. Over the last month, LulzSec has also hit the FBI, Nintendo, and the CIA websites.
Despite some of its very serious and established opponents, LulzSec has time and time again affirmed it's "in it for the lulz." The group has also been extremely communicative with the public via its Twitter feed and even a phone request line, where it takes suggestions for hacks. The group has more of a prankster air to it than that of a serious freedom defender, although its beliefs seem to align with Anonymous'. LulzSec has taken to mocking its victims more openly and in a more lighthearted tone than Anonymous has, though, giving it an entirely different reputation from its more serious counterpart.

Anonymous vs. LulzSec?

There were rumors that Anonymous and LulzSec were opponents. After a series of DDoS attacks that slowed down various online games because of malicious traffic, some frustrated 4chan users decided to begin their own DDoS retaliation against LulzSec. The group then used its massively popular Twitter account to attack 4chan, which Anonymous took as a personal affront. By later that day, however, both had denied such a rivalry, and the two have since united for Operation Anti-Security to expose faulty handling of user data.

Web Ninjas vs. Anonymous and LulzSec

It’s a good thing Anonymous and LulzSec teamed up when they did, because Web Ninjas has its eye on them. It’s rumored Web Ninjas is the home of Th3J35t3r, who took down WikiLeaks shortly after it posted its stash of confidential diplomatic cables in fall 2010. Whether or not he’s a part of the coalition, the group insists it’s working for a “safer and peaceful Internet for everyone, not some bunch of kids threatening [the] Web and trying to own it for LULZ or in the name of publicity or financial gain or anti-government agenda.” The group released a large amount of information about the alleged identities of LulzSec hackers, including their whereabouts. LulzSec has denied the seriousness and truth behind these revelations, but an associate of the group was arrested today. LulzSec downplayed the amount of his involvement in the group, saying he is largely inconsequential to their operations. LulzSec also released the information of someone they believe attempted to out them.

Idahc

Residing (purportedly) outside this interwoven ring of hackers is Idahc. The Lebanese hacker is reportedly an 18-year-old computer science student and runs a one-man operation seemingly focused on Sony and Sony alone. He personally has moral issues with Sony, particularly for its treatment of George “GeoHot” Hotz and has said “If you want ethics, go cry to Anonymous. True lulz fans, stay tuned in.” He is thought to be behind many if not all of the hacks to various Sony Web properties. Idahc calls himself a grey hat focused on exposing the insecurity of Sony user accounts.

Despite their claims of independence and purported ethical intentions, the very nature of the groups inspires distrust. And it's difficult to admit that, alongside the apprehension about supporting what are legally cyber-criminals, comes some interest mixed with understanding: whether or not you agree with all of their ploys, combating oppressive regimes and censorship while also exposing the careless liberties large corporations take with user data is difficult to oppose. Of course, if you're one of the many who have had their email and password plastered all over Pastebin recently, you might feel otherwise.
http://www.digitaltrends.com/computing/identifying-the-hacktivists-of-the-emerging-cyberwar/

Layer 7 Application attacks - (DDoS)


Security attacks are moving 'up the stack.' Ninety percent of security investment is focused on network security, yet according to Gartner 75% of attacks target the application layer and 'over 90 percent of security vulnerabilities exist at the application layer, not the network layer.' SQL injection and XSS are the two most commonly reported vulnerabilities and the top two entries in the OWASP Top 10. Forrester Consulting puts the average revenue loss for a layer 7 DDoS attack at $220,000 per hour. These vulnerabilities are among the primary routes exploited in many of the recent attacks.
Modern DoS attacks are distributed and diverse, and they cross the gap that separates network components from application infrastructure, yet many of them are preventable. The problem is that organizations are using outdated network or desktop technology to try to protect against sophisticated application-layer attacks, against which traditional solutions such as network firewalls, IPS or antivirus have little to no visibility and no real role. It's like trying to protect a city against a coordinated air attack by digging trenches in the ground: the wrong band-aid for the attack vector.

These attacks have been around for a while, which shows how hard it is to get protection right, especially when the attacks are blended. Once a delivery vector is found, a variety of exploits can be tried in quick succession until one works. Most of these attacks would also have sailed invisibly through an IPS device. No offense to those solutions: they are simply not designed to protect the application layer, or they had no signature that matched. A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks.
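The attacks the post describes consist of valid HTTP requests, so nothing at the packet level distinguishes them; what gives them away is each client's behaviour over time, which is why an access log or an application-aware proxy sees what an IPS misses. The following is an added example, not code from the post above or from any vendor it mentions. It parses combined-format web access logs and flags two patterns: a high-rate burst, and a low-rate stream aimed only at endpoints that cost the backend real work (search, login). The log lines are constructed for the example, and the thresholds (20 requests in 10 seconds; 8 or more requests with 80% to expensive paths) are illustrative assumptions to be tuned per site.

```python
"""Flag layer-7 (HTTP) flood sources from web server access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Yield (ip, timestamp, path-without-query) for every well-formed line; skip junk."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"].split("?", 1)[0]


def peak_in_window(times, window):
    """Largest number of requests from one client inside any interval of length `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_l7_flood(log_text, window_seconds=10, max_burst=20,
                    expensive_prefixes=("/search", "/login"),
                    min_expensive=8, expensive_share=0.8):
    """Return {ip: findings} for clients whose traffic looks like an HTTP-layer flood.

    Two rules, both invisible to a packet-level IPS because every request is valid HTTP:
      burst  - at least `max_burst` requests inside any `window_seconds` interval
      target - at least `min_expensive` requests, nearly all of them to endpoints that
               cost the backend real work, even when the overall rate is modest
    """
    times = defaultdict(list)
    expensive = defaultdict(int)
    for ip, ts, path in parse_log(log_text):
        times[ip].append(ts)
        if path.startswith(expensive_prefixes):
            expensive[ip] += 1

    findings = {}
    window = timedelta(seconds=window_seconds)
    for ip, stamps in times.items():
        total = len(stamps)
        peak = peak_in_window(stamps, window)
        share = expensive[ip] / total
        reasons = []
        if peak >= max_burst:
            reasons.append("burst: %d requests in %ds" % (peak, window_seconds))
        if total >= min_expensive and share >= expensive_share:
            reasons.append("target: %.0f%% of %d requests hit expensive endpoints"
                           % (share * 100, total))
        if reasons:
            findings[ip] = {"requests": total, "peak_in_window": peak,
                            "expensive_share": round(share, 2), "reasons": reasons}
    return findings


# --- constructed sample traffic (not captured from any real server) -------------------
def _line(ip, seconds, path):
    ts = datetime(2011, 6, 23, 10, 0, 0) + timedelta(seconds=seconds)
    return '%s - - [%s +0000] "GET %s HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' % (
        ip, ts.strftime("%d/%b/%Y:%H:%M:%S"), path)


SAMPLE_LOG = "\n".join(
    # flood bot: 25 search requests, five per second, for five seconds
    [_line("203.0.113.7", i // 5, "/search?q=%d" % i) for i in range(25)]
    # slow but targeted: 12 login requests over 22 seconds, well under the burst threshold
    + [_line("192.0.2.9", 2 * i, "/login") for i in range(12)]
    # ordinary visitor: six page views over 25 seconds, one of them a search
    + [_line("198.51.100.4", 5 * i, p)
       for i, p in enumerate(["/", "/about", "/search?q=x", "/contact", "/", "/products"])]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, finding in detect_l7_flood(SAMPLE_LOG).items():
        print(ip, finding)
```

Run against the sample, the flood bot trips both rules and the slow login client trips only the target rule, while the ordinary visitor is left alone; in production the same two counters are what a rate limiter or WAF keys on, with the response (challenge, slow-down, block) decided per rule rather than per packet.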

http://psilvas.wordpress.com/2011/06/22/cure-your-big-app-attack/

Financial Mogul Linked to DDoS Attacks

Pavel Vrublevsky, the embattled co-founder of ChronoPay — Russia’s largest online payments processor — has reportedly fled the country after the arrest of a suspect who confessed that he was hired by Vrublevsky to launch a debilitating cyber attack against a top ChronoPay competitor.
KrebsOnSecurity has featured many stories on Vrublevsky’s role as co-founder of the infamous rogue online pharmacy Rx-Promotion, and on his efforts to situate ChronoPay as a major processor for purveyors of “scareware,” software that uses misleading computer virus infection alerts to frighten users into paying for worthless security software.  But these activities have largely gone overlooked by Russian law enforcement officials, possibly because the consequences have not impacted Russian citizens.
In the summer of 2010, rumors began flying in the Russian blogosphere that Vrublevsky had hired a hacker to launch a distributed denial of service (DDoS) attack against Assist, the company that was processing payments for Aeroflot, Russia’s largest airline. Aeroflot had opened its contract for processing payments to competitive bidding, and ChronoPay was competing against Assist and several other processors. The attack on Assist occurred just weeks before Aeroflot was to decide which company would win the contract; it so greatly affected Assist’s operations that the company was unable to process payments for extended periods of time. Citing the downtime in processing as a factor in its decision, Aeroflot ultimately awarded the contract to neither ChronoPay nor Assist, but instead to Alfa-Bank, the largest private bank in Russia.
According to documents leaked to several Russian security blogs, investigators with the Russian Federal Security Service (FSB) this month arrested a St. Petersburg man named Igor Artimovich in connection with the attacks. The documents indicate that Artimovich — known in hacker circles by the handle “Engel” — confessed to having used his botnet to attack Assist after receiving instructions and payment from Vrublevsky. The same blogs say Vrublevsky has fled the country. Sources close to the investigation say he is currently in the Maldives. Vrublevsky did not respond to multiple requests for comment.





The allegations against Artimovich and Vrublevsky were supported by evidence collected by Russian computer forensics firm Group-IB, which said it assisted the FSB with the investigation. Group-IB presented detailed information on the malware and control servers used to control more than 10,000 infected PCs, and shared with investigators screen shots of the botnet control panel allegedly used to coordinate the DDoS attack against Assist. Group-IB said Artimovich's botnet also was used to attack several rogue pharmacy programs that were competing with Rx-Promotion, including Glavmed and Spamit (these attacks also were observed by security firm SecureWorks in February).
This DDoS saga is the latest chapter in a fascinating drama playing out between the two largest rogue Internet pharmacies: Vrublevsky’s Rx-Promotion and Glavmed (a.k.a. “Spamit”), a huge pharma affiliate program run by Igor Gusev, the man who co-founded ChronoPay with Vrublevsky in 2003.
Gusev has been in exile from his native Moscow since last fall, when Russian authorities named him the world’s biggest spammer and lodged criminal charges against him for operating an illegal business. Spamit was forced to close shortly thereafter, and Gusev blames Vrublevsky for using his political connections to sabotage Spamit. Late last year, Gusev launched redeye-blog.com, a blog dedicated to highlighting alleged wrongdoing by Vrublevsky. In one post, Gusev charged that Artimovich agreed to DDoS Spamit.com because he believed forum members fleeing the program would join his own budding spammer forum: the still-active but largely dormant program Spamplanet.
Both ChronoPay and Glavmed/Spamit suffered hacking attacks last year that exposed internal documents, financial dealings and organizational emails. The data leaked from Glavmed/Spamit includes a list of contact information, earnings and bank account data for hundreds of spammers and hackers who were paid to promote the program’s online pharmacies. Those records suggest that for most of 2007, Artimovich was earning thousands of dollars a month sending spam to promote Spamit pharmacy sites.
The document that the FSB used to lay out the case for criminal proceedings against Artimovich, a.k.a. "Engel," states that he was paid for the DDoS services with funds deposited into a WebMoney account "Z578908302415". According to the leaked Spamit affiliate records, that same WebMoney account belonged to a Spamit affiliate who registered with the program using the email address "support@id-search.org." Web site registration records for id-search.org show that the name of the registrant is hidden behind paid privacy protection services. But historic WHOIS records maintained by DomainTools.com reveal that for a two-month period in 2008 those registration records were exposed; during that brief window, records listed the registrant as Igor Artimovich from Kingisepp, Russia, a town 68 miles west of St. Petersburg.
The emails and documents leaked from the hacking intrusion into ChronoPay last year show that Artimovich and Vrublevsky exchanged numerous emails about payment for unspecified services. Among them is an email receipt from WebMoney showing a transfer of more than $9,000 from an account Vrublevsky controlled to Artimovich’s Z578908302415 purse on July 6, 2010, just days before the DDoS attacks began. The notation listed next to the payment receipt? “Engel.”


http://krebsonsecurity.com/2011/06/financial-mogul-linked-to-ddos-attacks/

Wednesday, June 22, 2011

World Cup DDoS blackmailer sentenced to jail


A court in Düsseldorf, Germany, has convicted a man who extorted money out of online gambling websites in the run-up to the 2010 Football World Cup in South Africa.
The Frankfurt man, who has not been identified, successfully blackmailed three online betting sites (and attempted to extort money from three others) by threatening them with distributed denial-of-service (DDoS) attacks which could have blasted them off the internet.
According to German media reports, the blackmailer hired a botnet for $65 per day and told the betting firms that he would make their websites unavailable during July 2010 - the month of the World Cup - if they did not pay him 2,500 Euros ($3,700). When three of the sites refused to pay any money, the man reduced the ransom to 1,000 Euros.




http://news.hitb.org/content/world-cup-ddos-blackmailer-sentenced-jail

Network Solutions Fights Off Multiple DDoS Attacks:

Two attacks on consecutive days left Web host and domain name registrar Network Solutions' customers unable to access their Web sites and servers.
A distributed denial-of-service (DDoS) attack was carried out against Network Solutions yesterday afternoon, and again this morning, according to a post on the company's official blog by spokesman Shashi Bellamkonda.
"Our engineers worked quickly to mitigate the attacks and services are in the process of being restored," he wrote. "We continue to monitor this situation, as potential risk still exists for these attacks to recur."
Some customers complained of outages and said they could not reach the sites hosted by Network Solutions, and were having trouble accessing their e-mail and reaching their servers as of Tuesday afternoon. The company's Twitter feed was still saying that employees were working on bringing its network back online.

http://news.hitb.org/content/network-solutions-suffers-two-ddos-attacks

Hackers attack 1,500 Vietnamese websites

Foreign hackers have attacked an estimated 1,500 Vietnamese websites, including the online forum for white-hat hackers, since early this month.


The list of hacked websites ranges from government sites to sites dealing with real estate and electronics. In the latest case, Kon Tum Province’s Department of Education and Training's website was disrupted on Wednesday.
On June 5, www.hvaonline.net, a popular forum for legitimate web security technicians (aka white-hat hackers), fell prey to a sustained attack.
The hackers allegedly deployed a Distributed Denial-of-Service (DDoS) attack.
The website's service provider announced that most of the attacking hosts had Chinese IP addresses.
Shortly after the website was restored, on June 12, it was hit by another DDoS attack.
The Vietnam National Oil and Gas Group (PetroVietnam)'s site, petrotimes.vn, and a website used by the Vietnamese Ministry of Foreign Affairs were also hacked.
IT experts said the DDoS attacks did not cause huge losses to Vietnamese websites because they could not change the content of the websites.
The hackers used the attacks just to show what they are capable of, they said.
According to commenters in a number of popular IT forums, a number of Vietnamese companies and agencies were poorly equipped to deal with the online assault. “Foreign hackers are launching organized and deliberate attacks on Vietnamese websites,” said Vo Do Thang, director of Athena Network Security Center in Ho Chi Minh City.

http://www.i-policy.org/2011/06/hackers-attack-1500-vietnamese-websites.html

Hack Attack Exposes 1.3 Million Sega Accounts


LulzSec says to watch your Facebook, Gmail, and Skype passwords, though no one has claimed responsibility for the Sega breach.

Another day, another hacked website belonging to a video game manufacturer. On Friday, Sega confirmed news reports that attackers had compromised its systems, exposing data on 1.3 million users. Sega took the hacked Sega Pass system, which is both a newsletter and account management system for the company's online games, offline on Thursday. It gave no estimate for when the service would be restored. Despite the passwords having been encrypted, Sega reset all users' Sega Pass passwords. It also cautioned that "if you use the same login information for other websites and/or services as you do for Sega Pass, you should change that information immediately."
The attack against Sega follows comments made by Sega West CEO Mike Hayes to Eurogamer last month, in which he said that the PlayStation Network (PSN) hack, which resulted in over 77 million user accounts being compromised, was "an interesting wake up call for all of us." In particular, it led Sega to conduct an immediate security audit. "Fortunately we seemed pretty solid so we didn't have to do too many additional changes," he said.

According to a message posted on the Sega Pass website, "we had identified that unauthorized entry was gained to our Sega Pass database." Attackers stole Sega Pass members' email addresses, dates of birth, and encrypted passwords. "None of the passwords obtained were stored in plain text," said Sega, although it didn't detail the encryption technique used.

http://www.informationweek.com/news/security/attacks/231000042

'LulzSec suspect' arrested by New Scotland Yard

New Scotland Yard has confirmed that it has arrested a 19-year old suspected hacker in Essex, UK, in connection with a series of hacks and denial-of-service attacks against a number of organisations.
It is being widely speculated that the arrest is in connection with the high-profile attacks by the LulzSec hacking group, which has claimed amongst its victims Sony, the CIA, the FBI, and the Serious Organised Crime Agency (SOCA).
Officers from the Police Central e-Crime Unit (PCeU) arrested the man last night at approximately 10:30pm, on suspicion of breaching the Computer Misuse Act, and searched a house in Wickford, Essex, where they seized computer equipment which will undergo forensic examination.
The FBI and local Essex police worked in co-operation with the PCeU to investigate the case. The arrested man, who has been named as Ryan Cleary in many media reports, has been taken to a London police station for questioning.
It's important to note at this point that it has not been confirmed that the arrested man is suspected by the authorities of being involved with LulzSec. But many observers are speculating that that could be the case.
The controversial LulzSec group have been playing a dangerous game as they targeted "big players" such as the crime-fighting agencies around the world. Inevitably the authorities were not going to take kindly to that, and would put man-power to work seeking out intelligence as to who could be involved.
Seemingly drunk with the popularity of their Twitter account (which has more than 220,000 followers), they have become increasingly vocal in the messages they have made public, and have embarrassed computer crime authorities and large organisations around the world with their attacks.
One had to wonder if all of this bragging could lead to the group's downfall. It would, after all, be hard to keep a secret from friends and peers if you were a member of LulzSec.
There has been much speculation recently regarding who might be behind LulzSec. If the police believe that they have cracked the group, then a strong message will be sent to others considering engaging in illegal acts such as malicious hacking and denial-of-service attacks.
It will be interesting to see if LulzSec's Twitter account is updated, or has anything more to say about the arrest. Will it be a case of "who lulz last, laughs longest?"


http://nakedsecurity.sophos.com/2011/06/21/lulzsec-suspect-arrested-scotland-yard/

Soca website taken down after LulzSec 'DDoS attack'

The UK Serious Organised Crime Agency has taken its website offline after it appeared to be the victim of an attack by hacking group Lulz Security.
Soca said it had taken its website offline to limit the impact of the attack on other clients hosted by its service provider.
Soca.gov.uk had been unavailable for much of Monday afternoon, with an intermittent service restored later.
Lulz Security has said it was behind the denial of service attack which had taken the website offline.
Earlier on Monday, as the agency launched an investigation, LulzSec tweeted: "Tango down - in the name of #AntiSec".
The group has hit a number of high-profile websites in recent weeks, including the CIA and US Senate.
Soca appeared to be the victim of a distributed denial of service (DDoS) attack, where large numbers of computers, under malicious control, overload their target with web requests.
In a statement given to BBC News, a Soca spokesman said: "Soca has chosen to take its website offline to limit the impact of DDoS attack on other clients hosted by our service provider.
"The Soca website is a source of information for the general public which is hosted by an external provider. It is not linked to our operational material or the data we hold."
Embarrassment
Earlier on Monday, a LulzSec Twitter posting seemed to confirm the nature of the attack.
"DDoS is of course our least powerful and most abundant ammunition. Government hacking is taking place right now behind the scenes," it said.
The latest attack will come as an embarrassment for Soca, which is tasked with investigating cybercrime.
"It is not going to please the boys in blue one bit," said Graham Cluley, senior technology consultant at security firm Sophos.

Mr Cluley added that it was wrong to confuse DDoS with the kind of hacking that can lead to confidential information being stolen.
However, he warned that LulzSec was capable of both types of attack.
"They have in the past broken into websites and stolen e-mail addresses and passwords, so there is a lot of harm can be done."



Big Lulz
When Lulz Security first appeared in May, the group portrayed itself as a light-hearted organisation, bent on creating online fun and Lulz (laughs).
Soon after, details of its hacking exploits began to emerge.
The first involved stealing and publishing a database of US X-Factor contestants, including their e-mail addresses and phone numbers.
It followed up with a mixture of website denial of service attacks and intrusions where data was taken and made available on the internet.
On June 19, LulzSec declared that it would begin targeting government systems, calling the campaign Antisec.
"Top priority is to steal and leak any classified government information, including e-mail spools and documentation. Prime targets are banks and other high-ranking establishments," said a post on the group's website.
The reason for LulzSec's greater focus on government is unclear, although it appears to have recently ended a feud with the more politically-motivated group Anonymous.

http://www.bbc.co.uk/news/technology-13848510

CIA website and FBI hacked by LulzSec

Hacking collective LulzSec has decided to stop giving online gaming sites a hard time and instead put its efforts into taking down the CIA's website and the FBI's phone network.
Last week the group managed to DDoS the CIA's homepage and, along with it, the FBI's phone network in Detroit.
As per usual, LulzSec kept everyone updated with its hacking shenanigans on Twitter, posting on the site: "Tango down - CIA.Gov - for the lulz."
According to reports, it wasn't just the CIA and the FBI, either - the US Senate's website was also a target, but the group failed to compromise the site.

Love hack
LulzSec has been extremely busy over the last few weeks, but it has mostly targeted gaming sites. Its Titanic Takeover Tuesday campaign saw the group hack into Eve Online, Minecraft, League of Legends and FinFisher.
Even though LulzSec seems to be infiltrating websites just to show how poor the security is, this latest wave of hacks will have the US government keeping more than a close eye on it.

http://www.techradar.com/news/internet/cia-website-and-fbi-hacked-by-lulzsec-966715

Friday, June 10, 2011

Spain Nabs 3 Suspected Members of Anonymous

Spanish police arrested three suspected computer hackers who allegedly belonged to a loose-knit international activist group that has attacked corporate and government websites around the world, authorities said Friday. A National Police statement identified the three detainees as leaders of the Spanish section of a group that calls itself "Anonymous."
A computer server in one of their homes was used to coordinate and carry out the cyber attacks on targets including two major Spanish banks, the Italian energy company Enel and the governments of Egypt, Algeria, Libya, Iran, Chile, Colombia and New Zealand, the statement said.
The statement said the only other countries to act against "Anonymous" so far are the United States and Britain. It attributed this to what it called the complex security measures that members use to protect their identity. The suspects in Spain were arrested in Barcelona, Valencia and the southern city of Almeria, the statement said, without specifying when the detainees were picked up.

http://news.hitb.org/content/spain-nabs-3-suspected-members-anonymous

Thursday, June 9, 2011

Citigroup card customers data hacked

Computer hackers have breached Citigroup’s computer network and have accessed data on hundreds of thousands of its card customers, the Financial Times said.
Citigroup said the breach, which affected about 1 per cent of its card customers, was discovered in early May through routine monitoring.
According to the bank’s annual report, Citi Cards has about 21 million customers in North America.
The breach occurred at Citi Account Online, which holds basic customer information such as names, account numbers and e-mail addresses.
Other information such as birth dates, social security numbers and card security codes are held elsewhere and were not compromised, Citi said.
“The bank said it had contacted law enforcement officials and tightened its fraud detection procedures, but declined to provide further details or to say whether customers had reported suspicious transactions,” the FT reported.
Though Citigroup said the breach involved only credit card accounts, the FT said that several people have reported about their debit card details being compromised.
Hacking into companies is becoming increasingly common.
Lockheed Martin, PBS and Sony have all recently had their security breached.

http://www.thehindu.com/business/companies/article2090316.ece

Tuesday, June 7, 2011

Hackers may try to disrupt World IPv6 Day

Hundreds of popular websites -- including Google, Facebook, Yahoo and Bing -- are participating in a 24-hour trial of a new Internet standard called IPv6 on June 8, prompting worries that hackers will exploit weaknesses in this emerging technology to launch attacks.

BACKGROUND: Large-scale IPv6 trial set for June 8
Dubbed World IPv6 Day, the IPv6 trial runs from 8 p.m. EST on Tuesday until 7:59 p.m. EST on Wednesday.
Security experts are concerned that the 400-plus corporate, government and university websites that are participating in World IPv6 Day could be hit with distributed denial of service (DDoS) or other hacking attacks during the 24-hour trial.

"In the last five months, there has been a huge increase in DDoS attacks," says Ron Meyran, director of product marketing and security at Radware, a network device company that is not participating in World IPv6 Day. "IPv6 is going to be even easier for attackers ... because IPv6 traffic will go through your deep packet inspection systems uninspected."
Meyran says another concern is that IPv6 packet headers are four times larger than IPv4 headers. This means routers, firewalls and other network devices must process more data, which makes it easier to overwhelm them in a DDoS attack.
"With a DDoS attack, you need to reach 100% utilization of the networking and security devices to saturate the services," Meyran says. The longer headers in IPv6 "must be processed completely to make routing decisions."

"I wonder if there's going to be any sort of DDoS type of things going on ... or hackers probing servers that are dual-stack enabled [running IPv6 and IPv4 at the same time],'' says Jean McManus, executive director of Verizon's Corporate Technology Organization, which is participating in World IPv6 Day. "Content providers need to be careful and watch to make sure that everything is appropriately locked down."
Many security threats related to IPv6 stem from the fact that the technology is new, so it hasn't been as well-tested or de-bugged as IPv4. Also, fewer network managers have experience with IPv6 so they aren't as familiar with writing IPv6-related rules for their firewalls or other security devices.
"We know from security breaches that the security rules that allow you to see the network and applications better ... is where there is a lack of training and expertise with IPv6," Meyran says. "The new software is much more complex ... and there are much less programmers familiar with it."

BY THE NUMBERS: 8 security considerations for IPv6 deployment
World IPv6 Day participants say the event was advertised to everybody in the Internet engineering community, including hackers, and they are beefing up the security measures on their sites accordingly.
"This is a well-publicized event," says John Brzozowski, distinguished engineer and chief architect for IPv6 at Comcast, which is participating in World IPv6 Day both as a provider of IPv6-based cable modem services and as an operator of seven IPv6-enabled websites. "Anything can happen. IPv6 is no different than any other new technology. The potential [for attacks] is there. Protecting the network is key to us."

Brzozowski says Comcast will be monitoring its network for signs of attack throughout the trial. "We're taking the necessary steps so that the Comcast infrastructure is protected," he adds.
Juniper says that if its website comes under DDoS or other attack on World IPv6 Day, it will simply switch back to IPv4. "We can revert back to IPv4 in about five minutes," says Alain Durand, director of software engineering at Juniper, which is using its own translator-in-a-cloud service to IPv6-enable its main website for the day.
Akamai, a content delivery network with 30 customers that are participating in World IPv6 Day, says it isn't too concerned about hacking or DDoS attacks during the IPv6 trial.
"All of our command and control systems are going to stay on IPv4," says Andy Champagne, vice president of engineering with Akamai, which is developing a commercial IPv6 service. "Absent some underlying exposure in the protocol that we don't know about ... we think we're OK. We've got enough IPv6 capacity ... I don't expect any trouble."


Radware's Meyran says hackers may be so clever that they won't attack websites on World IPv6 Day but will instead wait until these sites turn IPv6 on permanently. "The hackers will be very happy to see this day go successfully and that sites are starting to deploy IPv6 because it opens up new areas of attack," he predicts.
That's why Meyran recommends network administrators who participate in World IPv6 Day follow up with an event focused on IPv6 security testing. "The next stage will be to ... run attack tools that simulate IPv6 attacks to make sure your firewalls are really seeing the network and that your intrusion protection systems can really do the deep packet inspection of IPv6 traffic," he says.
World IPv6 Day is a large-scale experiment sponsored by the Internet Society that is designed to discover problems with IPv6 before the new protocol is widely deployed.

The Internet needs IPv6 because it is running out of addresses under IPv4. The free pool of unassigned IPv4 addresses was exhausted in February, and in April the Asia Pacific region ran out of all but a few IPv4 addresses being held in reserve for startups. The American Registry for Internet Numbers (ARIN), which doles out IP addresses to network operators in North America, says it will deplete its supply of IPv4 addresses this fall.
IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet, while IPv6 uses 128-bit addresses and can connect a virtually unlimited number of devices: 2 to the 128th power. IPv6 offers the promise of faster, less-costly Internet services than the alternative, which is to extend the life of IPv4 using network address translation (NAT) devices.
One major stumbling block for IPv6 deployment is that it's not backward compatible with IPv4. That means website operators have to upgrade their network equipment and software to support IPv6 traffic.

http://www.networkworld.com/news/2011/060611-ipv6-security.html?page=1

http://www.networkworld.com/news/2011/060611-ipv6-security.html?page=2

Test driving the new internet...World IPv6 Day



If your Google search takes a little longer than normal tomorrow, or your Facebook doesn't update quite as quickly, it may be due to a trial of new technology.

Tomorrow is World IPv6 Day, when more than 100 companies around the world will test a new way of assigning addresses to devices on the internet.
Narelle Clark of the Internet Society of Australia said the switch was important because the current system, IPv4, was unable to cope with the growing number of gadgets going online.
"In the past, when we were running out of telephone numbers, we added a single digit," Ms Clark told news.com.au.
"We can't take that same approach for the internet, as the entire numbering system needs more capacity — not just one country.
"Over the last fifteen years or so we have come up with some great ways to make those IPv4 addresses last longer, but we're now at the end of the line."
Ms Clark said the IT industry had put off adopting the new protocol and now the switch had become both more urgent and more difficult.
"Unfortunately, all the things we've done to stretch things out have been so effective that we haven't made a timely move across to IPv6," she said.

"At the same time much of our use has matured, and we've come to rely on the internet for our economic, educational and social lives (which) is making the switch even harder."
The companies trialling IPv6 tomorrow include Facebook, Yahoo, Google, YouTube, Cisco, Akamai and Meebo.

Hopefully the trial will be a success; however, things may get bumpy for a few web surfers.
Google said it expected about 0.5 per cent of requests to fail due to network incompatibility, while Facebook said only 0.03 per cent of its users could be affected.
Facebook also said recent studies had indicated that about one in 2000 users have trouble connecting to dual-stacked websites, that is, sites that have both IPv4 and IPv6 addresses.
In a post on its engineering blog earlier this year, Facebook said the adoption of IPv6 had become a "classic chicken-and-egg puzzle".

"Websites don't want to enable IPv6 because a small number of their users may have trouble connecting," it said.
"At the same time, doing nothing means that ever more users will have trouble connecting."

http://www.news.com.au/technology/dont-panic-but-the-internet-might-break-tomorrow-just-a-little-bit-and-were-sure-theyll-fix-it/story-e6frfro0-1226071115396

Use your brain - don't let your PC turn into a zombie


If you're in an office, like I am, take a look around. If there are 10 computers in the room, chances are one of them is a zombie.
According to a University of Sydney cyber security expert, studies have shown about one in five home computers and one in 10 work computers are "zombies" that have been taken over and used to conduct illegal activity.
"The global average is 20 to 25 per cent that are probably infected which means about one in five," said Professor Michael Fry from the university's school of IT.
"These computers are taken over remotely and incorporated into botnet networks."
Botnets are networks of computers enslaved by malware allowing the "bot herder" or "bot master" to control them remotely.
Prof Fry said remotely-controlled computers were being used in everything from organised crime to cyber warfare.
"Controllers use botnets for stuff like identity theft, to launch mass spam campaigns, phishing attacks, and online advertising 'click fraud'," he said.
"But the big one that they are becoming the weapon of choice for are distributed denial of service attacks."
A denial-of-service attack is when someone directs such a huge volume of requests to a target website that the web server can't respond and the site becomes inaccessible to everyone.
A distributed denial-of-service, or DDoS, attack occurs when hundreds or thousands of infected zombie computers are enlisted to help.
Prof Fry said botnets were today's "weapon of choice" for organised crime conducting DDoS attacks, and there was a strong suspicion in cyber security circles that governments had also used botnets to sabotage other countries' IT systems.
He said individuals were already using attacks such as these to extort money right here in Australia.
"We had a case where a man in Alice Springs had his system go down one day," Prof Fry said.
"A little later he received an email from a group saying 'this was us and pay up or we’ll do it again'. He told them no and the next day they attacked him, bringing his whole system down."
There are even reports that individuals are able to hire botnets for a fee.
  • One in five home computers are enslaved "zombies"
  • Enslaved PCs used by "botmasters" in cyber attacks
  • That means my computer has more of a life than I do
Aim for the head
Prof Fry said the systems which were the most vulnerable to these sorts of attacks were "unpatched" machines — computers which haven't been updated with the latest defences from software providers.
"These regular update requests can be a nuisance but are essential to stay ahead in the day to day battle against cyber crime," he said.
Craig McDonald is the founder and chief executive of MailGuard, a company specialising in the online security needs of business. He said it was essential for individuals and businesses to check for regular software updates.
"You're only as protected as the last update," Mr McDonald said.
"And for businesses, as email is highly used for 'doing business', I would recommend a multi-layered managed email filtering service."
Mr McDonald said individuals needed to ensure they followed all the directions given by their software and to run full scans of all computers.
Prof Fry said the identification of malware could sometimes be extremely hard and the process had become an "arms race".
"The less sophisticated ones can be tracked down and stopped, but the detection of zombies or the detection of bot masters can be very difficult," he said.
"The whole thing is an arms race. You can develop a tool that is very good at detecting them but as soon as you do people are working to get better at covering their tracks.
"It’s a global problem — governments, ISPs and everyone else."

The biggest threat?
Last week Attorney-General Robert McClelland and Defence Minister Stephen Smith said the Australian Government would work towards the creation of its first ever national strategy for dealing with cyber security.
"The Cyber White Paper will examine what we need to do to protect ourselves online, the role of government, industry and the public in protecting our interests," McClelland told a cyber security function in Sydney.
The paper would be completed in the first half of next year and would look at a broad range of areas including consumer protection, cyber safety, cyber crime, cyber security and cyber defence, he said.
Earlier this year the Federal Parliament was the subject of a cyber attack with the computers of at least 10 federal ministers, including Prime Minister Julia Gillard and Defence Minister Stephen Smith, targeted and confidential emails possibly accessed.
The head of Sydney University's Centre for International Security Studies, Professor Alan Dupont, said cyber attacks were "possibly the biggest security threat facing Australia".
"Of course we need to understand the technical detail of cyber crime in order to keep ahead of the game but we want people to think more broadly about cyber security," Prof Dupont said.
"We are stressing the importance of how cyber attacks are conducted, why and by whom, in order to enhance understanding of systems' susceptibility to attacks.
"If we don't get on top of this in a defensive sense, everything on a computer network is vulnerable to attack."

Read more: http://www.news.com.au/technology/use-your-brain-dont-let-your-pc-become-a-zombie/story-e6frfro0-1226070293650

Sony apologises as hackers strike again!!!


Sony executives took to the stage at games show E3 to apologise for a massive hacking incident, as yet another attack targeted the beleaguered firm.
In April, Sony temporarily shut down its PlayStation Network, after hackers made off with details from 77 million accounts, including some credit card data.
"This is not the first time I've come to the stage at E3 with an elephant in the room," Jack Tretton, the head of Sony's gaming division in the US, told attendees of the show, as the firm unveiled an update to the PlayStation Portable, the Vita.
"I want to apologise personally and on behalf of the company for any anxiety that we have caused," he said. "It is you that causes us to be both humble and amazed at the amount of dedication and support you continue to give to the PlayStation brand."
Another hack
The apology came as hacking group Lulz Security said it had again targeted Sony, posting company data online.
The group posted what appeared to be Sony BMG network maps from a New York City office and what they said was 54MB of Sony developer source code.
"We're not commenting on this issue," said Sony Music spokeswoman Liz Young.
Last week, the group said it had broken into Sony's computer network and accessed information on more than one million customers to show the vulnerability of the company's systems.
Nobody has claimed responsibility for the attacks that Sony disclosed in April and May.

Read more: http://www.pcpro.co.uk/news/security/367849/sony-apologises-as-hackers-strike-again

RSA, the security division of EMC, has acknowledged that information stolen from its network was used to carry out a cyber attack against Lockheed Martin, and has offered to replace all of the 40 million SecurID hardware tokens in existence.

Back in March, RSA announced that attackers managed to penetrate its network and accessed information related to SecurID, its two-factor authentication solution. 
The company provided little information about the incident and the extent of the breach, a decision that attracted strong criticism from the information security community.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," the company said at the time.

Since then, three large U.S. government contractors, namely Lockheed Martin, L-3 Communications and Northrop Grumman, are believed to have been attacked using information stolen during the RSA breach.

Of these, only the Lockheed Martin attack has been publicly confirmed, and the attackers are said to have used cloned SecurID tokens to access the company's network.

Lockheed claims that its security team spotted and blocked the attack before any sensitive information was stolen, but the incident prompted a week-long remote network access ban and a change of SecurID tokens for all employees.

In a letter to customers sent yesterday, RSA acknowledged that intruders breached Lockheed Martin's security using information stolen from its systems. Furthermore, the company's chairman, Mr. Art Coviello, told the Wall Street Journal that as a precaution, the company will offer to replace the SecurID tokens for virtually every customer.

In addition, for certain customers, primarily those in the financial industry, RSA will provide transaction monitoring and other intrusion detection capabilities. Depending on their security requirements, some customers might not need to replace the tokens. "We believe and still believe that the customers are protected," Mr. Coviello said.
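Why a stolen seed database allows tokens to be "cloned", and why RSA could still say the information "does not enable a successful direct attack" yet can "reduce the effectiveness" of two-factor authentication, follows from how such tokens work: the tokencode is a deterministic function of a per-token secret (the seed) and time, so anyone holding the seed record for a serial number computes the same codes as the physical token. What the attacker still lacks is the user's PIN and the username-to-serial mapping, which is the "broader attack" (phishing, keylogging); and a replacement token carries a fresh seed, which is why the remedy is to swap hardware. The following is an added example, not RSA's code: SecurID's tokencode algorithm is proprietary and differs, so RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, six digits, 30-second steps) stands in for it. The serial number, PIN, timestamps and seeds are constructed; the first seed is the RFC test-vector secret so the primitives can be checked against published values.

```python
"""OTP tokens are shared-secret devices: a stolen seed record clones the token,
and the PIN plus replay checks are what remains.

Added example, not RSA's code. SecurID's algorithm is proprietary; RFC 4226
HOTP / RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s) is used as a stand-in.
Serial, PIN, timestamps and seeds are constructed.
"""
import hashlib
import hmac
import struct

STEP = 30   # seconds per tokencode


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(seed, unix_time // STEP, digits)


class TokenServer:
    """Authentication-server side. The seed database is what was at stake in the RSA breach."""

    def __init__(self):
        self.records = {}   # serial -> {"seed": bytes, "pin": str, "last_step": int}

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        # Re-enrolling a serial (token replacement) overwrites the old seed.
        self.records[serial] = {"seed": seed, "pin": pin, "last_step": -1}

    def verify(self, serial: str, pin: str, code: str, now: int, skew: int = 1) -> bool:
        """Accept the current step and up to `skew` earlier ones (user clock may lag).
        A step is accepted at most once, so a captured tokencode cannot be replayed."""
        rec = self.records.get(serial)
        if rec is None or not hmac.compare_digest(pin, rec["pin"]):
            return False
        step = now // STEP
        for cand in range(step, step - skew - 1, -1):       # nearest step first
            if cand <= rec["last_step"]:
                continue
            if hmac.compare_digest(hotp(rec["seed"], cand), code):
                rec["last_step"] = cand
                return True
        return False


def scenario() -> dict:
    """Legitimate use, the cloned token, and what token replacement changes."""
    serial, pin = "000123456789", "4711"                       # constructed
    seed = bytes.fromhex("3132333435363738393031323334353637383930")   # RFC 4226/6238 test secret
    server = TokenServer()
    server.enroll(serial, seed, pin)
    t1 = 1_307_000_010                                        # June 2011, on a step boundary
    out = {}
    out["user_login"] = server.verify(serial, pin, totp(seed, t1), t1)
    # Attacker holding the stolen seed record computes the very same tokencode...
    out["clone_replay_same_step"] = server.verify(serial, pin, totp(seed, t1), t1 + 5)
    t2 = t1 + STEP
    out["clone_without_pin"] = server.verify(serial, "0000", totp(seed, t2), t2)
    # ...and with a phished PIN the second factor is gone.
    out["clone_with_phished_pin"] = server.verify(serial, pin, totp(seed, t2), t2)
    # Remediation: replacement token, fresh seed. The clone now derives codes from a
    # seed the server no longer holds (agreement only by a ~3-in-a-million collision).
    new_seed = bytes.fromhex("00112233445566778899aabbccddeeff00112233")   # constructed
    server.enroll(serial, new_seed, pin)
    t3 = t2 + STEP
    out["stale_clone_after_replacement"] = server.verify(serial, pin, totp(seed, t3), t3)
    return out


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name:34s} accepted={accepted}")
```

The replay rejection is the one defence that works regardless of who holds the seed, which is why a seed leak is survivable for a single captured code but not against an attacker generating fresh codes at will; the transaction monitoring RSA mentions for financial customers is the server-side compensating control for exactly that gap. With the constructed values, `clone_with_phished_pin` is accepted and `stale_clone_after_replacement` is not.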
 
http://news.softpedia.com/news/RSA-Offers-to-Replace-All-SecurID-Tokens-Following-Lockheed-Martin-Attack-204609.shtml?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=s3cb0t