Showing posts with label application-based attacks.

Thursday, June 23, 2011

Layer 7 Application attacks - (DDoS)


Security attacks are moving ‘up the stack.’  90% of security investments are focused on network security, yet according to Gartner, 75% of attacks are focused at the application layer and ‘over 90 percent of security vulnerabilities exist at the application layer, not the network layer.’  SQL Injection and XSS are the #1 and #2 most reported vulnerabilities and the top two in the OWASP Top 10.  Plus, from Forrester Consulting, the average loss of revenue per hour for a layer 7 DDoS attack is $220,000.  These vulnerabilities are some of the primary routes being exploited in many of the recent attacks.
Modern DoS attacks are distributed, diverse and cross the gap that divides network components from application infrastructure, yet many of these attacks are preventable. The problem is that organizations are using outdated network and/or desktop technology to try to protect against sophisticated application security attacks, against which traditional solutions like network firewalls, IPS or AV systems have little or no visibility and little or no role. It’s like trying to protect a city against a coordinated air attack by digging trenches in the ground. Wrong band-aid for the attack vector. 

It is interesting that these attacks have been around for a while; it also shows how hard it is to get protection right, especially when the attacks are blended.  Once a delivery vector is found, a variety of exploits can be used in quick succession until one works.  Most of these attacks would also have sailed invisibly through an IPS device – no offense to those solutions – they are just not designed to protect the application layer, or didn’t have a signature that matched.  A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks.

http://psilvas.wordpress.com/2011/06/22/cure-your-big-app-attack/

Tuesday, June 7, 2011

Use your brain - don't let your PC turn into a zombie


If you're in an office, like I am, take a look around. If there are 10 computers in the room, chances are one of them is a zombie.
According to a University of Sydney cyber security expert, studies have shown that about one in five home computers and one in 10 work computers are "zombies" that have been taken over and used to conduct illegal activity.
"The global average is 20 to 25 per cent that are probably infected which means about one in five," said Professor Michael Fry from the university's school of IT.
"These computers are taken over remotely and incorporated into botnet networks."
Botnets are networks of computers enslaved by malware allowing the "bot herder" or "bot master" to control them remotely.
Prof Fry said remotely-controlled computers were being used in everything from organised crime to cyber warfare.
"Controllers use botnets for stuff like identity theft, to launch mass spam campaigns, phishing attacks, and online advertising 'click fraud'," he said.
"But the big one that they are becoming the weapon of choice for are distributed denial of service attacks."
A denial-of-service attack is when someone directs such a huge volume of requests to a target website that the web server can't respond and the site becomes inaccessible to everyone.
A distributed denial-of-service, or DDoS, attack occurs when hundreds or thousands of infected zombie computers are enlisted to help.
Prof Fry said botnets were today's "weapon of choice" for organised crime conducting DDoS attacks, and there was a strong suspicion in cyber security circles that governments had also used botnets to sabotage other countries' IT systems.
He said individuals were already using attacks such as these to extort money right here in Australia.
"We had a case where a man in Alice Springs had his system go down one day," Prof Fry said.
"A little later he received an email from a group saying 'this was us and pay up or we’ll do it again'. He told them no and the next day they attacked him, bringing his whole system down."
There are even reports that individuals are able to hire botnets for a fee.
  • One in five home computers are enslaved "zombies"
  • Enslaved PCs used by "botmasters" in cyber attacks
  • That means my computer has more of a life than I do
Aim for the head
Prof Fry said the systems which were the most vulnerable to these sorts of attacks were "unpatched" machines — computers which haven't been updated with the latest defences from software providers.
"These regular update requests can be a nuisance but are essential to stay ahead in the day-to-day battle against cyber crime," he said.
Craig McDonald is the founder and chief executive of MailGuard, a company specialising in the online security needs of business. He said it was essential for individuals and businesses to check for regular software updates.
"You're only as protected as the last update," Mr McDonald said.
"And for businesses, as email is highly used for 'doing business', I would recommend a multi-layered managed email filtering service."
Mr McDonald said individuals needed to ensure they followed all the directions given by their software and to run full scans of all computers.
Prof Fry said the identification of malware could sometimes be extremely hard and the process had become an "arms race".
"The less sophisticated ones can be tracked down and stopped, but the detection of zombies or the detection of bot masters can be very difficult," he said.
"The whole thing is an arms race. You can develop a tool that is very good at detecting them but as soon as you do people are working to get better at covering their tracks.
"It’s a global problem — governments, ISPs and everyone else."

The biggest threat?
Last week Attorney-General Robert McClelland and Defence Minister Stephen Smith said the Australian Government would work towards the creation of its first ever national strategy for dealing with cyber security.
"The Cyber White Paper will examine what we need to do to protect ourselves online, the role of government, industry and the public in protecting our interests," McClelland told a cyber security function in Sydney.
The paper will be completed in the first half of next year and would look at a broad range of areas including consumer protection, cyber safety, cyber crime, cyber security and cyber defence, he said.
Earlier this year the Federal Parliament was the subject of a cyber attack with the computers of at least 10 federal ministers, including Prime Minister Julia Gillard and Defence Minister Stephen Smith, targeted and confidential emails possibly accessed.
The head of Sydney University's Centre for International Security Studies, Professor Alan Dupont, said cyber attacks were "possibly the biggest security threat facing Australia".
"Of course we need to understand the technical detail of cyber crime in order to keep ahead of the game but we want people to think more broadly about cyber security," Prof Dupont said.
"We are stressing the importance of how cyber attacks are conducted, why and by whom, in order to enhance understanding of systems' susceptibility to attacks.
"If we don't get on top of this in a defensive sense, everything on a computer network is vulnerable to attack."

Read more: http://www.news.com.au/technology/use-your-brain-dont-let-your-pc-become-a-zombie/story-e6frfro0-1226070293650#ixzz1OaFtTJ9F

Monday, March 28, 2011

Wikileaks DDoS spawns security arms race


Ever since supporters of Julian Assange took to the internet to launch DDoS attacks against Wikileaks naysayers, companies have woken up to a need to protect their entire infrastructure, and F5 Networks and their customers are now preaching the need to wrap all network applications into a secure environment.
Jason Needham, senior director of product management for F5, said that companies now more than ever need to protect every part of their online infrastructure, not just mission-critical applications.
"Wikileaks has woken up the industry to the fact that it's not about [protecting against] losing content, but it's also [protecting against] virtual protesting where flash crowds come in and try to take a service offline based on an agenda and protest of sorts," Needham said.
The real challenge in the conflict, he went on, is identifying who is a valid user and who intends to do the organisation harm online.
"One of the things F5 goes into organisations talking about is how to solve the DoS problem and its many faces. One of the faces it takes is from the unintelligent brute force attack, another face it takes is valid application-based attacks."
These application-based attacks work to disguise themselves as normal user interactions in order to exploit security vulnerabilities like SQL injections, Needham said.
The solution, according to Kurt Hansen, F5 Networks' local managing director, is to deploy a breadth of security activities "from intelligent filtering to dynamic security policies to really trying to decipher good users from bad users and help organisations stay online".
Hansen said that the bar had been lowered for people to take to the internet as hacktivists, with the only prerequisite being a working internet browser.


IPv6 isn't riding to the rescue

Needham also said the implementation of IPv6 wouldn't raise the bar for application-level security.
"The application security problem does not go away with IPv6. It's not going to solve the problem of DoS [attacks] and it's not going to solve the problem of application-based threats," Needham said, adding that the design of IPv6 may in fact make security enforcement more difficult.

"One of the inherent security functions of IPv6 is a point-to-point security tunnel between two devices, which means you're now encrypting all of your application-layer traffic from the attacker through to whatever they're attacking," he added.

According to F5, the only way to deal effectively with evolving security threats is to respond swiftly, with faster technology and with staff like Mark Wallis, a network administrator at credit card payment company Qvalent.
Wallis recently implemented a quick fix for a Java exploit without having to write a software patch, which, in the banking industry, can take time due to regulatory constraints.
Instead, Wallis wrote a rule into Qvalent's application firewall as a line of defence against the global Java exploit.
"We now look for that magic number within [our application firewalls]. It's never a number you're going to see in day-to-day transactions … and it's the type of thing we can get a fix out for within a 24-hour period," Wallis said.
Wallis went on to predict that the exploit may find its way into a new worm before a software patch comes to hand.
"What everyone is betting is that [the exploit] is going to pop up in a worm very quickly. I guarantee you that the next Stuxnet is going to be looking for that [exploit] and it's just so dead simple," Wallis said.

http://www.zdnet.com.au/wikileaks-ddos-spawns-security-arms-race-339309259.htm
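A virtual patch of the kind Wallis describes, as an added example that is not Qvalent's rule or any F5 product code: a small application-firewall check in Python that matches a placeholder token (the article does not give the real magic number) against URL-decoded request fields and blocks matching transactions while letting ordinary payments through. The rule id, the request dictionary shape and the sample transactions are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Placeholder standing in for the "magic number" Wallis matched on; the
# article does not give the real value, so this constructed token is used.
MAGIC_NUMBER_PATTERN = r"MAGIC-NUMBER-PLACEHOLDER"

# A virtual patch is an application-firewall rule: an id, a compiled regex
# and the request parts it inspects. Matching runs on decoded text so a
# URL-encoded copy of the payload does not slip past the rule.
RULES = [
    {"id": "VP-JAVA-1",
     "pattern": re.compile(MAGIC_NUMBER_PATTERN, re.IGNORECASE),
     "parts": ("query", "body", "headers")},
]

def _decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads normalise too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def _fields(request):
    """Yield (part, decoded_text) for each inspectable piece of a request."""
    yield "query", _decode(request.get("query", ""))
    yield "body", _decode(request.get("body", ""))
    for name, value in request.get("headers", {}).items():
        yield "headers", f"{name}: {_decode(value)}"

def inspect(request):
    """Return ('block', rule_id) on the first matching rule, else ('allow', None)."""
    for part, text in _fields(request):
        for rule in RULES:
            if part in rule["parts"] and rule["pattern"].search(text):
                return "block", rule["id"]
    return "allow", None

# Constructed sample transactions: a normal payment, one carrying the token
# in plain form, and one carrying it double-URL-encoded in the body.
SAMPLES = [
    {"query": "amount=19.99&currency=AUD", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"query": "amount=MAGIC-NUMBER-PLACEHOLDER", "headers": {}},
    {"body": "amount=MAGIC%252DNUMBER%252DPLACEHOLDER", "headers": {}},
]

def run_samples():
    """Apply the rules to every sample and return the list of verdicts."""
    return [inspect(r) for r in SAMPLES]
```

Because the token never appears in legitimate transactions, the rule can block outright rather than just log, which is what makes a same-day virtual patch practical while the real code fix goes through change control.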