IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

LastPass Sounds Breach Alert


Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass creates its hashing algorithms. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will be phishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common password reminders such as 'My dog's name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."
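As an added illustration of the weak-reminder cases Vigo describes (example code, not LastPass's own validation; the word list and thresholds are constructed), a check a password manager could run when a user sets a reminder:

```python
import re
import unicodedata

# Added example; not LastPass code. The word list and thresholds are constructed
# illustrations of the weak-reminder cases described in the article.

# Hint words that usually point at facts discoverable from social media profiles.
PERSONAL_FACT_WORDS = {
    "dog", "dogs", "cat", "cats", "pet", "pets", "mother", "mom", "father", "dad",
    "maiden", "birthday", "born", "anniversary", "school", "street", "wife",
    "husband", "son", "daughter", "kid", "kids", "team", "car", "hometown",
}
MAX_REUSED_WORDS = 1  # a reminder may repeat at most this many password words


def _normalize(text: str) -> str:
    """Lower-case, strip accents and reduce punctuation/whitespace to single spaces,
    so 'Correct-Horse' and 'correct  horse' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def check_password_reminder(password: str, reminder: str) -> list:
    """Return the reasons a reminder is unsafe; an empty list means acceptable."""
    pw = _normalize(password)
    hint = _normalize(reminder)
    problems = []
    if not hint:
        return problems  # setting no reminder at all is the safest choice
    hint_words = hint.split()
    if hint == pw:
        # The case the service already rejects.
        problems.append("reminder is the password")
    elif pw and (pw in hint or pw.replace(" ", "") in hint.replace(" ", "")):
        # "My password is correct horse battery staple"
        problems.append("reminder contains the password")
    else:
        # Passphrase users often echo some of their words in the hint.
        reused = [w for w in pw.split() if len(w) > 2 and w in hint_words]
        if len(reused) > MAX_REUSED_WORDS:
            problems.append("reminder reuses password words: " + ", ".join(reused))
    # "My dog's name": the hint leaks nothing directly, but the answer is easy to look up.
    personal = sorted(set(hint_words) & PERSONAL_FACT_WORDS)
    if personal:
        problems.append("reminder points at public personal facts: " + ", ".join(personal))
    return problems
```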

Password Vaults: Pros and Cons

The LastPass breach raises the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.


'Freak' Flaw Also Affects Windows


Microsoft is warning that all Windows operating systems are at risk from the vulnerability known as Freak, for "Factoring RSA-EXPORT Keys." The flaw exists in SSL, which is used to secure online communications, and could be abused by an attacker to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.

A new Microsoft security advisory (KB3046015) warns that Secure Channel, or Schannel, which encrypts traffic and transactions on most Windows platforms, is at risk from the Freak flaw.


"Microsoft is aware of a security feature bypass vulnerability in Secure Channel that affects all supported releases of Microsoft Windows," the alert says. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

As yet, there's no patch available for vulnerable Windows systems, although information security experts say they expect Microsoft to release related fixes quickly. In the interim, Microsoft has detailed a temporary workaround that can be used for most Windows systems. "You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor," it says. But it warns: "Windows will fail to connect to systems that do not support any of the ciphers listed in the workaround."

To date, however, there's no fix or workaround available for Windows Server 2003. "The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers," Microsoft says.

Risks to Apple, Android, Cloud

After quietly warning security vendors, government agencies and other organizations in recent weeks, security researchers first sounded a public alert about the Freak vulnerability on March 3. They've warned that the vulnerability exists in versions of OpenSSL prior to 1.0.1k, all Android devices that ship with the standard browser, as well as in Apple SSL/TLS clients, which are used by both Mac OS X clients and iOS mobile devices, among other operating systems. The vulnerability has been designated as CVE-2015-0204.

The Freak flaw could be exploited to downgrade a browser or other client's Internet connection from a relatively secure cipher, to an outdated - and weak - "export cipher," which attackers could then crack, allowing them to intercept communications or inject attack code into browsers. "What Freak allows you to do is, if you can break the RSA export-strength key, then you can provide a 'valid' certificate for a man-in-the-middle attack," says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. Tenable, which sells the widely used Nessus vulnerability scanner, has released a Nessus plug-in that will scan for Windows clients and servers that are vulnerable to Freak.

No Attacks Seen

But to date, there have been no signs that the Freak flaw has ever been exploited in the wild - against Windows servers and systems, or any other device. "The reality is, it's still really difficult to do - to break a key, it would still take a few hours or $100 of Amazon EC2 time," Millard says, referring to Amazon's Elastic Compute Cloud, which offers on-demand processing power. "There are so many other ways to break into a site. Hackers are smart; they don't use a sledgehammer to crack a walnut."

Still, related vulnerabilities remain widespread. The Freak Attack website, which is run by researchers at the University of Michigan, has been tracking the extent of the Freak vulnerability. The site reports that as of March 6, 9.5 percent of the websites on the Alexa index of the 1 million most popular top-level domains remained vulnerable to Freak, although that was a decrease from 12.2 percent of all such sites when the Freak vulnerability was first publicized on March 3. But 37 percent of all HTTPS servers with browser-trusted certificates remained vulnerable to Freak, as did 26 percent of all HTTPS servers, and neither of those statistics had declined since Freak was first publicized, the researchers say.

As of March 6, the Freak Attack website reported that the following client software remained vulnerable to the Freak flaw:

  • Internet Explorer
  • Chrome on Mac OS (patch available now)
  • Chrome on Android
  • Safari on Mac OS (patch due week of March 9)
  • Safari on iOS (patch due week of March 9)
  • Stock Android Browser
  • BlackBerry Browser
  • Opera on Mac OS
  • Opera on Linux

Cloud security firm Skyhigh Networks reported that as of March 4, 766 cloud providers also remained unpatched against the vulnerability, thus leaving their users at risk. "These services include some of the leading backup, HR, security, collaboration, CRM, ERP, cloud storage, and backup services," Sekhar Sarukkai, vice president of engineering at Skyhigh, says in a March 5 blog post. Across the company's 350 customers, meanwhile, he reports that 99 percent use at least one cloud provider that's vulnerable to the Freak flaw, while the average company uses 122 vulnerable services.

Don't Freak: How to Mitigate

The Freak Attack site says that to mitigate the vulnerability, anyone running a server "should immediately disable support for TLS export cipher suites," and that anyone who uses a browser should ensure that they have the latest version installed, and keep checking for new upgrades, since all major browsers should soon see a fix.

Finally, Freak Attack recommends that all systems administrators and developers ensure that their TLS libraries are fully updated. "Both OpenSSL and Microsoft Schannel are known to be vulnerable," it says. "Note that these libraries are used internally by many other programs." The site offers a number of tools that can be used to test for related flaws.
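To make the mitigation concrete, the following is an added example (not Microsoft's or freakattack.com's code) that takes a Schannel cipher-suite-order string, removes the export-grade suites, and optionally drops every plain-RSA key-exchange suite as the Microsoft workaround quoted above does; SAMPLE_ORDER is a constructed list, not the advisory's.

```python
import re

# Added example; not Microsoft's or freakattack.com's tooling. SAMPLE_ORDER is a
# constructed Schannel "SSL Cipher Suite Order" value (comma-separated suite names,
# as entered in the Group Policy editor), not the list from the Microsoft advisory.
SAMPLE_ORDER = ",".join([
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
])

# Plain RSA key exchange: the client encrypts the premaster secret to the server's
# RSA key, so a downgrade to an export-grade (factorable) RSA key breaks the session.
RSA_KEY_EXCHANGE = re.compile(r"^(TLS|SSL)_RSA_WITH_")


def is_export_suite(suite: str) -> bool:
    """Export-grade suites are named with EXPORT / EXPORT1024 / EXPORT40."""
    return "EXPORT" in suite.upper()


def uses_rsa_key_exchange(suite: str) -> bool:
    return RSA_KEY_EXCHANGE.match(suite) is not None


def harden_cipher_suite_order(order: str, drop_rsa_kex: bool = True):
    """Return (hardened_order, removed_suites).

    drop_rsa_kex=False applies only the minimal advice (disable export suites);
    drop_rsa_kex=True also drops every RSA-key-exchange suite, as the Microsoft
    workaround does, leaving only forward-secret (ECDHE/DHE) suites."""
    kept, removed = [], []
    for suite in (s.strip() for s in order.split(",") if s.strip()):
        if is_export_suite(suite) or (drop_rsa_kex and uses_rsa_key_exchange(suite)):
            removed.append(suite)
        else:
            kept.append(suite)
    if not kept:
        # The advisory's caveat: Windows cannot talk to peers that share no suite.
        raise ValueError("no cipher suites left; every outbound TLS connection would fail")
    return ",".join(kept), removed


if __name__ == "__main__":
    hardened, dropped = harden_cipher_suite_order(SAMPLE_ORDER)
    print("new order:", hardened)
    print("removed:", dropped)
```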

This is not the first time that Microsoft's Schannel has been at risk from a newly discovered vulnerability. In particular, a zero-day vulnerability in Schannel was discovered in November 2014. Before that, Schannel was at risk from the so-called POODLE flaw in SSL - first publicly revealed Oct. 14 - which was later found to affect TLS as well. The flaw could be exploited to intercept and read encrypted Internet communications, steal session cookies and impersonate users.



Survey shows cyber crime on the rise


An estimated 40% of Irish internet users have received emails or phone calls trying to get access to their computer or personal details such as their banking information.

That is according to the latest Eurobarometer poll on the experience of cybercrime.

Nearly a third of Irish internet users have discovered malicious software on their device, but just over half of them have installed anti-virus software.

This compares with an EU average of 61% who have taken this precaution.

16% of Irish internet users - the third highest in the EU - say they have had experience of their social media or email account being hacked compared to an EU average of 12%.

Among the top concerns of Irish people are the misuse of personal data, security of online payments and online purchases.

While Irish people are more aware of cybercrime than the EU average, half of users do not take basic precautions such as changing their passwords every 12 months.

And while internet access in Ireland has never been higher at 80%, Ireland is behind Sweden (96%) the Netherlands (95%) and Denmark (94%).

Lowest access was in Romania (54%), Portugal (55%), and Greece (58%).


HK Khan's curator insight, February 18, 2015 2:38 AM

We give the latest news on hacking, updates on cyber crimes, computer technology news, reviews and full-version software, and drivers for laptops.


Sony Hack a 'National Security Matter'


The White House says that it's treating the malware attack against Sony Pictures Entertainment and subsequent data leaks as a "national security matter." But the administration says it's too early in its investigation into the attack to definitively attribute the attacks to any particular group or nation state.


"This is something that's being treated as a serious national security matter," White House Press Secretary Josh Earnest told reporters in a Dec. 18 briefing. "There is evidence to indicate that we have seen destructive activity with malicious intent that was initiated by a sophisticated actor. And it is being treated by those investigative agencies, both at the FBI and the Department of Justice, as seriously as you would expect."

The hacker attack against Sony has reportedly included data theft and, on Nov. 24, wiper malware being used to erase Sony data. That's been followed by ongoing data leaks and other threats against Sony Pictures Entertainment and its employees.

Earnest says the ongoing attack "has also been the subject of a number of daily meetings that have been convened here at the White House," led by homeland security adviser Lisa Monaco and cybersecurity coordinator Michael Daniel and including representatives from intelligence, diplomatic, military and law enforcement agencies.

A group that calls itself the Guardians of Peace has claimed credit for the attack against Sony Pictures, including the leaks of stolen data, which has included top Sony Pictures executives' Outlook e-mail spools. After "G.O.P." launched its attacks and began leaking data, however, the group then claimed it would stop the data leaks if Sony canceled its forthcoming comedy "The Interview," which centers on a tabloid TV reporting team that gets approached by the CIA to assassinate Kim Jong-un, who heads the Pyongyang-based communist dictatorship that rules North Korea.

After G.O.P. published a "terror" threat against movie theaters, U.S. theater chains announced that they would not show the film. Subsequently, Sony announced that it would shelve "The Interview" indefinitely, which has sparked a further backlash against the already beleaguered movie and television studio.

Investigation Still 'Progressing'

In response to questions about whether North Korea launched or sponsored the Sony attack, Earnest said that while the investigation is "progressing," he was not yet able to comment on that question, Reuters reports. But he said that the administration "would be mindful of the fact that we need a proportional response," and cautioned that the people behind these types of malicious attacks were "often seeking to provoke a response."

"They may believe that a response from us in one fashion or another would be advantageous to them," Earnest said, for example, by focusing international attention on their agenda, or increasing their standing with peers.

Ken Westin, a security analyst at information security vendor Tripwire, says it is premature to attribute the Sony hack to any specific group or nation. "FBI notices have been sent out stating specifically no connection has been made and that the investigation is still under way," he says.


While the White House and FBI say it's too soon to blame the hack attack against Sony Pictures - which is a subsidiary of Japanese multinational conglomerate Sony - on any particular group or actor, other government officials have nevertheless been sharing their own theories with multiple media outlets. "We have found linkage to the North Korean government," a "U.S. government source" tells NBC News, which reports that the attack against Sony appeared to have been launched from outside North Korea. But no evidence was supplied that might confirm any supposed linkage to Pyongyang having participated in or ordered up the attacks.

Information security experts, meanwhile, have warned against reading too much into any supposed "linkage" between the Sony hack and North Korea, or the fact that unnamed government sources told the New York Times that North Korea was "centrally involved" in the attack against Sony, saying such suppositions have yet to be confirmed by the release of any supporting facts. In fact, security experts warn, the information being cited by unnamed government officials at times seems to contradict suggestions of Pyongyang involvement.

"People don't seem to be reading past the headline or first couple of paragraphs," says attrition.org CEO and security expert Brian Martin, a.k.a. Jericho, in a blog post, referring to the New York Times report. "What seems like a strong, definitive piece falls apart and begins to contradict itself entirely halfway through the article."

Intelligence Not 100% Reliable

Furthermore, what one unnamed intelligence source believes may not square with another intelligence source, warns Jeffrey Carr, CEO of threat-intelligence sharing firm Gaia International. He says the intelligence community "is rarely unified when it comes to intelligence analysis; especially cyber-intelligence."

Carr and other security experts have also warned that whoever is sharing supposed Sony-related intelligence may also have a political agenda. "Cybersecurity has become an increasingly political topic thanks to recent NSA revelations and increased defense spending being allocated to cyber defense - and offense - not to mention issues of pirating, net neutrality, privacy and related topics, all of which the Sony breach touches on," Tripwire's Westin says.

Despite the lack of solid evidence that proves North Korea is responsible for the Sony attack, some commentators have been referring to the hack against Sony in military terms. Former Congressman Newt Gingrich, for example, claims that "with the Sony collapse America has lost its first cyberwar."

But security experts have cautioned against jumping to conclusions. "I've said it for a week, and I must say it again," Martin of attrition.org says. "How about we wait for actual evidence. ... Remember, North Korea is the same country that threatened the U.S. with a nuclear missile earlier this year. They like to rattle their saber at everyone, but it doesn't mean they actually did anything."



Kyle Greene's curator insight, October 18, 2017 11:59 AM

Cyber Security is a growing concern among all companies in the Entertainment and Media industries. This article addresses the notion that the threat to companies' cyber security is so prominent that government agencies such as the White House and the FBI. I feel that this article is a reliable source because it is from a website hosted by Cyber Security workers, and authors who have firsthand experience in Cyber Security.


Devastating malware that hit Sony Pictures similar to other data wiping programs


A malware program with data wiping functionality that was recently used to attack Sony Pictures Entertainment bears technical similarities to destructive malware that affected organizations in South Korea and the Middle East in the past.

Security researchers from Kaspersky Lab, Symantec and Blue Coat Systems independently reported that Trojan Destover, the malicious program used in the Sony Pictures attack, relied on a legitimate commercial driver called EldoS RawDisk to overwrite data and master boot records.

That same driver was used by a piece of malware called Shamoon that is believed to have been used in August 2012 to render up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia.

A previously unknown hacktivist group called the Cutting Sword of Justice took credit for the attack on Saudi Aramco through a series of posts on Pastebin. The group said it targeted the company because it was the main financial source for Saudi Arabia’s Al Saud regime, which the group claimed supported oppressive government actions in countries like Syria, Bahrain, Yemen, Lebanon and Egypt.

The attack against Sony Pictures Entertainment was carried out by another previously unknown group called the Guardian of Peace (GOP), which claimed to have targeted the company because “Sony and Sony Pictures have made terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring in recent years.”

The sharing of a third-party driver is not enough evidence to establish a direct link between the two malware programs, but it is possible that the Destover creators copied techniques from Shamoon, especially since the EldoS RawDisk driver is an unusual choice for implementing data wiping functionality.

Both Destover and Shamoon stored the EldoS RawDisk driver in their resource sections and both were compiled just days before being used in attacks, researchers from Kaspersky Lab said in a blog post.


Destover shares even more commonalities with another wiper malware program called DarkSeoul or Jokra that affected several banks and broadcasting organizations in South Korea in March 2013.

“The malware used in the Jokra attacks contained code that did not begin wiping the hard drive until a set time period expired,” researchers from Symantec said in a blog post. “Destover is also configured to perform a delayed wipe. Furthermore, media outlets in South Korea have reported that a number of similar file names were used in both attacks.”

The Jokra attacks were accompanied by website defacements that displayed a message from an obscure group of hackers called the Whois Team. “This is the beginning of our movement,” the message said. “User accounts and all data are in our hands.”

The GOP also left a message for Sony Pictures informing the company that it had obtained its internal data and both GOP’s and Whois Team’s messages were accompanied by images of skeletons, though this might be a mere coincidence.

“Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack,” the Kaspersky researchers said. “It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.”

A more direct connection was established by Symantec between Destover and a backdoor program known as Volgmer that allows attackers to retrieve system information, execute commands, upload files, and download files for execution.

“Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets,” the Symantec researchers said. “The shared C&C indicates that the same group may be behind both attacks.”

The apparent links between Destover and malware that was used to target South Korean organizations will likely fuel ongoing speculation that North Korea might be behind the attack against Sony Pictures Entertainment, supposedly as retaliation for an upcoming comedy film called “The Interview” in which two reporters are asked by the CIA to assassinate North Korean leader Kim Jong Un. North Korea reportedly denied its involvement in the attack.

These commonalities “do not prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover,” the Kaspersky researchers said. “But it should be noted that the reactionary events and the groups’ operational and toolset characteristics all carry marked similarities. And, it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognizable similarities.”





New Rombertik malware destroys master boot record if analysis function detected


While malware that scans for analysis tools is nothing new, Cisco researchers have identified a new malware sample that takes its detection-evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post.


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make analysis even more difficult, more than 97 percent of the packed file in the Rombertik sample Cisco unpacked is dedicated to useless content, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.
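As an added illustration (not Cisco Talos code) of how an analysis tool can defend against the log-flooding trick just described, the following trace sink counts repeated write events at one instruction instead of logging each one; the addresses, the 120-byte line estimate and the scaled-down loop are constructed.

```python
import random
from collections import Counter

# Added example; not Cisco Talos tooling. A trace sink for a sandbox/analysis tool
# that counts repeated memory-write events instead of logging each one, so a
# "write one random byte 900 million times" loop cannot flood the log.

BYTES_PER_LOG_LINE = 120  # constructed estimate for one verbose per-event log line


def projected_raw_log_bytes(events: int) -> int:
    """Size of a naive one-line-per-event log."""
    return events * BYTES_PER_LOG_LINE


class CoalescingTraceLog:
    """One entry per (instruction address, operation, target address) with a repeat
    count. The written value is deliberately not part of the key: the evasion
    loop's writes differ only in the random byte, so keying on it would defeat
    the coalescing."""

    def __init__(self):
        self._counts = Counter()
        self._order = []  # keys in first-seen order

    def record(self, ip: int, op: str, target: int, value: int = 0) -> None:
        key = (ip, op, target)
        if key not in self._counts:
            self._order.append(key)
        self._counts[key] += 1

    def entries(self):
        return [(ip, op, target, self._counts[(ip, op, target)])
                for ip, op, target in self._order]

    def raw_event_count(self) -> int:
        return sum(self._counts.values())

    def coalesced_log_bytes(self) -> int:
        return len(self._order) * BYTES_PER_LOG_LINE

    def suspicious_loops(self, threshold: int = 1_000_000):
        """Sites that repeat at least `threshold` times: a log-flooding loop looks
        like this, ordinary program behaviour rarely does."""
        return [e for e in self.entries() if e[3] >= threshold]


def simulate_flooding_loop(log: CoalescingTraceLog, writes: int = 300_000, seed: int = 1):
    """Constructed stand-in for the evasion loop (scaled down from 900 million):
    a single write instruction storing a random byte to one stack address,
    followed by two ordinary events so the log has other entries."""
    rng = random.Random(seed)
    for _ in range(writes):
        log.record(ip=0x401000, op="write", target=0x12F000, value=rng.randrange(256))
    log.record(ip=0x401050, op="read", target=0x12F004)
    log.record(ip=0x401060, op="write", target=0x12F008, value=1)
    return log


if __name__ == "__main__":
    trace = simulate_flooding_loop(CoalescingTraceLog())
    print("events:", trace.raw_event_count(), "entries:", len(trace.entries()))
    print("naive log for 900M events (GB):", projected_raw_log_bytes(900_000_000) / 1024**3)
    print("flagged loops:", trace.suspicious_loops(threshold=100_000))
```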


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system, it's unlikely to evade them all, he said, making layered defense an important way to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix

How to protect your wireless router from malware


O D worries that other people, including criminals, can see his IP address. “What can happen if they come into my router?”

As I pointed out last year, your router’s IP address is anything but a secret. Every website you visit gets a look at that number. And from that IP address, they can discover your ISP and your general location (your neighborhood, but not your address).

But can they infect your router with malware? It’s not likely, but the danger is significant enough to take precautions.

[Have a tech question? Ask PCWorld Contributing Editor Lincoln Spector. Send your query to answer@pcworld.com.]

Last year, researchers discovered a worm, which they called TheMoon, that infected several Linksys routers. Linksys soon issued a fix to stop it. This wasn’t the first such attack, and it will almost certainly not be the last.

Note that TheMoon infected only Linksys routers. I’m not picking on Linksys; the next attack could be on D-Link or Netgear routers. That’s the nature of this kind of malware—it’s manufacturer-specific. So chances are that a worm that tries to attack your router won’t be compatible with it—and for once, you can be thankful for incompatibility.

What follows are the basic precautions everyone should take. For more details, read this helpful router security piece by Michael Brown and Jon L. Jacobi.

  1. Update your router’s firmware. Check the manufacturer’s website regularly to see if there’s a new version.
  2. Go into your router’s setup page and make sure that remote administration is turned off. (If the IP address is 0.0.0.0, it’s off.)
  3. Change the name of your wireless network. There’s no need to advertise the make of your router.
  4. Change the router’s password. I’m not talking about the Wi-Fi password, but the one that gets you into the router’s setup. And make it a strong password.

Finally, if you’re really worried, hide your IP address by using either an anonymity browser like Tor, or a virtual private network (VPN) like CyberGhost.




DDoS-attack takes Dutch government sites offline for 10 hours


A sophisticated distributed denial-of-service (DDoS) attack blocked Dutch government and privately run commercial sites from the public for more than 10 hours Tuesday.

The ministry of General Affairs, the National Cyber Security Center (NCSC), website hosting company Prolocation and services provider Centric are working to determine the specific methods used in the attack and who was behind it.

The attack, which started at 9:45 a.m. local time, was difficult to deflect because the attack patterns changed regularly, said Prolocation’s director, Raymond Dijkxhoorn. The attack was different from the usual DDoS attempts that happen on an almost daily basis and are easier to defend against, he said.

“It is the first time that we couldn’t deal with it,” Dijkxhoorn said.

The attack targeted the sites of the federal government directly, but also caused other sites that were hosted on the same network to go down, Dijkxhoorn said. Blog site Geenstijl.nl and telecom provider Telfort’s site were among those blocked in the attack.

A few of the sites on the network used DDoS-deflecting services from providers like Cloudflare, Dijkxhoorn noted. But unless all clients on a network are able to ward off a DDoS attack, there is a risk for other sites on that network, he said.

Geenstijl, for instance, uses Cloudflare, which will usually allow traffic to reach the site’s server when a DDoS attack targets the site. However, Geenstijl’s server can still become unreachable as a result of a DDoS attack aimed at other sites on the network that don’t have such protection, Dijkxhoorn said. The Dutch government did not use such external DDoS protection services, he said.

The DDoS attack consisted of a mix of methods used alternately, according to Dijkxhoorn. Though Prolocation has experience with DDoS attacks, this was the first time they encountered this strategy, he said. He declined to provide more details about the attacks, since he has agreed with the NCSC not to do so until the investigation is finished.

The NCSC and Centric both declined to comment on details of the attack, pending the investigation.

Prolocation, however, has discussed the incident with engineers at Prolexic and Akamai, who say they have seen similar methods used in DDoS attacks in other places around the world.

Sites hosted on the same IP block can go down as collateral damage when one site is the focus of the attack, confirmed Akamai’s manager for Belgium, the Netherlands and Luxembourg, Hans Nipshagen. If the government sites had used external DDoS filtering services, the network might have stayed up, he said.

While it was difficult to tell from the outside the exact methods used against the government sites, the DDoS attack seems to have been large-scale, employing a vast amount of traffic, Nipshagen said. Some big DDoS attacks use multiple vectors to deliver large bandwidth-consuming packets at an extremely high rate of speed, swarming target sites, according to an Akamai report. These incidents have been fueled by the increased availability of attack toolkits with easy-to-use interfaces as well as a growing DDoS-for-hire criminal industry, Akamai said.


Sony Hack: Ties to Past 'Wiper' Attacks?


The "wiper" malware attack against Sony Pictures Entertainment has numerous commonalities with previous wiper attacks in Saudi Arabia and South Korea, anti-virus firm Kaspersky Lab reports.

While that's no smoking gun proving that the same group is behind all three attacks, "it is extraordinary that such unusual and focused acts of large-scale cyber destruction are being carried out with clearly recognizable similarities," says Kurt Baumgartner, a Kaspersky Lab principal researcher, in a blog post.


Previous high-profile wiper malware attacks - designed to erase data from PC and file-server hard drives and delete the master boot record, so the machines cannot boot - have included the use of "Shamoon" malware against Saudi Aramco, and "Dark Seoul" malware against South Korean banks and broadcasters. The attacks - respectively launched in 2012 and 2013 - each resulted in an estimated 30,000 hard drives being erased. The identity of the attackers has never been confirmed - although South Korea published evidence of North Korean ties to Dark Seoul. Security experts say insiders, hacktivists or a nation state could be responsible.

Baumgartner sees an extensive list of similarities between the Shamoon and Dark Seoul campaigns, and the Nov. 24 Destover - also known as Wipal - malware campaign against Sony. From a timing perspective, for example, Kaspersky Lab says attackers compiled both the Dark Seoul and Destover wiper executable files 48 hours or less before the wiper attacks commenced, while Shamoon was compiled five days before the payload was set to "detonate."

For Sony, that timeline offers new clues about just how badly the company had likely been breached. "It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack," Baumgartner says, because it would have been very difficult to steal so much data and infect numerous systems in less than 48 hours.

Technical Similarities

Technically speaking, Shamoon and Destover both used commercially available EldoS RawDisk drivers, which enable developers to create applications that can gain direct access to Windows disks, thus allowing them to evade security restrictions or file locking, Baumgartner says. "The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself," he says. But the overwritten data wasn't just random zeros and ones. "Just like Shamoon, the DarkSeoul wiper event included vague, encoded pseudo-political messages used to overwrite disk data and the master boot record," he says.

By overwriting the master-boot record, or MBR, attackers could make it impossible to boot an infected Windows machine. But the good news, Baumgartner says, is that based on previous attacks, the attackers didn't forcibly wipe all data being stored on the disk, which ultimately made recovering whatever was being stored on the drive easier. "In the case of the DarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon 'destroyed' data," he says. "Destover data recovery is likely to be the same."
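The MBR overwrite described above leaves a recognisable footprint on the first sector of the disk. The following triage script is an added example for incident responders, not code from Kaspersky Lab or the article: it reads a 512-byte MBR sector from a disk image, decodes the partition table, and reports whether the sector looks like a wiper overwrite (missing 0x55AA boot signature, empty partition table, or boot code replaced by text or a repeated fill). The sample sectors are constructed inline and the "message" text is invented, not the one used in any real attack.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"

def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries that start at offset 446."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def assess_mbr(mbr: bytes) -> dict:
    """Flag an MBR sector that looks deliberately overwritten rather than merely damaged."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    sig_ok = mbr[510:512] == BOOT_SIGNATURE
    parts = [p for p in parse_partition_table(mbr) if p["type"] != 0 and p["sectors"] > 0]
    boot_code = mbr[:446]
    text_ratio = sum(32 <= b < 127 for b in boot_code) / len(boot_code)  # share of printable ASCII
    distinct = len(set(boot_code))                                        # 1-2 means a fill pattern
    findings = []
    if not sig_ok:
        findings.append("boot signature 0x55AA missing")
    if not parts:
        findings.append("no valid partition entries")
    if text_ratio > 0.9:
        findings.append("boot code area is mostly printable text")
    if distinct <= 2:
        findings.append("boot code area is a repeated fill pattern")
    return {"signature_ok": sig_ok, "partitions": len(parts),
            "findings": findings, "suspect": bool(findings)}

# Constructed sample sectors (not taken from any real disk image).
def build_healthy_mbr() -> bytes:
    code = bytes((i * 37 + 11) & 0xFF for i in range(446))          # stand-in for real boot code
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)      # one bootable NTFS partition
    return code + entry + bytes(48) + BOOT_SIGNATURE

def build_text_wiped_mbr() -> bytes:
    return (b"CONSTRUCTED WIPER MESSAGE " * 32)[:MBR_SIZE]          # message written over the sector

if __name__ == "__main__":
    for name, sector in [("healthy", build_healthy_mbr()),
                         ("text-wiped", build_text_wiped_mbr()),
                         ("zero-filled", bytes(MBR_SIZE))]:
        print(name, assess_mbr(sector))
```

On a real image, pass the first 512 bytes of the device or image file (for example `open(path, "rb").read(512)`) to `assess_mbr`; a "suspect" result is a cue to preserve the full disk before any repair, since, as the article notes, the data beyond the overwritten regions is often recoverable.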

Shamoon, Dark Seoul and Destover were all hit-and-run attacks committed by groups about which nothing is known. "All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically charged event that was suggested as having been at the heart of the matter," Baumgartner says.

The graphic and warning used by the "Whois" team that claimed credit for Dark Seoul, and the "Guardians of Peace" - or G.O.P. - group that's claimed credit for hacking Sony, are aesthetically quite similar, including similar fonts, colors, warning language and love of skull graphics.

Not New: Sabotage, Ransomware

But the technical, timing and aesthetic similarities don't prove that the same group was behind all three attacks, and security experts say that whoever launched Destover may have just carefully studied Shamoon or Dark Seoul.

And sabotage attacks launched against individuals and businesses are nothing new. On an individual level, for example, "what we are seeing a lot of is so-called ransomware, which is effectively a monetized version of this type of [wiper malware] attack," Roel Schouwenberg, a security researcher at Kaspersky Lab, tells Information Security Media Group.

While security experts say large-scale wiper attacks are rare, cybercriminals do sometimes employ these tactics. In June, for example, criminals used a distributed-denial-of-service attack against source code hosting firm Code Spaces to obscure their simultaneous 12-hour hack attack in which they deleted most of the business's data, machine configurations as well as onsite and offsite backups, and then demanded a ransom. Instead, Code Spaces shuttered.

Leaked: PII For Actors, Directors

For Sony, the breach is embarrassing for executives and puts employees and freelancers at risk. The list of leaked data includes Social Security numbers for numerous current and former employees and freelancers, including actor Sylvester Stallone, Australian actress Rebel Wilson and director Judd Apatow, The Wall Street Journal reports.

"More than 600 files that contained Social Security numbers - these included Acrobat PDFs, Excel spreadsheets, and Word docs - with more than 47,000 unique SSNs were publicly available," says Todd Feinman, president and CEO of data loss and leak-prevention firm Identity Finder, in a blog post, referencing data that had been leaked by Dec. 3.

The leaked information is reportedly now circulating on BitTorrent sites, meaning that anyone can download the files and potentially use the data to commit identity theft. The risk of ID theft - for example to fraudulently open credit card accounts or take out mortgages in someone else's name - for 15,000 current and former employees is high, Feinman warns, because their full names, birthdates, and home addresses are also included in the leaked Sony data.

Sony has not responded to repeated requests for comment on the hack attack.
