Series of DDoS attacks plague Linode data centers, infrastructure

Linode U.S. and U.K. locations were hit by a series of DDoS attacks that began Christmas Day.

Cloud hosting company Linode reported that a set of distributed denial of service (DDoS) attacks have caused service interruptions at DNS infrastructure and data center locations in the U.S. and the U.K., including Dallas, London, Atlanta, Frankfurt, Newark, N.J., Tokyo, Singapore and Fremont, Calif.

While some have been resolved, new attacks have continued to emerge and some disruptions remain ongoing.

The disruptions began on Christmas Day when the company discovered and resolved connectivity issues affecting the Linode Manager and Website, just days after it completed scheduled maintenance on Xen Linode host servers in the wake of receiving “several Xen Security Advisories (XSAs).”

On December 26, Linode said it experienced DDoS attacks on data centers in London, Dallas, Atlanta and Singapore that posed connectivity issues as well as an attack on its hosted DNS infrastructure that affected performance. Three days later, renewed and sustained attacks hit the Dallas center, causing connectivity problems for the Linode Website, Manager, and API. Likewise on Dec. 30, a large inbound attack prompted connectivity issues for the Linode Manager and Website and the company reported Lish connectivity concerns. December 31 brought another round of attacks on data centers in London, Dallas and Atlanta, which the company said were resolved, though they were quickly followed by another round of attacks on facilities in Newark, Frankfurt, Fremont, Atlanta and London.

Linode said it is working to mitigate the latest round of attacks but service interruptions remain at those locations, though service has returned in Newark.

“The DoS attack affecting connectivity in London is ongoing and we are still working with our upstream provider to mitigate it,” according to an update on the Linode website. “Users can expect to see packet loss and problems with connectivity to Linodes in London.” 

Attacks on hosting and data centers are commonplace and can be difficult to mitigate. “Unfortunately, the sheer size and scale of hosting or data center operator network infrastructures and their massive customer base presents an incredibly attractive attack surface due to the multiple entry points and significant aggregate bandwidth that acts as a conduit for a damaging and disruptive DDoS attack,” Dave Larson, COO at Corero Network Security, said in emailed comments to SCMagazine.com, noting that the damaging effects can domino.

“The multi-tenant nature of cloud-based data centers can be less than forgiving for unsuspecting tenants,” Larson said. “A DDoS attack, volumetric in nature against one tenant, can lead to disastrous repercussions for others; a domino effect of latency issues, service degradation and potentially damaging and long-lasting service outages.”

Steam confirms info on 34K users likely exposed in Christmas Day DoS attack

A DoS attack on Christmas Day left personal information on 34,000 Steam Store users exposed.

Steam confirmed in a statement on its website that a midday denial-of-service attack on Christmas likely exposed the personal information of 34,000 users via store page requests made between 11:52 a.m. and 1:20 p.m. PST.

While the statement said the information varied according to page, some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, the last two digits of their credit card number, and/or their email address. The company assured users that the “cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.”

Referring to “Steam’s troubled Christmas,” the statement noted that users who did not browse a Steam Store page with personal data during that time period shouldn’t worry that their information had been exposed. Valve, the firm behind the Steam gaming platform, and its web caching partner are trying to identify the users affected and will contact them accordingly. No unauthorized activity has been spotted.

The statement said the attack that began on Christmas morning “prevented the serving of store pages to users,” particularly confounding since the Steam Sale had generated a 2,000 percent increase in traffic to the Steam store. Cache management rules were deployed, in an effort to reroute “legitimate” traffic as well as “minimize the impact on Steam Store servers.”

But a second caching configuration deployed in response to the second wave of the attack “incorrectly cached web traffic for authenticated users” and inadvertently let some users see “Steam Store responses which were generated for other users.” When the error was spotted, the store was shuttered until the company deployed a new caching configuration and remained down until all the caching configurations had been reviewed and confirmation was received that “the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.”
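The misconfiguration described above, modelled as an added example (not Valve’s or its caching partner’s configuration; the users, paths and session cookies are constructed): a cache keyed on the URL alone returns one authenticated user’s page to the next visitor who requests that URL, while a cache that either skips authenticated responses or includes the session in its key does not, and both fixes still cache the public pages that absorb a traffic spike.

```python
"""Toy model of an edge cache in front of a web store.

Added example, not Valve's or its caching partner's configuration. Shows why a
cache keyed on URL alone serves one logged-in user's page to the next visitor,
and two configurations that avoid it while keeping public pages cached.
"""
from typing import Callable, Dict, Optional, Tuple

Request = Tuple[str, Optional[str]]   # (path, session cookie; None means anonymous)
Response = Dict[str, str]

# Constructed sample accounts; the cookie stands in for an authenticated request.
USERS = {
    "sess-alice": {"name": "alice", "billing": "1 Example Street, Sampletown"},
    "sess-bob": {"name": "bob", "billing": "99 Placeholder Road, Testville"},
}


def origin(req: Request) -> Response:
    """Stand-in for the store backend. Anonymous pages are identical for everyone;
    authenticated pages embed account data, as the cached Steam pages did."""
    path, cookie = req
    if cookie is None:
        return {"body": f"{path}: public store page", "owner": "anonymous"}
    user = USERS[cookie]
    return {
        "body": f"{path}: store page for {user['name']}, billing address {user['billing']}",
        "owner": user["name"],
    }


class EdgeCache:
    """Minimal edge cache: key_fn maps a request to its cache key, store_fn decides
    whether a response may be kept for later requests with the same key."""

    def __init__(self, key_fn: Callable[[Request], object],
                 store_fn: Callable[[Request, Response], bool]) -> None:
        self.key_fn = key_fn
        self.store_fn = store_fn
        self.entries: Dict[object, Response] = {}
        self.origin_hits = 0

    def fetch(self, req: Request) -> Response:
        key = self.key_fn(req)
        if key in self.entries:
            return self.entries[key]          # served from cache, whoever is asking
        self.origin_hits += 1
        resp = origin(req)
        if self.store_fn(req, resp):
            self.entries[key] = resp
        return resp


def broken_cache() -> EdgeCache:
    """Misconfiguration: key on URL only and cache every response, logged in or not."""
    return EdgeCache(key_fn=lambda req: req[0], store_fn=lambda req, resp: True)


def bypass_cache() -> EdgeCache:
    """Fix 1: never store a response that was generated for an authenticated request."""
    return EdgeCache(key_fn=lambda req: req[0], store_fn=lambda req, resp: req[1] is None)


def keyed_cache() -> EdgeCache:
    """Fix 2: make the session part of the key, which is what an HTTP 'Vary: Cookie'
    response header asks a shared cache to do."""
    return EdgeCache(key_fn=lambda req: req, store_fn=lambda req, resp: True)


def cross_user_leak(cache: EdgeCache) -> bool:
    """Alice loads a page, then Bob requests the same URL. True if Bob gets Alice's page."""
    cache.fetch(("/app/10", "sess-alice"))
    bob = cache.fetch(("/app/10", "sess-bob"))
    return bob["owner"] != "bob"


def anonymous_still_cached(cache: EdgeCache) -> bool:
    """The fixes must not disable caching of the public pages that absorb a traffic spike."""
    cache.fetch(("/app/10", None))
    before = cache.origin_hits
    cache.fetch(("/app/10", None))
    return cache.origin_hits == before


if __name__ == "__main__":
    for name, factory in [("broken", broken_cache), ("bypass", bypass_cache), ("keyed", keyed_cache)]:
        print(f"{name:7s} leaks across users: {cross_user_leak(factory())}, "
              f"public page cached: {anonymous_still_cached(factory())}")
```

The two fixes trade differently: refusing to cache authenticated responses costs origin capacity during a spike, while keying on the session keeps per-user caching but means a stolen or guessed cookie value maps to that user’s cached pages, so the key must include the whole session identifier, not a prefix or a user-controlled header.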

China’s anti-terror law mandates tech firm cooperation

China passed a new, wide ranging anti-terror law this week that includes provisions requiring telecom operators and Internet service providers to provide technical assistance, including decryption, to government authorities investigating terrorist activities.

According to the report by China’s official Xinhua news agency, those firms will also be called on to “prevent dissemination of information on terrorism and extremism.”

Li Shouwei, deputy head of the parliament’s criminal law division under the legislative affairs committee, said at a press conference that the new law would “not affect companies’ normal business nor install backdoors to infringe intellectual property rights,” reflecting an approach that, at least publicly, appears to be similar to that advocated by U.S. politicians who have been engaging in the debate over strong encryption.

“The clause reflects lessons China has learned from other countries and is a result of wide solicitation of public opinion,” Li told reporters, adding, that the new anti-terror law would not infringe on “citizens’ freedom of speech on the Internet and their religious freedom.”

U.S. legislators recently passed the oft-criticized Cybersecurity Information Sharing Act promoting information sharing between the private sector and federal government, and now members of Congress and law enforcement officials such as FBI Director James Comey have called for greater access to encrypted communications. Speaking at RSA Conference 2014 in San Francisco, Comey said that surveillance is necessary for effective law enforcement. Earlier this month, in Senate testimony, Comey said: “We want to get to a place where if a judge issues an order, the company figures out how to supply that information to a judge and figures out on its own how to do that.”

North Korea’s Red Star OS takes another approach to security

Meanwhile, software researchers presenting their analysis of North Korea’s Red Star OS at the Chaos Communication Congress in Hamburg this week reported that the totalitarian regime’s homegrown OS features customized encryption algorithms, tamper protection and file watermarking to track illegal copying.

The operating system, based on Red Hat Fedora and KDE and emulating the look of OS X, has been extensively modified by North Korean developers, according to researchers Florian Grunow and Niklaus Schiess of German IT security company ERNW GmbH.

Red Star OS was designed with security in mind and includes a firewall, virus scanner and encryption software that, while based on standard encryption algorithms such as AES, includes modifications which the researchers speculated were to avoid any backdoors that might have been placed in those algorithms. However, Grunow said that the operating system is a “privacy nightmare.”

One feature incorporated into Red Star OS is a mechanism that adds a watermark to any file mounted to a Red Star OS file system, which allows North Korean authorities to trace files passed from one user to another whether by network or passed along in portable storage media like USB drives.

Red Star OS also continuously monitors hashes of certain key files to protect the integrity of the system. If any of those files have been modified, the OS will reboot, instantly.

And in other news:

  • New Year’s Day is the beginning of the end for SHA-1. As previously announced by Microsoft, Google and Mozilla, up-to-date browsers will begin flagging websites signed with SHA-1 certificates issued after January 1, 2016. When encountering a SHA-1 certificate, the Firefox browser will show an “Untrusted Connection” error and Chrome (starting with version 48) will display a certificate error. Microsoft has announced that, starting on that date, “Windows (version 7 and higher) and Windows Server will no longer trust any code that is signed with a SHA-1 code signing certificate and that contains a timestamp value greater than January 1, 2016.” Such certificates should not be issued, however, because the CA/Browser Forum baseline requirements call for certificate authorities to stop issuing SHA-1 certificates by that date. Experts have been calling for deprecation of SHA-1 since 2004 because of its weakness in the face of increasing computing power.
  • U.S. Representative Michael McCaul (R-Texas) and Senator Mark Warner (D-Virginia) proposed “a national commission on security and technology challenges in the digital age” in a recent editorial in The Washington Post. The Congressmen wrote: “Because extremists are ‘going dark,’ law enforcement officials warn that we are ‘going blind’ in our efforts to track them.” The commission would be tasked with finding solutions to the security challenge of detecting and disrupting terrorist group communications without weakening the encryption used for commerce and privacy with backdoors. McCaul, chairman of the House Homeland Security Committee, previously called for establishment of the commission early in December in what he called the first annual State of the Homeland Security Defense Address, where he proposed bringing together “the technology sector, privacy and civil liberties groups, academics, and the law enforcement community to find common ground.”


These are our New Year’s security resolutions – tell us yours

If we want computer security in 2016 to be anything other than a repeat of computer security in 2015 then we’ll have to do things a bit differently in the New Year.

And when I say “we” I mean “all of us”, because we can all do things a little better (and, anyway, your users are gearing up for another 366 security groundhog days).

Yup, 2016 is in our hands!

I asked our regular Naked Security writers what they’ll be doing differently in 2016, and here is what they said. (You can tell us what you’ll be doing differently in our comments section below.)


Mark Stockley

In 2016 I will stop treating my Mac’s offer to postpone software updates like the snooze button on my alarm clock.

If my laptop is open then it means I’m working and I don’t want to down tools for a software update. When I’m asked if I want to install software updates now or in one hour I choose one hour.

I tell myself that one more hour won’t hurt. I tell myself that what I’m doing is terribly important, that I’ll have finished in an hour, and I’ll do the update then.

I tell myself this every hour, over and over, for days, for weeks.

In fact I have an update pending now…


John Zorabedian

A couple of months ago, I went out and bought an external hard drive, but it sat in the box for weeks. I know, I know – a lot of good it was doing me. Imagine how silly I would have felt if, during that time, I had lost my laptop containing all of my important images and other private data. Or it was stolen or damaged. Or I had somehow gotten ransomware on my Mac, making all my files unreadable.

Good intentions will get me nothing. In 2016, I pledge to be much more conscientious about backing up my personal files on a regular basis.


Lisa Vaas

Lisa’s first thought was to “wiggle the crap out of ATMs” to check them for any phony bits that thieves might have stuck on in an effort to skim bank cards. She changed her mind after writing up yet another facepalm-inducing tale about a preposterous Facebook hoax that hooked users with CAPITALISED promises of a share of the Zuckerbergs’ largesse.

Now her resolution is simply to “yell at people more”.


Paul Ducklin

No more New Year’s resolutions for computer security! We need to make online security into a long-term digital lifestyle choice instead of something you can put off until the day after the night before… errr, which is my New Year’s resolution, I guess.


Your End Users

If you’re wondering what your end users will be doing in 2016, our marketing folks have put together this handy instructional video that explains exactly what you’re in for.



You!

Now it’s up to you, dear reader – make your computer security resolution a public pledge in our comments section below!


Hacks! Breaches! Skimming! And some good news, too… [Chet Chat Podcast 225]

Sophos Security Chet Chat – Episode 225 – Dec 31, 2015

If you’re a regular weekly Chet Chat listener, you’ll know that our last episode was back at the start of this month…

…for the very good reason that Chester, after a year crammed with work-related travel, decided to do some travelling on his own account, and have a vacation.

But he’s back now (you can hear how he spent his vacation if you take a listen), and so is the Chet Chat.

So, join regular host Chester Wisniewski, and me, Paul Ducklin, for the NYE 2015 edition of our security podcast.

We look back over the past year to tell you what we think we’ve learned, and what we can do differently to improve our collective security and privacy in 2016.


John McAfee launching funding drive for password replacement technology

John McAfee takes time out of presidential bid to push to make passwords obsolete.

Cybersecurity legend and former fugitive John McAfee has launched a crowdfunding campaign to replace passwords.

The McAfee Antivirus founder started an Indiegogo campaign this week for his Everykey project, which he claimed would securely unlock users’ devices and enter their passwords.

The project is portrayed as a “master key” and so far has raised $63,000, or around 300 per cent of its original goal of $20,000.

Characteristically, McAfee said the project was “a f*cking game changer”.

“When our team first conceptualised Everykey, security was a top priority,” said McAfee. “That’s why we’ve built in military grade encryption and safety features like the ability to remotely freeze your Everykey if it’s lost or stolen.”

He said Everykey would work not only on smartphones and PCs but also on Bluetooth-enabled cars and doors. It uses Bluetooth to connect hardware to Everykey and can enter passwords stored on servers. Everykey will unlock a device when it is nearby and will lock it again when out of range. The device stores passwords using military-grade encryption.

If an Everykey is lost, it can be deactivated so that the hardware no longer recognises the dongle.

The project plans to start shipping the devices some time in March with donors able to choose perks such as multiple Everykeys, key rings and charging cables.

“When we looked at the access control industry, we saw an outdated and insecure system. We wanted to build something that was more personal and convenient. Instead of carrying a bulky keychain and remembering a list of passwords, we want your access control to be something you don’t have to think about. That was our dream back when this was just a school project, and we’re making it a reality with Everykey,” said Everykey CEO Chris Wentz.

Tor Project to launch first bug bounty program

Found a bit of rot in one of the anonymizing layers of the Tor service?

It well might be worth something – something monetary, that is, beyond just good karma with the pro-privacy population.

The Tor Project on Monday announced that as of the New Year, it will be paying bug bounties.

The bounty program was announced at the State of the Onion address at the annual Chaos Communication Congress art, politics and security conference in Germany, according to Motherboard.

The reference to onion, of course, is that Tor is short for “The Onion Router,” because it shuffles traffic around randomly inside its network, wrapping each step in its own layer of encryption, in the way that an onion is made up of concentric layers.

Nick Mathewson, co-founder, researcher, and chief architect of the Tor Project, told the publication that when it comes to scouring code, it’s time to get more people on board:

We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved.

The nonprofit Tor Project, founded by Roger Dingledine and Mathewson in 2006, develops and maintains free software and tools that support anonymous communications on the Dark Web.

Tor’s multiple layers of encryption shield the path your traffic takes, thus shielding your location and your connection to any hidden services you use.

But Tor’s own analysis has found that hidden services actually make up only a fraction of its traffic: about 3.4% of client traffic is hidden-service traffic, and 6.1% of traffic seen at a relay is hidden-service traffic.

In other words, it’s used for far more than buying drugs or dealing in child abuse images.

Tor’s normal, non-criminal users include journalists, law enforcement, activists, whistleblowers (Edward Snowden’s a user), those who don’t want to be surveilled, and people trying to protect their kids’ personally identifying information (PII), among others.

Details about the bug bounty program are limited, but we do know this: it’s going to be invitation-only, at least at first, and it will cover vulnerabilities specific to Tor applications.

Dingledine said that the Tor Project is working with a sponsoring organization, the Open Technology Fund (OTF).

The OTF is paying HackerOne, a platform for connecting researchers who discover vulnerabilities and the companies affected by them, to help it run the bounty program.

Tor already has a price on its head, of course. Or, rather, make that a few prices.

A new security company known as Zerodium, the company that made a splash in September by waving around $1 million for an iOS 9 bug, has offered $30,000 for an exploit affecting the Tor browser, according to Wired.

Russia, for its part, has offered a bounty of 3.9m rubles (about £65,000, or $55,000) to anyone who can peel the onion.

In the US, the Tor Project has accused the FBI of paying Carnegie Mellon $1 million to get its hands on technology that allowed it to pierce Tor’s layers, though the university has denied it.

Clearly, there’s money to be made by those who find a bug in Tor.

The Tor Project is understandably starting its bug program off gradually, opting for a model in which it hand-picks the bug finders it wants to start looking first.

But with all the interested parties out there who are keen to learn about a zero-day Tor bug before their surveillance targets do, and who are quite willing to pay for that early access, let’s hope the Tor people shift out of that slow start soon.

The faster the better, for the sake of all who rely on Tor.

Naked Security’s top 10 most popular stories of 2015

As 2015 passes into history, it’s fun to look back and ask: what did we learn?

We’ve already looked at some of the weirdest stories of 2015, and previewed 2016 with a funny video parody of New Year’s resolutions from end users.

But which stories got the most eyeballs, and what does that say about our readers’ biggest interests and concerns?

Here they are – the top 10 most popular stories on Naked Security in 2015, ranked in reverse order for dramatic effect!


10. The Siri-ous bug in iOS 9 that could have spilled selfies and contacts.

Siri is a convenient and fun tool for voice-activated web searching and much more, but she can also present a security risk.

Back in September 2015, a bug hunter discovered a way to exploit Siri from the lock screen to access contacts and stored photos. The bug affected all iDevices running iOS 9 and 9.0.1.

Although Apple fixed Siri’s security flaw in iOS 9.0.2, our advice still stands: reduce the possibility of future hacks by turning off Siri on the lock screen.


9. WhatsApp spy tool lets anyone track when you’re online.

In February 2015, a Dutch student created an online tool called WhatsSpy Public that could track any WhatsApp user, revealing when they are online. WhatsApp said this was a “feature” not a bug.

Facebook similarly dismissed privacy concerns when a Harvard student created a tool called Marauder’s Map, which tracked the location of contacts on Facebook Messenger.

Facebook subsequently changed its default location settings in Messenger, but it told the Harvard student he would no longer be invited to intern at Facebook because of how he publicized the privacy bug.


8. Facebook hoax claims Mark Zuckerberg is giving away millions to regular people.

We’re accustomed to seeing hoaxes, spam and scams spreading on the world’s most popular social network, but a recent Facebook viral post got a lot of attention from our readers.

After Facebook’s Mark Zuckerberg and his wife, Priscilla Chan, pledged to donate 99% of their wealth to a foundation they established, a hoax spread like wildfire claiming that Zuckerberg would be giving away some of the estimated $45 billion in stock to regular people on Facebook.

All you had to do, the hoax claimed, was copy and paste the post in your own feed (and spread the hoax even further to your own contacts). It was all nonsense. If it sounds too good to be true, it most certainly is.


7. What you sound like to a Sysadmin.

Lots of Naked Security readers are IT professionals, whose dedication we like to celebrate on occasions like SysAdmin Day.

We honored IT pros with one of our most popular posts this year, in which we parodied all of the frustrating things that users say.

We know how easy it is to get frustrated with IT – but just think how frustrating it must be from the other side of the support desk!


6. The Stagefright hole in Android.

One of the biggest security vulnerability stories of the year was a bug in Android known as Stagefright.

This bug could have allowed criminals to use booby trapped files or malicious MMS messages to install malware automatically on your Android device.

Stagefright, and another widespread Android vulnerability called OCtoRuTA, once again highlighted the difficulties of securing billions of Android devices from various vendors and carriers, all running their own variations of the operating system and patching security bugs on their own schedules.


5. Twitter troll fired and another suspended when Curt Schilling names and shames them.

Handling cyberbullies and trolls on social media is a difficult proposition. Do you ignore them? Block them? Report them?

Social media companies like Twitter and Reddit have made many failed attempts at cracking down on bullies.

Ex-baseball star Curt Schilling got results by naming and shaming trolls who went after his daughter – at least one of the trolls got fired from his job, and many more quickly turned apologetic when they were exposed on Schilling’s website.


4. Siri 9/11 “joke” is no laughing matter for police.

Some viral posts spread this year telling people to ask Siri about “9/11” (the shorthand for the 11 September 2001 terrorist attacks) and see what she says.

The posts didn’t warn people that Siri would recognize someone saying “nine-eleven” just the same as someone saying “nine-one-one” (9-1-1), the number for emergency services, and place a call to 911.

Some joke! Bogus calls to 911 tie up emergency services staff and may prevent someone in dire need from getting help.


3. Memex – DARPA’s search engine for the Dark Web.

The areas of the internet beyond the reach of most browsers and search engines are called the Dark Web for good reason. But this year we’re seeing a little more light shed on it, thanks to search tools developed specially for these nether-regions of the web.

We reported that the US government research body known as DARPA had developed a set of search tools called Memex, designed for law enforcement and intelligence agencies to probe the Dark Web.

This year, DARPA made Memex available for anyone to use.


2. Onion.city, a search engine bringing the Dark Web into the light.

A Dark Web search engine called Onion City became available this year, allowing people to browse to .onion sites on the Tor network using a normal web browser.

Onion City isn’t a secure or private way to use the Dark Web, but it does make it a lot easier.

The Dark Web is fascinating because it is often used for nefarious purposes, but hidden services like Tor can also be used for good, such as by activists and journalists seeking protection and anonymity to bring corruption and abuses of power to light.


1. Man named as a “Creep” in Facebook viral post was just a dad taking a selfie with Darth Vader.

Our top story of the year, with more than 1 million views in just two days, once again showed the dangerous power of misinformation spread on social media.

As we reported, a concerned mother who thought a strange man was taking pictures of her kids went a little too far when she shared a photo of the man on Facebook, calling him a “creep” and a danger to children. Her post went viral, and the man was eventually recognized by the photo, leading to death threats against him.

Yet the accused “creep” was himself a father of three kids who was merely taking a “selfie” picture with a cardboard cutout of Darth Vader to show his own children.


Happy New Year from us at Naked Security, and may your 2016 be a safe and secure one.


University of Plymouth plans to exchange passwords for pictures

UK researchers could improve security and overcome password fatigue

UK scientists have developed a way for ordinary users to overcome the problem of reusing the same password on multiple sites as well as having to remember a host of passwords.

The researchers, based at the University of Plymouth, said that password fatigue could be addressed by using a combination of images and one-time numerical codes to gain access to systems.

Working out of the Centre for Security Communication and Network Research (CSCAN), the researchers believe that this new multi-level authentication system, GOTPass (Graphical One Time Password), could be effective in protecting personal online information from hackers.

They claim the system could also be easier for users to remember, and be less costly for providers to implement since it would not require the deployment of potentially costly hardware systems.

The system would enable users to choose a unique username and draw any shape on a 4×4 unlock pattern, similar to that already used on mobile devices. They will then be assigned four random themes, being prompted to select one image from 30 in each.

When logging into an account, the user would enter their username and draw the pattern lock, with the next screen containing a series of 16 images, among which are two of their selected images, six associated distractors and eight random decoys.

If the user identifies the correct two images, this would then generate an eight-digit random code located on the top or left edges of the login panel which the user would then need to type in to gain access to their information.
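As an added example (not the University of Plymouth’s code), a toy server-side model of the GOTPass flow just described: enrolment with a username, a 4×4 pattern and one image from each of four themes; the login challenge of 16 tiles made up of the two target images, six same-theme distractors and eight decoys; and the eight-digit one-time code issued on a correct pick. The theme names, the salted-hash storage of the pattern and the rule for choosing distractors are assumptions. Two behaviours a practitioner would want are built in: a wrong pair aborts the attempt rather than revealing which tile was right, and the code is checked once and discarded.

```python
"""Toy server-side model of the GOTPass login flow (added example, not the
University of Plymouth implementation). Theme names, pattern hashing and the
distractor rule are assumptions; the 2 + 6 + 8 grid and the eight-digit code
follow the published description."""
import hashlib
import hmac
import random
import secrets
from math import comb
from typing import Dict, List, Optional, Sequence

THEMES = ["animals", "food", "landmarks", "vehicles"]                 # assumed theme names
CATALOGUE = {t: [f"{t}-{i:02d}" for i in range(30)] for t in THEMES}  # 30 images per theme
GRID_SIZE = 16


def _theme_of(image: str) -> str:
    return image.rsplit("-", 1)[0]


def _hash_pattern(pattern: Sequence[int], salt: bytes) -> str:
    # The drawn pattern is a sequence of 4x4 cell indices; store it salted and hashed,
    # never in clear. A real deployment would use a slow password hash, not plain SHA-256.
    data = ",".join(str(c) for c in pattern).encode()
    return hashlib.sha256(salt + data).hexdigest()


class GOTPassServer:
    def __init__(self, seed: Optional[int] = None) -> None:
        self.rng = random.Random(seed)     # seeded only so the demo is reproducible
        self.users: Dict[str, dict] = {}
        self.pending: Dict[str, dict] = {}

    def enroll(self, username: str, pattern: Sequence[int], chosen: Sequence[str]) -> None:
        """Enrolment: a pattern plus one chosen image per theme."""
        if [_theme_of(img) for img in chosen] != THEMES:
            raise ValueError("exactly one image per theme, in theme order")
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pattern": _hash_pattern(pattern, salt),
                                "images": list(chosen)}

    def begin_login(self, username: str, pattern: Sequence[int]) -> Optional[List[str]]:
        """Step 1: username plus pattern. Returns the 16-image challenge, or None."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pattern"],
                                                   _hash_pattern(pattern, user["salt"])):
            return None
        targets = self.rng.sample(user["images"], 2)
        target_themes = {_theme_of(img) for img in targets}
        # Six "associated distractors": other images from the same themes as the targets.
        same_theme = [img for t in target_themes for img in CATALOGUE[t] if img not in user["images"]]
        # Eight random decoys drawn from the other themes.
        other_theme = [img for t in THEMES if t not in target_themes
                       for img in CATALOGUE[t] if img not in user["images"]]
        grid = targets + self.rng.sample(same_theme, 6) + self.rng.sample(other_theme, 8)
        self.rng.shuffle(grid)
        self.pending[username] = {"targets": set(targets), "otp": None}
        return grid

    def verify_selection(self, username: str, selected: Sequence[str]) -> Optional[str]:
        """Step 2: the user picks tiles. A correct pair yields the eight-digit code;
        anything else aborts the attempt so the grid cannot be probed tile by tile."""
        state = self.pending.get(username)
        if state is None or set(selected) != state["targets"]:
            self.pending.pop(username, None)
            return None
        state["otp"] = f"{secrets.randbelow(10 ** 8):08d}"
        return state["otp"]

    def verify_otp(self, username: str, code: str) -> bool:
        """Step 3: the typed code is checked once and discarded, so it cannot be replayed."""
        state = self.pending.pop(username, None)
        return bool(state and state["otp"] and hmac.compare_digest(state["otp"], code))


def random_pair_success_probability() -> float:
    """Chance that picking two tiles at random from the grid hits both targets: 1/120."""
    return 1 / comb(GRID_SIZE, 2)


def demo(seed: int = 7) -> dict:
    """One enrolment and login, then a replayed code and a wrong pick; returns what happened."""
    srv = GOTPassServer(seed)
    chosen = ["animals-03", "food-11", "landmarks-07", "vehicles-29"]   # constructed enrolment
    pattern = [0, 1, 2, 6, 10]
    srv.enroll("alice", pattern, chosen)
    wrong_pattern_rejected = srv.begin_login("alice", [0, 1, 2, 6, 11]) is None
    grid = srv.begin_login("alice", pattern)
    targets = [img for img in grid if img in chosen]
    code = srv.verify_selection("alice", targets)
    otp_ok = srv.verify_otp("alice", code)
    replay_rejected = not srv.verify_otp("alice", code)
    grid2 = srv.begin_login("alice", pattern)
    wrong_pick = [img for img in grid2 if img not in chosen][:2]
    wrong_pick_rejected = srv.verify_selection("alice", wrong_pick) is None
    return {"grid_size": len(grid), "distinct_tiles": len(set(grid)), "targets_shown": len(targets),
            "wrong_pattern_rejected": wrong_pattern_rejected, "code_length": len(code),
            "otp_ok": otp_ok, "replay_rejected": replay_rejected,
            "wrong_pick_rejected": wrong_pick_rejected}
```

Running `demo()` exercises the whole flow; the model keeps the server as the only party that knows which two tiles are targets, and the one-time code exists only between a correct pick and its first use, which is what makes the scheme more than a single static secret.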

Initial tests of the system have shown it to be easy for users to remember, while security analysis showed just eight of the 690 attempted hackings were genuinely successful, with a further 15 achieved through coincidence.

“In order for online security to be strong it needs to be difficult to hack, and we have demonstrated that using a combination of graphics and one-time password can achieve that. This also provides a low-cost alternative to existing token-based multi-factor systems, which require the development and distribution of expensive hardware devices,” added Dr Maria Papadaki, a lecturer in network security at Plymouth University and director of the study.

“We are now planning further tests to assess the long-term effectiveness of the GOTPass system, and more detailed aspects of usability.”

 

David Ferbrache, technical director at KPMG’s cyber-security practice, told SC Magazine that passwords are “broken”.

“They have become one of the weakest links in our security chain,” he said. “People are being forced to adopt more and more convoluted passwords, while simultaneously trying to avoid the temptation to reuse those super strong passwords.

“It is high time we moved to a more sophisticated approach to authenticating people which blends biometrics, behavioural analysis and contextual information rather than relying on knowledge of a single increasingly user unfriendly password.”
