This is The Security Skeptic's TypePad Profile.
The Security Skeptic
Hilton Head Island, South Carolina, USA
Dave Piscitello is a 39-year networking and Internet veteran who now focuses on Internet security. The opinions expressed here are my own and do not necessarily represent the opinions of my employer (ICANN).
Interests: Fitness & free weights, historical fiction, cooking, gardening, community support for performing arts, unintended consequences of commoditizing technology without consideration of privacy or security.
Recent Activity
Brian Krebs recently wrote articles about a disturbing trend: legitimized Denial of Service. The first story, DDoS Services Advertise Openly, Take PayPal, exposes the emerging industry. The second story, Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?, relates an interview with Justin Poland, who admits to operating this DDoS service and who claims that the site "includes a hidden backdoor that lets the FBI monitor customer activity." (This admission, if corroborated, partly answers my question, "if denials of service are not illegal, then why the hell not!") I read Brian's articles, then found a referral article at Sophos, DDoS-for-hire service is...
Posted 2 days ago at The Security Skeptic
WhiteHat Security surveys customers and examines terabytes of data collected from websites and applications it monitors to annually produce a report that concentrates on unknown vulnerabilities in custom Web applications. Custom has the same meaning here as a "custom made suit": organizations may operate websites using commercial or open source operating systems, web server software and content management systems, but nearly every site of meaningful size has code that is unique to that organization. Unique code doesn't necessarily translate to unique vulnerabilities: software developers worldwide make similar assumptions, use similar dev languages and tools... and being human, some make errors...
Posted May 9, 2013 at The Security Skeptic
U.S. politics are dominated by two parties: Republican and Democrat. Republicans are popularly perceived as believing in having a small Federal government and empowering state governments, whereas Democrats are popularly perceived as believing that a larger Federal government is better suited to ensuring that all Americans receive the same (equal) benefits of a governed nation. Montana State University Billings examined Montana school quality in response to a less than enthusiastic reaction by Montana educators to a Thomas Fordham Foundation ranking of state education quality. For their study, the MSU Billings folks compared five measures of education quality: Teacher Quality, Education...
Posted May 8, 2013 at The Security Skeptic
Colleagues Greg Aaron (Illumintel) and Rod Rasmussen (Internet Identity) have published another comprehensive survey on phishing patterns, behavior and impact. With Greg's permission, I'm posting his summary of highlights from the Report. The APWG Global Phishing Survey Report (2H2012) contains key stats and analysis for the time period July-December 2012, including what top-level domains were used, phishing site uptimes, and at what registrars phishers registered domain names. Highlights from the Report: Attacks made by compromising virtual hosting accounted for 47% of all phishing attacks in the period. Breaking into hosting providers has been a high-yield activity of the bad guys,...
Posted Apr 29, 2013 at The Security Skeptic
DDoS attacks are increasing in frequency and intensity. Virtually every individual, organization, or business is a potential target. On behalf of ICANN's Security Team - and with the invaluable assistance of trusted colleagues in the operational community - I've published a post on aspects of DDoS attacks that are often overlooked: How do I report an attack? To whom? What kinds of assistance can I expect to find? From whom? Should I contact law enforcement? What kind of information should I provide when reporting an attack? We conclude the article, How to Report a DDoS Attack, with a list of...
Posted Apr 25, 2013 at The Security Skeptic
You're giving a conference talk. You're running presentation software from your MacBook. The talk is going extremely well. Suddenly, you lose control of the presentation. Slides change randomly. You regain control. You begin a movie clip, the volume suddenly changes to max, and your audience covers their ears. You minimize the presentation software to investigate. iTunes launches, chooses Fuel by Metallica. At max volume. Your audience heads for the exits. Your trusty laptop hasn't grown a mind of its own. It's been hijacked by someone in the audience with a remote control infrared receiver. A post at tumblr exposes how...
Posted Apr 24, 2013 at The Security Skeptic
Photo by mtneer_man My K-12 experience included classes in both woodworking and metal crafting. Of the two, I most benefitted from wood shop. My wood shop teacher didn’t stop at explaining the correct way to hammer, saw or turn wood: in addition, he fed us a steady stream of adages as we worked wood - Measure twice but cut once. If you can't find the time to do it properly, how will you find the time to fix it? You can do it quickly or you can do it right. - and infused an ethos that embraced quality and competency...
Posted Apr 11, 2013 at The Security Skeptic
Image by Trevino I came across a firewall-wizards mailing list thread on DDoS from 2007 that reminds me of how long infosec practitioners have been encouraging, cajoling, or pleading with organizations and access providers to do their part to mitigate DDoS attacks. In a 28 November 2007 thread, Patrick Darden explains that: Properly configured, a simple firewall CAN prevent most DOS attacks. Check out this SANS bulletin on "Defeating DDOS". Yes, that is my name in the credits. Special task force back in 2000. Sigh, and still people don't know that you can use a simple firewall to defeat most...
Posted Apr 4, 2013 at The Security Skeptic
From all the documentation I find, these settings are hidden from the Mountain Lion UI. There is an addon, Deeper for Mountain Lion 1.6.5, that claims to "enable and disable the hidden functions of Finder, Dock, Dashboard, Exposé, Safari, Login window and many other of Apple's applications". I have not tried it but you can read about it at http://mac.majorgeeks.com/files/details/deeper_for_mountain_lion.html If you know OpenBSD well, it may be possible to make the same changes to hidden settings that Deeper makes via a Terminal window (assuming you have sudo privileges). I haven't found where Recent Items settings are located yet, but will hunt around.
The Interactive Advertising Bureau (IAB) and Association of National Advertisers (ANA) have launched a coordinated campaign against Mozilla in retaliation for the browser developer's Firefox patch that, by default, blocks cookies from any site that a user has not visited ("third party cookies"). But rather than mounting a campaign that attacks Mozilla directly, the IAB/ANA strategy is focused on scaring users by threatening more advertisements. The rhetoric flowing from IAB and ANA is reminiscent of the 2012 presidential campaign - or the blather we now expect to hear following any given session of either branch of the US Congress; in fact,...
Posted Mar 26, 2013 at The Security Skeptic
Thanks for the kind words, Lori. And right after I published this I found a Nigerian/419 scam among my Facebook messages. FB may have to re-think their "new" messaging settings.
Veracode has a great track record for producing compelling infographics. And they have a great attitude about sharing. The Hacking the Mind infographic I've inserted here explains the art and threat of social engineering quite thoroughly: Infographic by Veracode Playing on Emotion Quiz time: identify what emotion or motivation attackers use in the following scams. Choose from {fear, greed, empathy, curiosity, anger, interest...}. Stranded traveller scams are emails from a colleague, relative or friend who claims to have lost wallet, passport, etc. and is desperate for you to wire money so they can recover from the...
Posted Mar 8, 2013 at The Security Skeptic
The SANS Securing the Human project has an excellent resource for parents who want to keep their children or teens safe online. This project recognizes that parents may not be as Internet engaged or sophisticated as their children and thus aims to level that playing field a bit while also describing how to have a constructive conversation with children or teens about using the Internet safely, and lastly, how to implement the "safe use" contract parents and kids negotiate. The Securing the Kids presentation begins by explaining to parents that many Internet safety issues have real world analogs (e.g., bullying,...
Posted Mar 4, 2013 at The Security Skeptic
Could attackers change their IP address scanning technique to scan a larger address space with more stealth and identify hosts or services that are vulnerable to attack more efficiently? It's absolutely possible. Let me explain how. Attackers and penetration testers use various scanning techniques to identify hosts in target networks. In a basic scan, an attacker or tester targets an IP subnet (an address block or range of IP addresses), sends traffic to the addresses within that block or range, and composes a list or enumeration of the hosts that respond. Image by Mike Licht Attackers or testers use different...
Posted Feb 26, 2013 at The Security Skeptic
Photo by ~Aphrodite The AntiPhishing Working Group has released a study of phishing attacks detected in the first half of 2012, and a second study of reports by phishing victims over a period of nearly two years. The Global Phishing Survey 1H2012: Trends and Domain Name Use uses a large sampling of confirmed phishing URLs. The Web Vulnerabilities Survey September 2012 uses reports submitted by organizations whose websites were compromised and subsequently used to host phishing attacks. While the studies use entirely different data sets, they share several of the same findings. In both reports, researchers found that the average...
Posted Feb 18, 2013 at The Security Skeptic
Internet Down... A Modern American Western relates the post-apocalyptic adventures of Chris Nelson as he attempts to return home to Colorado from Chile following a terrorist attack on the oil platform where he earned his living. The apocalyptic event in this story is constructed around the collapse of critical infrastructures in the United States, the damage resulting from Internet-based and real world attacks (nation state sponsored). These set into motion an economic collapse and an oil crisis, and the USG elects to limit access to all major communications infrastructures: the Internet is down and much of the population has limited...
Posted Feb 11, 2013 at The Security Skeptic
One of the hands-on activities I use when explaining how the DNS works shows how to access DNS zone data using the command-line tool dig on Mac, BSD, or Linux operating systems. dig is a convenient way to illustrate how applications like the browser or mail client on your device query the DNS for IP addresses associated with names. dig does essentially what a "stub" resolver on your device does: basically, it accepts a domain name and submits a query to a name server that performs what is called recursion to obtain the data you are requesting from the...
Posted Feb 7, 2013 at The Security Skeptic
In March 2012, and on behalf of the ICANN Security Team, I published a thought paper on domain seizures. The paper helps folks ask the right questions and gather the right information as they prepare a court order, to make clear exactly what actions the issuer expects. Photo by West Midlands Police This first thought paper is not an endorsement of seizures. It acknowledges that domains will be seized and that people issuing court orders for those seizures need to understand how domain names and DNS work to ensure that the seizures are done properly and, more importantly, to insure against...
Posted Jan 24, 2013 at The Security Skeptic
Marvin Ammori has written an important book about the threats to free speech and expression that we are not only privileged to conduct on the Internet today but have come to treat as basic human rights. On Internet Freedom looks at the past, present and future of the Internet as a speech technology. Ammori examines how the coordinated and determined efforts by Big Content to protect content and increasing efforts by governments to censor content threaten Internet use as we embrace it today. Ammori also explains how these acts were in fact anticipated by Clark, Sollins, Wroclawski and Braden in...
Posted Jan 22, 2013 at The Security Skeptic
Part I of guest Kim Crawley's multi-part series presented a multi-tiered strategy for protecting sites that run the popular open source WordPress content management system. In Part II, Kim examines plug-ins you can add to further improve WordPress security. Photo by Eric E Johnson In How to Protect Your WordPress Site from Hackers, I explain that securing your web site's OS, web server, WordPress CMS, and PHP content will reduce your risk of falling victim to the kinds of attacks we describe in How Hackers Target and Attack Your Site. There are also a number of WordPress plug-ins and configuration...
Posted Jan 17, 2013 at The Security Skeptic
Guest Kim Crawley's first of a multi-part series presents a multi-tiered strategy for protecting sites that run the popular open source WordPress content management system. Part II, also by Kim, will consider addons to further improve WordPress security. Web site attacks are all too common, and WordPress sites are among the most frequently hacked. There are many reasons or motives why your web site might fall victim to such attacks. Some of the most common are listed below: To plant malware on your site that will infect your visitors, take control of their computers, and recruit them into a botnet,...
Posted Jan 14, 2013 at The Security Skeptic
MIT Stata Center for CIIS by Wallyg At first blush, logging seems simple. Turn it on, collect what you log, review and analyze what you collect. For individual systems and small-business LANs, logging can be as simple and easy as drinking from a garden hose. Now imagine drinking from a fire hose (or several) and appreciate how quickly you can go from drinking to drowning in a sea of seemingly unrelated data of arbitrary format, context, and content. One way to help your partners get the maximum benefit from logging activities is to explain the value of having a game...
Posted Jan 4, 2013 at The Security Skeptic
My daughter is an ultimate Doctor Who fan and is insisting we visit the Dr. Who Experience when we visit London next June (as a side trip to Cardiff, Wales). She's also converted me from a casual watcher to the guy on the aircraft with the Doctor Who ringtone. You can imagine how excited she was when we came across this infographic timeline: Via: CableTV.com I did a bit more research on Doctor Who Timelines and found one by NathantheNerd. This timeline identifies the actors who played the Doctor and his companions for the episodes in seasons 1-6.
Posted Dec 26, 2012 at The Security Skeptic
Veracode has produced an informative infographic on the state of application security and has generously granted permission to use. This graphic is too dense to present to senior management and receive anything but blank stares and impatient tapping while you try to flounder through the statistics to give them something they can act upon decisively. The simpler approach is to focus on one message at a time, keep the dialog simple, and recommend a way forward. Your senior management no doubt understands and appreciates data, databases, information integrity and confidentiality, so if you do use this infographic, try this: Photo...
Posted Dec 20, 2012 at The Security Skeptic
Phishers remain thankful for how generous so many Internet users continued to be in 2012. As they did in 2009, 2010, and 2011, carolers are filling IRC channels with the merry sounds of Phishmas anew! On the first day of Phishmas, the Lotto emailed me... I've won $7 Million USD! On the second day of Phishmas, the Red Cross emailed me... Help the Sandy victims, and I've won $7 Million USD. On the third day of Phishmas, a broker texted me... List your vacation rental, help the Sandy victims, and I've won $7 Million USD. On the fourth day of...
Posted Dec 19, 2012 at The Security Skeptic