Tally of Cyber Extortion Attacks on Tech Companies Grows

bits.blogs.nytimes.com

36 points by mantraxC 12 years ago · 44 comments

baudehlo 12 years ago

And one that resulted in a full shut down: http://www.codespaces.com/

  • shiven 12 years ago

    Looking at the armchair post-mortems on HN, they had it coming, one way or another. Putting your only backups the same place you host your full product? Priceless foolhardiness!

    • baudehlo 12 years ago

      Tough call. S3 is supposed to have 99.999999999 (or whatever) reliability (not uptime, just storage reliability). It's hard to justify backing up to somewhere else when they give you that figure.

      • shiven 12 years ago

        All your family jewels in one place? Accessible from a common front-panel? Abso-f-ing-lutely NO offline backups that count? Like I said, they had it coming.

        Seriously, if you don't have the code-and-data backup that will enable you to switch service providers, even with a downtime penalty, then you and your SaaS truly have it coming. If these guys had any real backups, they could have let the clusterfuck at AWS play out the way it did and still be able to upload everything to DigitalOcean or a colo or whatever and still come back alive a month later. Now that 99.999999999999999 (ad nauseam) ain't worth squat, is it?

        I mean, basic (Dev)-Ops-(Sec), real basic. But, then again, I'm just another armchair, after-the-fact, analyst-dude on the internet.

jqm 12 years ago

It's amazing to me that people would screw around with this for 2 or 3 hundred dollars.

I realize wages are low in many parts of the world and this might represent a significant amount of money, but anyone with access to the resources and possessing the technological know-how to pull this off maybe could make that in a legitimate way.

I have no idea, but maybe state actors are involved. Maybe it is a low level warning of what "could" be done. Probably not... but maybe. $300 doesn't seem like it would be worth the trouble and risk but maybe it is.

nitrogen 12 years ago

DDoS attacks like this wouldn't be so easy if governments actively fixed backdoors in hardware and software instead of creating and stockpiling them. Much harder to build a botnet if there are fewer vulnerable systems to recruit via exploits.

  • jgrahamc 12 years ago

    A. I don't see how "the government" is behind botnets.

    B. You don't need many machines to create DDoS attacks because of reflection/amplification.

    C. You can rent machines without having to use a botnet.

    • nitrogen 12 years ago

      A. I never said the government was "behind botnets." Nor did I refer to any singular government. Yet, Stuxnet did create, in effect, a botnet.

      B. A government interested in network security would inform managers of reflection- and amplification-vulnerable systems (such as misconfigured DNS resolvers), as well as design and release open, verifiable, trustable specifications for filtering hardware and packet matching algorithms to block DDoS attacks at the same points they currently tap network traffic.

      C. Rented machines can be shut down far more easily than a botnet.

  • mpyne 12 years ago

    > DDoS attacks like this wouldn't be so easy if governments actively fixed backdoors in hardware and software instead of creating and stockpiling them.

    The same thing keeping government from regulating the Internet is the same thing keeping government from simultaneously fixing every flaw in every router, switch, and TCP/IP stack.

    Stockpiling has nothing to do with it by itself, as they are stockpiling individual numbers of bugs in an entire frothing sea of bugs. NSA didn't even know about Heartbleed, and that's one that could have enormously aided NSA in doing what they do.

    • NotAtWork 12 years ago

      > NSA didn't even know about Heartbleed

      Source?

      • mpyne 12 years ago

        http://icontherecord.tumblr.com/post/82416436703/statement-o...

        But also, straight from the mouth of a USCYBERCOM strategist speaking to our class the other week.

        And also, just plain logic. I pointed out here on HN even before the ODNI released the statement I linked above that Heartbleed is far more damaging to the USG itself than any intel value NSA could have hoped to achieve from it.

        With the other vulns NSA would have stockpiled they don't need Heartbleed, and leaving Heartbleed open would have hurt a lot of USG (and just as importantly, private US) infrastructure, so even going by crazy USG logic the right thing to do would have been to disclose it, just as NSA has fixed other open source security flaws over the years.

        • NotAtWork 12 years ago

          > This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet.

          > When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.

          > This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.

          Nothing about this statement makes me believe that they were unaware of Heartbleed, specifically because it seems to imply that they don't stockpile vulns that they find, which we know that they do.

          > The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services.

          The only damage that seems to be claimed specifically in their report is that not fixing Heartbleed would compromise public interface security, and not necessarily any government internal security.

          > I pointed out here on HN even before the ODNI released the statement I linked above that Heartbleed is far more damaging to the USG itself than any intel value NSA could have hoped to achieve from it.

          I suspect that this isn't true, especially if the US government isn't using OpenSSL for their internal security.

          > would have hurt a lot of USG (and just as importantly, private US) infrastructure, so even going by crazy USG logic the right thing to do would have been to disclose it

          This didn't seem to be a paramount concern with their other spying activities, which have hurt the security of the US infrastructure and compromised us tech companies (both hardware and internet services) trying to compete internationally.

          > But also, straight from the mouth of a USCYBERCOM strategist speaking to our class the other week.

          If we're going with anecdotes, I've met a couple of military contractors who claimed to have known of Heartbleed ahead of the public disclosure by non-trivial periods of time.

          • mpyne 12 years ago

            > > This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.

            > Nothing about this statement makes me believe that they were unaware of Heartbleed, specifically because it seems to imply that they don't stockpile vulns that they find, which we know that they do.

            Are you just trying to be obtuse here? The very paragraph you quoted says they are biased towards disclosing, not 100% committed to disclosing. They admit right there that it's possible they would discover a vulnerability and not disclose it.

            But the part of the statement you left out is that Heartbleed in particular would only have met their criteria for disclosure due to the great danger to USG systems and systems used by private U.S. persons and entities.

            > I suspect that this isn't true, especially if the US government isn't using OpenSSL for their internal security.

            The USG uses OpenSSL everywhere. Even USG can't run MS everywhere, and there's not exactly a ton of options for their many Linux, BSD and UNIX-based systems.

            Even worse, they likely use OpenSSL in places that no one in particular knows about. It wouldn't surprise me one bit to find out that some of those 300,000 systems still vulnerable belong to government agencies.

            > If we're going with anecdotes, I've met a couple of military contractors who claimed to have known of Heartbleed ahead of the public disclosure by non-trivial periods of time.

            Non-trivial as in? If they hear about it while Google is developing a fix (and logo) as you seem to be implying, that's preferential disclosure, not NSA holding onto a vuln from the day it came out.

  • graylights 12 years ago

    So the governments are responsible for every bug now? I'm not so quick to absolve guilt from shitty development. There are many developers that take a lot of shortcuts, with hardcoded passwords and the like.

    If we were talking a handful of bugs, your argument would make sense. But we're talking about tens of thousands.

    • at-fates-hands 12 years ago

      >>> There are many developers that take a lot of shortcuts, with hardcoded passwords and the like.

      This.

      Last year I worked at a huge, multinational, privately held company. After being at my job less than two days, I found out they store all of their server passwords in plaintext, on the server, together, in one file.

      It took me about an hour to compose myself. It was like having a dream where you come to work and you suddenly realize you left your pants at home.

troels 12 years ago

One thing I don't quite understand - wouldn't it be possible to unravel a botnet? If you acquire one of the infected machines, a bit of reverse engineering (or perhaps just monitoring its network traffic) should presumably be able to reveal where it gets instructions from. It would probably take the cooperation of law enforcement, but assuming that, wouldn't it be possible - even practical - to do?

  • Mandatum 12 years ago

    Yes, in the past when they were more centralized with only a few IRC/C&C's this was an easy solution.

    However now, a botmaster is able to generate thousands of C&C centers from hacked boxes, via hidden Tor or I2P nodes, or shared hosting, as well as hundreds of thousands of varying infected malware almost instantly. The only thing that requires effort from the botmaster now is spreading and constantly updating their slaves so they can keep them in control longer.

    The actual implementation is the easy part of it.

    • troels 12 years ago

      I see. Still, the attacker has multiple surfaces to try and trace them through. Unless they are very careful, you would expect that they tend to slip every now and then, making it possible to find them? I would imagine that a dedicated security team within law enforcement would be able to get a pretty good success rate, but that doesn't appear to be the case?

codeddesign 12 years ago

I don't get it... why not just switch your DNS to Cloudflare or a similar service and run under their protection?

  • joncameron 12 years ago

    Right there in the article... Moz signed up with CloudFlare "but Mr. Skinner said the attacker has found new ways to attack their systems."

    Does anyone know what that might be? There are quite a few people on HN who have zero sympathy for DDoS victims who don't pony up for Cloudflare etc., but I'm curious about situations when that isn't going to help or other attack vectors that will get you regardless.

  • opendais 12 years ago

    If you have MX records on a Cloudflare-enabled domain you have to expose the IP address of your mail server:

    https://support.cloudflare.com/hc/en-us/articles/200168536-W...

    If that is in the same DC as the rest of your equipment [or worse, the same server] it might be still possible to figure things out and DDoS you.

    The underlying hosting is just as vulnerable w/ or w/o Cloudflare.

    Last week someone spinning up their own botnet threw like 1Gbps at a side project of mine via UDP at the mail server.

  • dsl 12 years ago

    Because centralization is bad for the internet. CloudFlare unwraps every single SSL connection, they see every cookie, they can modify every response. It is a goldmine for a bad actor to compromise.

    • existencebox 12 years ago

      I'd love to see every market segment have its share of competition, but at this point, Cloudflare comes pretty close to "doing magic" in terms of dealing with the increasing volume of DDoS, and I frankly don't know anyone else who offers the services or results they do. (My only connection to them is that they've pulled a few sites I follow out of the fire over the last few months, and getting to see the before/after more firsthand convinced me a bit more of their importance.)

      Basically, I'd rather there is _some_ company that can shut down these existing known bad actors than avoid it on the off chance that it becomes a bad actor down the road. Better to use the time that buys us to look for better ways to deal with DDoS, both policy and tech based, as other comments suggest.

  • liveoneggs 12 years ago

    Maybe your origin has been discovered already.

  • _up 12 years ago

    Feedly did that and was down anyway. Though I'm interested in what they did to stop it.

microcolonel 12 years ago

Anyone want to start a registry of threatening bitcoin addresses, so we can prevent funds from these transactions from being used? (aside from paying other organized criminals)

  • _delirium 12 years ago

    Isn't that difficult to enforce, unless you also blacklist the public mixers? It's easy to launder moderate amounts of Bitcoins through the mixers, after which blacklisting the original wallets would no longer impede the money being spent. Though if the major mixers were willing to go along with such a blacklist it'd get considerably more effective.

    • microcolonel 12 years ago

      You can track the amount through the transaction logs though, and mixers don't want to get stuck with bitcoins which will eventually be invalidated by other parts of the ecosystem.

      Not a perfect idea at this point though, it'd require considerable organization to get this done, certainly better than throwing away Bitcoin or waiting for it to become criminalized. IMHO

mantraxCOP 12 years ago

I posted this because I found it of particular interest that the blackmailers ask for payment in Bitcoin.

It makes you think if Bitcoin is turning into a giant example of "be careful what you wish for".

We have exchange after exchange get hacked and legit Bitcoin users losing their money, and now Bitcoin enables extortion schemes that couldn't work so effortlessly before.

Where is this going?

  • Shinkei 12 years ago

    Bitcoin is only pseudoanonymous. At some point, the 'bad actor' has to access 'legitimate' banking institutions to exchange the Bitcoins to fiat and that is the weakest link. It requires reporting to relevant tax or other authorities based on arbitrary (and secret) amounts, but targets money laundering, drug trade, gambling, etc.

    I suppose if I had to throw a potentially disruptive idea out there, you could create a database of 'blacklisted addresses.' Let's say when Bitlocker came out, you entered that address into a database and it was verified as being associated with this scam, well it is trivial to track those coins between addresses and every address it enters is blacklisted until it enters a mixer or exchange, at which point you have a potentially complicit corporation that you could actually target with the subpoena or other legal action for discovery of IPs, login, etc.

    • dsl 12 years ago

      People have suggested this before. A bad actor then just takes 100 illicit bitcoins and sprinkles them in random amounts across many addresses, 11 to himself at another address, 6 to a non-profit, and 14 to you. You are now indistinguishable from the bad guy.
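The blacklist-and-trace idea from the parent comment and the "sprinkling" objection in this one, worked through as an added example (not code from the thread or from any real chain-analysis tool). The ledger, addresses and amounts are constructed; `propagate_taint` and `flagged` are hypothetical names for the two taint models commonly discussed, "poison" (any tainted input taints every output) and "haircut" (taint spread proportionally).

```python
"""Taint propagation over a tiny constructed Bitcoin-style ledger."""
from collections import defaultdict

# Constructed sample ledger, assumed to be in topological (chain) order.
# "E" is the extortion address; tx2 is the attacker sprinkling coins
# (11 to himself at A1, 6 to a charity, 14 to an uninvolved "you").
LEDGER = [
    {"id": "tx1", "in": [("victim", 100)], "out": [("E", 100)]},
    {"id": "tx2", "in": [("E", 100)],
     "out": [("A1", 11), ("charity", 6), ("you", 14), ("A2", 69)]},
    # "you" later spends the 14 tainted coins together with 50 clean ones.
    {"id": "tx3", "in": [("you", 14), ("your_savings", 50)],
     "out": [("merchant", 60), ("you_change", 4)]},
    {"id": "tx4", "in": [("A2", 69)], "out": [("mixer", 69)]},
]


def propagate_taint(ledger, seeds, mode="haircut"):
    """Return {address: fraction of received coins that trace to a seed}.

    mode="poison": one tainted input makes every output fully tainted.
    mode="haircut": outputs inherit the tainted share of the inputs.
    Seed addresses are always reported as fully tainted.
    """
    seeds = set(seeds)
    tainted = defaultdict(float)  # tainted coins received per address
    total = defaultdict(float)    # all coins received per address

    def frac(addr):
        if addr in seeds:
            return 1.0
        return tainted[addr] / total[addr] if total[addr] else 0.0

    for tx in ledger:
        in_total = sum(amt for _, amt in tx["in"])
        in_tainted = sum(amt * frac(addr) for addr, amt in tx["in"])
        if in_tainted == 0:
            share = 0.0
        elif mode == "poison":
            share = 1.0
        else:
            share = in_tainted / in_total
        for addr, amt in tx["out"]:
            total[addr] += amt
            tainted[addr] += amt * share
    return {a: frac(a) for a in set(total) | seeds}


def flagged(taint, threshold=0.5):
    """Addresses a naive blacklist would block at the given threshold."""
    return sorted(a for a, f in taint.items() if f >= threshold)


if __name__ == "__main__":
    for mode in ("poison", "haircut"):
        scores = propagate_taint(LEDGER, {"E"}, mode)
        print(mode, {a: round(f, 3) for a, f in sorted(scores.items())})
        print("  blocked:", flagged(scores))
```

Under both models "you" scores exactly like the attacker's own A1, which is the indistinguishability problem raised above; the haircut model only softens the knock-on effect on the merchant you later paid.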

      • Shinkei 12 years ago

        I can't say I would complain if thousands of dollars was given to my address, but you are right... it would represent a difficult problem for enforcement and creative people would come up with clever workarounds.

    • mantraxCOP 12 years ago

      > "At some point, the 'bad actor' has to access 'legitimate' banking institutions to exchange the Bitcoins to fiat and that is the weakest link."

      And on the contrary they can do the exchange in, say, Nigeria. So Bitcoin's weakest link is also the law enforcement weakest link, because no one has authority over the entire world, and there are plenty of spots where you can do the exchange without trace.

  • bunderbunder 12 years ago

    > Where is this going?

    Not far's my guess. If BTC gets too popular as a tool for extortion and money laundering, then the authorities in developed countries are going to start carefully monitoring people who sell large quantities of BTC for sovereign currency or commodities. It would just be another part of their general efforts to combat organized crime. That would make major speculators feel less welcome. If major speculators decide to take their ball and go play somewhere else, the price of BTC will probably tank. That'll discourage everyone else. At which point BTC becomes a terrible medium for money laundering because nobody wants to buy them. I also suspect that the relative anonymity of any one transaction is closely related to overall transaction volume in the BTC economy.

    • dublinben 12 years ago

      These organizations aren't in developed countries, so their potential cash-outs wouldn't be noticed. Going forward, I would expect even more of the expenses of running an online criminal operation to be payable in BTC, so you wouldn't even need to convert it.

  • Tloewald 12 years ago

    Bitcoin — assuming it works — also becomes the perfect currency for kidnappers and blackmailers. Awesome, huh?

    • jgrowl 12 years ago

      You mean like straight cash has been up until now?

      • sanswork 12 years ago

        Yup. Except straight cash still needs someone to physically collect it which leaves a point of failure in the crime and a good place for authorities to catch the bad guys. Bitcoin removes that.

        • kolinko 12 years ago

          But gives another ways to track the money that was paid. It's a matter of authorities catching up with the technology.

          • sanswork 12 years ago

            The very nature of it makes it much easier for criminals to avoid authorities once payment is made though. Sure you can screw up and do something stupid like send it to coinbase and cash out but there are lots of ways to use it without the authorities being able to determine your identity or location.

    • thinggowrrong 12 years ago

      Yup, we can't have our cake and eat it too. We have to learn how to minimize risks and keep Bitcoin alive.
