Source Port News & Commentary - October edition

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary about topics in the news, what wasn't written between the lines, the big (and sometimes nagging) questions that are driving our research, and new projects underway.


October 3, 2016 edition


A DDoS Gag Order
Because Someone Is Learning How to Take Down the Internet

Famed security website “KrebsOnSecurity” sustained one of the worst denial of service attacks in the history of the Internet, at 665 Gbps, in late September. Blogger Brian Krebs has been the target of numerous takedown efforts in the past, due to the nature of his journalistic exposés, but this attempt kept his site down for the better part of a whole business day. The attack came from a botnet made up of Internet of Things (IoT) devices such as security cameras, hacked cars, etc., and was likely in retaliation for his recent posts on vDoS, an attack service run by two Israeli hackers who were subsequently arrested as a result of his writings.


IISP Analyst Holly Dragoo: "The wow factor here is significant. It’s one thing to be concerned with freedom of the press in your own country, but to fear international [digital] reprisal for investigative journalism? A little bit goes with the territory, to be sure, but scalability is the issue here. Krebs’ security provider, Akamai, had to stop covering him in the midst of this event due to the high costs it was undergoing, which meant Krebs would not be able to stand up his website again after the attack was over. Thankfully Google stepped in and he is back up and running. Does someone deserve to be put out of business because their musings have real impact? More importantly, these types of coordinated IoT attacks have the capacity to affect business giants, not just indie reporters.

Both Ars Technica, the tech media outlet, and Bruce Schneier, another cybersecurity luminary, each posted an article on the growing prevalence of these types of large-scale attacks. (read: https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html ) They bring up several valid points:

  • Attacks like these go way beyond bullying and intimidation to be outright censorship.
  • It’s going to get worse before it gets better.
  • Resources involved point towards nation state behavior, but nothing is certain.
  • Mitigation services are not equipped to handle these sizeable attacks.
  • IoT devices will continue to be attractive attack vectors as long as consumer devices remain insecure.

I can’t really put it any more succinctly than they have. Things are getting ugly."


IISP Analyst Yacin Nadji: "Interested parties should check out the Verisign report on DDoS trends. Fear mongering aside, this is a nice opportunity to discuss how these attacks work and how to be a responsible Internet denizen to make these attacks harder. In short, many DDoS attacks use tricks to amplify the size of requests to make it possible to mount large attacks with less bandwidth. For example, a request to NTP can be hundreds of bytes but respond with thousands or tens of thousands of bytes. Since this protocol is based on UDP, the source address can be spoofed to direct responses to the victim's network.

Amplification DDoS attacks rely on two properties: (1) protocols that can easily be spoofed (e.g., based on UDP) and (2) misconfigured services. The first is harder for network operators to address, but the latter is right up their alley. Operators should abide by BCP38 and filter clearly spoofed packets, only allow externally accessible recursive DNS servers to recurse for your own networks, make sure CHARGEN is disabled, and understand and lock down your NTP servers (see "Don't be part of the problem" heading)."
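The two operator-side defenses the analyst names, BCP38 source filtering and finding misconfigured reflectors, can both be checked from flow data. The following is an added example written for this newsletter, not code from the analyst or from Verisign; the prefixes, flow records, and byte counts are constructed (RFC 5737 documentation addresses), and the amplification threshold is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed: the address space this network legitimately originates traffic
# from. A BCP38 egress filter drops anything leaving with a source outside it.
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

def bcp38_egress_allowed(src_ip: str) -> bool:
    """BCP38 egress check: a packet leaving our network must carry a source
    address we actually own; anything else is spoofed and should be dropped."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in LOCAL_PREFIXES)

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# 203.0.113.x are our servers; 192.0.2.x are external hosts (or spoofed victims).
FLOWS = [
    ("192.0.2.7", 40000, "203.0.113.10", 123, 234),      # 234-byte NTP request in
    ("203.0.113.10", 123, "192.0.2.7", 40000, 48204),    # 48,204 bytes back out: ~206x
    ("192.0.2.8", 51000, "203.0.113.53", 53, 60),        # ordinary 60-byte DNS query
    ("203.0.113.53", 53, "192.0.2.8", 51000, 120),       # 120-byte answer: 2x, benign
    ("192.0.2.9", 52000, "203.0.113.80", 443, 1500),     # unrelated TCP/443, ignored
]

def amplification_ratios(flows, reflector_ports=(19, 53, 123)):
    """For each (server, client) pair on a known reflector port (CHARGEN, DNS, NTP),
    return bytes the server sent divided by bytes it received. Requests are matched
    by destination port, responses by source port; other traffic is ignored."""
    inbound = defaultdict(int)   # (server, client) -> request bytes received
    outbound = defaultdict(int)  # (server, client) -> response bytes sent
    for src, sport, dst, dport, nbytes in flows:
        if dport in reflector_ports:
            inbound[(dst, src)] += nbytes
        elif sport in reflector_ports:
            outbound[(src, dst)] += nbytes
    return {key: outbound[key] / inbound[key] for key in outbound if inbound[key]}

def suspected_reflectors(flows, threshold=10.0):
    """Servers whose response volume exceeds request volume by `threshold` (assumed)
    are candidates for lockdown (e.g. NTP monlist, open recursion, CHARGEN left on)."""
    ratios = amplification_ratios(flows)
    return sorted({server for (server, _client), r in ratios.items() if r >= threshold})
```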

Microsoft's New, Advanced Sandboxing a Savvy Approach to Isolation

Last week in Atlanta, Microsoft announced Windows Defender Application Guard for the Edge browser.  Though other browsers, such as Google Chrome, isolate browsing sessions in separate processes, Application Guard takes the sandboxing concept one step further by creating a new virtual container for untrusted browsing sessions.  This protects against vulnerabilities by providing an extra layer of isolation between the browsing session and the underlying operating system, raising the difficulty of a successful attack.  Not only would an attacker have to find an exploitable vulnerability in the browser, but the attacker would also have to bypass the layer of protection provided by the browsing session’s virtual container.


IISP Analyst Joel Odom: "Isolation is a key concept in information security with an interesting history.  During the mainframe era that started in the mid-1960s, isolation was used to allow different users to share the same computer system without affecting one another’s processes.  Personal computers, which first arose during the 1970s, did not include any isolation between processes because designers assumed trust between everything that ran on a given personal computer.  As personal computers advanced, enterprises such as corporate and government users began to establish local networks so that the personal computers on the enterprise network could exchange information.  This is when things got interesting.

The operating systems running on these networks of personal computers (most notably early versions of Windows) grew out of PC technology that enforced no isolation.  Malicious actors discovered that if they could exploit a weakness in a given program, such as a web browser, they could use that weakness to compromise the entire computer, using that as a vantage point for attacking the enterprise network.  Throughout the 1990s and into the 2000s, OS vendors back fitted isolation into personal computers so that users could perform less trusted operations such as web browsing while still attempting to maintain the security of their individual computers and the enterprise networks made up of those computers.  As we know from the current state of enterprise network security, these efforts to maintain isolation have been unreliable.  Microsoft’s Application Guard takes a smart approach to security: assume that Edge has unknown weaknesses and protect the user from those weaknesses by providing an additional layer of isolation."

Yahoo Hack Disaster Can't Get Worse

Yahoo recently disclosed that some half a billion user accounts were compromised by state-sponsored actors in late 2014. Names, email addresses, phone numbers, passwords and dates of birth were put up for sale on websites hosting illicit marketplaces. Yahoo is currently notifying account holders for its email services, as well as users who may have linked Flickr photo-sharing accounts.


IISP Analyst Holly Dragoo: "People are calling this the largest compromise of an email provider ever. Ok, maybe. To me that’s irrelevant; with the revelations of Dropbox, LinkedIn, and MySpace hacks, the odds suggest that somewhere down the line there will be a bigger attack somewhere else. What is becoming more important for the general public to realize, however, is this concept of “Credential Stuffing.” This is when a hacker takes credentials they obtained from one source, and brute-force tries to shove them into a wholly separate service/website to see if they work for that account (For more, see: https://www.owasp.org/index.php/Credential_stuffing). This is precisely why different passwords are necessary for ALL of your accounts. Yes, ALL. So if/when your Pinterest, Fantasy League, or carpool app gets hacked, they can’t get into your bank account, and so forth. It’s an unfortunate and inconvenient reality of today’s world, but the Yahoo compromise stands as a significant reminder – don’t assume your data is safe because your service hasn’t disclosed any attacks. They may not be aware, so do the best you can to protect your own data. Now please go change your passwords (and security questions!), and implement two-factor authentication whenever available."
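On the service side, credential stuffing has a recognizable shape in authentication logs: one source trying many distinct usernames with a high failure rate, as opposed to one user fumbling their own password. This is an added illustration, not code from the analyst or from OWASP; the log lines are constructed and the thresholds are assumptions a site would tune.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). One source walks through
# many usernames with mostly failures; another is a single user retrying once.
LOG = """\
2016-09-22T10:00:01Z login src=198.51.100.5 user=alice result=fail
2016-09-22T10:00:01Z login src=198.51.100.5 user=bob result=fail
2016-09-22T10:00:02Z login src=198.51.100.5 user=carol result=fail
2016-09-22T10:00:02Z login src=198.51.100.5 user=dave result=success
2016-09-22T10:00:03Z login src=198.51.100.5 user=erin result=fail
2016-09-22T10:00:03Z login src=198.51.100.5 user=frank result=fail
2016-09-22T10:05:00Z login src=203.0.113.9 user=alice result=fail
2016-09-22T10:05:04Z login src=203.0.113.9 user=alice result=fail
2016-09-22T10:05:09Z login src=203.0.113.9 user=alice result=success
"""
LINE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def summarize(log: str) -> dict:
    """Per source IP: set of distinct usernames tried, total attempts, failures."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not login events
        src, user, result = m.groups()
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        if result != "success":
            s["failures"] += 1
    return stats

def suspected_stuffing(log: str, min_users: int = 5, min_fail_rate: float = 0.7) -> list:
    """Flag sources that tried at least `min_users` distinct accounts and failed at
    least `min_fail_rate` of the time (assumed thresholds). A lone user retrying
    their own account never trips the distinct-user bar. The stray success from
    the flagged source is the account the defender should force to re-credential."""
    flagged = []
    for src, s in summarize(log).items():
        fail_rate = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged.append(src)
    return sorted(flagged)
```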

Malware Finds an Easy Way to Evade Analysis

An otherwise unremarkable bit of malware embedded in a Word document has found a simple and effective way to detect automated analysis efforts.  If the history of opened documents is mostly empty, the malware assumes that the environment was built as a clean environment for analysis.  In this case the malware changes its behavior in order to frustrate analysis, thus prolonging its lifespan in the wild.


IISP Analyst Joel Odom: "Clean virtual environments are often used to analyze malware, so it should come as no surprise when malware attempts to evade analysis by changing its behavior if it detects an analysis environment.  This has led anti-malware researchers to design analysis environments that are difficult to distinguish from real environments.  Predictably, malware authors have become cleverer about detecting analysis environments, and the cat-and-mouse game between malicious actors and cyber defenders continues.  The malware analyzed in this article isn’t particularly special, but I love the simple trick that the malware uses to detect a virtual environment.  The simplest ideas are often the best ideas."

Who Gets the Boot?

Researchers at the Delft University of Technology recently presented work at RAID describing the victims of DDoS attacks, specifically those that rely on protocol amplification. Their findings suggest the majority (62%) of the victims are in access networks, such as consumer ISPs, rather than hosting networks. Only a small fraction of victims are enterprise networks. Furthermore, the victim rate in a network is strongly proportional to the size of the network, which suggests the commoditization of these attacks is leading to them being deployed uniformly.


IISP Analyst Yacin Nadji: "DDoS services can be purchased from professional-looking websites for as little as $5.63 for 125 Gbps of traffic. The proliferation of these services, often branded as stress-testing tools, means anyone with some pocket change can launch a high-volume DDoS attack for at least a brief period of time. The low cost suggests it is easy to set up and launch these attacks, probably because of the prevalence of misconfigured services and the lack of BCP38 enforcement by networks. While the authors cannot say for sure, it appears that many of these attacks are directed at gaming websites, presumably to disconnect or boot players from the game's network. This may appear comforting, but shows that if angry teenagers can afford the service to kick opponents from games, more sophisticated DDoS attacks against enterprises or core Internet infrastructure are likely not much more expensive."

Federal Court Unseals DC Trap-and-Trace Stats

A federal court justice in Washington, D.C. has ordered the unsealing of records related to the government’s use of electronic surveillance, in particular pen registers (also known as ‘trap-and-trace’ devices), during 2012. These devices allow the tracking of specific phone lines and email headers – but not the content of the communications – without the need for probable cause or an official warrant. Pen register applications are sealed to prevent tipping off subjects of ongoing investigations, but they are rarely reviewed and unsealed once the need for secrecy has passed. This ruling is in response to a petition VICE News filed in July 2013, immediately following the Snowden disclosures.


IISP Analyst Holly Dragoo: "Read the petition – this poses an interesting debate. Mr. Leopold (the petitioner/VICE reporter) is requesting a limit on the number of days that records can be sealed, in addition to his request for data about the (235) pen register applications submitted. I’m no lawyer, but it seems to me this will add gas to the inflamed privacy debate going on, in particular, what constitutes a “reasonable expectation of privacy.” A good example of this is your license plate number or address. These are public bits of information, but most of us take common-sense precautions not to advertise them or give them out to entities that don’t need them. By extension, it would seem that an email address or MAC address of a device might be treated the same way. In light of the ruling, it’s not clear what direction this will steer the debate; it’s merely providing data where there was none publicly available before, but journalists and privacy groups are celebrating nonetheless.

Law enforcement must be able to operate with some level of discretion, without tipping off their intended targets. As such, it would be extremely detrimental to remove this capability from their investigative tools. While it doesn’t appear to be a goal of this petition, there are always political concerns it could be used as fodder in a later campaign. That said, to see the EFF using mild language in response, such as:

“We are pleased that the courts seem to be recognizing that they have been, perhaps inadvertently, party to creating a culture of secrecy around the government’s use of surveillance tools,” said Cindy Cohn, executive director of the Electronic Frontier Foundation, a reaction shared by several civil liberties groups. – Washington Post

…is a refreshing turn in the often acrimonious exchange between government officials and privacy advocates; it seemingly acknowledges this need for discretion, if not eye to eye with the USG position."