Archive for March, 2013

The last week has seen what is probably the largest distributed denial-of-service (DDoS) attack ever. A massive 300Gbps was thrown against the website of Internet blacklist maintainer Spamhaus, but the anti-spam organisation, together with CloudFlare, was able to recover from the attack and get its core services back up and running.

Spamhaus, a group based in both London and Geneva, is a non-profit organisation that aims to help email providers filter out spam and other unwanted content. Spamhaus is fairly resilient, as its own network is distributed across many countries, but the attack was still enough to knock its site offline on March 18.

Five national cyber police forces are investigating the attacks. A group calling itself STOPhaus, an alliance of hacktivists and cyber criminals, is believed to be responsible for bombarding Spamhaus with up to 300Gbps.

The attacks on Spamhaus illustrate a larger problem: the vulnerability of a system fundamental to the architecture of the Internet, the Domain Name System (DNS). The high attack bandwidth is made possible because the attackers are using misconfigured DNS servers, known as open recursive resolvers or open recursors, to amplify a much smaller attack into a larger data flood.

Known as DNS reflection, the technique uses requests for a relatively large zone file that appear to be sent from the intended victim’s network. According to CloudFlare, it initially recorded over 30,000 DNS resolvers that were tricked into participating in the attack. There are as many as 25 million of these open recursive resolvers at the disposal of attackers.

“In the Spamhaus case, the attacker was sending requests for the DNS zone file for to open DNS resolvers. The attacker spoofed the CloudFlare IPs we’d issued for Spamhaus as the source in their DNS requests. The open resolvers responded with the DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor.”
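As an added illustration (not code from the original post or from CloudFlare), the following Python sketch shows how the operator of a recursive resolver could spot the reflection pattern described above in their own query logs: repeated ANY queries carrying an EDNS buffer, arriving from addresses the resolver was never meant to serve, that draw answers many times larger than the queries. The log lines are constructed, the trailing `resp=` field is an assumed extension of the BIND-style query log line, and the allowed client networks are placeholders.

```python
"""Spotting DNS reflection abuse in a recursive resolver's query log.

Added example, not code from the original post or from CloudFlare.
The log lines below are constructed; the trailing "resp=<bytes>" field is an
assumed extension of the BIND-style query log (BIND does not log answer
sizes on this line by default), and ALLOWED_CLIENTS is a placeholder.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Networks this resolver is meant to serve (placeholder values). Answering
# recursive queries for anyone else is what makes a resolver an "open recursor".
ALLOWED_CLIENTS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample log. 203.0.113.10 stands in for a spoofed victim address:
# the "client" is really the target, and every answer is reflected at it.
SAMPLE_LOG = """\
28-Mar-2013 10:00:01.001 client 203.0.113.10#53: query: example.net IN ANY +E (192.0.2.53) resp=2980
28-Mar-2013 10:00:01.002 client 203.0.113.10#53: query: example.net IN ANY +E (192.0.2.53) resp=2980
28-Mar-2013 10:00:01.003 client 203.0.113.10#53: query: example.net IN ANY +E (192.0.2.53) resp=2980
28-Mar-2013 10:00:01.010 client 10.0.0.7#51234: query: www.example.org IN A + (192.0.2.53) resp=61
28-Mar-2013 10:00:01.020 client 10.0.0.8#40021: query: mail.example.org IN MX + (192.0.2.53) resp=84
28-Mar-2013 10:00:01.030 client 203.0.113.10#53: query: example.net IN ANY +E (192.0.2.53) resp=2980
"""

LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<name>\S+) IN "
    r"(?P<qtype>\S+) (?P<flags>\S+) \((?P<resolver>\S+)\) resp=(?P<resp>\d+)"
)


@dataclass
class Query:
    src: str
    port: int
    name: str
    qtype: str
    edns: bool          # "E" in the BIND flags field: an OPT record was present
    resp_bytes: int


def parse_line(line):
    """Return a Query for a recognised log line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return Query(m["src"], int(m["port"]), m["name"], m["qtype"],
                 "E" in m["flags"], int(m["resp"]))


def query_wire_size(name, edns):
    """Size of a minimal UDP query: 12-byte header, QNAME in label form
    (one length byte per label plus the root byte), 4 bytes of QTYPE/QCLASS,
    and an 11-byte OPT pseudo-record when EDNS is in use."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = sum(1 + len(l) for l in labels) + 1
    return 12 + qname + 4 + (11 if edns else 0)


def analyse(log_text, allowed=ALLOWED_CLIENTS, min_queries=3, min_amp=10.0):
    """Group queries by source address and flag sources that (a) lie outside
    the networks the resolver should serve, (b) repeat, and (c) draw answers
    at least min_amp times larger than their queries."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is not None:
            per_src[q.src].append(q)

    findings = {}
    for src, qs in per_src.items():
        external = not any(ip_address(src) in net for net in allowed)
        req = sum(query_wire_size(q.name, q.edns) for q in qs)
        resp = sum(q.resp_bytes for q in qs)
        amp = resp / req
        findings[src] = {
            "external": external,
            "queries": len(qs),
            "types": sorted({q.qtype for q in qs}),
            "request_bytes": req,
            "response_bytes": resp,
            "amplification": round(amp, 1),
            "suspect": external and len(qs) >= min_queries and amp >= min_amp,
        }
    return findings


if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG).items():
        flag = "REFLECTION?" if f["suspect"] else "ok"
        print(f"{src:15} {f['queries']:3d} queries {f['types']} "
              f"amp x{f['amplification']:<6} {flag}")
```

On the constructed lines the reflected source comes out at roughly 75x, the same order of magnitude as the figure CloudFlare quotes, while the in-network A and MX lookups stay near 1x. The finding that matters most is the `external` flag: a resolver that answers recursive queries from outside its own client base is the misconfiguration the post describes, and restricting recursion to those networks removes it from the pool of usable reflectors regardless of what the amplification ratio is.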

It now seems that the attack is being orchestrated by a Dutch hosting company called CyberBunker. As long as it’s not child porn or anything related to terrorism, CyberBunker will host it, including the sending of spam. Spamhaus blacklisted CyberBunker earlier in the month.

However, the DDoS attacks have raised concerns that further escalations of the retaliatory attacks could affect banking and email systems. DDoS attacks are typically carried out to extort money from targeted organisations or as a weapon to disrupt organisations or companies in pursuit of ideological, political or personal interests.


Microsoft is expected to issue seven bulletins affecting all versions of its Windows operating system (OS), some Office components and also Mac OS X (through Silverlight and Office); 4 out of the 7 are critical patches.

  • Critical : The first bulletin will address a remote code execution vulnerability affecting Windows and Internet Explorer.
  • Critical : The second bulletin addresses a remote code execution vulnerability affecting Microsoft Silverlight.
  • Critical : The third bulletin addresses a remote code execution vulnerability affecting Office.
  • Critical : The fourth security bulletin addresses an elevation of privilege vulnerability affecting both the Office and Server suites.
  • Important : The fifth and sixth security bulletins address an information disclosure vulnerability affecting Microsoft Office.
  • The last bulletin addresses another elevation of privilege vulnerability, this one affecting Windows.
Microsoft and other software vendors are likely to release further patch updates soon, following the Pwn2Own competition that concluded earlier this month, at which security researchers broke the security of a number of applications. In fact, over the last three months there has been an IE update every month.

If you have Windows Update set to automatic, critical patches will be installed automatically, while important patches must be installed manually.

iOS was in the news lately for a series of security mishaps, but this time Android is back in the spotlight. A security flaw discovered by Terence Eden on the Galaxy Note II running Android 4.1.2 allows hackers to briefly bypass the phone’s lock screen without needing a password. By tapping “emergency call”, then “emergency contacts”, then holding the home button, the main home screen becomes visible for around a second, just enough time to load an app, before the device reverts to the lock screen.

The flaw appears to be similar to a screen lock vulnerability in newer Apple devices, including the iPhone 5.

Steps to follow:

  1. Lock the device with a “secure” pattern, PIN, or password.
  2. Activate the screen.
  3. Press “Emergency Call”.
  4. Press the “ICE” button on the bottom left.
  5. Hold down the physical home key for a few seconds and then release.
  6. The phone’s home screen will be displayed – briefly.
  7. While the home screen is displayed, click on an app or a widget.
  8. The app or widget will launch.
  9. If the widget is “direct dial” the phone will start ringing.

Using this method it could also be possible to load up email or SMS apps for long enough to get an overview of sensitive messages.


Evernote Hacked Reset Your Password

Posted: March 2, 2013 in Analysis
Cloud note-taking service Evernote has been hacked, and you now have to reset your password immediately. According to a post on the official Evernote blog, an unidentified attacker compromised the servers and extracted usernames, email addresses, and passwords.

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.
But those passwords were encrypted, so all users must change their password before they can log back into their account. “In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost.”
Evernote also said that they have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:
  • Avoid using simple passwords based on dictionary words.
  • Never use the same password on multiple sites or services.
  • Never click on ‘reset password’ requests in emails; instead, go directly to the service.