Anonymous shut down the Bank of Greece website in a powerful DDoS attack and vowed to target more banks in protest against financial corruption.

The online hacktivist collective Anonymous recently relaunched Operation OpIcarus, directed at the banking sector in Europe and the United States. The first bank to come under fire was the Bank of Greece, whose website was hit by a series of distributed denial-of-service (DDoS) attacks that kept its servers offline for more than six hours.

OpIcarus is all about targeting banking and financial giants

Anonymous’ Operation OpIcarus was launched in January 2016 and restarted in March 2016. The hacktivists behind the operation believe banks and financial giants are involved in corruption, and to register their protest they decided to take the fight to the next level.

In an exclusive conversation with one of the hacktivists behind the Greek bank DDoS attack, HackRead was told that:

“The Greek central bank has been offline all day. We would like all banks out there to know that unless they hold themselves accountable for their crimes against humanity, we will strike a new bank every single day and punish them #OpIcarus.”



Australia emerges as source for DDoS attacks

NBN connections abused for service disruption attacks.

Australia has appeared in content delivery network provider Akamai’s top ten list of sources for denial of service attacks for the first time, as high-speed broadband connections become more commonplace.

Akamai’s State of the Internet report saw Australia enter the top ten DDoS source list in the second quarter of 2015 with around four percent of attacks globally, putting it on par with larger countries such as Germany, Russia and Korea.

The report indicates fast NBN connections are being abused by attackers for denial of service attempts.

“Australia’s appearance on the list is likely due to the increased adoption of high speed internet access throughout NBN and connectivity of IOT [internet of things] devices in the region,” Akamai wrote.

The vast majority of DDoS attacks with non-spoofed source addresses came from Chinese internet users (37 percent), the United States (just under 18 percent) and the UK (10.2 percent), Akamai’s data showed.

Denial of service attacks are used for criminal purposes by those who seek to blackmail organisations and providers through service disruptions that harm their reputations.

Compared to the year before, the second quarter of 2015 saw a 132 percent increase in total DDoS attacks, with the number of 100 gigabit per second floods doubling from six to 12.

Attacks also lasted longer on average, 20.64 hours compared with 17.35 a year earlier, but Akamai saw an 11.5 percent decrease in average peak bandwidth.

SYN and Simple Service Discovery Protocol (SSDP) were the two most common flooding techniques used by attackers, who have started to combine several denial of service vectors for greater effect, Akamai said.

The largest DDoS recorded by Akamai in the second quarter of 2015 measured 240Gbps. Online gaming sites remain the most common target for DDoS attacks.

Akamai also saw one of the highest recorded packet rate attacks on the Prolexic network in quarter two of 2015.

This peaked at 214 million packets per second, an intensity sufficient to take out routers used by large Tier 1 internet providers.
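The two flooding techniques named above leave different fingerprints in flow data: a SYN flood is a very high packet rate of tiny TCP packets carrying only the SYN flag, while an SSDP reflection flood is large UDP replies arriving from source port 1900 on many amplifiers. The packet-rate figure (pps, or Mpps at the scale Akamai records) is the same measure that matters for the router-killing attacks described here. The following is an added example, not Akamai's code, that tags constructed NetFlow-style records with a vector, computes per-vector rates over an assumed 10-second window and flags a multi-vector attack; the thresholds are assumptions.

```python
"""Added example (not Akamai's code): tag sampled flow records with a DDoS vector
and compute per-vector packet and bit rates, which is how a collector tells a
SYN flood (tiny packets, bare SYN flag) from an SSDP reflection flood (large UDP
replies from source port 1900) and notices when both run at once. The flow
records below are constructed, not real data."""
from collections import defaultdict
from dataclasses import dataclass, field

SSDP_PORT = 1900      # reflected SSDP responses arrive with this as their UDP source port
WINDOW_SECONDS = 10   # assumed collection interval for the sample records

# Constructed records: (src_ip, dst_ip, proto, src_port, dst_port, tcp_flags, packets, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.5", "tcp", 40001, 80, "S", 2_000_000, 120_000_000),
    ("203.0.113.11", "198.51.100.5", "tcp", 40002, 80, "S", 2_500_000, 150_000_000),
    ("192.0.2.20", "198.51.100.5", "udp", 1900, 53211, "", 500_000, 650_000_000),
    ("192.0.2.21", "198.51.100.5", "udp", 1900, 53212, "", 400_000, 520_000_000),
    ("192.0.2.99", "198.51.100.5", "tcp", 51000, 443, "PA", 3_000, 2_400_000),
    ("192.0.2.100", "198.51.100.5", "tcp", 52000, 80, "PA", 12_000, 9_000_000),
]


@dataclass
class VectorStats:
    total_packets: int = 0
    total_bytes: int = 0
    sources: set = field(default_factory=set)

    def pps(self, window):
        return self.total_packets / window

    def mbps(self, window):
        return self.total_bytes * 8 / window / 1e6

    def avg_packet_size(self):
        return self.total_bytes / self.total_packets if self.total_packets else 0.0


def classify_flow(flow):
    """Map one flow record to a vector label from protocol, ports and TCP flags."""
    _, _, proto, sport, _, flags, _, _ = flow
    if proto == "udp" and sport == SSDP_PORT:
        return "ssdp_reflection"   # amplifier replies aimed at the victim
    if proto == "tcp" and flags == "S":
        return "syn_flood"         # bare SYNs that never complete a handshake
    return "other"


def summarize(flows):
    """Aggregate packets, bytes and distinct sources per vector."""
    stats = defaultdict(VectorStats)
    for flow in flows:
        s = stats[classify_flow(flow)]
        s.total_packets += flow[6]
        s.total_bytes += flow[7]
        s.sources.add(flow[0])
    return dict(stats)


def active_vectors(stats, window, pps_threshold, mbps_threshold):
    """Attack vectors exceeding either a packet-rate or a bandwidth threshold."""
    return sorted(
        label for label, s in stats.items()
        if label != "other"
        and (s.pps(window) >= pps_threshold or s.mbps(window) >= mbps_threshold)
    )


def is_multi_vector(stats, window, pps_threshold=50_000, mbps_threshold=100.0):
    """True when two or more vectors are over threshold in the same window."""
    return len(active_vectors(stats, window, pps_threshold, mbps_threshold)) >= 2


if __name__ == "__main__":
    stats = summarize(SAMPLE_FLOWS)
    for label, s in stats.items():
        print(f"{label:16s} {s.pps(WINDOW_SECONDS):>10,.0f} pps {s.mbps(WINDOW_SECONDS):>8.1f} Mbps"
              f"  avg {s.avg_packet_size():.0f} B  sources {len(s.sources)}")
    print("multi-vector:", is_multi_vector(stats, WINDOW_SECONDS))
```

On the constructed sample the SYN vector runs at 450,000 pps with 60-byte packets and the SSDP vector at roughly 936 Mbps with 1300-byte packets, so a packet-rate threshold catches the first and a bandwidth threshold the second; a collector that only watches bits per second would miss the SYN flood until much later.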

DDoS attack grounds Poland’s national airline

The chief executive of Polish national carrier LOT has warned that no airline is safe from the type of cyber attack that grounded his aircraft and hundreds of passengers at Poland’s busiest airport over the weekend.

Poland’s domestic intelligence agency said it had been called in to investigate, but there was no word on who might be responsible for the attack that disabled the system LOT uses for issuing flight plans.

The attack is likely to bring renewed scrutiny to the question of whether systems which help keep airliners safe in the air are adequately protected from hackers intent on causing havoc or even on bringing down a plane.

“This is an industry problem on a much wider scale, and for sure we have to give it more attention,” LOT chief executive Sebastian Mikosz told a news conference.

“I expect it can happen to anyone anytime.”

The airline said there was never any danger to passengers from the attack since it did not affect systems used by aircraft while in the air.

Around 1400 passengers were stranded at Warsaw’s Chopin airport when the flight plan system went down for around five hours on Sunday. Flights were taking off and landing as scheduled on Monday, the airline said.

Denial of service attack overloads network

A LOT spokesman said the problem was most likely caused by a Distributed Denial of Service (DDoS) attack.

“This was a capacity attack, which overloaded our network,” said the spokesman, Adrian Kubicki.

Ruben Santamarta, a researcher on airline cyber-security, said there are not enough details on the LOT attack to properly assess what happened. But he said it highlighted the vulnerability of passenger jets when they are on the tarmac preparing to fly.

“There are multiple systems at ground level that provide critical services for airlines and aircraft, in terms of operations, maintenance, safety and logistics,” said Santamarta, who is principal security consultant for Seattle-based security research firm IOActive.

Santamarta last year said he had figured out how to hack into the satellite communications equipment on passenger jets through their wi-fi and inflight entertainment systems.

Most denial of service attacks use a publicly reachable internet service as the channel through which to bombard their target. The LOT system has no public site.

“I am quite surprised that such sensitive systems dedicated to airline operations are exposed to the internet to be exposed to denial of service attacks,” said Pierluigi Paganini, the chief information security officer of Naples-based Bit4Id.

“Like many experts, I am waiting for more details to understand how this occurred,” he said.

Asked about whether the system was exposed to the internet, Kubicki, the airline spokesman, said the hackers had acted illegally to interfere with the operation of the system, but he said they had not gained direct access to any of the data contained within it.

“The key thing for an airline is the ability to apply certain emergency procedures in such situations and I think that we passed this test,” said Kubicki.


Banks beef up online security measures

Cyber attacks such as hacking put not only sensitive information but also huge sums of money at risk. Not far from home, the hacking of the Bangladeshi central bank’s account at the Federal Reserve Bank of New York in February led to $81 million in stolen money being laundered in Philippine casinos after entering the country through the financial system.

Banks are on their toes, and are now working to beef up online security measures to protect themselves and their customers.

“Online security is a continuing effort. Banks constantly exert efforts to update their security software and protocols. On the other hand, cyber-criminals also exert efforts to overcome bank security. So banks redouble efforts in reaction,” East West Banking Corp. president and chief executive Antonio C. Moncupa Jr. said.

“Banks are also careful that they have competent and trustworthy people to man their IT (information technology) systems,” Moncupa added.

In a recent interview, Etay Maor, senior fraud prevention strategist at IBM Security, said security threats in banking could be minimized by a very simple solution—data sharing among peers.

While he noted that banks by nature tend to be protective and secretive with data and information, Maor said it was only through information exchange that they could combat cybercriminals together.

He said one of the products of IBM, one of the fastest-growing security companies in the world, allowed thousands of firms to share information and collaborate to shield themselves from attacks.

“For example, if a criminal uses an IP address, users of our product share such information to warn others. We have no other way to beat criminals,” Maor said.

“You don’t have to shoot bombs today. You just have to shut down several banks and their infrastructure, and that’s it. Organized groups have capabilities to do cyber attacks. It has become easy to do phishing attacks … It’s very easy today to be a criminal—you can just go to online forums and ask questions, people will help you,” Maor pointed out.

Maor said cyber attacks on banks had become a global problem, such that billions of dollars were being lost to cybercriminals each year.

In a recent statement, cloud services provider and ePLDT affiliate IP Converge Data Services Inc. (IPC) said the banks’ cyber security measures at present were not enough.


IPC hence urged financial institutions “to safeguard their systems by deploying up-to-date security measures to ensure data and network protection” while also checking on their current data security setup as “even the most secure institutions are not exempt from the alarming increase in crimes perpetrated online.”

“This is a reality that has caused the loss of significant revenue for many businesses. The global recorded cost of cyber attacks is at $400 billion to $500 billion per year—about 50 percent of which is from Distributed Denial of Service (DDoS) attacks,” IPC president Rene Huergas said, citing data from its DDoS mitigation partner Nexusguard.

“Unless executives take stock of this as a serious issue at hand, companies are most likely to lose more,” Huergas warned.

Citing that “some institutions may have inadequate system and network security layers to protect them from cyber attack,” Huergas said not only the financial institution but also the customers faced greater danger.

“As data and network security is a commodity in this day and age, now is the best time to recognize that the threats are real and can make businesses vulnerable and susceptible to attacks, banks and financial institutions being the most inclined to this kind of attack,” Huergas said.

World’s most costly

According to IPC, “while DDoS attacks are considered the world’s most costly cyber crime, cyber attacks that involve malware, phishing, password attacks, MITM (man-in-the-middle), drive-by downloads, malvertising and rogue software are also widespread.”

“In fact, it was found that the Philippines’ vulnerability to cyber crimes has statistically doubled. A large percentage of computers in the country have been invaded by malware, the same intrusive software initially found to have allowed the illegal electronic transfer of funds in the Bangladesh case,” IPC added.

“This condition poses a real and imminent threat as records from the Bangko Sentral ng Pilipinas (BSP) show that around 22 million people use electronic banking services and channels and that the volume and value of e-money transactions keep growing over the years. The figure continues to increase each year as more and more people join the workforce and make use of a bank’s facilities. This translates to the overwhelming amount of data that is at risk,” according to IPC.

“Depending on the needs of the institution, additional security measures have to be in place. It is also as important to regularly review and assess whether these security measures are being implemented and are functioning well,” said Niño Valmonte, IPC director for product management and marketing.

IPC said “businesses that do not have a core competency on data and network security may leave it to experts … to conduct rigid vulnerability assessments to ensure that all bases are covered.”

Even the BSP has long been aware of risks from cyber crime.

At the first Cybersecurity Summit for the Financial Services Industry held last November, BSP Governor Amando M. Tetangco opened the event reminding industry players: “It is a fact: Cyber crimes are being committed and financial institutions and financial consumers are being targeted.”

Citing the transformative power of technology in many aspects of human lives, Tetangco noted that technology had likewise revolutionized banking and the manner it was providing services and products such that financial customers could now perform banking transactions anytime, anywhere at their convenience.

“Based on our records as of December 2014, about 22 million users of electronic banking services and channels were being serviced by more than one hundred banks across the country.  Indeed, we have seen the volume and the value of transactions using e-money and e-banking channels grow steadily over the years,” Tetangco said.

The cyber landscape, however, has its downside, and also poses a threat to the financial sector.

“As in other fields, there is a downside that comes with innovations in technology—criminal elements have likewise evolved. While it is far from widespread, cyber crimes exploit advances in technology to expand, conceal and perpetrate their criminal activities from the real world to the cyber realm,” Tetangco noted.

He cited how authorities had arrested foreigners belonging to a cyber syndicate involved in ATM skimming, credit card fraud and phishing.

While Tetangco conceded that cyber attacks and crimes against the financial industry would likely go on, the sector could manage the risks.

In 2013, the BSP issued Circular No. 808 which, Tetangco noted, “provides the framework for technology risk management which takes into account robust and multilayered security controls for cyber-risk prevention, detection and response.”

Under Circular 808, all banks and BSP-supervised institutions have an obligation to report to the BSP any breach in information security, especially incidents involving the use of electronic channels.

“The BSP has also introduced various initiatives and supervisory enhancements for a more proactive approach to cyber security supervision and oversight,” Tetangco added.


DDoS attacks on the rise as UK named as a key target

New research has revealed that the UK is one of the biggest targets for DDoS criminals, as the number of attacks continues to soar.

The latest Imperva Global DDoS Threat Landscape Report discovered that the UK is the second-most targeted nation, being hit by over nine per cent of all DDoS attacks in the first three months of 2016. Only the US suffered more, at 50.3 per cent.


Main source

Businesses of all sizes are being targeted by the global threat of DDoS attacks, according to the report, which also revealed that South Korea is the main source of DDoS attacks around the globe. This is partly down to a sharp rise in botnet activity in the country, according to Imperva. Russia and Ukraine also topped the list of originating countries, particularly via the Generic!BT malware, a Trojan used to compromise Windows computers.


Frequency increase

Finally, Imperva also saw the frequency of attacks continue to increase. In the first quarter of 2016, every other site that came under attack was targeted more than once. The number of sites that were targeted between two and five times increased from 26.7 percent to 31.8 percent.

Imperva’s Igal Zeifman said: “Every DDoS attack mitigated is an invitation for the attacker to try harder. This is the reality of DDoS protection business and the common motive for many of the trends we are observing in the DDoS threat landscape today.”


DDoS attackers are developing more elaborate tools and attack methods

As we’ve reported repeatedly in these pages, distributed denial of service attacks are growing both in terms of number and size.

Now it seems that DDoS attackers are coming up with even more elaborate tools and attack methods to take down websites and networks, according to the latest report from DDoS mitigation firm Imperva.

Imperva’s analysis is based on data from 3,791 network layer and 5,267 application layer DDoS attacks on websites using its Incapsula services from January 1, 2016 through February 29, 2016.

For example, attackers are expanding their use of browser-like DDoS bots capable of bypassing standard security challenges. The use of these bots increased to a record-breaking 36.6 percent of application layer attacks, up from 6.1 percent in the previous report.

In addition, DDoS attackers are increasingly using upload scripts to mount multi-gigabit HTTP POST flood attacks. The scripts randomly generate large files and attempt to upload them to the server, creating an HTTP flood of extremely large content-length requests.
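The defensive point about this technique is that a server which honours the declared Content-Length by allocating or reading the body has already lost: the decision has to be made from the request head, before any body bytes are consumed. The following is an added example, not Imperva's code, of a front-end guard that refuses oversized POSTs from the head alone, limits how many large uploads one client may start per minute, and rejects heads whose length is ambiguous. The size limits, per-IP budget and sample requests are assumptions constructed for the example.

```python
"""Added example (not Imperva's code): a front-end guard that decides on an HTTP
POST from its request head alone, so oversized uploads are refused before a single
body byte is read and one client cannot queue up many large uploads. Limits and
sample requests are assumed/constructed."""
import time
from collections import defaultdict, deque

MAX_CONTENT_LENGTH = 10 * 1024 * 1024   # assumed hard cap per request (10 MiB)
LARGE_POST_BYTES = 1 * 1024 * 1024      # POSTs at or above this count against a per-IP budget
LARGE_POSTS_PER_MINUTE = 5              # assumed per-IP budget for large uploads


def parse_request_head(head: bytes):
    """Parse the request line and headers of an HTTP/1.1 head; reject duplicate headers."""
    lines = head.decode("latin-1").split("\r\n")   # header bytes are not guaranteed UTF-8
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name = name.strip().lower()
        if name in headers:
            raise ValueError(f"duplicate header: {name}")
        headers[name] = value.strip()
    return method, target, headers


class PostFloodGuard:
    def __init__(self, max_len=MAX_CONTENT_LENGTH, large=LARGE_POST_BYTES,
                 budget=LARGE_POSTS_PER_MINUTE, now=time.monotonic):
        self.max_len, self.large, self.budget, self.now = max_len, large, budget, now
        self.recent = defaultdict(deque)   # client_ip -> timestamps of recent large POSTs

    def decide(self, client_ip, head):
        """Return (status, reason); status 0 means pass the request through."""
        try:
            method, _, headers = parse_request_head(head)
        except ValueError as exc:
            return 400, str(exc)
        if method != "POST":
            return 0, "pass"
        length = headers.get("content-length")
        if "transfer-encoding" in headers and length is not None:
            return 400, "content-length with transfer-encoding is ambiguous"
        if length is None:
            return 411, "length required"
        if not length.isdigit():
            return 400, "bad content-length"
        length = int(length)
        if length > self.max_len:
            return 413, "payload too large"        # decided before the body is read
        if length >= self.large:
            window, t = self.recent[client_ip], self.now()
            while window and t - window[0] > 60:
                window.popleft()                    # drop entries older than the budget window
            if len(window) >= self.budget:
                return 429, "large-upload budget exceeded"
            window.append(t)
        return 0, "pass"


if __name__ == "__main__":
    guard = PostFloodGuard()
    # Constructed request head: a 50 MiB upload attempt (header only; no body is needed)
    head = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 52428800\r\n\r\n"
    print(guard.decide("198.51.100.7", head))
```

A reverse proxy or WAF applying this logic replies with 413 or 429 and closes the connection without reading the body, so the attacker's randomly generated files cost the attacker bandwidth but the server nothing beyond header parsing. The budget is per client address, so a distributed flood still needs a separate client for every five large uploads per minute.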

Also, network layer attacks are growing more sophisticated. Attackers are employing millions-of-packets-per-second, or Mpps, assaults in which small network packets are pumped out at extremely high speed to overwhelm network switches, resulting in denial of service.

In terms of botnets, the first quarter saw a steep increase in DDoS traffic out of South Korea, making it the country of origin for 29.5 percent of botnet activity. The majority of these assaults were aimed at websites hosted in Japan and the United States.

The United States took the brunt of all DDoS attacks, with a majority of attacks targeting that country. The United Kingdom came in a distant second with 9.2 percent of attacks targeting that country.



Can Hybrid DDoS Mitigation Stop Large Application Layer Attacks? | Neustar Blog

We recently received an email from a customer asking about hybrid DDoS mitigation and its ability to stop large application layer attacks.

Here’s the truth: Hybrid DDoS mitigation works and can stop large application layer attacks. Hybrid DDoS mitigation typically involves a purpose-built DDoS mitigation appliance or software on dedicated hardware that sits immediately in front of or behind an enterprise’s edge router. This type of mitigation is great at stopping low and slow attacks, small probing attacks, and many application-layer attacks on premises.

The local DDoS mitigation appliance can even stop larger volumetric or application layer attacks if an enterprise has large Internet access pipes, a lot of headroom on those pipes, and a DDoS mitigation appliance with high throughput and mitigation capacity. When the local appliance or the Internet circuit is nearing a capacity, bits per second, or packets per second threshold, traffic destined for the attacked resource can be redirected to the cloud-based DDoS mitigation hardware that is part of the hybrid solution.

Better hybrid solutions share state and mitigation information between the local appliance and the cloud-based platform. Many of those hybrid solutions allow both learned and manually-set thresholds for failover from local to cloud-based mitigation. This failover can be manually triggered or fully automated to provide a seamless, proactive experience. The best hybrid solutions offer a full set of layer 3 through 7 countermeasures on the local mitigation appliance that are comparable to the countermeasures in the much higher capacity cloud-based platform.
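The failover decision described above has three inputs that a practitioner has to reconcile: a hard limit set by the circuit and the appliance, a learned threshold derived from normal traffic, and any manually set threshold. Two details decide whether it works in practice: the baseline must not be updated from intervals that are already under attack, and the swing back to local mitigation needs hysteresis so a fluctuating attack does not flip traffic back and forth. The following is an added example, not Neustar's code, of that logic with an exponentially weighted moving average baseline; every capacity figure and factor is an assumption.

```python
"""Added example (not Neustar's code): deciding when a hybrid deployment should
swing traffic from the on-premises appliance to cloud scrubbing. Thresholds are
either learned from an EWMA baseline or set manually, a hard circuit limit always
applies, and hysteresis stops the decision from flapping. All figures are assumed."""

CIRCUIT_GBPS = 10.0        # assumed upstream circuit capacity
APPLIANCE_MPPS = 8.0       # assumed appliance packet-rate ceiling
HEADROOM = 0.8             # fail over at 80% of either hard limit, whatever the baseline says
ALPHA = 0.1                # EWMA weight for learning the normal traffic level
ANOMALY_FACTOR = 4.0       # learned trigger = factor x baseline
RECOVER_FACTOR = 1.5       # come back only when traffic is below trigger / factor
MIN_TRIGGER_GBPS = 1.0     # floors so a quiet baseline cannot produce a hair-trigger
MIN_TRIGGER_MPPS = 0.5


class HybridFailover:
    def __init__(self, manual_gbps=None, manual_mpps=None):
        self.manual_gbps = manual_gbps   # operator-set overrides, if any
        self.manual_mpps = manual_mpps
        self.baseline_gbps = None        # learned only from intervals judged normal
        self.baseline_mpps = None
        self.in_cloud = False

    def triggers(self):
        """Effective (gbps, mpps) failover thresholds: the tightest of hard, learned and manual."""
        gbps = [HEADROOM * CIRCUIT_GBPS]
        mpps = [HEADROOM * APPLIANCE_MPPS]
        if self.baseline_gbps is not None:
            gbps.append(max(ANOMALY_FACTOR * self.baseline_gbps, MIN_TRIGGER_GBPS))
            mpps.append(max(ANOMALY_FACTOR * self.baseline_mpps, MIN_TRIGGER_MPPS))
        if self.manual_gbps is not None:
            gbps.append(self.manual_gbps)
        if self.manual_mpps is not None:
            mpps.append(self.manual_mpps)
        return min(gbps), min(mpps)

    def _learn(self, gbps, mpps):
        if self.baseline_gbps is None:
            self.baseline_gbps, self.baseline_mpps = gbps, mpps
        else:
            self.baseline_gbps += ALPHA * (gbps - self.baseline_gbps)
            self.baseline_mpps += ALPHA * (mpps - self.baseline_mpps)

    def step(self, gbps, mpps):
        """Feed one interval's observed rates; return where traffic should be scrubbed."""
        tg, tm = self.triggers()
        if self.in_cloud:
            # Hysteresis: only return once well under the trigger on both axes.
            if gbps < tg / RECOVER_FACTOR and mpps < tm / RECOVER_FACTOR:
                self.in_cloud = False
        elif gbps >= tg or mpps >= tm:
            self.in_cloud = True
        if not self.in_cloud:
            self._learn(gbps, mpps)   # attack intervals never poison the baseline
        return "cloud" if self.in_cloud else "local"


if __name__ == "__main__":
    f = HybridFailover()
    # Constructed sequence of per-interval (Gbps, Mpps) readings: quiet, then a flood, then recovery
    for gbps in (1.0, 1.0, 1.0, 1.0, 1.0, 1.2, 5.0, 3.0, 1.1):
        print(f"{gbps:4.1f} Gbps -> {f.step(gbps, 0.2):5s}  triggers={f.triggers()}")
```

In the constructed sequence the 5.0 Gbps interval is far below the circuit's hard limit but four times the learned baseline, so it triggers the swing to cloud; the following 3.0 Gbps interval stays in the cloud because of the hysteresis margin, and the baseline is untouched by either.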

Intelligent, application-layer DDoS attacks (such as HTTP GETs targeting specific objects on a webpage and designed to bog down a web server) are getting larger—even approaching 10Gbps, while we have seen larger volumetric (layer 3 / 4) DDoS attacks even 400Gbps or higher for several years. Application-layer attacks generally require more granular countermeasures and greater expertise to mitigate, and will drive CPU utilization higher on the targeted system or attempt to saturate the connections per second.

Publicizing that a hybrid DDoS mitigation solution could not deal with a larger application-layer attack makes a couple of faulty assumptions about the nature of Internet protocols and the OSI model (Open Systems Interconnection framework that characterizes the nature of protocol interactions).

Take, for example, a very large HTTP GET application-layer attack. Most DDoS attacks can be mitigated in a number of different ways based on preset thresholds or tuned countermeasures. The mitigation tool or countermeasure chosen depends both on the nature of the attack and the nature of the enterprise’s normal traffic. The local DDoS mitigation appliance in a hybrid scenario can mitigate before or after the session is established, up to its scrubbing throughput or local Internet capacity. Any assertion that a DDoS mitigation appliance can only mitigate an established TCP session is therefore false. SYN reset or SYN authentication could be performed in a variety of different ways. HTTP traffic does not need to be mitigated at layer 7. It could be mitigated at layer 4.
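The claim that HTTP traffic can be handled at layer 4 rests on SYN authentication: the appliance answers each new source's SYN itself, encoding a keyed MAC in the sequence number instead of allocating a half-open connection, and only a source that completes the handshake with the right acknowledgement is allowed through to the server. A spoofed source never sees the SYN-ACK and so never passes, which is why a flood of SYNs costs the appliance one MAC computation per packet and no memory. The following is an added example, not Neustar's code, of that exchange with both sides' packets as simplified dictionaries; the cookie layout, the whitelist lifetime and the cookie validity window are assumptions, and the real Linux SYN-cookie format also packs the negotiated MSS, which this omits.

```python
"""Added example (not Neustar's code): SYN authentication done at layer 4 with
SYN cookies, so a scrubbing appliance can challenge every new source without
keeping per-connection state for spoofed SYNs. Packet fields are simplified."""
import hashlib
import hmac
import secrets

ISN_MASK = 0xFFFFFFFF
VERIFIED_TTL = 120   # assumed: seconds a source stays whitelisted after a good ACK
COOKIE_MAX_AGE = 4   # assumed: seconds an issued cookie remains valid


def _mac24(secret, src, dst, sport, dport, t):
    """24-bit HMAC over the 4-tuple and a time counter (mod 256)."""
    msg = f"{src}|{dst}|{sport}|{dport}|{t & 0xFF}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, dst, sport, dport, t):
    """Initial sequence number: top 8 bits = time counter mod 256, low 24 bits = MAC."""
    return ((t & 0xFF) << 24) | _mac24(secret, src, dst, sport, dport, t)


def check_cookie(secret, src, dst, sport, dport, ack, now, max_age=COOKIE_MAX_AGE):
    """A valid ACK acknowledges cookie+1 for a cookie issued within max_age seconds."""
    cookie = (ack - 1) & ISN_MASK
    t_field, mac = cookie >> 24, cookie & 0xFFFFFF
    for age in range(max_age + 1):
        t = now - age
        expected = _mac24(secret, src, dst, sport, dport, t)
        if (t & 0xFF) == t_field and hmac.compare_digest(
                mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return True
    return False


class SynAuthenticator:
    """Per-source challenge: unknown SYN -> SYN-ACK with cookie; good ACK -> source forwarded."""

    def __init__(self, secret, now_fn):
        self.secret = secret          # per-appliance key; rotate it in practice
        self.now = now_fn
        self.verified = {}            # src_ip -> expiry time; the only state kept

    def handle(self, pkt):
        """Return (action, reply). action is forward, challenge, verified or drop."""
        t = self.now()
        if self.verified.get(pkt["src"], -1) > t:
            return "forward", None
        tup = (self.secret, pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        if pkt["flags"] == "S":
            cookie = make_cookie(*tup, t)
            # The SYN-ACK goes to the claimed source; a spoofed address never sees it.
            return "challenge", {"flags": "SA", "seq": cookie, "ack": (pkt["seq"] + 1) & ISN_MASK}
        if pkt["flags"] == "A" and check_cookie(*tup, pkt["ack"], t):
            self.verified[pkt["src"]] = t + VERIFIED_TTL
            return "verified", None
        return "drop", None   # bare SYN floods and guessed ACKs stop here


if __name__ == "__main__":
    clock = [1000]
    auth = SynAuthenticator(secrets.token_bytes(32), lambda: clock[0])
    # Constructed client packets (addresses from documentation ranges)
    syn = {"src": "192.0.2.5", "dst": "198.51.100.5", "sport": 40000, "dport": 80,
           "flags": "S", "seq": 12345, "ack": 0}
    action, synack = auth.handle(syn)
    print(action, synack)
    ack = dict(syn, flags="A", seq=12346, ack=(synack["seq"] + 1) & ISN_MASK)
    print(auth.handle(ack))   # a real client answers the SYN-ACK and is verified
    print(auth.handle(syn))   # its retried SYN is now forwarded to the server
```

The appliance forwards nothing until the ACK validates, so the server behind it only ever sees handshakes from sources that really own their address; an attacker who wants to get past this must spend a real, non-spoofed connection per source, which is exactly the point at which the rate limiting and layer-7 countermeasures become effective.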

In short, hybrid DDoS mitigation does work. And like everything else, it functions best when done properly.


GitHub recovers from major outage; cause unknown – SC Magazine UK

GitHub, a frequent target of distributed denial of service (DDoS) attacks, experienced a major outage Tuesday morning; however, the software development hosting service tweeted shortly thereafter that it identified the problem and that its online operations were running normally again.

As of writing, it is not publicly known if the outage stemmed from an internal error or from the latest in a series of external cyber-attacks against the service. GitHub’s site performance was noticeably impacted just this past 23 March following a DDoS assault against the website.

Asked for an update and an explanation of the underlying issue, a member of GitHub’s communications department directed SC to its online status page, which showed that from around 4:30 a.m. to 6 a.m. eastern standard time, app server availability ostensibly plummeted to zero percent, while response times spiked.

Travis Smith, senior security research engineer at cyber-security software firm Tripwire, said in a statement emailed to SC, “while a drop in service such as this may be attributed to an operational malfunction internally at GitHub, it can’t be ruled out that this was a targeted attack”, against not just GitHub, but also “any number of their customers who leverage GitHub’s service in production environments.”

GitHub experienced an especially severe DDoS attack in March 2015 — an attack that many researchers have attributed to state-sponsored Chinese hackers.


Turkey launches inquiry into leak of 50 million citizens’ data | Reuters

Turkey is investigating how hackers have posted online the identity data of some 50 million Turks, including what they said were details about the president and prime minister, after what is believed to be the biggest data breach seen in the country.

While no group has taken credit for uploading the data to a website called the Turkish Citizenship Database, the comments posted suggest Turkey may be a target of political hackers.

The 1.5 gigabyte compressed file contains the national identity number, date of birth and full address for 49.6 million Turks, according to the website, or around two thirds of the population.

The website said it included the ID information of President Tayyip Erdogan, Prime Minister Ahmet Davutoglu and former president Abdullah Gul and taunted the president.

“Who would have imagined that backward ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?” the website says. “Do something about Erdogan! He is destroying your country beyond recognition.”

An official at Ankara’s chief prosecutor’s office said on Wednesday it was investigating the breach, but declined to give further details.

The number of Turkish citizens affected was roughly the same size as the entire electorate, Justice Minister Bekir Bozdag told reporters.

“How and from where this was leaked needs to be looked into,” he said. “I believe the necessary investigations – both administrative and judicial – have been launched and whatever is necessary will be done.”


Tuncay Besikci, a computer forensics expert at auditing and consultancy firm PwC, confirmed to Reuters the file contained ID numbers and personally identifiable information of at least 46 million citizens.

Transport and Communication Minister Binali Yildirim said on Tuesday the breach appeared to date back to at least 2010. It is not clear when the file was first uploaded, although reports of it surfaced in local media this week.

He said the data was from electoral records that the state shares with political parties before elections.

However, Besikci, the computer expert, said he believed the data was taken from the government’s official Population Governance Central Database in or around 2009 and later illegally sold on to firms that dealt in asset foreclosures.

In December, Turkish Internet servers suffered one of the most intense cyberattacks seen in the country, raising fears Ankara may have been a target of political hackers.

The December hacking involved a flood of disruptive traffic, known as a DDoS (Distributed Denial of Service) attack, where computers target specific Internet sites, resulting in web speeds plummeting.

Under Erdogan, Turkey has a taken a tough stance on social media sites. Turkey has blocked access to sites such as Twitter, often due to images or other content being shared.

Last month an Ankara court ordered a ban on access to both Twitter and Facebook after images from a car bombing in the capital were shared.


USA charges Iran in cyber attacks against banks, NY dam

The indictment alleges that the suspects caused cyber mayhem, including coordinated “distributed denial of service”, or DDoS, attacks – which attempt to overwhelm servers – on USA financial institutions.

Those targeted included the New York Stock Exchange, the Bank of America, NASDAQ, JPMorgan Chase, Wells Fargo and American Express.

“The attacks were relentless, systematic and widespread”, Attorney General Loretta Lynch said at a briefing Thursday at the Justice Department. She said the hackers used anonymity “to break our laws through cyber intrusions and to threaten our security and economic well-being…”

Federal investigators say that over the course of several weeks in 2013, one of the Iranian hackers repeatedly gained access to computers controlling key systems of the dam, located 29 miles from Manhattan.

The dam hack, which was previously reported in December, would theoretically have allowed the Iranians to open and close the sluice gate, but at the time of the intrusion it had been manually disconnected for maintenance, the government said.

The hacker was able to access water level and temperature data, as well as the status of the sluice gate, which controls water levels and flow rate.

“Just because they are not here now does not mean we will never get them”, she said. Initially, the DOJ focused on the hacking of a NY dam, but it looks like those efforts were part of a broader plan.

The attacks, which took place between 2011 and 2013, prevented hundreds of thousands of customers from gaining entry to their accounts. The DDoS attacks on United States financial institutions were disruptive and costly, but the dam hacking poses a qualitatively different risk of harm.

‘Today we have unsealed an indictment against seven alleged experienced hackers employed by computer security companies working on behalf of the Iranian government, including the Revolutionary Guard Corps,’ Lynch said. Faroozi is the only defendant charged with hacking the dam.

The indictments against the Iranian hackers reflect Iran’s growing cybersecurity capabilities, which have been developed since 2009, when massive protests spurred the government to find ways to manipulate its networks, says James Lewis, a cybersecurity researcher at the Center for Strategic and International Studies.

“The message of this case is that we will work together to shrink the world and impose costs on those people so that no matter where they are we will try to reach them and no matter how hard they work to hide their identity and their tradecraft, we will find ways to pierce that shield and identify them”.

Lynch remained optimistic about the chances to bring both Chinese and Iranian hackers to justice in a USA courtroom.

The United States and Israel covertly sabotaged Iran’s nuclear programme in 2009 and 2010 with the now-famous Stuxnet computer virus, which destroyed Iranian centrifuges that were enriching uranium.

The Islamic Republic also said that the United States was in “no position” to accuse nationals of other countries without providing any evidence.

But the attack alarmed Obama administration officials who have voiced concerns about the vulnerability of US infrastructure to cyberattacks.