July 2009 Archives


Bkis Internet Security, a Vietnam-based security organization and a member of APCERT (Asia Pacific Computer Emergency Response Team), was asked by the Korean CERT team KrCERT to investigate the July 2009 DDoS botnet attacks. Bkis analyzed the data it received from KrCERT, located 8 command-and-control servers, and obtained access to two of them. After analyzing the traffic, Bkis reported that the original estimate of 20,000 to 50,000 infected systems in the botnet was closer to 166,909 zombies spread across 74 countries.

The U.S. CERT teams and the Korean CERT teams continue to investigate these incidents in the hope of identifying the source of the attacks.

Links:
H-Online DDoS attacks on South Korea and U.S.
Bkis Internet Security - Korea and U.S. DDoS attacks



The Department of Homeland Security states that:
PASS ID is a critical piece of national security legislation that will fix the REAL ID Act of 2005 and institute strong security standards for government-issued identification.


Links:
DHS article on PASS-ID
PASS-ID Act S.1261


Here's a good reminder that the security of a system is only as good as its weakest link. In this case, a hacker claims to have broken into numerous accounts belonging to Twitter's CEO Evan Williams.

As Download Squad's Lee Mathews points out, the fact that the account(s) were initially breached through "password recovery mechanisms" underscores the inherent weakness of relying on "secret questions" for account security.

If you've created even a few accounts on the Internet, you are familiar with secret-question security. The idea is that if you forget the password for a particular account, you can ask the site to reset it (and/or send it to an email address) if you can correctly answer a secret question. You chose the question and supplied the answer when you created the account. For example, "What is my mother's maiden name?" or "What is the name of the elementary school I attended?"

The weakness, of course, is that a hacker might be able to figure out the answer to this question and gain access to your account. This assumes that either the hacker has access to your email account already, or the account password mechanism doesn't rely on email.

But wait, you say - Williams is a public figure. It can be easy to find all kinds of information on public figures and celebrities. Maybe so, but as regular folks like you and me share more of our personal lives on sites like Facebook, LinkedIn, personal blogs, and, yes, even Twitter, it becomes a simple matter for a hacker to find the information needed to gain access to anyone's online accounts.

Consider how long I would have to search to guess your mother's maiden name by looking through your Facebook friends (surely you must have some maternal relatives there). Do we talk about our kids and our pets on our blogs and tweets? Is it that hard to use Classmates.com to find out who went to what elementary school?

The odds of being specifically targeted in an attack like this are definitely higher for celebrity types. Still, we should all mind the private information we make available to other folks on the Internet, even those who claim to be our friends (Do you know if that Facebook friend really is your long lost BFF from junior high?). And if you must use a secret question to protect an account, try to find one that will be harder to research through public records, or make up a fake answer and make sure you remember it!
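The recovery flow described above, written out as an added example (this is not code from the original post or from Twitter): it stores the secret answer as a salted hash rather than in the clear, normalizes case and whitespace so a legitimate user is not locked out by a stray capital letter, refuses answers that a researcher could pull from a list of common surnames, and cuts off guessing after a small number of failed attempts. The surname list and the answers are constructed for the example; a real list would be far longer but just as skewed toward a few hundred names, which is exactly why a guessable answer falls in a handful of tries.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional

# Constructed stand-in for a public list of very common surnames (the kind of
# thing an attacker would consult first). Real lists are larger, not less skewed.
COMMON_SURNAMES = [
    "smith", "johnson", "williams", "brown", "jones", "miller", "davis",
    "garcia", "rodriguez", "wilson", "martinez", "anderson", "taylor",
    "thomas", "hernandez", "moore", "martin", "jackson", "thompson", "white",
]

MAX_ATTEMPTS = 5  # assumed policy: after this many failures, recovery is locked


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'Smith ' and 'smith' compare equal."""
    return " ".join(answer.strip().lower().split())


def is_weak_answer(answer: str) -> bool:
    """True when the answer is on the easily-researched list."""
    return normalize(answer) in COMMON_SURNAMES


def hash_answer(answer: str, salt: bytes) -> bytes:
    """PBKDF2 with a per-account salt: a leaked table does not give up the answers."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class RecoveryRecord:
    """Stored recovery state for one account: question, hashed answer, attempt counter."""

    def __init__(self, question: str, answer: str):
        if is_weak_answer(answer):
            raise ValueError("recovery answer is too easy to research or guess")
        self.question = question
        self.salt = os.urandom(16)
        self.digest = hash_answer(answer, self.salt)
        self.failed = 0

    def check(self, candidate: str) -> bool:
        """Verify one recovery attempt; refuses outright once the budget is spent."""
        if self.failed >= MAX_ATTEMPTS:
            return False  # locked: the user must use an out-of-band channel
        ok = hmac.compare_digest(hash_answer(candidate, self.salt), self.digest)
        if ok:
            self.failed = 0
        else:
            self.failed += 1
        return ok


def guesses_needed(answer: str, candidates: List[str]) -> Optional[int]:
    """How many tries someone working down the candidate list would need,
    or None if the answer is not on the list at all."""
    target = normalize(answer)
    for i, c in enumerate(candidates, 1):
        if normalize(c) == target:
            return i
    return None


def make_random_answer(nbytes: int = 12) -> str:
    """A made-up answer, as the post recommends; keep it in a password manager."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("'Smith' found after", guesses_needed("Smith", COMMON_SURNAMES), "guess(es)")
    random_answer = make_random_answer()
    print("random answer on the list?", guesses_needed(random_answer, COMMON_SURNAMES))
    rec = RecoveryRecord("What is my mother's maiden name?", random_answer)
    print("correct answer accepted:", rec.check(random_answer))
```

The two halves make the post's point together: `guesses_needed` shows that a true answer drawn from a skewed population is found almost immediately, while the attempt limit in `check` caps what any guesser can try against one account. Neither helps if the answer is posted on a social network, which is why the random answer is the better fix.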


The Korea Herald reports that North Korea is the suspected source of a DDoS attack against South Korean government agencies, banks, and Internet portals. Although the network ranges involved in the attack may point to North Korea, it may not have been carried out under the direct orders of the Kim Jong-il government. South Korea believes that the North Korean government has also stepped up its cyber-warfare initiatives, including developing cyber-warfare simulation applications called "100 combat methods." Just as physical weapons have long been for sale, are there now botnets and warfare simulators available as tools for those who want a sneak peek at cyber defenses and forensics abilities - something like probing radar coverage, but from a distributed source - to see at what point the counter-attacks begin?

While reports from South Korea suggest the DDoS attacks may have originated from North Korea, other forensics experts are not ruling out that the attacks over the 4th of July holiday need further analysis: they may have been a smoke screen for an intrusion masked by all the noise. Disguising a real intrusion behind a cloud of DDoS traffic is a known tactic that managed security service providers watch for when looking at distributed attacks. The attackers want to draw everyone's attention to one or many DDoS attacks while a valuable trust relationship is being compromised somewhere else, in traffic that has nothing to do with the DDoS attack.
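One way an analyst can look for the "intrusion behind the noise" described above, as an added example that is not part of the original post: bucket connection events by minute, flag any minute whose volume is far above the median as a flood, work out which destination the flood is aimed at, and then list every event in those minutes that is not part of the flood, with sensitive service ports called out. The log format, the thresholds, the IP addresses and the single buried SSH connection are all constructed for the example; the same logic applies to real firewall or proxy logs once the parser is adjusted.

```python
from collections import Counter
from statistics import median
from typing import Dict, List, Set, Tuple

# Assumed policy values for the example, not derived from any real incident.
SENSITIVE_PORTS = {22, 445, 1433, 3389}
MIN_FLOOD_EVENTS = 20   # absolute floor so a tiny sample never counts as a flood
FLOOD_FACTOR = 5        # a minute must exceed this multiple of the median count


def build_sample_log() -> List[str]:
    """Constructed log lines (format: '<timestamp> <src> <dst> <dst_port> <action>'):
    four quiet minutes, then one flooded minute hiding a single SSH connection."""
    lines = []
    for minute in ("10:00", "10:01", "10:02", "10:03"):
        for i in range(3):
            lines.append(f"2009-07-07T{minute}:{i:02d} 10.9.1.{i + 1} 192.0.2.10 80 ALLOW")
    # a routine admin SSH session outside the flood, for contrast
    lines.append("2009-07-07T10:01:30 10.9.1.9 192.0.2.20 22 ALLOW")
    # the flood: 60 connections from 60 distinct sources to the web server
    for i in range(60):
        lines.append(f"2009-07-07T10:05:{i:02d} 203.0.113.{i} 192.0.2.10 80 ALLOW")
    # the needle: one SSH connection to a management host during the flood
    lines.append("2009-07-07T10:05:17 198.51.100.7 192.0.2.20 22 ALLOW")
    return lines


def parse(line: str) -> Dict:
    ts, src, dst, port, action = line.split()
    # ts[:16] is 'YYYY-MM-DDTHH:MM', the per-minute bucket key
    return {"ts": ts, "minute": ts[:16], "src": src, "dst": dst,
            "port": int(port), "action": action}


def flood_minutes(events: List[Dict]) -> Set[str]:
    """Minutes whose event count is far above the median per-minute count."""
    per_minute = Counter(e["minute"] for e in events)
    base = median(per_minute.values())
    return {m for m, n in per_minute.items()
            if n >= MIN_FLOOD_EVENTS and n > FLOOD_FACTOR * base}


def flood_target(events: List[Dict], minute: str) -> Tuple[str, int]:
    """The (dst, port) pair receiving the most traffic in that minute."""
    c = Counter((e["dst"], e["port"]) for e in events if e["minute"] == minute)
    return c.most_common(1)[0][0]


def buried_events(lines: List[str]) -> List[Dict]:
    """Events inside a flood minute that are not aimed at the flood's target.
    These are the connections the noise is most likely meant to hide."""
    events = [parse(line) for line in lines]
    found = []
    for minute in sorted(flood_minutes(events)):
        target = flood_target(events, minute)
        for e in events:
            if e["minute"] == minute and (e["dst"], e["port"]) != target:
                e["sensitive"] = e["port"] in SENSITIVE_PORTS
                found.append(e)
    return found


if __name__ == "__main__":
    for e in buried_events(build_sample_log()):
        flag = "SENSITIVE" if e["sensitive"] else "review"
        print(f"{e['ts']} {e['src']} -> {e['dst']}:{e['port']} [{flag}]")
```

The median-based threshold is deliberate: a flood inflates the mean, so comparing against the mean would hide the very minute you want to find. Sorting the buried events by sensitive port first is the obvious next step once the list gets long.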

AhnLab believes the attacks were carried out by a modified version of the MyDoom worm that used botnets to launch the attack.

Rented botnets seem to be a new form of cloud computing, used to test defenses, distract attention from what is really taking place, or simply make a political protest.

Links:
govinfosecurity.com
N.K. Combat Unit has 100 hackers
Ahnlab

© 2010 netForensics, Inc