What is the source of this overwhelming attack?

A vulnerability was discovered recently with certain servers that are exposed to the internet. If a certain type of packet was sent to the server with a small amount of data, the server would reply to the packet with a much greater quantity of data – in some cases up to 50,000 times more data.

Now most of you are thinking, well that would mean the server would reply to the sender with a big hunk of data and so overwhelm the bad guy.

The thing about the type of packet in question (officially known as User Datagram Protocol or UDP) is that the sender can change the source address of the packet to “spoof” where the packet came from. The vulnerable server will blindly believe that the reply should go to the victim and add lots of additional data. This is all because there is no verification of the source address when UDP packets are used.

So all the evil doer needs to do, is locate a large number of vulnerable servers, send them each a packet of data with the same spoofed source address and the servers will send a greater amount of data back to the victim address and cause an overwhelming attack on any services they have exposed to the internet. The following is a simple diagram of how this works – in this case a 1 Megabyte request gets amplified to 15 Megabytes:

So what can I do if I get hit?

If you fall victim to one of these attacks, the evil doers may contact you and demand a ransom payment to stop the attack.

Your first place to call is your Internet Service Provider (ISP). They may have a facility to mitigate such attacks or they can engage a third party company to do so. These services may not be cheap however – so you’ve got to balance this cost against any ransom that may be demanded.

Bear in mind, that if you do pay the ransom once, the chances are you’ll do so again (at least one more time).

My advice is don’t pay the ransom.

Engage the good guys to mitigate the attack.

Finally report the crime to An Garda Síochána.

What? Why???

A crime was committed.

No, they probably won’t be able to do anything about it.

But the more reports that the Gardai record on cyber crime, these will begin to factor in their statistics, which will mean once the scale of cyber crime is seen, they will begin to receive an adequate budget to deal with this type of crime, which they badly need.

The post Overwhelming attack sets new record. appeared first on L2 Cyber Security Solutions Ltd..

1. Ransomware levels will plateau, but constantly change

2. Smart Device Botnets will target the big service providers

3. There will be an even bigger data leak than 2016’s revelation of the Yahoo! world record leak

4. Russia will be accused of interfering in elections occurring across Europe

5. More Irish people will be protecting themselves from Cyber Threats

The post Review of my 2017 predictions. appeared first on L2 Cyber Security Solutions Ltd..

What is DNS?

A Domain Name Service is the backbone of addressing, as every website is stored on a server located somewhere on the internet. Your favourite security website (www.L2CyberSecurity.com) is sitting on a server in Dublin. That server has an Internet address of 217.78.11.90. You don’t need to know that long-winded number. You just need to know the nice, friendly name L2CyberSecurity.com. When you type that address, or click a link to that address in your browser, your PC/Laptop will pass the friendly name to some DNS server (whichever one it is configured to use), that will then return the long-winded number to the browser, so off it goes to that server and dishes up the webpage to you.

How does the existing DNS fail to protect me?

If you currently use the DNS server that your provider gives you, or perhaps OpenDNS or Google’s DNS, then if you get infected with malicious software, this will probably try to “phone home”, i.e.- connect with a server controlled by the evil doers. It will look to connect to the server by referencing a friendly name (e.g.- www.scaryevilhackersoftware.co) and the usual DNS servers will resolve that to the bad guys server and facilitate the connection.

IT’S NOT THEIR FAULT! This is how the internet is supposed to work.

How does Quad9 protect me?

The good people over at IBM, the Packet Clearing House (PCH) and Global Cyber Alliance came together and set-up this global service. They have made it genuinely free to use, without any sneaky monitoring of what you do. When you have it set-up, Quad 9 will check a site you are trying to connect to against the IBM X-Force threat intelligence database of over 40 billion analysed web pages and images. it also uses feeds from 18 additional threat intelligence partners to block a large portion of the threats that present risk to end users and businesses alike. If the site you are trying to connect with is a known evil site, Quad9 will NOT resolve the friendly address to the long winded number. It will effectively return a “domain/site does not exist”.

That sounds great. How do I set it up?

For a business environment, please contact your IT Department or IT Service Provider. There could be internal DNS server dependencies which, if you implemented Quad9, might break an application. IT will need to make a determination on whether it can be implemented or not.

For home users, on the Quad 9 home page there are videos and instructions for configuring Mac and Windows desktops/laptops.

However, for the best possible coverage, I would recommend you have this setting applied to the router or modem that your service provider installed with your connection. It should be noted that some internet providers do not allow changes to be made to their router (Imagine and Sky are two examples). You may need to log a support request to have the change applied to your router.

If you are, or know somebody who is technically competent (and game-playing teenagers may not fit this criteria ?), the change is as easy as logging into the router and changing, whats called, the DHCP settings. Before anything is changed, you should make a note of what the current DNS settings are. Then all you have to do is change the primary DNS server to 9.9.9.9 (4 nines … Quad9 … get it now? ?). The secondary address can be set to whatever was previously the primary address. Be sure to save the setting and reboot the router.

When the router comes back up, any device that connects to it (laptop, desktop, tablet, phone, smart toaster, etc.) will receive the protection of Quad9 automatically.

If you have any connectivity issues after the change, then simply log back into the router and put back the DNS settings under DHCP that had been there before, save the setting and reboot the router again.

One thing I had concerns about was performance. I previously used Google’s DNS (8.8.8.8) which was always pretty responsive. So when I tested it’s performance against Quad9’s I found that Quad9 was generally faster than Google. They are improving the service all the time as demand increases, so it should always be very quick.

So for me it’s a ??.

The post Quad9 – Safer addressing on the internet appeared first on L2 Cyber Security Solutions Ltd..

What is a “smart Teddy Bear?” I hear you ask. Apparently these toys can send and receive voice messages from children to their parents and vice versa … which is nice. ? While the voice recordings were not apparently leaked, the criminals, using the data they have stolen may be able to access the servers where the recordings are stored and download them.

The data that was stolen included e-mail addresses and “hashed” passwords. This means that the passwords were scrambled, which shows a sensible security practice by the company, as the evil doers will have difficulty in cracking a “hashed” password.

However, that one sensible security practice has been undone by the fact the password policy is such that a  single character is acceptable as a password. So the password “e” could be cracked by a hacker in less than a second. If the passwords were a more acceptable 12 characters long with complexity requirements, then we are looking at it taking decades or even centuries to crack a hashed password.

Another security fail by the company was storing the customer data on a particular type of database (MongoDB), which was publicly exposed online and required no form of authentication for somebody to access it … yes folks you read that right … if you could see the database server you could access all of it’s data. ??

If the evil doers had cracked some passwords (and one of the researchers in the linked article did, using the old reliable “123456”), then they could log on to the accounts and download the voice messages left by parents and children for that account.

The company had been notified that their MongoDB database was exposed in December, but they did not seem to take any action. The CEO of the company made some statements defending their handling of the situation and playing down any risks associated with the leak (the statements are quoted in the linked article), but frankly none of them are acceptable.

In fact, come May 25th 2018, if any EU citizen had an account with this crowd and they continued to adopt this laissez-faire attitude to the security of their customer’s personal data, then they will find themselves slapped with a big ol’ fine from the EU under the General Data Protection Regulation (GDPR). That might get their attention. Yes you did read that right. Under the GDPR, a company, anywhere in the world, that stores/processes the personal information of an EU citizen, is governed by the GDPR and can be penalised for breaching this regulation.

So in conclusion, if you have any “smart” or “connected” device/toy/whatever, make sure you have a good, strong, 12 character minimum – with complexity – password for it and any on-line account associated with it. This password should be unique to that device. Come on folks you know that this is important. Your teddy bear is listening after all! ☺?

The post Company that makes smart Teddy Bear’s leaked data. appeared first on L2 Cyber Security Solutions Ltd..

The first time I saw that picture of the Dr. Evil meme, I never thought that it might be possible for the numbers to reach those nonsensical values, but if Internet connected brooms are in our future (see below), we might be in serious trouble, if the manufacturers of such devices keep ignoring the need for easily configured security settings on their gear.

The Mirai Botnet, which was responsible for the historic attack on Brian Krebs website, amongst others last month has grown dramatically. I came across this Botnet tracking website, which gives details of the number of infected hosts in the Mirai Botnet a few hours ago. At that time the total number of hosts was 1,479,110. It is now showing 1,547,552 (it’ll be higher by the time you read this ?) That means on a Wednesday morning in late October, another 68,000 devices have been hacked and are ready to be used for evil purposes. It is believed that last Friday’s massive attack on Dyn, which crippled such services as Twitter, Amazon, Spotify, PayPal and Netflix, was partly as a result of the Mirai Botnet according to Flashpoint.

Granted the total number of affected hosts is likely to be a lot lower as some of the earlier compromised devices may have been reset or disconnected from the internet either by their owners or by ISPs who detect such devices and block them.

Following the initial attack on Brian Krebs in September, I had blogged encouraging everyone to change the default passwords on their IP cameras and DVRs. However, it has become apparent that a particular make of these devices has a hard coded backdoor which is not under the control of the user. According to Brian Krebs:

The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.

These affected devices will need new firmware to be installed on them to remove this backdoor, but (a) there is no sign of any and (b) given the numbers involved, it would be unlikely that even 1% would get updated, and that is me being wildly optimistic. ?

I want to finish on a couple of light notes … as whimsically stated by Jeff Jarmoc, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” How very, very true. ?

And if you wondered what I was talking about in regards to an Internet connected broom above – this is where that came from – the Internet of Evil Things:

The post The Internet of Evil Things continues to grow. appeared first on L2 Cyber Security Solutions Ltd..

The post Details emerge about the huge internet attack last Friday. appeared first on L2 Cyber Security Solutions Ltd..

• Security Cameras or Digital Video Recorders (DVRs)
• Baby monitor
• Smart sockets
• Smart light bulbs
• Smart Thermostat
• Energy usage monitor
• Smart fridge
• Media Server

Octave Klaba, the founder and CTO of French hosting company OVH, sounded the alarm on Twitter on the 22nd September when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799 gigabits per second alone, making it the largest ever reported.

According to Klaba, the attack targeted Minecraft servers hosted on OVH’s network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras.

With the ability to generate traffic of between 1 megabit per second and 30 megabits per second from every single device, this botnet is able to launch DDoS attacks that exceed 1.5 terabits per second, Klaba warned.

The post Have you any smart internet connected IoT devices in your home? appeared first on L2 Cyber Security Solutions Ltd..