Month: November 2015
Encrypted email provider ProtonMail is still being hit by a DDoS attack from what appears to be a nation state, as well as a secondary and separate lower-level assault from an identified assailant. However, the service is now operating normally, it seems.
Switzerland-based ProtonMail offers an encrypted webmail system able to withstand intelligence agency-level surveillance. However, since last Tuesday the company has continued to be hit by DDoS attacks from two attackers.
Talking to The Register, ProtonMail CEO Andy Yen explained: “We have been attacked every day since 3 November, so we’re now entering the sixth day of attacks.”
“There are two attackers,” said Yen. “Since 4 November, we have been mostly battling the second attacker. They are highly sophisticated and have a lot of resources. The first group that attacked us, the Armada Collective, is largely irrelevant compared with the power of the second attacker.”
ProtonMail has stated that the second attacker’s malicious efforts had all the hallmarks of a state-sponsored attack, both in its complexity and in its willingness to cause large-scale damage to achieve its aims.
The CEO added that the “attack volume is high, but especially the mix of attacks being used, and the highly coordinated fashion in which they are employed point to an extremely sophisticated attacker”.
However, as of the time of publication ProtonMail has provided no concrete proof of a nation going after its servers, which it is still working to protect.
Yen told The Register that “many of the world’s largest tech companies have offered to assist in analysing and tracking the attack”.
Late last week the company paid a bitcoin ransom worth £3,500. A company statement explained:
We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.
Again, explaining the situation to The Register, Yen said that “the second attackers impacted many other companies who lost access to mission critical infrastructure. From the start, ProtonMail has always been opposed to paying, but after discussions with other impacted companies, and considering the sheer amount of collateral damage, we respected the group decision to pay.”
The transfer had to come from our Bitcoin account as we were the ones that received the extortion email.
The people attacking us now are not the ones the ransom was paid to, but at the onset, it was not clear there were two attackers involved.
A donation campaign was established for ProtonMail with a goal of raising $100,000, although this was later reduced to $50,000, which has almost been reached as of the time of writing.
Yen explained that “the goal was reduced because once the magnitude of the attack became realised, and it became apparent who the target was, one of the world’s top DDoS protection companies offered to step in at significantly reduced prices in order to support our mission. They understand that ProtonMail being down means large numbers of activists, dissidents, journalists, and regular users will have lost the ability to communicate”.
“In addition,” said Yen, “some of the world’s top networking experts volunteered their time to help us recover. Together with our team, they accomplished the impossible and brought us back online in three days with the capability to withstand the largest cyber attack which has ever hit Switzerland. The support from our users has also been amazing, they donated nearly $50,000 in just two days.”
ProtonMail, which published a transparency report, refers all foreign requests for information to the Swiss federal police, according to Yen.
“At that point, an inquiry may be opened and passed to the Swiss court system. It is only after receiving a valid Swiss court order that we are permitted to share any user information. Due to the end-to-end encryption that we employ, we can only hand over encrypted copies of user messages,” he added.
What are black swans?
A black swan is an incident that you didn’t anticipate. It is a symptom of the irrational way humans think: when you have only ever seen white swans, you don’t imagine that a black one exists. In the cyber domain, there are black swans in both defence and offence.
In defence, a black swan is a way someone has passed all your defences, although you thought you covered all the attacking vectors. Edward Snowden is a good example. Other examples are Angler Exploit Kit, Taomike SDK or the latest ransomware that would publish your files if you don’t pay.
In offence, a black swan is a way the hacker gets caught that he didn’t predict. It could be a trap or another mechanism that exposed him before he got what he wanted. Worse, it could be a method the defender used to attribute the attack to him.
To make the discussion clearer, let’s look at the basic assumptions in both offence and defence. The defender assumes that the attacker is already in his network. From the defence perspective, the operating space is divided into the perimeter and the internal network.
Tools like firewalls, IDS/IPS and anti-DDoS are examples of perimeter defence. Behavioural analytics solutions are the most common for the internal network. The defender is looking to create black swans along the attack vector path that would expose or block the attack in the external and internal domains.
A hacker assumes that the attack vector will be exposed by the defender. From the offence perspective, there are no external/internal domains. The hacker has a goal: to collect information or to cause damage. To do it, all options are on the table, including HUMINT and digital methods.
When I talked to Israeli hackers about their definition of a black swan, the most common answer was an exposure they didn’t predict.
“When you plan an attack, you should think for every move that you will be exposed. The question is what do you do then [What-If scenario],” said a well-known Israeli hacker. “In some scenarios, the defender will get an alert in the SIEM, but will dismiss it as not important. In others, you will be exposed inside the defender’s network, and a decision should be taken – to abort or use deception. In some cases, a black swan can be a backup procedure you didn’t predict up front.”
As mentioned before, a black swan is something that you can’t predict. If, for example, the hacker is bribing or blackmailing some of your information security staff in advance, that’s a black swan for you.
If the attacker implants a malicious electronic chip in network equipment that you bought from a known manufacturer [as the NSA did with Cisco equipment], that’s a black swan for you. If your CEO is hiring a “cyber mercenary” from the darknet to hack your company, that’s a black swan for you. Another could be a mini computer running Kali Linux hidden in your network and pretending to be a legitimate network entity.
A recent black swan scenario happened at DISA [Defense Information Systems Agency] through a contractor that hired Russian programmers. They wrote code that apparently led to the presence of viruses in the U.S. military’s communications systems.
There is no doubt that in today’s cyber domain, it’s all about black swans. The defender wants to surprise the hacker and vice versa. That’s the reason why defence solution companies are looking for hackers, and hackers are looking for experience in defence procedures – it takes one to know one. Writing code is not enough. If you don’t think as a hacker [or defender], you won’t be able to see your black swans.
Two US military contractors have agreed to pay substantial fines for employing the services of Russian programmers for software that was delivered and installed on the computer network of the US Department of Defense.
According to a statement issued by the U.S. Attorney’s Office, District of Columbia, the two companies are NetCracker Technology Corp. headquartered in Waltham, Mass., and Computer Sciences Corp. (CSC) headquartered in Falls Church, Va.
Back in 2008, CSC, an information technology services company, won a DoD contract for building communications software for DOD’s DISA (Defense Information Systems Agency).
From 2008 to 2013, CSC subcontracted some of their work to NetCracker, a company specialized in telecom software and services.
To keep costs down and deliver the software within the deadline, NetCracker used individuals without security clearances who were living outside the US.
While the U.S. Attorney’s Office declined to name their nationality, a complaint from 2013 by John Kingsley, a former NetCracker manager, said the programmers the company hired were living in and near Moscow, Russia, as SC Magazine is reporting.
Unlike Snowden, “whistleblower” Kingsley will receive $2 million
Mr. Kingsley made his complaint under the whistleblower provision of the False Claims Act. This provision allowed him to file a complaint on behalf of the US government against the two companies.
For this breach of contract clauses and national security, NetCracker agreed to pay $11.4 million while CSC agreed on $1.35 million.
The same provision that allowed Mr. Kingsley to break his confidentiality clause and report his company also warrants he’ll receive a portion of the damages. According to official documents, Mr. Kingsley will collect $2,358,750.
The two companies resolved their lawsuit by reaching an out-of-court settlement that also guarantees that no legal liability was determined, which means that nobody has to go to jail.
US officials did not provide details on the status of the “corrupt” software installed on DoD computers, but common sense points us to believe it was removed back in 2013.
Bank card slurping malware discovered in casino chain’s tills.
A casino owner in Michigan is warning its players after detecting bank-card-stealing malware in its payment systems.
The Four Winds Casino Resort, which operates three casinos and a service station on tribal lands in the state, said it found the software nasty after banks alerted it to fraudulent transactions.
According to Four Winds, the malware specifically sought out payment card data including cardholder name, number, expiration date, and verification numbers. The data would have been collected from cards swiped at sales terminals at the various resorts.
“It is possible that any card that was used in person at the Four Winds casino properties in New Buffalo, Hartford, or Dowagiac, or the Bent Tree Market service station on the Dowagiac property, between October 2014 and October 21, 2015, could have been copied by the program,” Four Winds said.
“We do not have sufficient information to identify the name and address of individuals who swiped their payment card at our properties during this time frame.”
Four Winds said it is working with the cops to investigate the security breach, and a third-party infosec biz has been brought in to check its networks and prevent any further infection. The company has also set up a site for customers who were possibly exposed in the breach.
Anyone who visited the casinos in the last year or so is being advised to keep a close eye on their bank statements and credit monitors for any suspicious or unauthorized activity. The resort has yet to say whether it will be offering affected customers a credit monitoring service.
The Four Winds resort company is one of several to have fallen victim to point of sale (POS) malware infections aimed at collecting payment card information. Big names including Hilton, Mandarin Oriental, and Trump have fallen prey to malware infections that harvest card data from cash registers and point of sale (POS) terminals. The stolen card data is typically sold off and used for fraudulent charges.
SocialMiner doesn’t play nice with China’s popular WeChat.
Mining social media to protect your brand is a great idea, unless the tool you use becomes an attack vector.
That’s the slightly embarrassing bug Cisco’s just reported in its SocialMiner 10.0(1) product: its WeChat page is open to cross-site scripting.
It means some unfortunate support staffer who’s not paying close attention to what they’re receiving could get tricked into clicking a malicious link.
SocialMiner is yet-another “brand management for social media” application – in other words, if Foobar Inc sees unfavourable mentions or a call for help on a social network, the software will tell someone to respond. Preferably before anything looks like going viral.
Cisco’s advisory states: “The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by convincing the user of the affected device to follow a malicious link or visit an attacker-controlled website.
“An exploit could allow the attacker to submit arbitrary requests to the affected device via the affected web browser with the privileges of the user.”
While it only has a relatively low CVSS score of 4.3, there’s no fix as yet, nor are there workarounds.
However, it’s probably not a wonderful look in China, where WeChat has about half a billion users under its “Weixin” brand, and in addition to its Twitter-like micro-messaging, the app is used for payments, video-messaging, taxi bookings and other things.