Month: December 2015

Linode Hit by DDoS Attacks

Posted on

Cloud hosting company Linode has suffered a series of service interruptions due to distributed denial-of-service (DDoS) attacks launched against its infrastructure over the past few days.

The campaign started on December 26 when the company reported that DDoS attacks had disrupted the Linode Manager and its website. On the same day, the attackers also targeted Linode’s DNS infrastructure, and the company’s data centers in Dallas, Atlanta, London and Newark.

It took roughly 2-3 hours for Linode’s systems and network engineering teams and the company’s upstream providers to mitigate the attacks.

On December 27, DDoS attacks were reported at the data centers in Atlanta, Newark, and London. Linode’s service status page shows that it took the company nearly four hours to mitigate the attack against the London datacenter, while network connectivity was restored in one hour, respectively two hours, in Atlanta and Newark.

The attacks against various components of Linode’s infrastructure continued on Monday and Tuesday.

In the early hours of Wednesday, shortly after announcing that a DDoS attack affecting Linode’s website had been mitigated, the company reported seeing continued attacks disrupting access to its web services.

The latest update indicates that the Dallas data center was again targeted recently, causing packet loss.

Kaspersky Lab reported in November that in the third quarter of 2015, Linux-based botnets accounted for nearly half of the total number of DDoS attacks. The most notable was the XOR botnet, which malicious actors leveraged to launch attacks that peaked at more than 150 Gbps.

A Kaspersky report released in December showed that almost half of the organizations hit by DDoS attacks actually claimed to know the identity of the attackers. The study is based on information from more than 5,500 companies across 26 countries.



A software bug caused the early release of 3,200 US prisoners

Posted on

The US Department of Corrections discovered a long-standing software bug that resulted in the early release of prisoners.

This news is disconcerting and demonstrates the importance to carefiìully consider the technology in our lives. The Washington State Department of Corrections (DoC) launched an investigation after it early released 3,200 prisoners over the course of 13 years.

It seems that a software bug present in the systems of the Department since 2002, caused errors in the calculation of time credits for the good behavior of individuals while imprisoned.

The bugs led errors in the calculation of sentence reductions for the US prisoners that had a good behavior,  the experts estimated that in a 13-year period, the average number of days of those released early from prison was 49 days before the correct release date.

“This problem was allowed to continue for 13 years is deeply disappointing to me, totally unacceptable and, frankly, maddening,” is thecomment of the Washington State Governor Jay Inslee. “I’ve [many] questions about how and why this happened, and I understand that members of the public will have those same queries.”

Gov. Jay Inslee today already  ordered the Washington Department of Corrections to take the necessary actions to discover the bug that allowed criminals to leave the jail early.

Department of Corrections software bug

The software bug was introduced in 2002, in that year the state’s supreme court introduced a change in the calculation of the “good time” credit system for all the prisoners in State Prisons and County jails,

Criteria for evaluating the good behavior of prisoners were introduced to allow guests of state prisons to reduce the period to be served.

The DoCs released a new version of software that implemented the new rules, but it introduced also a bug, but it is important to highlight that the Department of Corrections (DoC) has been informed of the software bug at least 3 years ago. In December, 2012 in fact, the familiars of an assault victim reported the issue to the Department of Corrections.

The US Department of Corrections accepted the claim and filed a request, ranking the error as “time sensitive.” This means that the US Department urged a solution as soon as possible, but something went wrong.

“Between December 2012 and this month, the software fix “was repeatedly delayed,” according to a DOC timeline of events. The delays occurred despite the fact a DOC worker who filed the service request labeled the fix as time sensitive and “ASAP.” Reported the SeattleTimes. “Typically, IT fixes are put into a queue according to priority, said Brown. But, “What we know, I think, at a bare minimum, is the proper prioritization did not occur,” he said.”

Three years to fix a time sensitive bug that could have effects on people security. Simply absurd!

Now something seems to be changing, Inslee assured that the software bug will be fixed within the January 7th.

Waiting for the fix, the US DOC has requested double checks before releasing any prisoner.

“The governor ordered DOC to halt all releases of impacted offenders from prison until a hand calculation is done to ensure the offender is being released on the correct date. A broader software fix is expected to be in place by Jan. 7, 2016.” continues the official statement.

“In addition, DOC is working swiftly to locate offenders who were released from prison prior to their actual earned release date and ensure they fulfill their sentences as required by law. In accordance with Supreme Court precedent, most of the offenders who were released early will be given with day for day credit for their time in the community. Depending on how much time they have left to serve, the offenders will go to work release or back to prison.”


UConn Website Hijacked and Used to Spread Fake Flash Player Containing Malware

Posted on

University of Connecticut loses control of its DNS entries.The official Web portal of the University of Connecticut was compromised on Sunday and used to spread malware to all visitors, masqueraded as a fake Adobe Flash Player update, The Daily Campus reports.

According to UConn deputy spokesman Tom Breen, on Sunday, the third day of Christmas, December 27, at around 11:00 AM, the nonprofit organization Educause, who manages UConn’s website, lost control of the site’s DNS entries.

UConn was the victim of a simple DNS hijacking attack

DNS entries are simple “domain name – IP address” pairs that tell Internet browsing software from where to download the content of a desired website.

Attackers managed to hijack the university’s DNS listing and point all users accessing the URL to the wrong server, one controlled by the attackers.

Here, a blank page would be served to all users, and immediately as the site loaded, a popup would appear asking users to download a newer version of the Adobe Flash Player to be able to continue.

Users that clicked OK in the popup would download a file named adobe_flashplayer_18.exe, containing malware.

Officials resolved the issue by the second day

University staff were quickly alerted and managed to regain access to their DNS records. Their efforts were delayed because the MX records that were responsible for all email addresses were also corrupted, which made it hard to contact the ISP with an email coming from an official address.

All things returned to normal by the second day, when most DNS servers phased out the malicious DNS entry, which remained stored in their cached entries for a few more hours.

DNS hijackings are common, and in the past, many high-profile companies have fallen victims to such attacks. One of the biggest such incidents this year was when domain registrar eNom lost control of four of its DNS servers. The attack was short-lived but affected a large number of clients.

Popup that appeared on UConn’s website

Popup that appeared on UConn's website

How to view saved Wi-Fi passwords in Windows 10, Android and iOS

Posted on


So many stores, service stations, coffee shops, pubs and so on offer free Wi-Fi that you probably have countless networks saved on your phone or laptop. Having a password saved on your computer is great, but how can you get the password so you can use it on your phone as well?

Rather than trying to hunt down a member of staff to ask, or hunting high and low for that tiny sign that shares the password, you can instead view the wireless passwords you have saved. Read on to find out how to retrieve these passwords in both Windows 10 and Android.

If you already have the password for a wireless network saved on your laptop and want to retrieve it to use on your phone — or share with someone else — things are quite simple. The same method works in Windows 7, Windows 8.x, and Windows 10, but it’s important to note that you need to be connected to the network you are trying to retrieve the password for.

  • Press the Windows key and R, typencpa.cpl and press Enter.
  • Right click on the wireless network adaptor and select Status.
  • Click the Wireless Properties button.
  • In the Properties dialog that appears, move to the Security tab.
  • Click the Show characters check box, and the network password will be revealed.


If you want to retrieve a saved wireless network password from Android or iOS, you’ll have to have a rooted or jailbroken device — sadly, there is no standard way to pull up security credentials. It’s worth noting that there are several apps out there in Google Play that claim to reveal Wi-Fi passwords; while some of these work, there are also numerous malicious tools out there, so it’s best to use an alternative method.

If you’re using Android, install a copy of the free file browser ES File Explorer.

  • Navigate to the data/misc/wifi folder on your device — it will not be visible on non-rooted phones.
  • Open the file called wpa_supplicant.conf and you will see a list of saved Wi-Fi networks complete with their passwords.

To retrieve a Wi-Fi password on a jailbroken iPhone, you can check in the Keychain access app if you have a Mac connected to the same network, but there’s another method if you prefer to do it all from your phone.

Grab yourself a copy of WiFi Passwords from Cydia.

Fire up the app, and you’ll be presented with a list of all of the passwords your iPhone has for saved wireless networks.


Yahoo! to Warn Users of State-Sponsored Attacks

Posted on

Yahoo! this week announced that it will notify users when it suspects that their accounts might have been targeted by state-sponsored actors.

Bob Lord, Chief Information Security Officer at Yahoo!, announced in a blog post that the company already has a system for detecting and preventing unauthorized access to user accounts by third parties, and will now will inform users when it believes they are being targeted by attackers working on behalf of a nation-state.

Lord explained that the notifications users will receive will include information on the specific actions they can take to ensure that their Yahoo accounts are safe and secure. He also notes that users should take one of these actions as soon as they receive the notification from the company.

To keep their accounts protected, users should turn on Account Key or Two-Step Verification to approve or deny sign-in notifications, thus being able to deny access to their accounts. They should also choose a strong, unique Yahoo account password they’ve never shared or used before.


Lord also advises users to check that their account recovery information such as phone number or alternate recovery email address is up to date and that they still have access to them, while removing those they no longer have access to or don’t recognize. Users should also check their mail forwarding and reply-to settings, and should be reviewing recent activity in account settings for sessions they don’t recognize.

Users are also strongly encourage to protect themselves outside of their Yahoo account by avoiding falling for phishing attacks by not clicking on links they are not sure about and never providing account information when asked to, especially via email. Users should also have an up-to-date anti-virus software on the computer and should review the account security guidelines posted by other services they use, including social networks, financial institutions, and other email providers.

Lord reminded that although users might receive one of the notifications, it does not necessarily mean that the account has been compromised.He also notes that the warning does not mean that Yahoo’s internal systems have been compromised in any way in such attacks.

The security chief did not share details on how Yahoo! can tell if an attack is state-sponsored.

“However, rest assured we only send these notifications of suspected attacks by state-sponsored actors when we have a high degree of confidence,” he wrote.

Other Internet companies also made formal announcements regarding their position on state-sponsored attacks against user accounts. Google did so in 2012, while Facebook made theannouncement in October 2015. Last week, Twitter also informed some users on suspected state-sponsored attacks, though it did not make an official announcement on the matter.


Microsoft to Remove Superfish-Like Programs Starting in March

Posted on

Microsoft has taken steps to impede the next Superfish from impacting users.

Superfish was pre-installed adware found on new Lenovo laptops earlier this year. The software exposes users to man-in-the-middle attacks because of the way it injects advertisements into the browser. It comes with a self-signed root cert that generates certs for HTTPS connections, replacing existing certs with its own in the process. Attackers could take advantage of this scenario—especially after the password for the cert that shipped with Superfish was found—to listen in on encrypted communication.


Microsoft this week said it has updated its rules around adware, and now such programs that build ads in the browser are required to only use the browser’s “supported extensibility model for installation, execution, disabling and removal.” Microsoft said starting March 31, 2016 it will detect and begin removing programs that are not in compliance.

“The choice and control belong to the users, and we are determined to protect that,” wrote Barak Shein and Michael Johnson of Microsoft’s Malware Protection Center.

Lenovo quickly patched the original Superfish issue and shortly thereafter, browser makers such as Mozilla removed the root cert from Firefox’s trusted root store.

Superfish’s ability to perform SSL interception by proxy was certainly worrisome behavior from a supposedly trusted product, one that was suddenly opening the door not only to man-in-the-middle attacks, but also the manipulation of DNS settings and other network-layer attacks. Worse yet was that Superfish-like software would not trigger warnings about man-in-the-middle attacks.

“All of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser,” Microsoft said. “Our intent is to keep the user in control of their browsing experience and these methods reduce that control.”



Posted on Updated on


En el último artículo aprendimos más acerca de Haka, un lenguaje de seguridad orientado a código abierto con ayuda de expertos de servicios de seguridad informática. En este artículo vamos a cubrir como escribir las reglas de seguridad en Haka con ayuda de profesor de hacking ético. Haka ofrece una forma sencilla de escribir reglas de seguridad para filtrar, modificar, crear e inyectar paquetes. Según expertos de auditoría de seguridad informática, cuando se detecta un flujo con algo malicioso, pueden informar los usuarios o pueden dejar el flujo. Los usuarios pueden definir escenarios más complejos para mitigar el impacto de un ataque. Por ejemplo, se puede alterar peticiones http y obligar a los navegadores obsoletos para actualizar o falsificar paquetes específicos para engañar herramientas de análisis de tráfico.

La siguiente regla es una regla de filtrado de paquetes básico que bloquea todas las conexiones de una dirección de red.

local ipv4 = require(“protocol/ipv4”)

local tcp = require(“protocol/tcp_connection”)

local net =“”)


hook =,

eval = function (flow, pkt)

haka.log(“tcp connection %s:%i -> %s:%i”,

flow.srcip, flow.srcport,

flow.dstip, flow.dstport)

if net:contains(flow.dstip) then


severity = “low”,

description = “connection refused”,

start_time = pkt.ip.raw.timestamp






Las primeras líneas del código cargan los disectores de protocolo, Ipv4 y TCP explica profesor de hacking ético, Mike Stevens. La primera línea se encarga de paquetes IPv4. Después usamos un disector de TCP de estado que mantiene una tabla de conexión y gestiona flujos de TCP. Las siguientes líneas, definen la dirección de red que debe ser bloqueada.

La regla de seguridad se define a través de palabras clave haka.rule. Según experto de servicios de auditoría informática, reglas de haka son muy útiles. Una regla de seguridad está hecha de un gancho y una función de evaluación eval. El gancho es un evento que activará la evaluación de la regla de seguridad. En este ejemplo, la regla de seguridad se evaluará en cada intento de establecimiento de conexión TCP. Los parámetros pasados a la función de evaluación dependen del evento explica el experto de servicios de seguridad informática. En el caso del evento new_connection, eval toma dos parámetros: flow y pkt. Lo primero de ellos tiene detalles sobre la conexión y el segundo es una tabla que contiene todos los campos del paquete TCP.

Según recomendación de profesor de hacking ético, en el núcleo de la regla de seguridad debemos registrar en haka.log primero alguna información acerca de la conexión actual. Luego, comprobamos si la dirección de origen pertenece a la gama de direcciones IP’s no autorizadas. Si la prueba tiene éxito, elevamos una alerta (haka.alert) y liberamos la conexión. Menciona Roberto Talles, experto de auditoría de seguridad informática que tenga en cuenta que se informa sólo algunos detalles de la alerta. Se puede añadir más información, como el origen y el servicio de destino.

Utilizamos hakapcap herramienta para probar nuestra filter.lua regla en un archivo de pcap trace filter.pcap:

$ hakapcap filter.lua filter.pcap

En este artículo vamos a cubrir como escribir las reglas de seguridad en Haka con ayuda de profesor de hacking ético.

De aquí en adelante, en los resultados sale algo de información sobre disectores cargados y reglas registrados. El resultado muestra que Haka logró bloquear conexiones dirigidas a dirección

En el ejemplo anterior, hemos definido una sola regla para bloquear las conexiones. Uno puede escribir un conjunto de reglas de firewall usando la palabra clave mencionó profesor de hacking ético. En este caso, la configuración, se puede elegir un comportamiento por defecto (por ejemplo, bloquear todas las conexiones) si ninguno de la regla de seguridad autoriza explícitamente el tráfico.

En el próximo artículo vamos cubrir más sobre inyección de paquetes con la ayuda de expertos de servicios de seguridad informática