http://www.infoworld.com

  • DNSSEC as DDoS amplification attack vector

    Here is a report that explains how DNSSEC can be subverted as an amplifier in DDoS attacks.

    • Average DNSSEC amplification factor: 28.9x
    • Average response to an 80-byte “ANY” query: 2313 bytes
    • Largest amplification response: 17377 bytes

    https://ns-cdn.neustar.biz/creative_services/biz/neustar/www/resources/whitepapers/it-security/dns/neustar-dnssec-report.pdf

    We ran DNS queries from four separate and independent open recursive servers to look for DNSSEC name servers that responded to queries using the DNS command “ANY,” which is a favorite malicious query used by hackers.

    [...]

    Of the 1,349 domains that we examined, 1,084 were signed with DNSSEC and responded to the “ANY” query. Which means: 80% of the domains in this one community could be repurposed as a DDoS amplifier and used maliciously.

    [...]

    For organizations that use and rely on DNSSEC, Neustar recommends ensuring that your DNS provider does not respond to the “ANY” queries or has some mechanism in place to identify and stop misuse.

    #DDoS #DNSSEC
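    The check a DNS operator would want after reading the report above, as an added example that is not part of the post or of the Neustar report: it reads a simplified, constructed query/response log (the record format, the client addresses and the log lines are all assumptions), flags UDP “ANY” answers whose size is many times the query size, and aggregates per client address, since a spoofed victim shows up as a single “client” receiving many large answers.

```python
"""Spot DNS answers that would serve as DDoS amplification fodder.

Added example, not from the Neustar report. Constructed record format,
one per line, whitespace separated:
    <client_ip> <qname> <qtype> <proto> <query_bytes> <response_bytes>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. The 80-byte query / 2313-byte answer pair mirrors the
# averages quoted in the post; 17377 bytes is the largest answer it mentions.
SAMPLE_LOG = """\
198.51.100.7 example.org. ANY UDP 80 2313
198.51.100.7 example.org. ANY UDP 80 2313
198.51.100.7 example.org. ANY UDP 80 17377
203.0.113.5 www.example.org. A UDP 58 102
203.0.113.9 example.org. ANY TCP 80 2313
198.51.100.7 example.org. ANY UDP 80 2313
"""


@dataclass(frozen=True)
class Record:
    client: str
    qname: str
    qtype: str
    proto: str
    query_bytes: int
    response_bytes: int


def parse_log(text: str) -> list:
    """Parse the constructed log format; reject malformed lines loudly."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(parts)}")
        client, qname, qtype, proto, qbytes, rbytes = parts
        records.append(Record(client, qname, qtype.upper(), proto.upper(),
                              int(qbytes), int(rbytes)))
    return records


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes sent back per byte received; 80 -> 2313 gives the report's 28.9x."""
    if query_bytes <= 0:
        raise ValueError("query size must be positive")
    return response_bytes / query_bytes


def is_amplifier_response(rec: Record, threshold: float = 10.0) -> bool:
    """True for UDP ANY answers at or above the amplification threshold.

    TCP answers are excluded: a spoofed source cannot complete the TCP
    handshake, so they cannot be reflected onto a victim.
    """
    return (rec.proto == "UDP"
            and rec.qtype == "ANY"
            and amplification_factor(rec.query_bytes, rec.response_bytes) >= threshold)


def summarize(records, threshold: float = 10.0) -> dict:
    """Per-client totals of flagged answers: count, bytes reflected, peak factor."""
    per_client = defaultdict(lambda: {"hits": 0, "bytes_sent": 0, "max_factor": 0.0})
    for rec in records:
        if not is_amplifier_response(rec, threshold):
            continue
        stats = per_client[rec.client]
        stats["hits"] += 1
        stats["bytes_sent"] += rec.response_bytes
        stats["max_factor"] = max(
            stats["max_factor"],
            amplification_factor(rec.query_bytes, rec.response_bytes))
    return dict(per_client)


if __name__ == "__main__":
    for client, stats in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {stats['hits']} UDP ANY answers, "
              f"{stats['bytes_sent']} bytes reflected, peak {stats['max_factor']:.1f}x")
```

    A client address that keeps receiving large UDP ANY answers it never asked for is the signature of a reflection victim; refusing ANY over UDP, or rate-limiting responses per destination, removes the server from the pool of usable amplifiers.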

  • Leaseweb wants to explain to us how to back up our data in the era of cyber-war and of false promises such as safe harbor.

    Hosting Summit (Hosting-Gipfel) in Berlin - Diplomatic Council
    http://www.diplomatic-council.org/de/portal/hosting-gipfel-in-berlin

    The Diplomatic Council invites you to the Hosting Summit in Berlin. The host of the one-day event on 17 February at the renowned SOHO House is DC Corporate Member LeaseWeb, one of the world's largest hosting networks.

    Keynote speakers are attorney Ralf Schulten, Chairman of the Global Small and Medium-sized Enterprises Forum („Mittelstandsforum“) in the Diplomatic Council, and bestselling author („Schwarmdumm“) Prof. Dr. Gunter Dueck, Fellow of the American engineering association IEEE and member of the IBM Academy of Technology.

    DC Chairman attorney Ralf Schulten will speak on a topic that is currently a burning issue for many companies in Germany, above all small and medium-sized ones: what does the agreement between the EU and the USA on new rules for data exchange and data protection, known as the „EU-US Privacy Shield“, mean? The National Initiative for Internet Security (NIFIS) is already calling the „EU-US Privacy Shield“ a sham („Mogelpackung“). At the Hosting Summit, DC Chairman Ralf Schulten will explain which rules companies should observe when hosting their data in this legally uncertain situation in order to protect themselves from trouble. The topic is so explosive not least because non-compliance with data protection law can result in direct liability for the board or management.

    Come in numbers, for once there is a free meal at the Soho House, an otherwise expensive and exclusive club ;-) (You have to register at the URL above, giving your company's details.)

    About Leaseweb
    https://www.leaseweb.com/about

    The LeaseWeb platform resides on one of the largest, most reliable networks in the world, boasting 5.0 Tbps bandwidth capacity and 99.9999% core uptime. Thanks also to state-of-the-art data centers, and a broad choice of technologies, we are able to deliver an industry-leading portfolio of solutions – from bare metal to public and private clouds.

    With such ingredients to hand, we can help you find the perfect combination of IaaS options to maximize the performance of every workload – in the most efficient way for your business now – and as your requirements change.

    All LeaseWeb solutions are easy to configure and manage too. Our intuitive customer portal and API allow you to set up your infrastructure exactly as you want it, deploy new services on-demand and keep on top of your costs.

    #sécurité #internet #business #Berlin #cloud #hosting #safe_harbor #privacy_shield

    • The Business Implications of the EU-U.S. “Privacy Shield”
      https://hbr.org/2016/02/the-business-implications-of-the-eu-u-s-privacy-shield

      the Court of Justice’s rejection of the old Safe Harbor was based entirely on potential U.S. government practices, for which there is little indication of changed policy or procedure.

      Final approval for the Privacy Shield deal, reflecting the complex bureaucracy that plagues the EU, will include review by a dizzying array of governmental and quasi-governmental privacy bodies, the Commission itself, and its member states. Further legal challenges are all but guaranteed. Uncertainty will cloud internet-based companies doing business abroad for months, if not years, to come.

      Meanwhile, the Privacy Shield, even if it survives its trial by fire, will likely do nothing to add even a modicum of new protection to the personal information of European citizens.
      ...
      To the extent that the privacy concerns in Europe are genuine, they are a reflection of a profoundly different approach to privacy in two giant economies. U.S. privacy law, inspired by our revolutionary founding, focuses more on restrictions, such as the Fourth Amendment, that protect citizens from information collection and use by government rather than private actors. In fact, private actors are often protected from such restrictions by the First Amendment.

      But in Europe, scarred by catastrophic abuses of personal information that include the Inquisition, centuries of religious wars, the Holocaust, and the surveillance states of the former Soviet bloc countries, citizens enjoy broad privacy protections from companies and each other. In Europe, the government is seen as the principal protector of personal information from abuse by non-governmental institutions — the opposite of the U.S. model.

      The article does not say much about the subject raised by its title, but it sets out a few basic ideas cited here.

    • EU-US Privacy Shield offers flimsy protection | InfoWorld
      http://www.infoworld.com/article/3029969/privacy/eu-us-privacy-shield-offers-flimsy-protection.html

      While U.S. companies — especially tech giants like Google, Microsoft, and Facebook, which rely heavily on the easy flow of data — are primarily concerned with reestablishing a legal framework for data transfers, the real issue for Europeans is mass surveillance by government.
      ...
      Several privacy groups have called on the United States to improve its privacy laws to match those in Europe. “The problem is that the U.S. remains unchanged,” said Marc Rotenberg, president of the Electronic Privacy Information Center.
      ...
      Ultimately, EU-US Privacy Shield is what Computerworld calls a win-win in diplomatic terms: “The EU gets a solemn promise of privacy protections, which its voters want. And the U.S. gets no delays in data transfers, which U.S. companies want.”

    • European Commission - Press release
      http://europa.eu/rapid/press-release_IP-16-216_fr.htm

      The European Commission and the United States agree on a new framework for transatlantic data transfers, the “EU-US Privacy Shield”

      Strasbourg, 2 February 2016

      The European Commission and the United States have agreed on a new framework for transatlantic data transfers, the “EU-US Privacy Shield”

      The College of Commissioners today approved the political agreement and mandated Vice-President Andrus Ansip and Commissioner Věra Jourová to prepare the necessary steps to put the new arrangement in place. This new framework is intended to protect the fundamental rights of EU citizens when their data is transferred to the United States and to provide legal certainty for businesses.

      The EU-US Privacy Shield reflects the requirements set out by the Court of Justice of the European Union in its ruling of 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement requires US companies to better protect the personal data of European citizens and provides for stronger monitoring by the US Department of Commerce and the Federal Trade Commission (FTC), including through increased cooperation with the European data protection authorities. Under the new arrangement, the United States commits that, under US law, access by public authorities to the personal data transferred will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will be able to submit enquiries and complaints to a dedicated Ombudsperson.

      Commission Vice-President Andrus Ansip said: “We have agreed on a new strong framework on data flows with the United States. Our citizens can be sure that their personal data is fully protected. Our businesses, especially the smallest ones, will have the legal certainty they need to develop their activities across the Atlantic. We have a duty to check that the new arrangement works and to make sure it keeps delivering over time. Today's decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the United States. We will work now to put this framework in place as soon as possible.”

      Commissioner Věra Jourová said: “The new arrangement will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the very first time, the United States has given the EU formal assurances that access by public authorities for national security purposes will be subject to clear conditions, safeguards and oversight mechanisms. Also for the first time, EU citizens will have redress mechanisms in this area. In the context of the negotiations for this agreement, the United States has given assurances that it does not conduct mass surveillance of Europeans. Finally, the agreement provides for an annual joint review in order to closely monitor the implementation of these commitments.”

      The new arrangement will include the following elements:

      strong obligations on companies handling Europeans' personal data and robust enforcement: US companies wishing to import personal data from Europe will need to commit to strict conditions on how that data is processed and to guarantee individual rights. The US Department of Commerce will ensure that companies publish their commitments, which makes them enforceable under US law and allows the FTC to compel companies to comply. In addition, any company handling human resources data from Europe has to commit to comply with decisions by the European data protection authorities;

      clear safeguards and transparency obligations on US government access: for the first time, the United States has given the EU written assurances that access by US public authorities for law enforcement and national security purposes will be subject to clear oversight, limitations and safeguards. Such exceptions must be applied proportionately and only to the extent necessary. The United States has ruled out mass surveillance of the personal data transferred to the United States under the new arrangement. To regularly monitor the functioning of the arrangement, there will be an annual joint review, which will also cover the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European data protection authorities to take part;

      effective protection of EU citizens' rights with several redress possibilities: any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies will have to reply to complaints within set deadlines. European data protection authorities can refer complaints to the US Department of Commerce and the FTC. Alternative dispute resolution will be free of charge. For complaints about possible access by national intelligence services, a new Ombudsperson will be created.

      Next steps

      The College has mandated Vice-President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks, which the College could then adopt after obtaining the opinion of the Article 29 Working Party and consulting a committee composed of representatives of the Member States. In the meantime, the United States will make the necessary preparations to put in place the new framework, the monitoring mechanisms and the new Ombudsperson.

      Background

      On 6 October, the Court of Justice declared in the Schrems case that the Commission's decision on the Safe Harbour arrangement was invalid. The ruling thus confirmed the approach taken by the Commission since November 2013 to review the Safe Harbour arrangement, so as to ensure in practice a sufficient level of data protection, equivalent to that required by EU law.

      On 15 October, Commission Vice-President Andrus Ansip and Commissioners Günther Oettinger and Věra Jourová met with business and industry representatives, who asked for a clear and uniform interpretation of the ruling, as well as more clarity on the instruments they are allowed to use to transfer data.

      On 16 October, the 28 national data protection authorities (meeting as the Article 29 Working Party) issued a statement on the consequences of the ruling.

      On 6 November, the Commission issued guidance for companies on the possibilities for transatlantic data transfers following the ruling, pending the establishment of a new framework.

      On 2 December, the College of Commissioners discussed the state of play of the negotiations. Commissioner Věra Jourová was mandated to continue the negotiations with the United States with a view to establishing a renewed and safe framework for the transfer of personal data.

    • Europe And US Seal ‘Privacy Shield’ Data Transfer Deal To Replace Safe Harbor | TechCrunch
      http://techcrunch.com/2016/02/02/europe-and-us-seal-privacy-shield-data-transfer-deal-to-replace-safe-har

      Making an initial statement on the Privacy Shield deal, European privacy campaigner #Max_Schrems, whose legal action against Facebook ultimately brought down the original Safe Harbor, expressed scepticism the deal goes far enough to stand the test of another legal challenge at the ECJ.

      “The Court has explicitly held, that any generalized access to such data violates the fundamental rights of EU citizens. The Commissioner herself has said this form of surveillance continues to take place in the US yesterday. Today there should be some agreement, in whatever form, that ensures that EU data is not used anymore. This will be the sticking point for a new challenge before the Court in respect to national surveillance,” he noted.

  • 13 frameworks for mastering Machine Learning

    http://www.infoworld.com/article/3026262/data-science/13-frameworks-for-mastering-machine-learning.html

    Apache Spark MLlib, Apache Singa, Caffe, Microsoft Azure ML Studio, Microsoft Distributed Machine Learning Toolkit, Microsoft Computational Network Toolkit, Amazon Machine Learning, Google TensorFlow, Veles, Brainstorm, mlpack 2, Marvin.

    #machine_learning
    #deep_learning
    #neural_networks

  • NSA shuts down massive phone surveillance

    The U.S. National Security Agency [will end] its daily vacuuming of millions of Americans’ phone records [Sunday 29/11/2015] and replace the practice with more tightly targeted surveillance methods, the Obama administration said on Friday.

    [...]

    It comes two and a half years after the controversial program was exposed by former NSA contractor Edward Snowden.

    [...]

    Under the Freedom Act, the NSA and law enforcement agencies can no longer collect telephone calling records in bulk in an effort to sniff out suspicious activity. Such records, known as “metadata,” reveal which numbers Americans are calling and what time they place those calls, but not the content of the conversations.

    #surveillance
    #NSA

  • How Cisco is trying to keep NSA spies out of its gear

    We know from the Snowden files that the NSA, through interdiction programmes, intercepts the transport of network equipment to secretly install spying software / hardware and then packs it all up again as if nothing happened. [1]

    The problem with Cisco is that

    http://www.infoworld.com/article/3006213/security/how-cisco-is-trying-to-keep-nsa-spies-out-of-its-gear.html

    Despite being one of the largest sellers of routers and networking equipment, Cisco doesn’t have a single factory. Its products — at least the physical ones — are totally outsourced, and it has some 25,000 suppliers.

    This makes it complicated to control the whole supply chain in order to make sure its integrity remains intact.

    This is why they

    Early next year, Cisco plans to open a facility in the Research Triangle Park in North Carolina for the program, called the Technology Verification Service. Interested customers will have to pay for the service, which is also subject to U.S. export control regulations.

    http://www.cisco.com/web/about/doing_business/trust-center/technology-verification.html

    Cisco’s Technology Verification Service helps customers review and test Cisco technology, including hardware, software, and firmware. You can access, review, and test source code and other intellectual property within a dedicated, highly secure facility at a Cisco site.

    #espionage #espionnage

    ___
    [1] https://www.eff.org/files/2015/01/27/20150117-spiegel-supply-chain_interdiction_-_stealthy_techniques_can_crack_some

  • Mass Surveillance Isn’t the Answer to Fighting Terrorism

    http://www.nytimes.com/2015/11/18/opinion/mass-surveillance-isnt-the-answer-to-fighting-terrorism.html

    It happens after every terrorist attack: authorities & intelligence agencies complain about surveillance and encrypted communication. But,

    indiscriminate bulk data sweeps have not been useful. In the more than two years since the N.S.A.’s data collection programs became known to the public, the intelligence community has failed to show that the phone program has thwarted a terrorist attack. Yet for years intelligence officials and members of Congress repeatedly misled the public by claiming that it was effective.

    Often, the problem is not lack of information but means to act upon that information:

    Most of the men who carried out the Paris attacks were already on the radar of intelligence officials in France and Belgium, where several of the attackers lived only hundreds of yards from the main police station, in a neighborhood known as a haven for extremists.

    What’s more:

    “Every time there is an attack, we discover that the perpetrators were known to the authorities,” said François Heisbourg[1], a [French] counterterrorism expert and former defense official. “What this shows is that our intelligence is actually pretty good, but our ability to act on it is limited by the sheer numbers.

    We all agree that

    There is no dispute that law enforcement agencies should have the necessary powers to detect and stop attacks before they happen. But that does not mean unquestioning acceptance of ineffective and very likely unconstitutional tactics that reduce civil liberties without making the public safer.

    #terrorism
    #surveillance #mass_surveillance
    _____
    [1] https://fr.wikipedia.org/wiki/Fran%C3%A7ois_Heisbourg

  • The Linux XOR botnet is launching crippling DDoS attacks in excess of 150 Gbps

    The XOR #DDoS #botnet can generate attacks more powerful than most businesses can withstand.

    http://www.pcworld.com/article/2987580/security/a-linux-botnet-is-launching-crippling-ddos-attacks-at-more-than-150gbps.htm

    Attackers install it on Linux systems, including embedded devices such as WiFi routers and network-attached storage (NAS) devices, by guessing SSH (Secure Shell) login credentials using brute-force attacks.

    [...]

    Old and unmaintained routers are especially vulnerable to such attacks, as several incidents have shown over the past two years.

    https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-xor-ddos-attacks-l

    Akamai’s Security Intelligence Response Team (SIRT) is tracking XOR DDoS, a Trojan malware that DDoS attackers have used to hijack Linux machines to build a botnet for distributed denial of service (DDoS) attack campaigns with SYN and DNS floods.

    • The XOR DDoS botnet has produced DDoS attacks from a couple of Gbps to 150+ Gbps
    • The gaming sector has been the primary target, followed by educational institutions.
    • The botnet has attacked up to 20 targets per day, 90% of which were in Asia.
    • XOR DDoS is an example of attackers building botnets of Linux systems instead of Windows-based machines.
    • XOR DDoS appears to be of Asian origin
    • The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords.
    • To hide its presence, the malware also uses common rootkit techniques.
    • Akamai’s SIRT expects XOR DDoS activity to continue as attackers refine and perfect their methods, including a more diverse selection of DDoS attack types.

    What you can find in the Technical information about XOR:

    • Indicators of binary infection
    • Characteristics of the botnet and C2 communications
    • Observed DDoS attack campaigns
    • DDoS payloads for DDoS mitigation
    • Snort rule to detect the initial registration of a bot with its C2
    • YARA rule to detect infection by XOR DDoS malware on your hosts
    • 4 steps to remove XOR DDoS malware from a Linux host

    https://www.stateoftheinternet.com/downloads/pdfs/2015-threat-advisory-xor-ddos-attacks-linux-botnet-malware-remov

    An argumentation (by a Linux fan) against blaming Linux about this botnet:
    (albeit somewhat "de mauvaise foi", and using as main defence argument that anything can fail against brute force attacks):

    http://www.infoworld.com/article/2990956/linux/dont-blame-linux-for-the-xor-botnet.html

    The real culprits are the irresponsible vendors behind cheap broadband routers and their clueless customers

    The existence of the XOR DDoS was already mentioned here in January 2015 by @stephane : http://seenthis.net/messages/327907

  • Why hackers are more & more interested in health care data

    Health care records can be more valuable because they have a longer shelf life than financial data, which becomes worthless once the fraud is detected and the payment card is cancelled or blocked.
    With health care credentials you can get “free” health care as someone else is paying for the insurance. Unlike credit card numbers, healthcare information is non-recoverable, and potentially lethal in the wrong hands.
    Learning a patient’s medications and diagnoses means that a hacker can order expensive drugs or equipment and resell them.

    http://www.infoworld.com/article/2983634/security/why-hackers-want-your-health-care-data-breaches-most-of-all.html

    Social Security numbers can’t easily be cancelled, and medical and prescription records are permanent. There’s also a large market for health insurance fraud and abuse, which may be more lucrative than simply selling the records outright in forums.

    [...]

    criminals monetize health care data in a different way than they cash in on financial data. Most forums selling health care data tend to be more specialized than the carding forums where payment card information is sold. Stolen health care data forums operate more like drug cartels, where health records are not sold outright, but rather used to buy and sell addictive prescriptions,

    [...]

    It makes sense that governments would be interested in getting their hands on this data because it can be useful for building dossiers that reflect a deeper understanding of the target population. Medical and insurance records provide insights about where people live, what medical treatments they had, who their family members are, and who they work for.

    http://www.bloomberg.com/news/articles/2015-06-05/u-s-government-data-breach-tied-to-theft-of-health-care-records

    The disclosure by U.S. officials that Chinese hackers stole records of as many as 4 million government workers is now being linked to the thefts of personal information from health-care companies.

    http://resources.infosecinstitute.com/hackers-selling-healthcare-data-in-the-black-market

    Many healthcare organizations do not perform encryption of records within the internal networks. They also do not use encryption of data at rest and in transit. This interests the hackers, since the attack surface area is very huge. Health insurance information can be used to purchase drugs or medical equipment, which are then resold illegally, or even to get medical care. The latter can have consequences that go far beyond the financial.

    And the Internet of Things, with all the quantified-self data, is not going to make it any better

    #health_care
    #hack
    #social_security
    #identity_theft
    #data_breach
    #security
    #dark_net #darknet #dark_web

    (Anthem, Excellus Blue Cross Blue Shield, CareFirst Blue Cross, LifeWise)

  • 12.5 Gbps RIPv1 DDoS

    A reflector-type attack, where the victim’s IP is spoofed as the destination of a RIPv1 message that sends back routing table responses.

    An interesting thought is Akamai’s recommendation for mitigation: as it is impossible for manufacturers of all kinds of small & SOHO routers to begin updating all devices to disable RIPv1 by default (many devices are end of life and no longer supported), the recommendation is to have ISPs think about blocking that RIPv1 traffic. Obviously a touchy subject, but already today some ISPs block some ports by default for residential users as a security measure. If a user wants, he can have the ports activated (usually only expert users request this, who know what they are doing – or are more likely to know).

    It’s time to declare RIPv1 to Rest In Peace.

    http://www.infoworld.com/article/2942749/network-security/obsolete-internet-protocol-once-again-becomes-an-attack-vector.html

    #DDoS
    #routing
    #net_neutrality
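    To make the reflection mechanism behind this post concrete, here is an added example that is not from the Akamai advisory or the InfoWorld article: it implements the RIPv1 wire format from RFC 1058 to show why a 24-byte whole-table request comes back as a 504-byte response (an amplification factor of 21), and flags a RIPv1 response arriving from a source outside the local address ranges, which is what a reflection victim would see on UDP port 520. The sample routes, the source addresses and the "local network" heuristic are assumptions made for the example.

```python
"""Parse RIPv1 datagrams and estimate their reflection potential.

Added example, not from the Akamai advisory. RIPv1 wire format per RFC 1058:
  header: command (1 byte), version (1 byte), must-be-zero (2 bytes)
  entry:  AFI (2), zero (2), IPv4 address (4), zero (4), zero (4), metric (4)
"""
import ipaddress
import struct

RIP_UDP_PORT = 520
CMD_REQUEST, CMD_RESPONSE = 1, 2
HEADER = struct.Struct("!BBH")      # command, version, must-be-zero
ENTRY = struct.Struct("!HHIIII")    # AFI, zero, IPv4 address, zero, zero, metric
AF_INET = 2
MAX_ENTRIES = 25                    # RFC 1058 caps a datagram at 25 routes
# A "send me the whole table" request is one entry with AFI 0 and metric 16:
# 4-byte header + one 20-byte entry = 24 bytes on the wire.
WHOLE_TABLE_REQUEST_LEN = HEADER.size + ENTRY.size

# Assumed "local" source ranges: a genuine RIPv1 neighbour lives on-link, so a
# response from any other address has been reflected off someone's router.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "169.254.0.0/16", "127.0.0.0/8")]


def build_response(routes):
    """Encode (network, metric) pairs as a RIPv1 response datagram."""
    if len(routes) > MAX_ENTRIES:
        raise ValueError("a RIPv1 datagram carries at most 25 entries")
    body = b"".join(
        ENTRY.pack(AF_INET, 0, int(ipaddress.IPv4Address(net)), 0, 0, metric)
        for net, metric in routes)
    return HEADER.pack(CMD_RESPONSE, 1, 0) + body


def parse_ripv1(data):
    """Return (command, [(network, metric), ...]); raise on malformed input."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        raise ValueError("bad RIPv1 datagram length")
    command, version, zero = HEADER.unpack_from(data, 0)
    if version != 1 or zero != 0:
        raise ValueError("not a RIPv1 datagram")
    routes = []
    for offset in range(HEADER.size, len(data), ENTRY.size):
        afi, _, addr, _, _, metric = ENTRY.unpack_from(data, offset)
        if afi == AF_INET:
            routes.append((str(ipaddress.IPv4Address(addr)), metric))
        elif afi == 0 and command == CMD_REQUEST:
            routes.append(("0.0.0.0", metric))     # whole-table request
        else:
            raise ValueError(f"unsupported address family {afi}")
    return command, routes


def amplification_factor(response):
    """Bytes a reflector returns per byte of the whole-table request."""
    return len(response) / WHOLE_TABLE_REQUEST_LEN


def is_suspicious_response(src_ip, src_port, payload):
    """Flag a RIPv1 response whose source is not a local neighbour."""
    if src_port != RIP_UDP_PORT:
        return False
    try:
        command, _ = parse_ripv1(payload)
    except ValueError:
        return False
    src = ipaddress.ip_address(src_ip)
    return command == CMD_RESPONSE and not any(src in net for net in LOCAL_NETS)


# Constructed full-size response: 25 routes, the maximum per datagram.
SAMPLE_RESPONSE = build_response([(f"10.{i}.0.0", 1 + i % 15) for i in range(25)])

if __name__ == "__main__":
    print(f"{len(SAMPLE_RESPONSE)} bytes back for a {WHOLE_TABLE_REQUEST_LEN}-byte "
          f"request: {amplification_factor(SAMPLE_RESPONSE):.1f}x")
```

    Because a RIPv1 speaker answers any 24-byte request with its full table and never needs a handshake, the only durable fixes are the ones the post names: disable RIPv1 on the device, or have the ISP drop UDP 520 from residential ranges.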

  • Windows 7 users beware of the Windows 10 wolf

    Microsoft is preparing, behind your back, to upgrade everything to Windows 10. For Windows 8/8.1 I can understand.

    But users of Windows 7 who might not want that, and who have not been paying too much attention to the updates the last three months, probably have already installed updates that will nag you about updating to Windows 10...

    This article describes which updates you should NOT install, and if you have already, how to remove them.
    http://www.ghacks.net/2015/04/17/how-to-remove-windows-10-upgrade-updates-in-windows-7-and-8

    Some of these updates collect telemetry data on users...

    http://www.infoworld.com/article/2911609/operating-systems/kb-2952664-compatibility-update-for-win7-triggers-unexpected-daily-teleme

    The Microsoft Compatibility Appraiser task runs %windir%\system32\rundll32.exe appraiser.dll,DoScheduledTelemetryRun with the description “Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program.”

    I found that the program runs whether or not you’ve opted into the Microsoft Customer Experience Improvement Program (CEIP). And even if you opt out, the program still runs.

    Can somebody tell me why Microsoft is performing a telemetry run on PCs that have opted out of the CEIP? This results from an “important” update in the Automatic Update chute, for heaven’s sake.

    #nagware

  • 9 programming languages and the women who created them

    http://www.infoworld.com/article/2920296/application-development/9-programming-languages-and-the-women-who-created-them.html

    – 1950: ARC Assembly (Automatic Relay Calculator), Kathleen Booth
    – 1955: Address, the first to support indirect addressing, for the MESM computer, Kateryna Yushchenko
    – 1959: COBOL (Common Business-Oriented Language), Grace Hopper
    – 1962: FORMAC (FORmula MAnipulation Compiler), an extension of FORTRAN that was able to perform algebraic manipulations, Jean Sammet
    – 1967: Logo, for educational programming, Cynthia Solomon (et al.)
    – 1974: CLU, first language to support data abstraction and a precursor of OO programming, Barbara Liskov, the first woman in the United States to be awarded a PhD in computer science.
    – 1980: Smalltalk, a graphical programming environment introducing the concept of garbage collection, Adele Goldberg (et al.)
    – 1981: BBC BASIC, a BASIC version for the Acorn BBC Micro, Sophie Wilson
    – 1991: Coq, a new implementation based on the Calculus of Inductive Constructions, Christine Paulin-Mohring (et al.)

    #programming

  • 9 programming languages and the women who created them
    http://www.infoworld.com/article/2920296/application-development/9-programming-languages-and-the-women-who-created-them.html

    Software development has a well-known reputation for being a male-dominated world. But despite this, women have made many important and lasting contributions to programming throughout the decades. One area, in particular, where many women have left a mark is in the development of programming languages. Numerous pioneering women have designed and developed the languages programmers use to give computers instructions, starting in the days of mainframes and machine code, through assemblers and into higher level modern day languages. Use the arrows above to read the stories behind 9 programming languages that have had a significant impact over the years and the women who created them.

  • Hypertext Transfer Protocol version 2 #HTTP/2
    https://tools.ietf.org/html/draft-ietf-httpbis-http2

    After 16 years of HTTP/1.1, here is HTTP/2, which will receive the status of an IETF RFC. Among other things it should speed up the loading of HTML pages by multiplexing different HTTP requests to a web server, which should reduce the number of active connections compared to HTTP/1.1.
    TLS encryption will also be more efficient, and there will be HTTP header compression.

    HTTP/2 is largely based on the #spdy protocol developed by Google.

    To read on the blog of the chair of the HTTP Working Group
    https://www.mnot.net/blog/2015/02/18/http2

  • As a complement to http://seenthis.net/messages/320887
    Microsoft vs. DoJ: The battle for privacy in the cloud
    http://www.infoworld.com/article/2859897/internet-privacy/microsoft-vs-doj-the-battle-for-privacy-in-the-cloud.html

    What issue can unite the #EFF and #BSA? Fox News and The Guardian? Amazon and eBay? The ACLU and the Chamber of Commerce?

    The issue is the demand by the Department of Justice that #Microsoft deliver the email correspondence and address book data from one of their customers as demanded by a warrant, apparently related to a drugs case (although all the documents remain sealed). Microsoft won’t. The reason? The customer, the email, and the server it’s on are all in Ireland and operated by a local subsidiary.

    #surveillance

  • Is #Google Too Big to Trust?
    https://www.schneier.com/blog/archives/2014/04/is_google_too_b.html

    Interesting essay[1] about how Google’s lack of transparency is hurting their trust:

    The reality is that Google’s business is and has always been about mining as much #data as possible to be able to present information to users. After all, it can’t display what it doesn’t know. Google Search has always been an ad-supported service, so it needs a way to sell those users to advertisers — that’s how the industry works. Its Google Now voice-based service is simply a form of Google Search, so it too serves advertisers’ needs.

    In the digital world, advertisers want to know more than the 100,000 people who might be interested in buying a new car. They now want to know who those people are, so they can reach out to them with custom messages that are more likely to be effective. They may not know you personally, but they know your digital persona — basically, you. Google needs to know about you to satisfy its advertisers’ demands.

    Once you understand that, you understand why Google does what it does. That’s simply its business. Nothing is free, so if you won’t pay cash, you’ll have to pay with personal information. That business model has been around for decades; Google didn’t invent that business model, but Google did figure out how to make it work globally, pervasively, appealingly, and nearly instantaneously.

    I don’t blame Google for doing that, but I blame it for being nontransparent. Putting unmarked sponsored ads in the “regular” search results section is misleading, because people have been trained by Google to see that section of the search results as neutral. They are in fact not. Once you know that, you never quite trust Google search results again. (Yes, Bing’s results are similarly tainted. But Microsoft never promised to do no evil, and most people use Google.)

    [1] http://www.infoworld.com/print/239815

    #modèle_économique #evil #neutralite

  • NSA Said to Have Used Heartbleed Bug, Exposing Consumers

    The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

    The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

    Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

    http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
    #NSA