
Dutch suspect arrested in Spamhaus DDoS attacks


April 28, 2013

Dutch police have confirmed the arrest of a suspect who took part in a massive DDoS attack against the anti-spam group Spamhaus last month.

The 35-year-old man is a Dutch national but was arrested at his home in Barcelona under a European arrest warrant, the Netherlands National Prosecution Office said.

His two computers and a mobile phone have been seized, and he will be extradited to the Netherlands on charges of aiding unprecedentedly serious attacks on the non-profit organization Spamhaus.

"Spamhaus is delighted at the news that an individual has been arrested and is grateful to the Dutch police for the resources they have made available and in the way they have worked with us," said a Spamhaus spokesman.

"Spamhaus remains concerned about the way network resources are being exploited as they were in this incident due to the failure of network providers to implement best practice in internet security," he added.

Although the identity of the man hasn't been released yet, it has been suggested that he's Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker, which has been feuding with Spamhaus for years and is claimed by some to be responsible for the DDoS attack.

Cyberbunker is a Dutch company based in a former nuclear bunker that provides anonymous hosting of anything except terrorist or child pornography websites. The firm denies being responsible for spam, but Spamhaus has listed it on its spammers blacklist, to the Dutch firm's considerable annoyance.

Whether that irritation spawned the massive DDoS attack still remains to be proven, but investigators in the Netherlands, the U.K., and the United States are very keen to find out who was behind it. Numerous attacks in March on the Spamhaus servers saw 300 Gbps of traffic coming from an estimated 30,000 unique DNS resolvers, and internet traffic was slowed as a result of the enormous flows of data.

In other internet security news

Britain's government is hit by over 33,000 malicious emails every single day, ranging from casual phishing attacks to specifically targeted espionage hacks aimed at stealing various personal data.

Chloe Smith, minister for political and constitutional reform at the Cabinet Office, told delegates at the Infosecurity Europe conference yesterday that despite this onslaught, cyber security represents an opportunity, as well as a threat for internet security firms based in Britain.

"On average, the U.K. has a history of being innovators in technology and in technical areas such as cryptography which is maintained to this day in our universities," Smith added.

"We know how to implement this technology as our ongoing strengths underpin our cutting-edge position in areas such as online commerce and banking. Undeniably, there is massive growth potential for U.K. businesses and innovators to do very well in the cyber security segment."

There are about 2,380 U.K. companies in the cyber security sector, which equates to about 21 percent of all security companies in the country. Information security firms have created 26,000 jobs, with collective sales estimated at £3.8 billion, bringing in revenues from exports of about £800 million.

"By 2017, cyber security global growth is forecast to be over twice that of the security sector as a whole, as economic constraints bite in traditional defence and security markets," added Smith. "This is a growth sector and one which we should encourage and nurture."

To further promote the security segment, the U.K.'s Department of Business, Innovation and Skills has joined up with IT trade group Intellect to launch the Cyber Growth Partnership as a way of promoting further growth in the U.K.'s higher technology segment, and in particular helping start-ups and smaller firms.

Smith went on to outline the threats Britain's government faces, calling for collaboration between government agencies and private business in combating state-sponsored cyber-espionage, online fraud and internet disruptions such as DDoS attacks.

"On average, over 33,000 malicious emails are blocked at the Gateway to the Government Secure Intranet every month," Smith said. "These are likely to contain or link to sophisticated malware, often sent by highly capable cyber criminals and state-sponsored groups. A far greater number of malicious emails and spam, but less sophisticated emails and spam are blocked each month as well."

As large as these numbers may seem, industry is by far the biggest victim of cyber threats, according to Smith. The U.K. government is launching new security guidance and a specific voucher system for small businesses through the Technology Strategy Board.

The voucher provides companies with a grant to work with outside consultants. The cyber security element of this program will fund one-hundred companies with Innovation Vouchers of up to £5,000 each.

The system is part of broader plans to make the United Kingdom one of the most secure places in the world to do online business and to make the country more resilient to cyber-attacks.

"About £650 million of investment over four years has been put in place in one of the tightest fiscal environments government has ever seen. This underlines the importance we place on cyber security," Smith added.

Christopher Boyd, senior threat researcher at Threat Track Security, welcomed the voucher initiative as well as its support of university research programs in cyber-security. "The government's commitment to investing in cyber security research and skills in the U.K. is commendable," Boyd said.

"Various organizations including central government, large and small businesses and academia can only benefit from better insight into cyber security challenges, and the same market intelligence will only help breed the next generation of security countermeasures."

Boyd continued: "The innovation voucher system is a prime example of this, helping small businesses to engage with U.K. security solution providers to develop innovative solutions to emerging security issues."

In other internet security news

Cody Kretsinger, a twenty-five-year-old man from Decatur, Illinois, and a former LulzSec hacker, has been sentenced to a year in federal prison for hacking into Sony Pictures' servers.

Kretsinger, better known to his fellow LulzSec members as "Recursion", was also ordered to carry out 1,000 hours of community service and to serve a year of home detention following his release from prison.

He was sentenced by a Los Angeles court yesterday. Kretsinger had pleaded guilty to a single count of conspiracy and unauthorized impairment of servers in a plea-bargaining agreement.

Kretsinger admitted breaking into the Sony Pictures website and extracting information which he passed on to other members of LulzSec, who leaked the data in order to embarrass Sony, a hated enemy of the hacktivist group.

Sony claimed that the hack left it $600,000 out of pocket. Kretsinger was ordered to somehow repay this amount in restitution to Sony, the LA Times adds.

Earlier this month, a 26-year-old British man also pleaded guilty to computer hacking as part of LulzSec, a splinter group of mischief-makers from the larger Anonymous collective.

Ryan Ackroyd, from South Yorkshire, admitted taking part in attacks against numerous high-profile targets including Nintendo, News International, 20th Century Fox, Sony Group and the NHS. Ackroyd adopted the online persona of a 16-year-old girl named Kayla during much of his malfeasance.

Ackroyd and other convicted LulzSec suspects like Jake Davis, 20, from the Shetland Islands, Scotland, 18-year-old Mustafa Al-Bassam from Peckham, south London and Ryan Cleary, 21, from Wickford, Essex are all due to be sentenced on May 14.

Erstwhile LulzSec leader Hector Monsegur, known online as Sabu, was revealed in March 2012 as an FBI informer who had been informing on his former cohorts for ten months after his arrest in June 2011. Sabu's sentencing was delayed by six months in February due to his "ongoing cooperation with the government".

In other internet security news

Internet security researchers say they have discovered a whole series of new malware strains that target the QUIK stock-trading application used by some banks and financial institutions.

The malware has been used in a series of attacks since November 2012, according to Russian security firm Group-IB. Cyber criminals have traditionally targeted private and corporate banking accounts, using malware such as variants of the ZeuS cybercrime toolkit to log keystrokes and extract account information from investors and traders.

This isn't new: online stock trading and brokerage systems have been attacked many times in the past, but those attacks succeeded through fake profiles and social engineering scams.

Recently however, trading fraudsters have diversified tactics and begun to use malware, in an effort to defraud the public and steal money.

In particular, professional black-hat coders have designed a new strain of malware targeting the specialized trading software QUIK (Quik Broker, Quik Dealer) from Russian software developer ARQA Technologies and FOCUS I-Vonline from New York-based EGAR Technology.

Such software is used by many banks in the Russian Federation including Sberbank, Alfa-Bank and Promsvyazbank.

Both of the applications are used for trading on MICEX, a leading Russian stock exchange. MICEX offers services including placing and trading stocks, listing securities, and even the facility to set up initial public offerings (IPOs) or company flotations.

Exchange clients trade in stocks and shares issued by the likes of Gazprom, VTB Bank, RusHydro, Mobile TeleSystems, and a few others.

Andrey Komarov of Group-IB says that the online trading malware was a variation of the Ranbyus spyware normally used to infect Windows computers and target online banking customers.

"It has quite similar functions to Zeus, as it uses a VNC spawning module which helps the hacker to be connected to the infected computer absolutely remotely and to do his fraud in silence, that's why it won't be detected by anti-fraud filters, as the theft will happen from the same IP address," Komarov explained.

Worse, another Trojan, identified as Broker-J, also targets QUIK but uses a different technique: it steals encryption keys from the QUIK key storage and transfers them to cybercriminals, still using the same IP address to avoid detection.

"The end customer should use standard methods of antivirus defense if he or she runs financial software on a personal computer which is connected to public networks," said Vladimir Kurlyandchik, head of business development at ARQA Technologies.

"People should use efficient internet security appliances and antivirus software, and also make use of firewalls. It is our standard recommendation," he added.

"In case of any suspicions of unauthorized access to an account the end user should immediately initiate the procedure of changing access keys, along with new user IDs and secure passwords," he added.

Kurlyandchik also stated that the QUIK platform incorporates several new technologies to help prevent unauthorized access, including two-factor authentication using either RSA SecurID tokens or SMS messages sent to a pre-registered phone, as well as other similar security devices.

"The securities broker now has a few and improved tools to monitor suspicious activity and to block access to the system from suspicious IP-addresses, hosts etc," he said.

In other internet security news

Since last week, many hosting providers have been reporting a huge increase in attempts to break into blogs and content management systems, with WordPress installations once again the most heavily targeted. It's not the first time that WordPress blogs have been the subject of hacking attempts, and it probably won't be the last.

Thousands of WordPress installations across the globe were hit by a brute-force botnet attack, consisting of repeated attempts to log into blogs using a combination of popular usernames (e.g. "admin", "myblog" and "user") and an array of weak passwords such as "god", "sex", "love" and "1 2 3 4 5".

Attacks of this type are commonplace; it's the sharp rise in volume late last week, to around three to four times the normal level, rather than anything technically devious, that has set alarm bells ringing all over the web.

Around 90,000 compromised servers have been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard.

To help mitigate such attacks, the senior system administration team at Sun Hosting, a large Canadian hosting provider, has rolled out broad security policies to contain and limit them. For the time being, the company has withheld public details of how it is blocking the attacks, as the attackers appear to be actively monitoring for changes and altering their tactics.

Sun Hosting says: "If your site or blog has been targeted in similar attacks, the security precautions we've implemented may limit the access to your WordPress admin dashboard. We have chosen to proactively protect our customers from such attacks in order to avoid a potentially larger security issue on your account. Your admin password should consist of a minimum of 12 characters, with upper case and lower case letters, numbers as well as punctuation marks."

The primary target appears to be WordPress installations, but Joomla users also reportedly took some hammering. Early suggestions are that the attackers are looking to harvest "low-hanging fruit" as quickly as possible in order to gain access to a bank of compromised sites for follow-up malfeasance, which could be anything from hosting malware to publishing phishing pages or running some sort of denial of service attack.

"It's 'doorknob rattling' but on an industrial and international scale," notes Paul Ducklin, Sophos's head of technology for Asia Pacific.

WordPress founder Matt Mullenweg said that the attack illustrates the need to use a distinct username and a hard-to-guess password, common-sense advice that applies to using web services in general, not just for blog administration.

"If you still use 'admin' as a username on your blog, change it, use a strong password, if you're on WP.com turn on two-factor authentication, and of course make sure you're up-to-date on the latest version of WordPress. Do this and you'll be ahead of 95 percent of sites out there and probably never have an issue."

Most other advice isn't much use: this botnet supposedly has over 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn't going to help much. It could try from a different IP address every second for 24 hours, for example.
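As an added illustration of why per-IP throttling misses a botnet of this size (example code, not from the article or any vendor it quotes): this script reads constructed web-server access-log lines, treats a POST to /wp-login.php answered with HTTP 200 (the login form re-rendered) as a failed login and a 302 as a success, and flags a time window in which failures are spread across many source addresses even though no single address repeats. The log lines, thresholds and window size are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic): five single-shot failed logins from
# different botnet addresses, one genuine successful login, one ordinary page view.
SAMPLE_LOG = """\
198.51.100.10 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.11 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.12 - - [15/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.13 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.5 - - [15/Apr/2013:10:00:04 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.14 - - [15/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def is_failed_login(method, path, status):
    """WordPress answers a wrong password with the form again (200) and a good one with a redirect (302)."""
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200

def detect_distributed_bruteforce(lines, window_seconds=60, min_failures=4, min_ips=3):
    """Bucket failed logins into fixed windows and flag windows whose failures come from many addresses."""
    buckets = defaultdict(list)  # window start (epoch seconds) -> source IPs of failed logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if is_failed_login(method, path, status):
            window = int(ts.timestamp()) // window_seconds * window_seconds
            buckets[window].append(ip)
    alerts = []
    for window, ips in sorted(buckets.items()):
        failures, distinct = len(ips), len(set(ips))
        max_per_ip = max(ips.count(ip) for ip in set(ips))  # what a per-IP limiter would see
        if failures >= min_failures and distinct >= min_ips:
            alerts.append({"window": window, "failures": failures,
                           "distinct_ips": distinct, "max_per_ip": max_per_ip})
    return alerts

if __name__ == "__main__":
    for alert in detect_distributed_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note that the flagged window shows one attempt per address (max_per_ip of 1), which is exactly the pattern a per-IP lockout never triggers on; the per-account or per-site failure rate is the signal to alert on instead.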

Olli Niemi, internet security and vulnerability expert at Stonesoft, outlined the range of possible motives behind the attack. "A concern of this attack is that by compromising WordPress blogs attackers may be able to upload malicious content and embed this into the blog," Niemi said.

"When readers visit the blogs in question they would then be subject to attack, come under compromise and develop into botnets. The attacks against the Wordpress blogs seem to be distributed, with automated attacks coming from multiple sources," he added.

Matt Middleton, U.K. and Ireland regional director of corporate security firm Cyber-Ark, said that hacking attempts on corporate blogs might be used as an access point to break into other, much more sensitive enterprise systems. Weak passwords need to be changed as soon as possible, he argues.

"Common usernames and weak passwords are extremely risky online, however, and the dangers are compounded if users re-use the same login credentials for other sites as well. Once hackers have cracked a username and password, it's extremely common that they'll attempt to use the same combination for additional sites in the attempt to fraudulently use accounts, or access information such as credit card details or corporate data," added Middleton.

Many denial of service (DoS) attacks against large U.S. banks in January were powered from compromised WordPress sites and blogs rather than malware-infected zombie PCs.

Last week's upsurge in attempts to break into WordPress sites could be a prelude to something similar happening soon, or a sign of things to come.


Source: UKBPA.
