* Posts by @Cloudmark

2 publicly visible posts • joined 10 Nov 2014

Syrian Electronic Army in news site 'hack' POP-UP MAYHEM

@Cloudmark

Websites are only as secure as their weakest components

The Syrian Electronic Army is claiming to have hacked a number of sites, but evidence points to an advertising network at the heart of the attacks. This attack combines two weak points in the Internet's infrastructure, ad networks and DNS – and highlights how both were not built with security in mind.

A website is only as secure as the weakest component on that website. If you display adverts from a third party advertising network, your visitors are vulnerable to any security holes on that advertising network. We saw how problematic this can be recently when visitors to AOL, Match.com and Yahoo! clicked on a malicious advert and were then infected with the Cryptowall ransomware. The DNS system, one of the fundamental building blocks of the Internet, dates back to the days when everyone on the network trusted everyone else. Security in the DNS system has come as an afterthought, and therefore taking control of someone else's DNS account does not require any great technical expertise. It can be as simple as tricking the registrar into assigning the account to someone else.

The Syrian Electronic Army are experts at social engineering and spear phishing. Most registrars would think twice before changing ownership of the domain name of a major newspaper to another owner - though it did happen to Craigslist recently - but they probably won't pay the same attention to the domain name of a startup ad network.

Securing the internet's infrastructure has been a continuous discussion within the technology industry, and threats like this bring the conversation back into the spotlight. Large parts of the Internet's infrastructure need to be rebuilt from the ground up to be more secure. DNS is one of those parts. The controls on transfer of domain ownership need to be tighter, requiring at minimum dual factor authentication, with the option of certificate or key based authentication for mission critical domain names. However, the DNS protocol itself is also subject to abuse. It can easily be used for DDoS amplification attacks such as the one on Spamhaus, and also lends itself to other abuses such as data exfiltration and botnet C&C. It can represent a single point of failure for critical systems, and as such, must be considered a key security concern for any enterprise.

Bitcoin is great and safe, says, er, the Bitcoin Foundation

@Cloudmark

Whilst Bitcoin has many potential benefits, before any form of regulation or potential integration into the mainstream, there needs to be a nod towards the security concerns attached to cryptocurrencies – including implementing stronger measures to better combat Bitcoin theft and phishing attacks.

Theft and phishing attacks have already caused serious issues for both Bitcoin stability (see: Mt Gox) and individual users. If your credit card or bank account credentials are stolen, the criminal will still need to extract money from your account, and the chances are that you can raise this as fraud and your bank will protect you and take the hit. However, if your Bitcoin wallet is compromised, the content is gone forever, and there is no way to get anything back. Unfortunately, this is one of the reasons why Bitcoin fraud is becoming popular. Extrapolating this concept a step further to the realm of banks and Bitcoin exchanges highlights an inherent issue (often used as a benefit) of cryptocurrencies.

Another major driver for Bitcoin phishing and theft seems to stem from its entanglement with illegal activities such as unlicensed gambling and illegal drug sales, two activities that commonly take place on the Bitcoin market. Both crimes, and arguably any crime, would benefit from the anonymity and irreversibility of Bitcoin transactions, even though this leads to unrelated users having no recourse if they are cheated or defrauded as a part of the system.

If they want to truly address issues with Bitcoin and its pitfalls, they need to address, not sidestep, the types of issues highlighted by Mt Gox.

- Tom Landesman