Security Company CloudFlare leaks sensitive customer information for tens of thousands of websites
February 24, 2017

cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

(It took every ounce of strength not to call this issue "cloudbleed")

Corpus distillation is a procedure we use to optimize the fuzzing we do by analyzing publicly available datasets. We've spoken a bit about this publicly in the past, for example:

On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn't match what I had been expecting. It's not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data...but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.

It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data. The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time. That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by cloudflare - a major cdn service.

A while later, we figured out how to reproduce the problem. It looked like if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.

We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.

This situation was unusual: PII was actively being downloaded by crawlers and users during normal usage; they just didn't understand what they were seeing. Seconds mattered here; emails to support on a Friday evening were not going to cut it. I don't have any cloudflare contacts, so I reached out for an urgent contact on twitter, and quickly reached the right people.

After I explained the situation, cloudflare quickly reproduced the problem, told me they had convened an incident and had an initial mitigation in place within an hour.

"You definitely got the right people. We have killed the affected services"

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
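As an added illustration of the bug class the report above describes (an HTML rewriter that runs past the end of the page it is processing and emits whatever lies beyond), here is a toy tag scanner that trusts the `>` terminator instead of the buffer length, beside a bounds-checked version. This is example code, not code from Cloudflare or from the Project Zero issue, and it makes no claim about the actual root cause, which the report does not state. The memory layout (a "page" followed by a planted neighbouring string standing in for other data the process holds) is constructed for the example so that the leak is deterministic and stays inside one allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena: the first page_len bytes are the page being rewritten,
 * the bytes after them stand in for whatever else the process has in memory
 * (here a planted string that looks like another user's request header). */
enum { ARENA_SIZE = 128, OUT_SIZE = 128 };

static char arena[ARENA_SIZE];
static size_t page_len;   /* how many bytes of arena belong to the page */

/* Build the arena: an unbalanced page (tag never closed) followed by
 * neighbouring data that happens to contain a '>' further along. */
void build_arena(void) {
    const char *page = "<p>hello <a href=";                       /* no '>' */
    const char *neighbour = "Cookie: session=constructed-secret; >";
    memset(arena, 0, sizeof arena);
    page_len = strlen(page);
    memcpy(arena, page, page_len);
    memcpy(arena + page_len, neighbour, strlen(neighbour));
}

/* Vulnerable form: copies from the tag start until it sees '>', with no
 * regard for where the page ends. An unterminated tag therefore walks into
 * the neighbouring data and copies it into the output. */
size_t scan_tag_vulnerable(const char *start, char *out, size_t out_size) {
    size_t n = 0;
    while (*start != '>' && n + 1 < out_size) {   /* only '>' stops it */
        out[n++] = *start++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened form: the caller's end pointer is the authority. If the tag is
 * not closed inside the buffer, emit nothing and report zero bytes rather
 * than guessing where the tag ends. */
size_t scan_tag_hardened(const char *start, const char *end,
                         char *out, size_t out_size) {
    size_t n = 0;
    const char *p = start;
    while (p < end && *p != '>') {
        if (n + 1 >= out_size) { out[0] = '\0'; return 0; }  /* would not fit */
        out[n++] = *p++;
    }
    if (p == end) {            /* input ran out before a '>' was found */
        out[0] = '\0';
        return 0;
    }
    out[n] = '\0';
    return n;
}

/* Demo helper: pointer to the last '<' inside the page proper. */
const char *last_tag_start(void) {
    const char *p = NULL;
    for (size_t i = 0; i < page_len; i++)
        if (arena[i] == '<') p = arena + i;
    return p;
}

int main(void) {
    char out[OUT_SIZE];
    build_arena();
    const char *tag = last_tag_start();
    size_t n = scan_tag_vulnerable(tag, out, sizeof out);
    printf("vulnerable scanner emitted %zu bytes: \"%s\"\n", n, out);
    n = scan_tag_hardened(tag, arena + page_len, out, sizeof out);
    printf("hardened scanner emitted %zu bytes: \"%s\"\n", n, out);
    return 0;
}
```

The defender's takeaway is in the hardened function: a parser running inside a shared proxy must treat the length of the input it was handed as the only boundary, and an unterminated construct is an error to report, not a reason to keep reading. The vulnerable scanner also caps its output at `out_size`, so the demo does not itself read outside the arena; in a real process the bytes beyond the page are whatever the allocator left there.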
Cloudflare bug data leak exposed
February 24, 2017

Private messages exchanged on dating sites, hotel bookings and frames from adult videos were among the data inadvertently exposed by a bug discovered in the Cloudflare network.

The firm protects websites by routing their traffic through its own network, filtering out hack attacks.

It has 4 million clients, including banks, governments and shopping sites.

Customers wouldn’t necessarily know which of the online services they use run on Cloudflare as it is not visible.

The bug came to light while Cloudflare was migrating from older to newer software between 13 and 18 February.

Chief operating officer John Graham-Cumming said it was likely that in the last week, around 120,000 web pages per day may have contained some unencrypted private data, along with other junk text, along the bottom.

He told the BBC there was no evidence yet that the data had been used maliciously.

“I can’t tell you it’s zero probability that nobody saw something and did something mischievous,” he said.

“I am not changing any of my passwords. I think the probability that somebody saw something is so low it’s not something I am concerned about.”

‘Ancient software’

Mr Graham-Cumming has written a blog about what went wrong and how Cloudflare fixed it.

“Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it,” he wrote.

The firm, whose strapline is “make the internet work the way it should”, has also been working with the major search engines to get the data scrubbed from their caches – snapshots taken of pages at various times.

It was discovered by Google engineer Tavis Ormandy, who compared it to the 2014 Heartbleed bug.

“We keep finding more sensitive data that we need to clean up,” he wrote in a log of the discovery.

“The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up.”

Dodged bullet

Cybersecurity expert Prof Alan Woodward said the bug had been caused by “a few lines of errant code”.

“When you consider the millions of lines of code that are protecting us out there on the web, it makes you realise that there are bound to be other problems likely to be waiting to be found,” he said.

“It’s too soon to tell exactly what damage may have been done, but because of the way in which this was found the chances of individuals being compromised is relatively small.

“What it shows, bigly, is that we may have just dodged a bullet.”

Source: http://www.bbc.com/news/technology-39077611

Deutsche Telekom Cyber Attack ‘Mastermind’ Arrested At London Airport
February 24, 2017

The police plan to extradite him to Germany where he could face up to ten years in prison

A 29-year-old British man suspected of being behind the cyber attack which affected 900,000 Deutsche Telekom customers has been arrested at Luton Airport.

The German telecoms giant was forced to roll out a software update in November after nearly a million of its customers across the country were either cut off, or had issues with their broadband service.

The UK’s National Crime Agency (NCA) today said it has arrested the man under charges of computer sabotage on behalf of Germany’s federal criminal police force (BKA).

Attack suspect

Cologne public prosecutor Dr Daniel Vollmert said the man is “accused of being the mastermind behind the attack”, with the police planning to extradite him to Germany where he could face up to ten years in prison.

He allegedly planned to compromise Deutsche Telekom routers in order to integrate them into a networked “botnet” for cyber-criminal activity, and prosecutors allege that he tried to sell the botnet on the dark web for “attack scenarios like so-called DDoS attacks”.

At the time, Deutsche Telekom was able to mitigate the attack by instructing customers to disconnect their routers and only restart them after carrying out a software update.

Attacks such as this were extremely prevalent throughout 2016, as businesses struggled to come to terms with a growing attack surface and the increased sophistication of cyber attacks, emphasising a need for next generation security products.

DDoS attacks in particular are a serious threat to businesses. Earlier this month a suspected DDoS attack took down the Austrian Parliament website and the same type of attack was deemed responsible for an outage at Lloyds Banking Group in January that left customers unable to access online banking services for three days.

Corero Network Security warned businesses to prepare for bigger and badder DDoS attacks in 2017 and, if the first two months of the year are anything to go by, this prediction looks set to come true.

Source: http://www.silicon.co.uk/security/deutsche-telekom-attack-arrested-206020

Bitfinex Targeted in “Severe” DDoS Attack Amid Bitcoin Price Surge
February 22, 2017

Prominent bitcoin exchange Bitfinex revealed it was struck by a significant DDoS attack late Tuesday night (UTC). However, the denial of service attack was promptly mitigated, with minimal impact on operations.

The Hong Kong-based cryptocurrency exchange confirmed it was “under severe DDoS attack” in a social media post yesterday. The attack coincides with bitcoin prices reaching some of the highest levels in its entire history, as bitcoin-seeking extortionists continue to attack the most straightforward targets for demanding bitcoin ransoms.


The disruption impacted users, some of whom pointed to the crypto-exchange’s chosen DDoS protection service CloudFlare blocking API functions.


The exchange further confirmed that API performance took a hit.

The attacks began late Tuesday night, and Bitfinex began investigating the disruption at 21:34 UTC. To its credit, Bitfinex took measures to identify and block the DDoS attack within a 15-minute monitoring period.

“We have taken steps to identify and block the attack. The system is returning to normal,” the exchange confirmed soon after.

Information from its status page reveals that all services were back to normal, less than an hour after the attack caught attention.

Bitfinex has faced outages due to DDoS attacks in the past. In mid-2015, when the website was still in its “beta” phase, it was completely knocked offline following a DDoS attack. The exchange had previously made headlines that year following a hack of its hot wallet. It is speculated that just about 0.5 percent of the exchange’s bitcoin holdings, approx. 1,400 BTC, was stolen during the hack. That hack pales in comparison to the infamous 2016 theft of nearly 120,000 bitcoins, approx. $65 million at the time, which promptly sent the bitcoin price crashing after the exchange suspended trading.

In recent times, Bitfinex has become the dominant bitcoin exchange by daily trading volume globally.

Figures from CoinMarketCap reveal the Hong Kong-based exchange leading others by a significant distance.


Bitfinex also leads the pack in overall trading of cryptocurrencies including bitcoin, followed by Kraken.

Source: https://www.cryptocoinsnews.com/bitfinex-targeted-in-severe-ddos-attack-amid-bitcoin-price-surge/

Homeland Security Wants To End The Scourge Of DDoS Attacks
February 20, 2017

In 2017, Homeland Security has as much to do with securing digital borders as it does geographical ones. One push the DHS is leading to make cyberspace safe for Americans is the DDoSD project.

The first four letters — DDoS — should be familiar enough by now. We’ve seen numerous distributed denial-of-service attacks in the recent past, with targets ranging from African wireless carriers to cybercrime bloggers to one of the largest DNS providers in the world.

It’s the last letter in DDoSD that makes all the difference. That D stands for defense, and the Department of Homeland Security’s Cyber Security Division (CSD) is funding multiple systems that have the potential to stem the rising tide of DDoS attacks.

In a post published last week, the DHS stated that its goal is to “build effective and easily implemented network defenses and promote adoption of best practices by the private sector.” With the right tools and the public’s cooperation, the DHS hopes “to bring about an end to the scourge of DDoS attacks.”

The DHS post points to a best practices document that was shared by The Internet Society way back in the year 2000. That document describes “a simple, effective, and straightforward method for using […] traffic filtering to prohibit DoS attacks.” It’s a good starting point, but the DHS post notes that no one defense system can repel every attack.
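As an added example of the filtering technique the 2000 document describes, which I take to be network ingress filtering as written up in BCP 38 (RFC 2827): a network edge forwards a packet arriving from a customer-facing interface only if its source address belongs to a prefix actually assigned to that customer, so floods that spoof someone else's address are dropped at the first hop instead of reaching their target. This is illustrative code written for this page, not anything from the DHS project or the document it cites; the prefixes and packet sources below are constructed from documentation address ranges.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An IPv4 prefix in host byte order: network bits plus prefix length. */
struct prefix { uint32_t net; int bits; };

/* Parse a dotted-quad IPv4 address; returns 1 on success, 0 on bad input. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static uint32_t prefix_mask(int bits) {
    return bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
}

/* Parse "a.b.c.d/n" into a prefix; returns 1 on success, 0 on bad input. */
int parse_prefix(const char *s, struct prefix *p) {
    char addr[32];
    const char *slash = strchr(s, '/');
    if (!slash || (size_t)(slash - s) >= sizeof addr) return 0;
    memcpy(addr, s, (size_t)(slash - s));
    addr[slash - s] = '\0';
    if (!parse_ipv4(addr, &p->net)) return 0;
    if (sscanf(slash + 1, "%d", &p->bits) != 1 || p->bits < 0 || p->bits > 32) return 0;
    p->net &= prefix_mask(p->bits);   /* canonicalise the network part */
    return 1;
}

int in_prefix(uint32_t addr, const struct prefix *p) {
    return (addr & prefix_mask(p->bits)) == p->net;
}

/* Ingress decision for one customer-facing interface: forward (1) only if
 * the packet's source lies in a prefix routed to that customer, otherwise
 * drop (0). Unparsable sources are dropped as well. */
int ingress_allow(const char *src, const struct prefix *allowed, size_t n) {
    uint32_t a;
    if (!parse_ipv4(src, &a)) return 0;
    for (size_t i = 0; i < n; i++)
        if (in_prefix(a, &allowed[i])) return 1;
    return 0;
}

int main(void) {
    /* Constructed: this customer is assigned two documentation prefixes. */
    struct prefix allowed[2];
    parse_prefix("203.0.113.0/24", &allowed[0]);
    parse_prefix("198.51.100.128/25", &allowed[1]);

    /* Constructed sample packet sources seen on the customer interface. */
    const char *sources[] = { "203.0.113.77", "198.51.100.200",
                              "198.51.100.9", "10.0.0.1" };
    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++)
        printf("src %-16s -> %s\n", sources[i],
               ingress_allow(sources[i], allowed, 2) ? "forward" : "drop (spoofed)");
    return 0;
}
```

The check is deliberately dumb: it knows nothing about the destination or the payload, which is why the document can call it simple and straightforward, and why it only helps when the networks closest to the traffic sources deploy it. It does nothing against floods sent from addresses the attacker legitimately controls, which is the gap the DHS post's other efforts are meant to cover.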

That’s why the DHS has multiple teams working on multiple solutions. One is a peer-to-peer system that would allow Internet providers around the globe to collaborate on the automated detection and mitigation of DDoS attacks. Others are focused on neutralizing high-powered attacks.

There’s still work to do, but it’s great to see the DHS leading a coordinated effort because something needs to be done. Last year, DDoS protection provider Imperva Incapsula reported helping its customers fend off an average of 445 attacks every week. Their intensity increased dramatically, too, up from around 200Gbps in 2015 to 470Gbps in 2016.

Add in a report from Verizon that named the three biggest targets of DDoS attacks as cloud and IT service providers (49% of all attacks), the public sector (32%), and banks (9%), and it becomes very clear why we need the DDoSD project to succeed.

Source: http://www.forbes.com/sites/leemathews/2017/02/20/homeland-security-wants-to-end-the-scourge-of-ddos-attacks/#527bd1556c0f