The effectiveness of DNS Reflective attacks over the past two years has raised the popularity of other reflective attacks, such as CHARGEN and Network Time Protocol (NTP) attacks. In the case of CHARGEN attacks, service is spoofed into sending data from one service on one computer to another service on another computer creating an infinite loop that results in a denial of service attack. Similarly with NTP attacks, an attacker sends a specially crafted query that ultimately redirects large volumes of traffic. The traffic is sent with a spoofed source address with the intention of having the NTP servers return responses to the spoofed address.
What exactly is the Heartbleed vulnerability?
On April 7, 2014, the OpenSSL community announced that it found a critical vulnerability in the TLS Heartbeat protocol. The nature of such an attack is very similar to a buffer overflow attack, where a remote attacker can exploit the protocol by sending a malformed “heartbeat” request with a payload size bigger than the actual request. In response, the vulnerable server would return a heartbeat response that contains a memory block of up to 64KB in the payload. This memory block can potentially reveal confidential information, including SSL private keys, user passwords and more. The researchers that found this vulnerability have put together an informative micro site that explains all of this.
As you’ve most likely heard, a very serious threat called CVE-2014-0160, commonly referred to as “Heartbleed” has been threatening the ultra-popular open-source OpenSSL package. Heartbleed is unique in the collateral damage it can create.
Heartbleed exposes the ugly side of open-source security components: In past events, where such Earth-shaking vulnerabilities were found, there was a vendor that would pay for the collateral damages that the vulnerability created. Who would pay for the collateral damages of this open-source vulnerability? It is likely be the users that are using OpenSSL.
“To err is human.”
This quote by British poet Alexander Pope gained new meaning to me after reading a follow-up article by Information Week on the massive security breach that the American retailer Target experienced this past November. According to the story, the Target security team reviewed and ignored urgent warnings about unknown malware spotted on their network. They simply made the wrong call. This can happen, but this erroneous call, ended up resulting in millions of dollars in lost revenues to the organization as well as exposed the personal and credit information of millions of their shoppers.
What comes to mind when the term “Denial of Service” is mentioned? Probably website outage.
This image has been crafted over the last couple of years with media, analysts and bloggers all talking about Denial of Service attacks, but mostly when the result of the DoS attack caused a site outage. Our latest report, the Radware Global Application and Network Security Report addresses this and other misconceptions about DDoS.
For a large number of online gamers that planned to spend their holiday break playing online games such as League of Legends, Minecraft, DayZ, Eve Online, and even ClubPenguin, they were met with an unpleasant surprise. A hacker group with the name “DERP” was attacking many of the Massively Multiplayer Online Games (MMOG) sites over the last couple of days.
The revised Payment Cards Industry Data Security Standard (PCI-DSS) that was released last Thursday did not provide any ground breaking news regarding the requirement for the protection of publicly facing web-applications against vulnerabilities and web-application attacks.