Your DNS and IoT Vulnerabilities

Are you properly defended? In the sense of your computer and network safety, do you feel you have a good defence in depth strategy? This is not something to take lightly, and if you wish to truthfully answer yes, you have to be sure you have defences such as a DNS firewall, advanced malware protection, cloud security solutions, and more. Let us take a moment to understand just why this is important to anyone online.

Consider this – the source code for the Mirai botnet was shared online in late 2016. This is a form of malware that converts networked IoT devices into remote controlled bots. These are then used in enormous numbers to perform network attacks at an astonishing scale. In fact, the Mirai botnet actually knocked the entire nation of Liberia offline.

Once the Mirai botnet was shared, though, it split many times over, and now there are multiple Mirai derivatives at work. While you may not yet know what that means to you in terms of security, it is safe to say that you do not want to become victim to it – whether as a business owner or consumer.

To understand why a strong DNS firewall, real time malware protection, and internet security services are important, we need to look at what happened when the Mirai botnet set to work in October of 2016.

Mirai at Work

When the malware had infected enough machines, it attacked and disrupted websites as famous as Airbnb, PayPal, Spotify and the PlayStation Network. It did this by taking over IoT (Internet of Things) devices like baby monitors, CCTV systems, DVRs and routers. Though you may not think that the processing power of your CCTV system would amount to much, imagine millions of devices pooling their resources. This is how the Mirai botnet (and many other botnets) operate.

What did it use the power for? It performed a DDoS or distributed denial of service attack that flooded the systems at a firm known as Dyn, a cloud DNS provider. While IT experts are consistently advising against online businesses relying strictly on a single DNS provider in order to ensure accessibility even when under an attack, there are steps that you can take directly to protect yourself.

Considering Real Time Solutions

A DNS firewall is easily one of the strongest ways to overcome the risk of IoT vulnerability, botnets, malware and other threats. It will prevent system connections to known or recognized malicious locations, and it can also make you aware of the presence of botnets within, or threatening, your network. Because the availability of your website (which is your business) is linked to the availability of your network, you have no real choice but to find ways to implement DNS security solutions. It is the availability of those DNS services that makes you reachable, and the botnet attacks are directly targeting this accessibility.

Until IoT devices and other vulnerabilities that plague the Internet are remedied, it is best to find options for a DNS firewall, DNS security solutions, advanced malware protection and other cloud security solutions.

Stack Buffer Overflows – Old Exploits Never Die

Buffer overflows remain one of the most highly exploitable vulnerabilities on the Internet. Just last month (Feb 2016), researchers from Red Hat and Google discovered a bug in the GNU C Library, a.k.a. glibc, that made machines running the glibc package vulnerable to stack-based buffer overflow exploits.

The glibc package is found in several Linux distributions, including those running on servers as well as some routers and other network devices, so the potential scope of impact is quite extensive. Fortunately, a bug fix has already been released and hopefully the majority of the affected machines should have been patched by now. Nevertheless, it doesn’t change the fact that buffer overflows continue to be a threat to information security.


Shadow Puppets – Domain Shadowing 101

Earlier this year (2016), WordPress sites were attacked by a massive malvertising campaign that employed an evasion technique known as domain shadowing. Domain shadowing is becoming increasingly popular among cybercriminals who employ exploit kits because of its superior ability to avoid detection. In this post, we explain what domain shadowing is, how it’s employed, why it’s so effective, and some of the ways to counter it.

What is domain shadowing?
Domain shadowing basically refers to the cybercriminal exercise of infiltrating multiple domain registrant accounts in order to spew forth several subdomains for malicious purposes.

Cyber criminals are able to acquire login credentials to these registrant accounts through methods like phishing and keylogging. Once they’ve gained access, these malicious individuals then create a large number of subdomains. These subdomains could then allow the crooks to carry out attacks behind perfectly legitimate domains, which makes the attacks both hard to detect and hard to counter.

In the exploit kit campaign discovered by Cisco’s Talos Group during their initial encounters with domain shadowing, the hijacked subdomains were set up in two layers. The first layer of subdomains, mostly third level subdomains (e.g. letters.somedomain.com), received traffic from the malicious ads served on legitimate web pages and then redirected the traffic to the second layer.

This second group of subdomains, now mostly fourth level subdomains (e.g. abcfsaa.letters.somedomain.com), in turn hosted exploit kit landing pages. The exploit kit then scanned the victim’s system for vulnerabilities and infected it with malware that would in turn set the system up for more nefarious acts. The number of subdomains in this group is much larger than in the first, and they are rotated rapidly.

Why domain shadowing is so effective

One of the reasons why this technique is so effective is that registrant accounts are rarely checked. Perhaps the only times they’re ever opened are when they’re created, i.e. when the owner registers his/her first domain, and when the owner adds new domains.

Thus, these accounts are only accessed by their real owners about once or twice a year. This gives the attackers ample time to create illegitimate subdomains without getting noticed.

Another reason is that when the subdomains are finally called into play in an attack, they’re rotated rapidly. In fact, each subdomain may not stay active for more than an hour, depriving security groups of the time to gather enough information and come up with any meaningful analysis of the attack.

Thirdly, domain shadowing is immune to many of the countermeasures being used today. For instance, domain reputation systems, which assign scores to known domains and block or allow traffic from certain domains based on their scores, can have limitations when used against domain shadowing. If the malicious subdomains are built off of reputable domains like say cisco.com, they can easily slip through.

Some people are suggesting that since the fourth level subdomains used in domain shadowing are usually made up of random alphanumeric characters, this kind of subdomain might be used as a basis to issue red flags. Unfortunately, several cloud based services also use such random naming conventions for the subdomains they generate, so using this characteristic as a filter can cause problems with false positives.

Clearly, any effective way of countering domain shadowing would require a combination of several approaches. First of all, domain registrants’ accounts must be secured. Strong authentication, preferably 2FA, must be required in order to access these accounts to prevent them from being compromised. Reputation-based systems can also help in detecting malicious subdomains but, as stated earlier, must not be the only method.
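The detection approach above (random-looking labels are a weak signal on their own; the rotation pattern, many distinct children under one parent in a short window, is what separates a shadowed account from a cloud service that auto-names hosts) can be run over resolver logs. The following is an added example, not code from the original post or from Defence Intelligence; the log lines, domain names and the allowlist are constructed, and the registrable domain is approximated as the last two labels rather than looked up in a public suffix list.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log ("<ISO time> <queried name>"), hypothetical names: rotated random
# landing pages under the redirector letters.somedomain.example (the post's two-layer layout)
# plus a cloud service that legitimately auto-generates random hostnames.
SAMPLE_LOG = """\
2016-03-01T10:00:05 letters.somedomain.example
2016-03-01T10:00:09 abcfsaa.letters.somedomain.example
2016-03-01T10:12:41 q8zt1kd.letters.somedomain.example
2016-03-01T10:25:03 m4xv9pq.letters.somedomain.example
2016-03-01T10:41:17 zz0r3ls.letters.somedomain.example
2016-03-01T11:02:50 k1pd7wa.letters.somedomain.example
2016-03-01T10:06:00 static.cdn.somedomain.example
2016-03-01T10:07:00 d1abc2xyz.cloudfront.example
2016-03-01T10:08:00 e7qp0mnv.cloudfront.example
2016-03-01T10:09:00 f3rs8klt.cloudfront.example
2016-03-01T10:10:00 g5tu4hjw.cloudfront.example
"""
COMMON_LABELS = {"www", "mail", "ftp", "smtp", "api", "cdn", "static"}
KNOWN_RANDOM_DOMAINS = {"cloudfront.example"}  # constructed allowlist of auto-naming services

def shannon_entropy(label):
    """Bits per character; weak on its own for labels this short."""
    n = len(label)
    return -sum(label.count(ch) / n * math.log2(label.count(ch) / n)
                for ch in set(label))

def looks_random(label, min_len=6, min_entropy=2.0):
    """Per-label heuristic: long, not a common hostname, high entropy."""
    return (len(label) >= min_len and label not in COMMON_LABELS
            and shannon_entropy(label) >= min_entropy)

def parse_log(text):
    """Yield (timestamp, name) from non-empty '<ISO time> <name>' lines."""
    for line in text.splitlines():
        if line.strip():
            ts, name = line.split()
            yield datetime.fromisoformat(ts), name.lower().rstrip(".")

def find_shadowed_parents(text, min_children=4, window=timedelta(hours=2),
                          allow=KNOWN_RANDOM_DOMAINS):
    """Parents that spawn >= min_children distinct random-looking children within one
    window (the rotation pattern of a shadowed account) -> sorted child labels."""
    first_seen = defaultdict(dict)  # parent -> {child label: first timestamp}
    for ts, name in parse_log(text):
        labels = name.split(".")
        if len(labels) < 3 or ".".join(labels[-2:]) in allow:
            continue  # nothing to judge, or a service known to auto-name hosts
        child, parent = labels[0], ".".join(labels[1:])
        if looks_random(child):
            first_seen[parent].setdefault(child, ts)
    flagged = {}
    for parent, children in first_seen.items():
        times = sorted(children.values())
        burst = max(sum(1 for t in times if start <= t <= start + window)
                    for start in times)
        if burst >= min_children:
            flagged[parent] = sorted(children)
    return flagged
```

With the allowlist emptied the cloud service is flagged too, which is exactly the false-positive problem the post describes for entropy-only filters.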

Defence Intelligence solutions can help you prevent, detect or counter domain shadowing. To learn how, contact us today.

Cyber Risk No. 1: Loss Or Theft Of Confidential Information

Cyber risks are a growing concern for every company, no matter the industry. The storage and transfer of data have become necessary parts of doing business, and “putting it out there,” so to speak, increases the chance of a hack-attack.

File sharing in particular is a major concern for organizations concerned about their sensitive or proprietary data. With services like Dropbox, Google Drive and Microsoft’s SkyDrive gaining traction daily, IT professionals need an effective way to manage and monitor the flow of their data. It’s for this reason that both our Harbinger and Nemesis services include a dedicated file sharing category, giving you the ability to control the transfer and integrity of your data.

This month we’ll be looking at three cyber risks most often identified by companies open to disclosure. The first risk is loss or theft of confidential information, which has become even more of a concern for companies and individuals in this post-NSA PRISM world.

Each year, security threats continue to be more costly and require greater vigilance, as evidenced in a recent settlement that cost Sony more than $383,000 in UK-based fines for a 2011 breach of its PlayStation Network. Nintendo also faced similar issues in June of this year with more than 15 million hacking attempts resulting in 24,000 breaches in a single month, according to CBR Online.

The average cost of a breach lasting 3-5 days for a small company is $35,000 – $65,000. For a large company, that number grows to a staggering $400,000 – $840,000. If at first glance those figures seem high, consider the cost of the following: time spent responding to the incident, lost business, lost assets, reputational damage, and that’s before any compliance issues or fines.

The more your business grows, the more likely it will attract the interest of cyber-attacks. So what can you do to protect yourself?
1. Pinpoint the associated risks for the types of data that are important to your business. 
2. Define your security policy. 
3. Implement.
4. Review and revise.
Final word of warning: don’t think this is one-size-fits-all. Prevention is dependent on your company’s needs, and could involve establishing Internet use protection or safeguards against intrusion or remote access safety measures for backing up and accessing data. 

Know what you need, and make sure you get it.  For more information about our Harbinger and Nemesis services, visit us at defintel.com

Cyber Security Event for the Government of Canada and IT Industry

Dear Friends and Colleagues:

On behalf of the Canadian Internet Registration Authority (CIRA), I am pleased to invite you to attend a special Cyber Security meeting to be held at the Crown Plaza Ottawa, September 23, 2008.

Cyber Security is critical to ensuring the integrity of the network infrastructure of the federal government. This Cyber Security meeting offers an opportunity to discuss, share and learn what we can do and what we should do to respond to modern Cyber Security threats. It will be comprised of four sessions ranging from cyber-attacks, evolution of the modern malware, latest updates on the Kaminsky DNS Vulnerability and Electronic Espionage. Is the Government of Canada well safeguarded against these threats?

Topics include:

Update on the Kaminsky DNS Vulnerability

Christopher Davis, CEO Defence Intelligence

The Evolution of the Threat: From Fun to Profit

Christopher Davis, CEO Defence Intelligence

Meaghan Molloy, Threat Analyst Defence Intelligence

Information Protection Capability Gap

Aron Feuer/Wayne Boone, Cygnos IT Security

Cyber-Attacks: Experiences From the Trenches

Bill Woodcock, Packet Clearing House

We are delighted to welcome Mr. Bill Woodcock to this meeting. Bill Woodcock is research director of Packet Clearing House, a non-profit research institute dedicated to understanding and supporting Internet traffic exchange technology, policy, and economics. Bill has operated national and international Internet service provision and content delivery networks since 1989, and currently spends most of his time building Internet exchanges in developing countries.

This is a meeting not to be missed!

This CIRA Cyber Security event is limited to 60 participants. We urge you to register!

Sincerely,

Norm Ritchie

Chief Information Officer
Canadian Internet Registration Authority (CIRA)

Web experts scrambling to patch security flaw

Code published that could allow hackers to direct surfers to fake websites
Jessey Bird
The Ottawa Citizen
Security experts are urging Internet server administrators to act quickly to head off what they are calling the “single largest threat to Internet security.”

They say a critical flaw in the system used to route Internet traffic could let hackers redirect users to dangerous websites, and then steal their personal information.

While the flaw was discovered six months ago, and a fix released two weeks ago, the exact nature of the problem was kept secret.

That was until yesterday, when a program to exploit the flaw was posted on the Internet, allowing anyone around the world to simply download it and run it.

According to Christopher Davis, chief executive of Ottawa-based Defence Intelligence, the “exploit” allows hackers to replace search engines, social-networking sites and even banking websites with their own “malicious” content.

So far, government and Internet service provider officials say they are taking the threat to their domain-name servers seriously, but do not have any actual examples of the attack, which is called “DNS cache poisoning,” to report.

The attack is aimed at how Internet addresses function, particularly the domain-name servers (DNS) that route Internet traffic.

While websites are all identified by addresses using words that are easy for people to remember — like google.ca or facebook.com — they are also identified by addresses of just numbers. Domain-name servers serve as the translator in between — connecting a user that types in a web address to the correct computer.

“DNS is kind of the 411 for the Internet,” said IOActive security researcher Dan Kaminsky, who discovered the flaw six months ago.

What he realized was that in just seconds, a malicious hacker could poison a domain-name server and reroute users to different websites from the ones they are seeking. Hackers could also route people to copycat websites that would enable them to steal people’s personal information.

“This attack works very, very well,” he said. “Any website that you trust is not necessarily the website that you are looking for. Every e-mail you send is not necessarily going where you think.”

Even people who take precautions could be fooled.

At the time of the discovery, Mr. Kaminsky and industry giants such as Microsoft and Cisco acted quickly to create a patch for the flaw, while keeping the exact nature of the problem secret. They released their fix two weeks ago.

Mr. Kaminsky promised to discuss the problem at a technical conference in August, so other security experts could learn from his work; that would give Internet providers about a month to install the fix.

But after another expert’s public speculation on the details of the DNS flaw hit too close to home on Monday and the details of the flaw were leaked, Mr. Kaminsky and Mr. Davis say they are worried hackers might know enough to cause problems — and service providers haven’t had enough time to install the patch.

“The majority of DNS servers have not yet been patched,” said Mr. Kaminsky.

“It is a serious vulnerability,” said Bruce Schneier, chief security technology officer for British Telecom. “It is one that can be used by criminals to steal identity.”

Mr. Schneier also stressed that there is no need for the public to panic.

“Kaminsky was hoping there would be a full month for people to patch their system,” said Mr. Schneier, adding that the leak has made Internet users “more vulnerable.”

“But let’s face it — you’re not going to die,” he said. “Money is stolen out of banks every day. This is another way to do that.

“Is it a worse way than all the other ways? Probably not,” he continued. “Is it a serious way? Yes. Have there been other serious ways? Yes. Are we still here? Yes.”

“It is not armageddon,” he said. “We are not going to die.”

Officials from Rogers Cable Inc., one of Ontario’s major Internet providers, said they haven’t detected any problems with their system.

“Built into our network today are intrusion detection and prevention systems,” said Nancy Cottenden, director of communications for Rogers Cable, adding that Rogers monitors vulnerabilities on a “regular basis.”

Ms. Cottenden also said Rogers is in the midst of installing Mr. Kaminsky’s patch.

“It takes some time,” said Ms. Cottenden. “Any vendor will tell you it takes some time. The good news is, it is being loaded.”

Bernard Beckhoff, spokesman for Public Safety Canada, said there have been “no confirmed incidences of the threat being applied in Canada or elsewhere.”

The Canadian Cyber Incident Response Centre will continue to monitor the threat, said Mr. Beckhoff.

Mr. Davis said that while the Canadian government has been quick to respond, many are still downplaying the issue.

He urged Internet users to contact their service providers to find out whether they’ve patched their systems.

“It scares the hell out of us,” said Mr. Davis. “And we know what we’re doing.”

Major Security Flaw Discovered: Internet Privacy Compromised at All Levels

OTTAWA, ONTARIO–(Marketwire – July 22, 2008) – Yesterday, details were leaked of possibly the single largest threat to Internet security. Earlier this year, Dan Kaminsky, director of penetration testing for IOactive, discovered a major flaw in how Internet addresses function. The issue is in the design of the Domain Name System (DNS) and is not limited to any single product. An attacker could easily take over portions of the Internet and redirect users to arbitrary and malicious locations to engage in identity theft. For example, an attacker could target an Internet Service Provider (ISP) replacing search engines, social networks, banks, and other sites with their own malicious content. Against corporate or government environments, an attacker could disrupt or monitor operations by rerouting network traffic, capturing emails and other sensitive data.

Kaminsky immediately reported the issue to major authorities, including the United States Computer Emergency Response Team (part of the Department of Homeland Security), and began working on a coordinated fix; a patch was released July 8th, 2008. Chris Davis, CEO of Ottawa-based Defence Intelligence, has been working in coordination with Kaminsky to brief key agencies in the Canadian government. Details of the vulnerability were to remain a closely held secret until Kaminsky’s public presentation on August 6th, 2008 in order to provide organizations with enough time to protect themselves. However, this window was drastically reduced due to the accidental posting of the details by an uninvolved party.

Defence Intelligence is determined to make Canadian companies fully aware of the flaw and the steps they can take to protect themselves. The general public should be particularly vigilant while conducting business online. Kaminsky is urging people to act quickly, “Patch. Today. Now. Yes, stay late.”

“This may be the worst information security vulnerability ever, and I’m very impressed at the speed and agility with which the Canadian government is responding,” said Davis. The common goal of all involved parties is the implementation of the patch and monitoring of networks to ensure security.