Wednesday, December 15, 2010

Denial-of-Service Attacks

One of the most popular news stories this month involves Julian Assange and the website WikiLeaks. Assange was granted bail in England yesterday, but must remain in the country pending a Swedish appeal. Assange's bail was set at £200,000 (around $315,000), and many people are showing their support by donating money to WikiLeaks. Last week, several companies decided to stop handling donations to WikiLeaks, claiming that the website promoted illegal activities. This refusal spawned a series of cyber attacks on the websites of PayPal, Amazon, MasterCard and Visa. The attacks used are called DoS (denial-of-service) or DDoS (distributed denial-of-service) attacks, and they make a website inaccessible to its users. In this post I will explain how DoS and DDoS attacks work, and what this recent attack on major websites means for Internet security.

A DoS attack works by flooding the target with more traffic or requests than it can handle, until some resource on the server or its network is exhausted: CPU time, memory, the table of open connections, or the bandwidth of the link itself. The attacker sends packets or requests far faster than they can be processed, and once the resource is gone, legitimate users trying to reach the page are dropped or time out. The difference between the two types of attacks is the number of attacking computers: a DoS attack comes from a single source, while a distributed denial-of-service attack comes from many machines at once, which makes it both harder to block by address and harder to trace. These attacks can be led by one person, or carried out collectively by a group of people. The latter was demonstrated last week when some users of the website 4chan organized a DDoS attack on the websites refusing to help WikiLeaks.
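As an added example, not part of the original post, here is the kind of check a site operator would run over a web server's access log to spot a flooding client: it parses common-log-format lines, keeps a sliding time window of request timestamps per source address, and reports any address whose request rate exceeds a threshold. The log lines are constructed for the example (documentation addresses from RFC 5737, not a real capture), and the 10-second window and 100-request threshold are arbitrary values chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format": client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, window_seconds=10, threshold=100):
    """Return {ip: peak_requests} for every client that made at least `threshold`
    requests inside any `window_seconds`-long window.  Lines are assumed to be in
    time order, as a live log file is; the deque per IP holds only the timestamps
    still inside the current window, so memory stays bounded during a flood."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crashing the monitor
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def make_sample_log():
    """Constructed sample traffic (not a real capture): one ordinary visitor making a
    request every 15 seconds, and one client sending 50 requests per second for 4 s."""
    start = datetime(2010, 12, 15, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(5):
        events.append(("192.0.2.10", start + timedelta(seconds=15 * i), "GET /index.html"))
    for i in range(200):
        events.append(("203.0.113.7", start + timedelta(seconds=i // 50), "GET /"))
    events.sort(key=lambda e: e[1])
    return ['%s - - [%s] "%s HTTP/1.1" 200 512' % (ip, ts.strftime(TS_FMT), req)
            for ip, ts, req in events]


if __name__ == "__main__":
    for ip, n in find_flooders(make_sample_log()).items():
        print("%s: %d requests inside a 10-second window" % (ip, n))
```

The per-address threshold is exactly what a distributed attack is designed to defeat: spread the same 200 requests across 200 machines and every one of them stays under the limit, so this check is a first line of defense against a single-source DoS, not a complete answer to a DDoS.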

4chan is an image board that allows users to anonymously discuss topics and post images to the site. The users of 4chan are known for their involvement in various Internet pranks and attacks, mainly using DDoS attacks to disable targeted websites. These attacks are part of something called "Operation Payback", which began after many torrent-downloading sites were taken down. In retaliation, the members of Operation Payback organized denial-of-service attacks on anti-piracy websites and organizations. The group has continued to show its "strength", resulting in the recent attacks on the PayPal, MasterCard, and Visa websites. Although DDoS attacks from 4chan's users are nothing new, the method by which this attack was conducted presents a new security threat to the Internet.

Early denial-of-service attacks often used the "ping of death" technique, which sent an oversized ping (ICMP echo request) to a targeted computer: the packet arrived in fragments that reassembled to more than the 65,535 bytes an IP packet is allowed to be, and older operating systems crashed when they tried to handle it. Modern systems reject such packets, so newer types of DoS attacks have been created. One reason the recent attacks on MasterCard and Visa were so "successful" is that participants used a tool called LOIC. The Low Orbit Ion Cannon was written as a network stress tester; it floods the targeted website with TCP or UDP packets or HTTP requests, and many volunteers running it at the same time turned a single-machine stress tool into a distributed attack.

The idea that a relatively small group of people was able to take major websites down for a number of hours is somewhat scary, but in the end no one's information was obtained and purchases could still be made (for some users). Participating in a DDoS attack is illegal, and some of the people involved in the recent 4chan attack have been arrested and questioned in the last few days. Although the FBI probably won't spend too much time and money hunting down these activists, it makes you wonder what a larger, more organized group of attackers could be capable of.

Friday, December 3, 2010

Christmas Scams

Since the Christmas season is coming soon, many people are scrambling to get the best gifts for their friends and family. Many people have turned to online shopping for its convenience, but the online marketplace is also a haven for spammers and scammers who want your information. Although most people have learned to spot fake e-mails and offers, there are still many who should learn how to identify a scam when they see one. In this post, I will explain the most common ways that scammers attempt to obtain personal information, and the ways that shoppers can protect themselves. The bottom line for any online offer: if an offer seems too good to be true, it probably is.

The most common Christmas scams involve some sort of gift certificate, a promise of free merchandise, or a charity website. The links take the user to a fake website that attempts to steal personal information. These are called phishing sites, and many of them are built to look like legitimate businesses or charities. Some sites ask the user to sign up for an account with an email address and password. This is a problem because many people use the same password for different accounts, so the stolen password can then be tried against the victim's real email or banking account. The real danger comes when a user enters credit card information on one of these pages, only to have it stolen by the host of the site.

The easiest way to avoid these scams is to stick to reputable and trusted sites such as eBay or Amazon. Stay away from sites that offer free products or prices that seem too good to be true. Customers should also check that the address in the browser bar is really the store's own domain, and that the address begins with https (the s is for secure) rather than plain http, with the browser's padlock shown. One caveat: https only means the connection is encrypted and the certificate matches the address typed, not that the site is honest. A phishing site can use https too, so the domain name still has to be checked. Another thing to remember while shopping this holiday season is that online orders should never be placed over an unsecured network. Information sent over an open wireless connection can easily be intercepted, so never buy products from a public hotspot or other unprotected connection.

Along with these classic phishing scams, the holidays also provide an opportunity to take advantage of social network users. Users of Facebook and Twitter have been tricked into giving up social security numbers and passwords with promises of well-paying work-at-home jobs and free gift cards. One recent scam takes the user to a Twitter look-alike page and asks them to sign in. Once the attackers have the user's login, they are free to send the same message to the user's followers, spreading the scam further. Attackers are also targeting people through text messages and instant messages, making these scams some of the most common during the holiday season.

Wednesday, November 24, 2010

Spanish Post

Welcome, everyone. For this post, I want to write only in Spanish. I took many years of Spanish when I was in school, and I want to practice it. I have to look up some of the words on the Internet, but I do not use a translator every time. In the coming weeks, I will write more articles in Spanish and describe computer security in Spanish-speaking countries.

Friday, November 19, 2010

SQL Injection

My last post touched on SQL injection, so I think it is a good idea to look at this problem in depth. There are various types of code injection, but SQL injection is the most common, making it the most troublesome. Code injection is a very serious security risk, and often results in personal data being compromised. For companies that store high-risk information such as credit card numbers and social security numbers, SQL injection is a major threat that should be taken very seriously. Before I discuss the methods used to protect against code injection, it will be helpful to describe exactly how these attacks work.

Code injection works by placing programming commands in input fields where they don't belong. These are mainly user name and password fields, along with any other field a user can type into. Although the "name" field is expecting a name, someone can just as easily enter a short piece of SQL and change what the query does completely. I'll give a quick example to show how easily SQL injection can be carried out.

When a website asks a user for a name and password, the values are pasted directly into the text of a SQL statement. This statement asks the database whether the user's inputs match a stored login. If the login is unprotected, the SQL query looks like this:

SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'

If the values for $username and $password are not protected properly, an attacker can easily supply SQL code into one of the input fields and change the function of the query.

Suppose an attacker were to guess "Bob" as a username, and enter this text into the password field:

pass' OR 'x'='x    ("pass" can be any text at all)

Now the SQL query will look like this:

SELECT id
FROM logins
WHERE username = 'Bob'
AND password = 'pass' OR 'x'='x'

The single quotation mark after "pass" closes the string the programmer intended, and everything typed after it is read as part of the SQL statement itself. The query now checks two different things: first, whether a row exists with username 'Bob' and password 'pass', which will almost certainly be false, and second, whether 'x'='x', which is always true. Because AND binds more tightly than OR, the condition is really (username = 'Bob' AND password = 'pass') OR 'x'='x', so the username does not even have to exist: the query returns the id of every row in the logins table, most applications take the first row returned, and the attacker is logged in without knowing any password.

This is a simple example, but with a little knowledge of SQL commands and common database naming conventions, an attacker could easily navigate through a website's database and read confidential data. Even worse, once an attacker can run statements against the database, they could potentially modify or delete all existing data. Many programmers today are aware of these risks and take preventative measures to protect the user's data. The first step is to validate input, so that only the characters a field is supposed to contain are accepted. Since the problem of SQL injection has been known for a while, most programming languages provide a function that escapes user data for use in a query.

In PHP, for example, there is the function mysql_real_escape_string. It takes a string entered by the user and puts a backslash in front of the characters MySQL treats specially, such as the single quote, so that a quote inside the input stays part of the string literal instead of ending it. Escaping helps, but it only protects values that the query puts inside quotes; a number inserted without quotes, or a table or column name built from user input, is still open to injection. The stronger fix is a prepared statement (parameterized query), in which the SQL text and the user's values are sent to the database separately, so the values can never be read as SQL. Despite these well-known solutions, many sites remain unprotected from these attacks. This is a serious and dangerous problem, since it is ultimately the public's information that is at risk.
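The attack described above and the parameterized fix, as an added example that is not part of the original post and is not the post's PHP code: the same logins query is run against a small SQLite database built in memory for the example, first by pasting the input into the SQL text and then as a parameterized statement. It goes one step beyond the text by also showing a username-field payload (' OR 1=1 --) that comments out the password check entirely. The table contents are constructed, and passwords are stored in clear text only to keep the example short; a real application stores a salted hash.

```python
import sqlite3


def make_db():
    """Constructed sample database: the post's `logins` table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO logins (username, password) VALUES ('Bob', 'correct-horse')")
    conn.execute("INSERT INTO logins (username, password) VALUES ('Alice', 'battery-staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by pasting the user's input into the SQL text, as in the post.
    Returns the sorted list of matching ids; an empty list means the login failed."""
    sql = "SELECT id FROM logins WHERE username = '%s' AND password = '%s'" % (username, password)
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """The same query as a parameterized statement: the SQL text is fixed and the
    values travel separately, so a quote in the input is data, never SQL."""
    sql = "SELECT id FROM logins WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    payload = "pass' OR 'x'='x"          # the post's password-field payload
    print("correct password     :", login_vulnerable(db, "Bob", "correct-horse"))
    print("wrong password       :", login_vulnerable(db, "Bob", "guess"))
    print("injected, user Bob   :", login_vulnerable(db, "Bob", payload))
    print("injected, no such user:", login_vulnerable(db, "nobody", payload))
    print("username payload     :", login_vulnerable(db, "' OR 1=1 --", "anything"))
    print("parameterized        :", login_safe(db, "Bob", payload))
```

With the injected password the vulnerable query returns every id in the table whether or not the username exists, which is the operator-precedence point made above; the parameterized version returns nothing for the same input because the whole string, quote included, is compared against the stored password.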

Tuesday, November 16, 2010

Blog Security

For my first post I thought it would be appropriate to discuss the various security flaws that can be found on blogging websites, and what preventative measures need to be taken to protect blogs from malicious attacks. Since the invention of blogging, users have become victims of several different types of cyber attacks. Most of the issues come from HTML injection (also known as cross-site scripting) or SQL injection, which inserts new, and destructive, code into the blog's pages. Visitors to the blog are then redirected to the attacker's site, which often hosts malware, spyware, or phishing pages.

Blogger.com, the site that I am currently using, is no stranger to these attacks. In 2008, an article on CNET described Blogspot.com (the domain on which Blogger blogs are hosted) as the number 1 host of malware.

One reason that Blogger.com saw so many of these cases is its high number of users. Because Blogger is free for anyone to use and can be set up in a matter of minutes, it has become a clear target for attackers. Google, which owns Blogger, has taken many steps since 2008 to protect against these known attacks. (That is the only reason I am posting my blog here.) Although Google has helped protect against these injection attacks, there are still other preventative measures that must be taken to protect your blog.

Now that most of the popular blogging websites have found ways to block SQL injection, attackers have turned to posting malicious links in the blog's comment section. These sites are working on comment spam filters; however, it is ultimately up to the blog owner to ensure no malicious links are posted. Although this can be harder to do for large blogs, the easiest way to protect against these posts is to monitor your blog comments regularly and delete any suspicious links. If you need to be certain, you might even consider disabling links in your comment section.
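As an added example, not part of the original post or of Blogger's own comment filtering, here is how the two measures just described can be applied to a comment before it is published: one function pulls every link target out of a comment, both <a href> targets and bare URLs pasted as text, and flags any that is not an http(s) link to a host the owner has allowed; the other renders the comment as plain escaped text so nothing in it is clickable or executable at all. The allowed-host list (example.com) and the sample comments are assumptions constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: hosts the blog owner is willing to let comments link to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Bare URLs pasted as plain text rather than wrapped in an <a> tag.
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects the href target of every <a> tag and the comment's visible text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())

    def handle_data(self, data):
        self.text.append(data)


def extract_links(comment_html):
    """Every link target in a comment: anchor hrefs first, then bare URLs, no duplicates."""
    collector = _LinkCollector()
    collector.feed(comment_html)
    collector.close()
    links = []
    for url in collector.hrefs + BARE_URL_RE.findall(comment_html):
        if url not in links:
            links.append(url)
    return links


def suspicious_links(comment_html, allowed_hosts=ALLOWED_HOSTS):
    """Links that are not http(s) links to an allowed host.  A javascript: or data:
    URL has no host and is flagged as well, which catches HTML injection hidden in
    a comment link, not just spam pointing at another site."""
    bad = []
    for url in extract_links(comment_html):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() not in ("http", "https") or host not in allowed_hosts:
            bad.append(url)
    return bad


def disable_links(comment_html):
    """Render the comment as plain, escaped text: every tag is dropped, so the
    visible words survive but nothing is clickable or executable."""
    collector = _LinkCollector()
    collector.feed(comment_html)
    collector.close()
    return escape("".join(collector.text))


if __name__ == "__main__":
    # Constructed sample comment, not a real one.
    sample = 'Great post! Get <a href="http://evil.test/gift-card">free gift cards</a> here.'
    print("flagged:", suspicious_links(sample))
    print("as text:", disable_links(sample))
```

A real HTML parser is used rather than a regular expression over the markup because attribute quoting, entity encoding and tag case are exactly where a regex-based filter gets bypassed; the allowlist approach is deliberately strict, since a comment that needs to link somewhere unexpected can be approved by hand.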

Along with these preventative measures, it is also a good idea to back up all of your blog's content as often as possible. Even if your site is not the victim of a malicious attack, it is still possible to lose all of your information. This is not only a huge annoyance, but also extremely damaging to anyone using a blog for business purposes. Most blog sites offer a way to save your content, and I recommend taking full advantage of it.

For Blogger.com, the steps are as follows:

1. Log in to Draft.Blogger.Com
2. Click on Settings
3. Click on Export Blog
4. Click Download Blog

Monday, November 15, 2010

Intro

Hello to everyone that has found this blog. My name is Brian Long and I am a recent graduate from St. Edwards University in Austin, TX. I graduated with a computer science degree and was able to learn a variety of skills in the technology field. The reason I decided to start this blog is to educate others on the importance of security in both business and personal settings. I also hope to discover the newest, cutting-edge technologies in the security field and share them here. In the following posts I will explain what the current security methods are, and what types of improvements are expected to be seen in the near future.