Posted by InfoSec News on Apr 22


By Aliya Sternstein
April 19, 2013

The Pentagon has for the first time detailed $30 million in spending on Air
Force cyberattack operations and significant new Army funding and staff needs
for exploiting opponent computers.

Since 2011, top military brass have acknowledged the United States has the
capability to hack back if...

Posted by InfoSec News on Apr 22


21 April 2013

The information spread at the websites about alleged stealing of the
Azerbaijani Communications and IT Ministry's confidential information is wrong.

The primary data investigation of the incident revealed that the letters and
documents made public are fakes and are biased.

Earlier, representatives of Anonymous hacker group spread the information in...

Posted by InfoSec News on Apr 22


By Edward Moyer
Security & Privacy
April 20, 2013

The Twitter accounts for CBS News programs "60 Minutes" and "48 Hours" were
used by hackers earlier today to send out messages accusing the U.S. of aiding
terrorists, the network confirmed.

"We have experienced problems on Twitter accounts of #60Minutes &...

Posted by InfoSec News on Apr 22


By Ms. Smith

Did you hear about the big game last week? Perhaps not, since as "this annual
battle might not yet have achieved the same mythic status as, say, the
Army-Navy football game," but there was a simulated cyberwar being waged from
April 16 - 18. During the NSA's 13th annual Cyber Defense Exercise (CDX),
sponsored by the NSA's Information...

Posted by InfoSec News on Apr 22


By Phil Muncaster
The Register
22nd April 2013

Japan’s technology-illiterate police have put themselves in the firing line
once again after recommending what amounts to a blanket ban on the use of the
Tor anonymiser network in the country.

The FBI-like National Police Agency is set to request ISPs to voluntarily block
communications if the customer is found to have “abused”...
The largest bitcoin exchange, Mt. Gox, is in a continuing battle with miscreants trying to manipulate the price of the virtual currency.


John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In the past few days there was another denial of service attack launched at financial organizations. (Yeah, I know, a DDoS on a bank, that *totally* never happens.) What is newsworthy isn't that it happened but the means used to execute the attack. Specifically, the organizations were flooded with UDP port 19 traffic, which is the chargen protocol. I am not sure I've ever seen a legitimate use of this protocol or encountered a machine that had it enabled intentionally before.

For review, chargen is a character generation protocol that listens on port 19 over TCP or UDP. If you connect over TCP, it streams random characters until you close the connection. Over UDP, it answers each datagram with a response of up to 512 bytes, depending on the request. In this particular case, it was another amplification attack using UDP. What makes chargen over UDP so attractive for this is that the source address can be spoofed without having to establish a connection, and that the service responds with packets much larger than the request. In short, if your networks expose a service that answers UDP requests with much larger replies (DNS in particular is popular these days), take due care that you are rate-limiting those protocols if they are Internet-accessible.
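The reflection pattern described above is easy to pick out in flow data: a victim receives UDP traffic from port 19 (or another amplifier port), the average packet is large, and many distinct reflectors are sending at once. The following is an added example, not code from the diary or from SANS ISC; the NetFlow-like text layout, the field names and the sample flows are all constructed here, and the 29-byte minimal request size used for the amplification estimate is an assumption.

```python
"""Spot UDP reflection/amplification traffic in flow records.

Added example, not code from the ISC diary. The flow lines below are
constructed, in an assumed NetFlow-like text layout:
    src sport dst dport proto packets bytes
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services that answer with far more bytes than they receive. Port 19
# (chargen) is the one in the diary; DNS, NTP and SNMP are assumed additions
# because the same reflection pattern applies to them.
AMPLIFIER_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp"}

# Assumed size of a minimal chargen trigger datagram: 20-byte IPv4 header,
# 8-byte UDP header, 1 byte of payload.
MIN_REQUEST_BYTES = 29


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def parse_flows(text):
    """Parse constructed flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 7:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]), f[4].lower(),
                          int(f[5]), int(f[6])))
    return flows


def find_reflection(flows, min_avg_bytes=200, min_reflectors=3):
    """Group inbound UDP flows from amplifier ports by (victim, port).

    A target is reported when the average packet is large (replies, not
    requests) and several distinct reflectors are hitting it at once.
    """
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "octets": 0})
    for fl in flows:
        if fl.proto != "udp" or fl.sport not in AMPLIFIER_PORTS:
            continue
        g = groups[(fl.dst, fl.sport)]
        g["reflectors"].add(fl.src)
        g["packets"] += fl.packets
        g["octets"] += fl.octets

    alerts = {}
    for (dst, port), g in groups.items():
        if g["packets"] == 0:
            continue
        avg = g["octets"] / g["packets"]
        if avg >= min_avg_bytes and len(g["reflectors"]) >= min_reflectors:
            alerts[(dst, port)] = {
                "service": AMPLIFIER_PORTS[port],
                "reflectors": len(g["reflectors"]),
                "avg_reply_bytes": avg,
                # how much bigger each reply is than the assumed trigger datagram
                "amplification": round(avg / MIN_REQUEST_BYTES, 1),
            }
    return alerts


# Constructed sample: four copiers (203.0.113.x) answering on UDP/19 toward
# one victim, one ordinary TCP flow, and one small chargen reply that is
# too tiny and too isolated to matter.
SAMPLE_FLOWS = """
# src           sport dst           dport proto packets bytes
203.0.113.10    19    198.51.100.5  40211 udp   1200    612000
203.0.113.11    19    198.51.100.5  40211 udp   1150    586500
203.0.113.12    19    198.51.100.5  40211 udp   900     459000
203.0.113.13    19    198.51.100.5  40211 udp   1000    510000
203.0.113.40    443   198.51.100.5  51000 tcp   40      30000
203.0.113.50    19    198.51.100.9  2048  udp   3       90
"""

if __name__ == "__main__":
    for (dst, port), info in find_reflection(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{dst} hit via {info['service']}/{port}: {info['reflectors']} "
              f"reflectors, avg reply {info['avg_reply_bytes']:.0f} B, "
              f"~{info['amplification']}x amplification")
```

The thresholds are deliberately conservative: a single large chargen reply is not interesting, but hundreds of 500-byte datagrams from several unrelated hosts that all happen to have source port 19 are. On the reflector side, the same grouping run on outbound flows (source port 19 from your own address space) tells you which of your devices are being used.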

Attacks using chargen are not common, and there is some evidence that in a few cases over the past few years the attack was used as a smoke screen to hide other attack traffic.

In this case, many of the devices used were commodity multifunction copiers and the like, which leads to two questions:

1) Why are these Internet accessible?
2) Why did the vendor enable this protocol by default? (Or possibly some malicious individual enabled it.)

So your takeaways are two-fold:

- Check to make sure you don't have Internet-accessible devices that don't need to be (and, if they need to be, that you are rate-limiting UDP requests to them).
- Make sure you are doing some form of BCP 38, where you filter outbound traffic to ensure that no packets leave your network unless they carry one of your internal source addresses. Amplification attacks rely on spoofed packets, and if every provider implemented this filtering we would see these attacks greatly diminish overnight.
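The BCP 38 takeaway reduces to one rule at the edge: a packet leaving your network must carry one of your own source addresses, and a packet arriving from the Internet must not. The example below is added here and is not code from the diary or from SANS ISC; the internal prefixes and the sample packets are constructed, and the `filter_packet`/`apply_policy` names are this example's own.

```python
"""BCP 38 style source-address filtering at a network edge.

Added example, not from the ISC diary. The prefixes and packets below are
constructed; the edge is assumed to know which prefixes it legitimately
originates.
"""
import ipaddress

# Assumed: the prefixes this site is allowed to source traffic from.
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "2001:db8:1::/48")]


def _is_internal(addr):
    return any(addr in net for net in INTERNAL_PREFIXES)


def filter_packet(direction, src):
    """Return 'pass' or 'drop' for a packet crossing the edge.

    direction: 'egress' (leaving toward the Internet) or 'ingress' (arriving
    from it). Egress packets must carry one of our own source addresses;
    ingress packets must not, since nobody outside should claim to be us.
    Unparseable addresses are dropped rather than let through.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"
    internal = _is_internal(addr)
    if direction == "egress":
        return "pass" if internal else "drop"
    if direction == "ingress":
        return "drop" if internal else "pass"
    raise ValueError(f"unknown direction {direction!r}")


def apply_policy(packets):
    """Run a batch of (direction, src, dst) tuples through the filter and
    return the verdicts in order."""
    return [filter_packet(direction, src) for direction, src, _dst in packets]


# Constructed sample traffic. The second packet is exactly what a reflection
# attack depends on: an outbound trigger stamped with the victim's address.
SAMPLE_PACKETS = [
    ("egress",  "192.0.2.77",    "203.0.113.10"),   # legitimate outbound
    ("egress",  "198.51.100.5",  "203.0.113.10"),   # spoofed source, not ours
    ("egress",  "2001:db8:1::5", "2001:db8:2::1"),  # legitimate IPv6 outbound
    ("ingress", "192.0.2.99",    "192.0.2.1"),      # outside host claiming to be us
    ("ingress", "203.0.113.10",  "192.0.2.77"),     # ordinary inbound reply
    ("egress",  "not-an-ip",     "203.0.113.10"),   # garbage, fail closed
]

if __name__ == "__main__":
    for (direction, src, dst), verdict in zip(SAMPLE_PACKETS,
                                              apply_policy(SAMPLE_PACKETS)):
        print(f"{direction:7} {src:>15} -> {dst:15} {verdict}")
```

The ingress half is the mirror image that BCP 38 implies for an edge router: if a datagram arrives from the upstream link with a source inside your own prefixes, it was spoofed somewhere and can be dropped before it reaches a device such as the copiers in the diary.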

And don't forget old and dead protocols, sometimes they're still around. :)

John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A malfunctioning log-in system affected millions of people's ability to access a variety of Google applications on Wednesday, including Gmail and Drive.
Mobile users in North America are hanging up and using email, text or social networking at a rapid pace, according to a survey by PriceWaterhouseCoopers.