May 15, 2012
Parasitic Drag: The Hidden Cost of Bots

Incapsula (full disclosure: Incapsula is a subsidiary of Imperva) today released a great bit of research. They asked: "What is the overhead of all the automated bot traffic?" Today, most people think that bad bots only cost you something when a breach occurs. That is not true when up to 80% of your total web traffic comes from machines. The automated traffic has a drag-like effect, much like the one seen in aerodynamics. They write:

Most of this traffic is automated and is entirely unrelated to the website’s real human traffic. Basically, each website spun up by a hosting provider will suffer a set level of Bot traffic regardless of how many real visitors it attracts. We like to compare this to an analogous phenomenon in aerodynamics known as parasitic drag, which occurs when moving a solid object through a gaseous medium – a common example is an airplane wing’s drag during flight.

What is the impact of parasitic drag?

Bots seriously degrade the user experience and performance of your website. Would-be customers abandon shopping carts or flee to a competitor when your website doesn’t perform.

Incapsula also provides recommendations that any website operator should review carefully.

May 14, 2012
Hackers Hacking Hacker Money

Or is law enforcement behind it? We can’t say who compromised the Bitcoin site, but it has been compromised. It looks like the database was stolen:

Reminder again: Please do not reuse your Bitcoinica passwords as the database server was compromised.

For reference, here’s the leaked memo from the FBI expressing concern over the Bitcoin site.

Ironically, this news comes as hacktivists lament tougher times:

  • First, there’s this interview from Canada where fugitive hacker Christopher Doyon, a.k.a. Commander X, states, “I think it’s a stalemate at the moment.” Though he does go on to predict that Anonymous will be “the most powerful organization on Earth.”
  • Second, Barrett Brown states, “Anonymous is, for now ... in a crippled state.”

May 11, 2012
Lessons from Today's Amnesty Hack

Amnesty International UK's website was hacked, courtesy of a backdoor dropped on visitors' systems. It was most likely the work of a foreign government; many speculate that it's the Chinese. Websense's blog gives a good technical overview of the attack. But what does it mean for security teams?

In some cases, hackers don’t want to steal the data from the website but rather want to infect the users who are visiting it. This can lead to more access to business-critical data, which, for example, is often stored as files on a file server. In the Amnesty case, the real prize isn't Amnesty's data per se, but the corporate and individual data and files of those who visit the site.

May 10, 2012
The Malware Hotel

IC3's warning about malware in hotels is interesting because it fails to identify clearly who the aggressor is. The key passage is this:

The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection.  

What does this mean? This warning is targeted at academics and government officials traveling abroad because state-sponsored actors use the malware installed via these networks to steal intellectual property and/or government secrets. The main concerns? China and Russia.

What can travelers do?  There are two options:

  • Use a temporary computer. Some companies now have policies under which employees who travel abroad carry a disposable laptop, so that none of the IP or secrets on their regular machines can be stolen.
  • Go off the grid. Tough to stomach for some, but not so tough when compared to the loss of data or intellectual property.

The warning singles out laptops. But let's not forget how India's government forced RIM to provide access to BlackBerry messages, so phones are exposed as well.

Finally, let's hope your frequent flyer miles aren't stolen while you get infected with malware overseas.

WAF Wars

Two articles are out today on WAFs: one from Imperva's Noa Bar Yosef and the other a blog post from our partner Acunetix.

Let's start with the Acunetix blog. The basic argument is this: WAFs are being used as a band-aid that substitutes for a more comprehensive approach, one that primarily consists of vulnerability scanning (note that Acunetix sells a vulnerability scanner). Two points:

  • A truly comprehensive appsec program, though necessary, is neither easy nor always an option. We profiled an attack against a temporary website, for example, whose owners had little time to develop a secure site. And the WAF proved to be a very effective defense. Just because someone uses a WAF doesn't mean they're being lazy; there are very tangible, pragmatic factors driving the decision. For this reason, one CISO echoed what I've heard in many places: "A WAF should be the first and last line of defense."
  • Not all WAFs are created equal, and we detailed why here. The market for WAFs is very broad and large, so making generalizations about WAFs is tricky.

Noa’s column makes a comprehensive case for how WAFs can be integrated into SDLCs effectively.

May 09, 2012
[Webinar] The Insider's Guide to Insider Threats

Did you know 70% of employees plan to take sensitive business data with them when they leave their job? Further, did you know over 50% feel they have rights to this data? If you think your organization has avoided the insider threat, you may need to look deeper.

Pinpointing the source and scope of data theft is often hard, especially since your largest internal threat may actually be one of your most loyal employees. This webinar presents findings from the first-ever global insider threat study, which catalogs common practices used by leading organizations across numerous verticals.

Speaker: Rob Rachwald, Director of Security Strategy, Imperva
Date and Time: May 23rd 11AM (PDT)/2PM (EDT)

This presentation will:

  • Define the insider threat
  • Quantify the prevalence of the problem
  • Uncover controls that have proven most effective at minimizing the risk of insider threats


CVE List Surpasses 50,000 CVE Identifiers

And no one should be surprised. With all the automated vulnerability scanning tools, finding vulnerable web apps is easy and profitable. Specifically:

  1. Google: We've written extensively about Google Dorks. Here's an example of what hackers can find.
  2. Automation: We wrote a report on it last month. Not only are the tools automated, they're getting better.

May 07, 2012
Hacktivism 101

Great interview with Imperva's Tal Be'ery on the motivators, processes and technologies behind hacktivism.

The podcast is here.

May 04, 2012
Application DDoS 102

Late last year, we described how DDoS attacks were moving up the stack to target the applications themselves. How does this work in reality?

In our February report on hacktivism, we mentioned that DDoS is the last resort after data theft. Traditionally, DDoS has focused on the network layer. Note that LOIC has an HTTP capability as well:

[Image: HTTP1]

How does this work in reality? In our profile of a hacktivist attack, we noticed that the hackers conducted reconnaissance focused on the site's search engine. Why the search engine? Simple: to maximize the computational load on the back end. How does this work? Let’s say, theoretically, we’d like to perform an app DDoS against a website with recipes. The search term “chicken” returns nearly 9,000 results:

[Image: HTTP2]

By contrast, searching for “brussel sprouts” returns far fewer.

[Image: HTTP3]

By crafting an attack URL that includes a computationally heavy search term and requesting it repeatedly, you’ve just constructed a simple application DDoS:

[Image: HTTP4]
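On the defender's side, the tell for this kind of attack is not request volume alone but how much back-end time a single client burns on the search endpoint. The following detector is an added example, not code from the original post: it reads constructed log lines in Apache combined format extended with a trailing request-time-in-seconds field (as nginx's $request_time would provide; the field and all IPs, paths and timings are assumptions) and flags any client whose /search requests exceed a budget of back-end seconds within a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample log: combined format plus a trailing request time in seconds.
# The client 10.0.0.5 hammers the expensive "chicken" query; 10.0.0.9 browses normally.
LOG = """\
10.0.0.5 - - [04/May/2012:10:00:01 +0000] "GET /search?q=chicken HTTP/1.1" 200 91234 2.8
10.0.0.5 - - [04/May/2012:10:00:02 +0000] "GET /search?q=chicken HTTP/1.1" 200 91234 2.9
10.0.0.5 - - [04/May/2012:10:00:02 +0000] "GET /search?q=chicken HTTP/1.1" 200 91234 3.1
10.0.0.5 - - [04/May/2012:10:00:03 +0000] "GET /search?q=chicken HTTP/1.1" 200 91234 2.7
10.0.0.9 - - [04/May/2012:10:00:03 +0000] "GET /search?q=brussel+sprouts HTTP/1.1" 200 4120 0.1
10.0.0.9 - - [04/May/2012:10:00:40 +0000] "GET /recipes/42 HTTP/1.1" 200 8801 0.05
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+) ([\d.]+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size, secs = m.groups()
    url = urlparse(target)
    query = parse_qs(url.query).get("q", [""])[0]
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT), "path": url.path,
            "q": query, "secs": float(secs)}

def find_search_floods(log_text, window_secs=10, max_cost=5.0):
    """Return {ip: worst back-end seconds spent on /search inside any window_secs window}
    for clients whose search load in some window exceeds max_cost seconds."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == "/search":
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over this client's search requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_secs:
                start += 1
            cost = sum(r["secs"] for r in recs[start:end + 1])
            if cost > max_cost:
                flagged[ip] = round(max(flagged.get(ip, 0.0), cost), 3)
    return flagged
```

Budgeting by back-end time rather than request count is what separates a handful of "chicken" searches from the same number of "brussel sprouts" searches, which a plain rate limit would treat identically.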

May 03, 2012
LOICversary

The DDoS tool Low Orbit Ion Cannon (LOIC) hit a milestone this week: cumulative downloads for 2012 have surpassed cumulative downloads for 2011. In 2011, there were 381,976 total downloads. This week, total LOIC downloads exceeded the total downloads from last year. It only took four months or, more precisely, 112 days.

The actual break-even date was 22 April (Vladimir Lenin’s birthday, incidentally). What does this mean?

  • There were about 3,432 downloads per day.
  • 142 downloads per hour.
  • 2.3 downloads per minute.

There was a large burst of downloads early in the year, driven by attacks on the FBI and other government agencies:

[Image: Loic1]

Downloads have dropped off significantly since then, likely due to the conversion of LOIC into a JavaScript version that requires no download (and was used to great effect in Anonymous Brazil's attacks on banks).

Another interesting trend? The year-over-year change in downloads by country. The US, France and Brazil were the respective gold, silver and bronze medalists. However, France has caught up significantly. Germany saw the biggest drop, moving from 3rd place to 6th. France was up more than 35%, and Brazil saw the biggest jump with a 60% increase in downloads.

[Image: Loic2]