Archive

March 2019

Browsing

Remember how gravitational force pulls down everything that goes up? These laws do not exclude websites either. It is estimated that websites are 0.5% more likely to have a 2 seconds downtime for every ten additional active users. It is essential to understand that these websites are made up of multiple web pages/resources, which are available on a remote computer (hardware) and powered by an operating system among other software, all of which is prone to many forms of error, making efficiency and availability of data less than 100%.

Website downtime
Facebook and Instagram appear to be partially down for many users around the world today, 03/13/2019, as of 7:00 PM EST, making #Facebookdown trend massively on Twitter and making this outage the longest Facebook has ever experienced. It is unclear how much longer this downtime will last; service had not yet been restored as of this writing.

Netscout engineer Roland Dobbins, a renowned network performance engineer, said that the outage was due to an accidental network traffic jam originating with a European internet company that collided with Facebook’s servers, mainly impacting Facebook as well as other resources hosted on those servers.

Some users of WhatsApp, a Facebook-owned cross-platform messaging application, also reported delays and failures in sending texts and photos on the popular platform. Downdetector.com, a website status monitoring platform, showed Facebook and Instagram blackouts in large portions of the world.

Is your website currently down too? Here are a few reasons why your website might be acting up, as well as preventive measures to avert these technical problems.

Hacks and Data Breach
Depending on the worth of the data on the website, this is always the main reason attackers might be interested in taking down a targeted website. In less organized attacks, key user login accounts may be compromised with the intent of defacing, redirecting or deleting website pages. In more sophisticated attacks, threat actors are geared toward monetary gain and make use of advanced methods including malware and rootkits, ransomware or botnets to initiate a DDoS attack.

Server Maintenance
Website hosting service providers often have scheduled server maintenance, which is usually planned to start and end within off-peak periods; these periods vary by website type. In most cases, hosting providers reserve the right to communicate this procedure to users. Sadly, this might impact customer productivity and result in loss of income in the case of unresolved outages.

Human and Machine Errors
Websites routinely hire software developers to write code and consistently improve the UI/UX. Discrepancies in human-machine interaction resulting from coding mistakes, bugs, and non-specific error handling and validation methodologies can result in a whole umbrella of errors.

Hardware Malfunction
Since most servers housing these websites still utilize traditional CPU circuits with continually moving parts, hardware failure is unavoidable. Creating a redundant environment with automated backup/fail-over fosters continuity and ensures service remains uninterrupted.

DNS Changes or Expirations
DNS (Domain Name System) updates typically result in a temporary delay. If a website changes its hosting service, the IP address, physical hosting servers, network traffic hops, name servers, and other identifiers change as well. A proactive measure on this point is budgeting for a longer domain lifespan and staying up to date with provider updates, suspension, and expiry notifications.

Server Overload
Server overloads occur when enormous traffic accesses a website at a given time. Throttling during such a sudden spike is usually intended to ensure safety on both ends, the hosting provider’s and the customer’s. Hosts allocate bandwidth based on a customer’s subscription plan, and that traffic consumes back-end resources. Customers want to uphold the availability of crucial data so that users revisit their website.

Websites like Pingdom.com, Isitdownrightnow.com and downdetector.com are handy tools to check website uptime and downtime history. Bearing in mind that most A-list websites will require more scheduled maintenance than websites with fewer active users, it is important to recall that web building platforms usually have vulnerabilities which might be susceptible to exploitation or remain in their “zero-day” state for a period of time.

Facebook and Instagram appear to be partially down for some users around the world today. While you can open both platforms, it looks like you can’t send or receive messages on either platform, and you can’t post new content either.

WhatsApp appeared to be fine for many people, but users in Paraguay, India, Bangladesh, Argentina, and more note that they are experiencing issues with sending messages. DownDetector indicates that those in Brazil were experiencing the most severe outages.

We tested multiple accounts at The Verge, and found that Messenger couldn’t load at all on desktop, although the mobile app was working. Instagram was worse: posts weren’t loading, Instagram Stories were down, and direct messages and the button to post new content were also not working. Facebook’s ad section was not functioning either, and it led to an internal error when you tried to buy an ad.

About an hour after users noted the outage, Facebook responded on Twitter. It also noted that “the issue is not related to a DDoS attack.”

Facebook on desktop as of 4PM ET.

Facebook (@facebook): “We’re aware that some people are currently having trouble accessing the Facebook family of apps. We’re working to resolve the issue as soon as possible.”

Instagram on desktop as of 1PM ET.

According to DownDetector, it looks like the outages are mainly in New England; Texas; Seattle, Washington; parts of Latin America, including Peru; the UK; India; and the Philippines. Users have written in from Canada, Las Vegas, and Turkey to note outages there as well. We’ve reached out to Facebook and Instagram to learn more.

It now looks like Oculus is also down. One user in California wrote in to The Verge, “Nobody can log in to any multiplayer games purchased through the Oculus store. They also can’t access their Oculus Home environments.” Users also reported being unable to buy games from the Oculus store.

Victor E Garcia (@otiteb): “@oculus, I am having problems managing apps on the dashboard: users in release channel that were already in are not appearing now. Are your systems having some sort of issues today?”

Oculus Support (@OculusSupport): “Hey there, we’re currently looking into an issue on our end, and hope to have it resolved soon. We really appreciate your patience. Thank you!”

Other users noted that attempting to use Facebook to sign into apps like Tinder or Spotify wasn’t working either. Attempting to do so would bring up an error saying this feature isn’t available right now. If you were already signed into Spotify, it appears that your login is still valid, but once you sign out, you’ll be unable to get back in.

Makena Kelly and Esther Cohen contributed to this report.

Update March 13th, 2:08PM ET: This article has been updated with further details and comment from Facebook. It now appears that WhatsApp is also down for some users.

Update March 13th, 4:05PM ET: Some users have reported Oculus is also down and that the feature for authenticating logins through Facebook is down.

Source: The Verge

The National Security Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn’t leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a “contribution to the nation’s cybersecurity community” in announcing it at RSA, it will no doubt be used far beyond the United States.

You can’t use Ghidra to hack devices; it’s instead a reverse-engineering platform used to take “compiled,” deployed software and “decompile” it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does. Reverse engineering is a crucial process for malware analysts and threat intelligence researchers, because it allows them to work backward from software they discover in the wild—like malware being used to carry out attacks—to understand how it works, what its capabilities are, and who wrote it or where it came from. Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.

“If you’ve done software reverse engineering, what you’ve found out is it’s both art and science; there’s not a hard path from the beginning to the end,” Joyce said. “Ghidra is a software reverse-engineering tool built for our internal use at NSA. We’re not claiming that this is the one that’s going to be replacing everything out there—it’s not. But it helped us address some things in our workflow.”


Similar reverse-engineering products exist on the market, including a popular disassembler and debugger called IDA. But Joyce emphasized that the NSA has been developing Ghidra for years, with its own real-world priorities and needs in mind, which makes it a powerful and particularly usable tool. Products like IDA also cost money, whereas making Ghidra open source marks the first time that a tool of its caliber will be available for free—a major contribution in training the next generation of cybersecurity defenders. (Like other open source code, though, expect it to have some bugs.) Joyce also noted that the NSA views the release of Ghidra as a sort of recruiting strategy, making it easier for new hires to enter the NSA at a higher level or for cleared contractors to lend their expertise without needing to first come up to speed on the tool.

The NSA announced Joyce’s RSA talk, and Ghidra’s imminent release, in early January. But knowledge of the tool was already public thanks to WikiLeaks’ March 2017 “Vault 7” disclosure, which discussed a number of hacking tools used by the CIA and repeatedly referenced Ghidra as a reverse-engineering tool created by the NSA. The actual code hadn’t seen the light of day, though, until Tuesday—all 1.2 million lines of it. Ghidra runs on Windows, MacOS, and Linux and has all the components security researchers would expect. But Joyce emphasized the tool’s customizability. It is also designed to facilitate collaborative work among multiple people on the same reversing project—a concept that isn’t as much of a priority in other platforms.

Ghidra also has user-interface touches and features meant to make reversing as easy as possible, given how tedious and generally challenging it can be. Joyce’s personal favorite? An undo/redo mechanism that allows users to try out theories about how the code they are analyzing may work, with an easy way to go back a few steps if the idea doesn’t pan out.

The NSA has made other code open source over the years, like its Security-Enhanced Linux and Security-Enhanced Android initiatives. But Ghidra seems to speak more directly to the discourse and tension at the heart of cybersecurity right now. By being free and readily available, it will likely proliferate and could inform both defense and offense in unforeseen ways. It might seem that releasing the tool could give malicious hackers an advantage in figuring out how to evade the NSA, but Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera, said that isn’t a concern.

“Malware authors already know how to make it annoying to reverse their code,” Aitel said. “There’s really no downside” to releasing Ghidra.

No matter what comes next for the NSA’s powerful reversing tool, Joyce emphasized on Tuesday that it is an earnest contribution to the community of cybersecurity defenders—and that conspiracy theorists can rest easy. “There’s no backdoor in Ghidra,” he said. “Come on, no backdoor. On the record. Scout’s honor.”

Google spinoff Alphabet rolls out a new cloud-based security data platform that ultimately could displace some security tools in organizations.

RSA CONFERENCE 2019 – San Francisco – Chronicle, the division that spun out of Alphabet’s X, rocked the cybersecurity industry today with a new security data platform that ultimately could whittle down the number of security tools organizations run today to monitor and manage incidents.

The new Backstory cloud-based service works with Chronicle’s VirusTotal malware intelligence platform, and lets organizations view past security data over time and more quickly spot and pinpoint details of malicious activity. “It gives security teams insight into what’s happening in the enterprise right now, with the same level of visibility into what happened yesterday, a month ago, even a year ago,” Stephen Gillett, Chronicle CEO and co-founder, said today at a media event for the rollout.

What makes Backstory unique from other security offerings, not surprisingly, is its Google-esque approach to drilling down into activity on the network and devices and its ability to store, index, and search mass amounts of data. Most enterprises are constrained by the amount of data they can store and manage over a long period of time.

Backstory, however, could prompt some housecleaning for security teams and security operations centers that for years have been amassing multiple, and sometimes redundant security tools and threat intelligence feeds. The platform is Chronicle’s first commercially developed product.

Rick Caccia, chief marketing officer at Chronicle, told Dark Reading that among the tools that Backstory ultimately could replace or streamline are network monitoring, network traffic analysis, log monitoring, security information event management (SIEM) tools, and even threat intelligence feeds. Tool overload has become a chronic problem for organizations: the average company runs dozens of security tools and often doesn’t have the people power to properly employ or even stay on top of the tools and the data they generate.

Several companies already are using Backstory, including manufacturing firm Paccar, Quanta Services, and Oscar Health, and several security vendors today announced partnerships to integrate with Backstory, among them Carbon Black, Avast, and CriticalSTART.

Chuck Markarian, CISO at Paccar, which builds trucks, said his company expects Backstory to replace anywhere from three to six of its existing security tools in the next year.

“In general, managing our costs is huge, [and] managing our spend in security, and figuring out how we can use less feeds,” he said during a customer panel during the media event. Managing multiple security tools is challenging, he said, so whittling down the number of tools is key.

“I can’t find the people to manage it and I keep going back to our board and saying ‘I need another tool, I need another tool,'” Markarian said. “I want to get that number [of tools] dramatically down.”

Backstory initially provides a tool for threat hunting and security investigations, said Jon Oltsik, senior principal analyst at Enterprise Security Group. “In its current iteration, I think Chronicle [Backstory] assumes a role for threat hunting and security investigations. Its pricing, data capacity, and query speed are built for this,” he said.

Oltsik also predicts Backstory will streamline, and in some cases eliminate the need for, some point security tools.

“In the future, I could see Chronicle becoming an aggregation hub for other security analytics tools [such as endpoint detection & response, network traffic analysis, and threat intelligence, for example] and then subsuming some of these standalone technologies over time,” depending on Chronicle’s roadmap for the platform, he told Dark Reading.

Many large companies already have multiple security products for the same function, Chronicle’s Caccia said. “They have three network monitoring tools and multiple SIEMs,” for example, he said. Chronicle is pricing Backstory per customer, he said, aiming to price it below its potential competitors. Some companies already spend half a million dollars per year on tools, including subscriptions to cloud-based storage and computing capacity from providers like Amazon, he said.

‘Operation Aurora’ Roots

Backstory grew out of Google’s firsthand experience in 2009, when the company was hacked by Chinese nation-state actors in the so-called Operation Aurora. In the wake of those attacks, Google security engineers used big data analytics to build internal security tools for the search engine giant. That work influenced Chronicle’s development of Backstory, led by former Google engineers and Chronicle co-founders Gillett and Mike Wiacek, CSO at Chronicle.

During a demonstration of Backstory at the media event today, Wiacek said the more data you add to Backstory, the more detailed a picture and story it provides of a threat or attack. “Attackers can’t hide” in Backstory, he said.

Meanwhile, ICS/SCADA vendor Siemens plans to offer Backstory as part of its managed security service for ICS customers, according to Leo Simonovich, global head of industrial cyber and digital security at Siemens, which partnered with Chronicle on Backstory.

“For us, it’s providing our customers the understanding of what’s happening in their environment,” Simonovich said in an interview. “We’re hoping one day it [Backstory] will become the backbone of [our] managed security service.”

Source: Dark Reading

At 19, Santiago Lopez is already counting earnings totaling over USD 1 million from reporting security vulnerabilities through the vulnerability coordination and bug bounty platform HackerOne. He’s the first to make this kind of money on the platform.

In 2015, when he was 16 years old, Lopez started to learn about hacking. He is self-taught, his hacker school being the internet, where he watched and read tutorials on how to bypass or defeat security protections.

Two years to get to $1M in bounties

The rewards came a year later when he got a $50 payout for a cross-site request forgery (CSRF) vulnerability. His largest bounty was $9,000, for a server-side request forgery (SSRF).

He spent his first bug bounty money on a new computer, and as he accumulated more in rewards, he moved to cars.

At the moment, he has a record of 1676 distinct vulnerabilities submitted for online assets belonging to big-name companies like Verizon, Automattic, Twitter and HackerOne, to private companies, and even to the US government. Lopez ranks second on HackerOne.

A hacker’s work week, tools and experience

In 2018, the researchers on HackerOne earned over $19 million in bounties; the amount is a big jump from the more than $24 million paid in the previous five years. However, the goal of the program is to reach $100 million by the end of 2020.

The recent report from the platform shows that there are over 300,000 registered hackers that submitted more than 100,000 valid vulnerabilities.

Most of the hackers (35.7%) spend up to 10 hours per week on average looking for bugs. A quarter of them work between 10 and 20 hours every week.

According to the survey, the researchers with the most experience in cybersecurity, over 21 years, represent the smallest percentage. The majority of the hackers, 72.3%, have between one and five years of experience.

Over 72% of the hackers surveyed by HackerOne for the report look into website security, and 6.8% research APIs and technology that holds its own data. The favorite tool of the trade is Burp Suite, for testing web apps.

Making money, learning the ropes, being challenged and having fun are the top reasons the researchers submit bugs via HackerOne, while bragging rights come in last place.

HackerOne’s 2019 report also shows that cross-site scripting (XSS) is the preferred attack method, followed by SQL injection. The full report is available here.