Security Blog

Your source for information security news and views.

Lulz Security, a seemingly innocent name you might actually mistake for a legitimate security company, has been rapidly building its hacking reputation since early 2011. The group has managed daily hacks on dozens of websites all across the internet and even managed to set up call forwarding attacks on many customer support lines. Some of the most notable have been hacks of Sony, the US Senate, the FBI, and the CIA. Many of their attacks have been simple breaches of perimeter security, things that many security professionals should have secured a long time ago.

These hacks highlight the time many security managers waste attempting to secure only their outer defenses. True security should live directly around your most precious assets. The security deployed by most sites hit by LulzSec has been primarily perimeter-based. This type of security is like building a wall around your home yet leaving your doors unlocked and expecting only the wall to keep people out. As we can now see, that methodology is unacceptable and simply is not enough.

Though this group has caused some major disruptions in many networks, they do not seem to have a truly malevolent motive in these attacks. They do not seem to be out for financial or political gain. As their tweets and even their name 'Lulz' (a reference to 'laughs') suggest, they are doing this simply for the entertainment and the sport of it. They have even been operating what I like to call a hack-by-request system, where anyone is free to contact them with a target to be hacked. The truly surprising fact is that they have actually been able to hack nearly every target they are given, whether it be a simple gaming forum or a high-level government website. They are breaking through what should be the most secure websites on the internet using simple DDoS and packet flooding attacks.

Beyond exposing a lack of perimeter defenses their hacks have also brought to our attention many other security issues that most of us are still ignoring. Their hack on Sony revealed not only inadequate security defenses on Sony's part but also an astonishing amount of password reuse by users, which we all know is one of the most prevalent security flaws that exists.

Let's face it, these attacks have been happening for years and organizations have simply been able to keep quiet while sweeping the mess under the rug. LulzSec's public hacking escapade has finally brought these attacks to the attention of the general public. They are exposing many organizations' security systems for what they really are: weak. There is no more ignoring our simple mistakes. It is time we all step up our security to the level it needs to be at in this world of cyber threats. This should be a true eye opener for security professionals. It may be your only chance to get things right before your information is truly at risk of theft and misuse that will indeed result in financial loss and legal liability.

For those who don't know, tomorrow is World IPv6 Day, a day when over 400 corporate, government, and university websites will switch their networking over to the IPv6 protocol for a 24-hour period. The changeover will signify the start of a new generation of internet protocol and hopefully lend credibility to the IPv6 system, which has been pushed into the market since 1999. With the now imminent depletion of all available IPv4 addresses, IPv6 Day aims to push the remaining non-conformers over to the new system and bring much more attention to it as a necessary protocol. Though this will be a landmark day because it introduces the largest wide-scale implementation of IPv6 to date, it could also be D-Day for the largest wide-scale implementation of DDoS attacks.

Though the trial changeover will only last from 8:00 p.m. tonight until 7:59 p.m. tomorrow night, there is still the possibility of some major issues. One of the most probable is DDoS attacks. These attacks rely on jamming up network routers and devices with overwhelming amounts of traffic, causing the network to crash and deny all remaining requests. Since IPv6 header packets are four times the size of IPv4 header packets, they take four times as long to process by routers. In a digital world this takes only nanoseconds, but multiply that by thousands of requests a minute or even per second, add the increased processing time it takes to handle a larger IPv6 header, and the system can potentially jam up very quickly.

Many large corporate websites on the IPv6 trial list, such as Google, Facebook, and Juniper, have seen their fair share of attempted attacks in the past. This vulnerable new system still in its infancy could be the perfect opportunity for hackers to finally break through to the information they want.

One advantage to being on this list of the 400 is that these corporations have done their homework on IPv6 and their systems have been built to handle this protocol. Another attack vector comes with those companies who have yet to make the switch to a dual stack implementation of their packet inspection network systems to handle both IPv4 and IPv6 traffic. These companies will be accepting uninspected IPv6 traffic through their devices thus holding the potential for a broad array of network attacks.
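One way to check a Linux gateway for the dual-stack gap described above, as an added example that is not part of the original post: compare the text output of `iptables-save` and `ip6tables-save` and list the built-in chains that are default-drop for IPv4 but pass everything for IPv6. The function names and the sample dumps are assumptions constructed for illustration.

```python
# Constructed sample dumps (not from a real host), in iptables-save format.
SAMPLE_V4 = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
# IPv6 side never configured: default ACCEPT policy, no rules.
SAMPLE_V6 = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


def parse_save(dump):
    """Map (table, chain) -> {'policy', 'blocking'} for built-in chains."""
    chains, table = {}, None
    for line in dump.splitlines():
        parts = line.split()
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":") and len(parts) >= 2 and parts[1] != "-":
            # ":CHAIN POLICY [pkts:bytes]"; policy "-" marks a user-defined chain
            chains[(table, parts[0][1:])] = {"policy": parts[1], "blocking": 0}
        elif len(parts) >= 4 and parts[0] == "-A" and (table, parts[1]) in chains:
            # Count rules that jump to a blocking target
            if "-j" in parts[:-1] and parts[parts.index("-j") + 1] in ("DROP", "REJECT"):
                chains[(table, parts[1])]["blocking"] += 1
    return chains


def dual_stack_gaps(v4_dump, v6_dump):
    """Chains whose IPv4 policy is DROP but whose IPv6 side passes everything."""
    v4, v6 = parse_save(v4_dump), parse_save(v6_dump)
    gaps = []
    for key in sorted(v4):
        c6 = v6.get(key)  # None: the chain is absent from the IPv6 dump
        open6 = c6 is None or (c6["policy"] == "ACCEPT" and c6["blocking"] == 0)
        if v4[key]["policy"] == "DROP" and open6:
            gaps.append(key)
    return gaps


if __name__ == "__main__":
    for table, chain in dual_stack_gaps(SAMPLE_V4, SAMPLE_V6):
        print(f"{table}/{chain}: IPv4 default-drop, IPv6 unfiltered")
```

This only compares default policies and blocking rules in built-in chains; it does not prove the two rule sets are equivalent, so a clean result still warrants a manual review of the IPv6 rules.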

This trial period will be a major learning experience for all IPv6 amateurs. If your corporation has plans to implement increased network security, today would be the day to do so. Be prepared to hear more about this all across the cyber world as the day goes on.