Monthly Archives: May 2015

Tinkergarten Is Using Technology To Get Kids Back Outdoors

Many parents today recall childhoods where we were pushed out of the house by our parents, while told simply to “go outside and play.” But our children seem to be growing up in a different world: one filled with scheduled activities, hovering parents, and a lot of screen time. A new startup called Tinkergarten, now backed by half a million in seed funding, wants to change that by offering a technology platform that enables a distributed workforce to host play-based learning classes for kids that take place outdoors in parks and other green spaces.

The idea is to encourage kids to have fun and be social, while developing various skills through hands-on activities that range from making mud pies to creating art using items found outdoors, like leaves and berries. But instead of structuring the class in a way where kids are told what to do, they’re encouraged to problem-solve in order to foster their independence.

For example, a teacher might say that today they want to make mud pies, but she forgot to bring the mud. The kids then brainstorm how they can create the mud using the dirt and water at the park. (Yes, the classes can get messy!).

If that problem sounds too easy, it’s because the program is aimed at a younger set of students – Tinkergarten classes are focused largely on attracting the “Mommy & Me” crowd with activities for children as young as 18 months old and up. The curriculum is being developed to support kids up to 8 years old, however, but a lot of the interest comes from parents looking for an alternative to constant playdates as a means of socializing their toddlers.

The idea for Tinkergarten comes from co-founders and husband-and-wife team Brian and Meghan Fitzgerald. Brian has a lengthy background in the tech industry, working for both startups and larger companies, including Yahoo, Audible, Amazon, and Knewton, and Meghan is a former teacher and elementary school principal.

As parents of three girls, the Fitzgeralds initially began Tinkergarten as a side project, hosting classes themselves, but later realized there was a potential business involving setting up a platform that would allow others to receive training and host their own classes anywhere in the U.S.

While, like many, the two have an appreciation for today’s technology-fueled world, they were also concerned that children weren’t given enough time to just “play” out in the real world.

“We were worried that they’re not going to be able to invent things without technology, or to be outside specifically,” explains Meghan. “Will they be able to think freely? Does time outside really matter to people? And what is this lack of time outside doing to kids?”

With Tinkergarten, prospective teachers are vetted through background checks and other processes similar to other on-demand startups, then offered virtual training through an online portal. They then purchase the initial materials needed for classes, like buckets, tarps, rope, tweezers and more, but subsequent materials are provided by the company.

Through the site, teachers can configure their schedules, customize their curriculum, communicate with parents by messages sent out via email and SMS, manage photo-sharing, and more. The idea is to provide a single place for the teachers to run their own programs, allowing them to earn extra income. With classes that range from $25-$30 per session, and are hosted a couple of times per week for different age groups, teachers have the potential to make a few thousand extra dollars, or as much as $10,000 extra per year.

Currently, the company has 30 class leaders signed up in the New York Metro area, including Manhattan, Brooklyn, Westchester, Northern N.J. and Southern Connecticut, and is now preparing to expand its platform nationwide. Tinkergarten generates revenue by splitting the class fees (they keep 70 percent) with teachers. The founders explain that split is necessary because of their investment in the technology infrastructure, the ongoing support, and the materials provided.

For parents, the classes could offer a nice alternative or addition to a kid’s schedule, which tends to favor more structured fare like dance, music and sports – even at young ages. But the classes are priced in the premium tier. At $100 per month and up for a once per week class, parents may have a hard time wrapping their heads around the value associated with outdoor time and mud pies when, for the same amount, they could put their kid in (possibly two!) more traditional classes.

That could limit Tinkergarten’s potential for growth and could see it needing to find a different way to monetize – like white labeling its tech platform for the extracurricular activity industry in general, perhaps.

The startup is today a team of five full-time based in Brooklyn and Northampton, Mass. Investors in the company include Brooklyn Bridge Ventures, Structure Capital, and edtech entrepreneurs John Katzman (founder of 2U, The Princeton Review, Noodle), and Don Katz (founder of Audible).



Via: techcrunch

United Airlines: Hack our site for free miles (just don’t mess with onboard systems)

United Airlines is offering up to 1 million free air miles in a new bug bounty program that rewards hackers who discover security flaws in the airline’s websites, apps and databases.

The program is the “first of its kind within the airline industry,” United proclaims on its website.

Bug bounties, which reward security researchers for responsible disclosure of vulnerabilities, are offered by many tech companies such as Facebook, Google and Microsoft.

The bounties usually come in the form of cash: Google even offers up to “infinity dollars” in its program, although most bounties are far less.

United’s bug bounty program, however, offers rewards in the form of air miles – ranging from 50,000 free miles for low-level bugs (cross-site request forgery, bugs in third party software affecting United), to 1 million miles for the highest level kind of bug – remote code execution.

To qualify for a reward, hackers need to be signed up as members of the airline’s MileagePlus reward program – and they need to comply with a strict set of eligibility rules.

Some security flaws that aren’t permissible include tampering with aircraft systems such as in-flight Wi-Fi or entertainment.

Hackers could end up in a heap of trouble for trying certain types of attacks, United warns, resulting in “possible criminal and/or legal investigation.”

Do not attempt:

Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation.

* Brute-force attacks
* Code injection on live systems
* Disruption or denial-of-service attacks
* The compromise or testing of MileagePlus accounts that are not your own
* Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
* Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
* Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
* Vulnerability scans or automated scans on United servers

Maybe United has had this in the works for a while, but the announcement of the bug bounty program comes just a few weeks after the airline banned a security researcher from flying on United after he tweeted that he could hack onboard systems to deploy oxygen masks.

United cited its existing policies in banning the researcher, Chris Roberts, and preventing him from boarding his United flight from Colorado to San Francisco (where he was scheduled to speak at the RSA Conference about security vulnerabilities in transportation).

Recently, US government agencies have launched investigations into the security of systems such as avionics (onboard computers that control communication and navigation), and the antiquated air traffic control system that directs millions of flights annually across the US.

The findings of a US Government Accountability Office (GAO) report have raised the level of scrutiny on airlines by lawmakers, regulators, the media and the general public.

Despite all of this attention on aircraft security, and presumably for reasons of aircraft safety, the United bug bounty program is limited to the security of its websites.

United, who has previously struggled to keep customer data secure, is stepping up its website security in other ways, too – just last week the airline announced the beta launch of a brand new

While United is touting upgrades to its website design like easier search and filtering of flight information, one unsung feature is the switch to default SSL encryption across the entire website (shown by the “HTTPS” part of the web address).

You can see on the homepage of the site that it has a security certificate telling you that this is really United’s website, as vouched for by the certificate authority GeoTrust.

The current website doesn’t have that extra layer of security.

Let’s hope the other airlines follow United in taking proactive steps to protect customer data.



Via: sophos

Gmail’s New Login Screen Hints At A Future Beyond Passwords

Google quietly rolled out a new login screen for Gmail this week, and not everyone is happy with the update.

Where before, Gmail users would enter their username and password on the same page, the new login flow separates this process. Now, you’ll first enter your username, then be directed to a second page where you enter your password. Some complain that this change slows them down, while others point out that the update has broken their ability to log in using various password managers.

According to Google, the change was implemented to prepare for “future authentication systems that complement passwords.” The company is vague on the details as to what those may be, but may be referencing other methods to secure accounts like two-step/two-factor authentication, hardware dongles, or perhaps even some web-based variation of Android’s “Smart Lock” system.

That latter item allows Android users to keep their devices unlocked when they have a trusted Bluetooth device connected, are in a trusted location, have the device on their person (“on body detection”) or the device recognizes their face. While Google obviously wouldn’t say what it has planned for Gmail on the web in the future, like everyone else in the industry, it knows that securing accounts by way of a username/password combination is far from ideal.

Google already separated its login flow on Android last year in order to support such features, so it’s interesting that the company is now doing the same on the web.

In addition to whatever future login methods Google aims to support, the company notes that the new system will be a “better experience” for SAML SSO users, meaning corporate users or students, who sign in with a different identity provider than Google, and will “reduce confusion” among people who have multiple Google accounts.

Those two points are debatable, however. So far, the responses to Google’s announcement have not been too positive. Users are complaining that the change wastes time, as it now displays two pages where there used to be one. Others have been bothered by the fact that entering their user ID then displays their full name and sometimes even their photo before they confirm their identity by way of their password, which they feel is a privacy violation.

And of course, most of the popular password managers used today now don’t work with the new Gmail login screen, though this is likely a temporary situation. (LastPass, for example, says its fix will be released today).

Clearly this change is an incremental step between the old way of doing things, and some future where Google hopes to augment or otherwise improve logins either by adding another layer on top of the password entry, or by doing away with the password altogether. But rolling it out before this “better” system is fully introduced has confused a number of users, it seems.


Via: techcrunch

Skype Translator Preview Now Available To All

Skype has removed the sign-up requirement for its Skype Translator Preview program, letting anyone download the app to their Windows 8.1 or Windows 10 preview-powered PC. Previously, you had to be approved to get the app, but now you can start using it right away without any special permissions required.

The Skype Translator preview app works in English, Spanish, Italian and Mandarin for spoken word, and in 50 languages for IM conversations. Both provide near real-time translation, with the IM component taking what you type and delivering it directly to the recipient in the language of their choice after you hit ‘send.’

Skype’s Translator team originally started letting people test the preview software last December, and they’ve since made progress by refining the original translation and also offering up new languages consistently. User testing is likely a key ingredient in further progressing the translator’s efficacy, so this wider beta launch should mean that it’s closer to being ready for prime time, and that it’s about to get smarter, faster thanks to a sizeable user-pool increase.

By way of providing a look at how Skype Translator is working in practice, the company is offering a look at Pro Mujer, a nonprofit that’s using the tech to help with its mission of providing key services to women in Latin America. You can check out their story in the video below.



Skype’s Translator tech initially looked like science fiction, but now it’s available to anyone (provided they own a modern Windows device). It’s Babel fish time, folks; hope you brought your towels.


Via: techcrunch

Walmart To Test A Free, Three-Day Shipping Service That’s Half The Price Of Amazon Prime

Walmart is preparing to test a new, unlimited shipping service that will compete to some extent with Amazon Prime, but at a lower price point of just $50 per year. The shipping service will be offered to select customers on an invite-only basis starting this summer, offering more than 1 million products for free delivery in three days or fewer.

The company has not yet finalized what the service will be called when it launches into beta in the coming weeks, but, as with Amazon Prime, only a subset of the products Walmart sells online will be available for free shipping. These will be flagged or labeled on the Walmart website so customers can easily identify which items are eligible.

Online, the company offers over 7 million products for sale, but during the beta trials, 1 million-plus items will be eligible for free shipping through the program.

Walmart is not yet committing to rolling out the service to the wider public, but instead positions this as just another of the many market tests it currently operates, which are meant to gather data about customer interest and engagement with different ways of online and offline shopping.

Walmart has, over the years, run a number of e-commerce experiments, ranging from subscription-based sample boxes to local grocery delivery. Some of these tests didn’t pan out (like the former), but the company today continues to experiment with both local store pickup and/or home delivery of groceries in markets like Huntsville, Ala., Phoenix, San Jose, Bentonville, Ark., and Denver.

The idea with this forthcoming Amazon Prime alternative, however, is not necessarily to test whether customers want fast, free delivery (Prime has proven that they do) but whether Walmart could interest them in the option at a lower-price point.

In particular, Walmart is determined to test the theory that what appeals to customers the most is not the speed of Amazon’s service or the newer “same-day” services now gaining traction, but the reliability of these options. That is, you know with Prime your orders will arrive in two days. For half the price (Prime is now $99/year), would customers wait an extra day?

“One of the things that we’ve heard from customers is that they want shopping that’s predictable and they want it to be affordable,” notes company spokesman Ravi Jariwala. “[This test is] really to understand is this yet another new way that we can serve customers?” he says.

Supporting Walmart’s theory on customer interest in the matter is a 2013 comScore study that found that 92 percent of consumers were willing to wait four or more days if free delivery was provided. These customers chose the most economical shipping option three-quarters of the time, and only picked the fastest option 1 percent of the time.

However, Amazon Prime’s membership program is today far more extensive than a free shipping service, though that’s its big draw. It also offers members free streaming video and music, unlimited photo storage, access to the Kindle Lending Library and more.

Walmart’s lower-cost alternative only addresses the shipping aspect, though that could change in time. The company has other assets it could leverage if it felt the need to offer an Amazon Prime competitor, including its video streaming service Vudu. The service even offers a Chromecast-like stick called Vudu Spark, which at a retail price of $25 could be used as a loss leader to encourage sign-ups if Walmart wanted to go that route.

Walmart says the shipping service will “evolve with customer feedback,” which means that it’s already thinking about how it could make its service more on par with Amazon’s in the future.

It’s unclear how Walmart plans to select who will be given access to the beta program, but typically the company tries to find a representative sample of Walmart shoppers when trialing new programs. That’s why some of its more interesting experiments around things like grocery delivery aren’t necessarily in tech hotspots like San Francisco, but rather in suburban or even somewhat rural markets where shopping at Walmart is a part of everyday life.

The company’s official announcement comes on the heels of an in-depth look into Walmart’s business, published by The Information.


Via: techcrunch

Oregon Data Breach Used by Theft Ring to File Fraudulent Tax Returns

Federal law enforcement have arrested five men for filing close to 1,000 fraudulent tax returns using the stolen information they obtained from a breach that compromised the data of 125,000 people, 88,000 of whom were listed in an Oregon employment company’s database.

Lateef A. Animawun, 34, of Smyrna, Georgia; Oluwatobi R. Dehinbo, 30, of Marietta, Georgia; Oluwaseunara T. Osanyinbi, 34, of Marietta, Georgia; Oluwamuyiwa A. Olawoye, 28, of Marietta, Georgia; and Emmanuel O. Kazeem, of Maryland, have all been indicted by a federal jury on conspiracy to commit wire fraud and mail fraud, wire fraud, mail fraud, and aggravated identity theft.

All but Kazeem have been arrested. They will be arraigned in the District of Oregon at a date to be determined by the court.

According to OregonLive, the group obtained the names, Social Security Numbers, and other personal information from a database owned by CICS Employment Services, which provides background checks for customer employees.

The breach compromised the information of at least 88,000 customers, 38,000 of whom live in Oregon. Residents of Washington and Nevada were also affected.

It is unclear at this time where the additional 40,000 breached records came from.

The group then used the stolen information to obtain electronic filing PINs from the Internal Revenue Service (IRS), which they used to file 980 fake tax returns seeking $6.6 million in tax refunds between April 2013 and July 2014.

The IRS rejected more than $4 million of the fraudulent returns, but the indicted were able to successfully claim $2.2 million.

Back in February of this year, CICS Employment Services began notifying its customers of a possible data breach. The company has since moved its database from a Phoenix-based server host, where the information was previously unencrypted.

As of this writing, several forensics investigations have been unable to determine how or when the breach at CICS Employment Services occurred.



Via: tripwire

What’s the difference between a vulnerability scan, penetration test and a risk analysis?

Misunderstanding these important tools can put your company at risk – and cost you a lot of money.

You’ve just deployed an ecommerce site for your small business or developed the next hot iPhone MMORPG. Now what?

Don’t get hacked!

An often overlooked, but very important process in the development of any Internet-facing service is testing it for vulnerabilities, knowing if those vulnerabilities are actually exploitable in your particular environment and, lastly, knowing what the risks of those vulnerabilities are to your firm or product launch. These three different processes are known as a vulnerability assessment, penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.

Let’s examine the differences in depth and see how they complement each other.

Vulnerability assessment

Vulnerability assessments are most often confused with penetration tests and often used interchangeably, but they are worlds apart.

Vulnerability assessments are performed by using an off-the-shelf software package, such as Nessus or OpenVAS, to scan an IP address or range of IP addresses for known vulnerabilities. For example, the software has signatures for the Heartbleed bug or missing Apache web server patches and will alert if they are found. The software then produces a report that lists the vulnerabilities found and (depending on the software and options selected) will give an indication of the severity of each vulnerability and basic remediation steps.

It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them.

Penetration test

Many “professional penetration testers” will actually just run a vulnerability scan, package up the report in a nice, pretty bow and call it a day. Nope – this is only a first step in a penetration test. A good penetration tester takes the output of a network scan or a vulnerability assessment and takes it to 11 – they probe an open port and see what can be exploited.

For example, let’s say a website is vulnerable to Heartbleed, as many websites still are, or that your datacenter is vulnerable to ‘Venom’. It’s one thing to run a scan and say “you are vulnerable to Heartbleed” and a completely different thing to exploit the bug, discover the depth of the problem and find out exactly what type of information could be revealed if it were exploited. This is the main difference – the website or service is actually being penetrated, just like a hacker would do.

Similar to a vulnerability scan, the results are usually ranked by severity and exploitability with remediation steps provided.

Penetration tests can be performed using automated tools, such as Metasploit, but veteran testers will write their own exploits from scratch.

Risk analysis

A risk analysis is often confused with the previous two terms, but it is also a very different animal. A risk analysis doesn’t require any scanning tools or applications – it’s a discipline that analyzes a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk – including financial, reputational, business continuity, regulatory and others – to the company if the vulnerability were to be exploited.

Many factors are considered when performing a risk analysis: asset, vulnerability, threat and impact to the company. An example of this would be an analyst trying to find the risk to the company of a server that is vulnerable to Heartbleed.

The analyst would first look at the vulnerable server, where it is on the network infrastructure and the type of data it stores. A server sitting on an internal network without outside connectivity, storing no data but vulnerable to Heartbleed has a much different risk posture than a customer-facing web server that stores credit card data and is also vulnerable to Heartbleed. A vulnerability scan does not make these distinctions. Next, the analyst examines threats that are likely to exploit the vulnerability, such as organized crime or insiders, and builds a profile of capabilities, motivations and objectives. Last, the impact to the company is ascertained – specifically, what bad thing would happen to the firm if an organized crime ring exploited Heartbleed and acquired cardholder data?

A risk analysis, when completed, will have a final risk rating with mitigating controls that can further reduce the risk. Business managers can then take the risk statement and mitigating controls and decide whether or not to implement them.
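The Heartbleed walk-through above (asset, vulnerability, threat, impact, then mitigating controls and a residual rating) can be made concrete. The following is an added example, not code from the CSO Online article: the 1-to-5 scales, the impact-per-data-class table, the likelihood formula and the effect assigned to each control are all assumptions chosen to show how the factors combine, and the two servers are the ones the article contrasts.

```python
"""Worked risk analysis of one penetration-test line item (Heartbleed on two servers).
Added example; the scales, weights and control effects below are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool          # customer-facing vs. internal-only network position
    data: frozenset                # classes of data stored, e.g. {"cardholder"}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploitability: int            # 1-5, e.g. taken from the penetration-test finding


@dataclass(frozen=True)
class Threat:
    name: str
    external: bool                 # does the actor come from outside the network?
    capability: int                # 1-5
    motivation: int                # 1-5


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # points taken off likelihood (1-5 scale)
    impact_reduction: int = 0      # points taken off impact (1-5 scale)


# Assumed impact (1-5) per data class across the categories the article names.
IMPACT_TABLE = {
    "cardholder": {"financial": 5, "reputational": 4, "regulatory": 5, "continuity": 2},
    "pii":        {"financial": 3, "reputational": 4, "regulatory": 4, "continuity": 2},
}
NO_DATA_IMPACT = {"financial": 1, "reputational": 1, "regulatory": 1, "continuity": 2}


def clamp(x, lo=1, hi=5):
    return max(lo, min(hi, x))


def likelihood(asset, vuln, threats):
    """Most capable relevant threat wins. An external actor cannot reach an
    internal-only asset, so only insiders are counted there."""
    scores = []
    for t in threats:
        if t.external and not asset.internet_facing:
            continue
        scores.append(round((vuln.exploitability + t.capability + t.motivation) / 3))
    return clamp(max(scores)) if scores else 1


def impact(asset):
    """Worst case over the data classes held; a server holding nothing scores
    only on availability (continuity)."""
    tables = [IMPACT_TABLE[d] for d in asset.data] or [NO_DATA_IMPACT]
    return {cat: max(t[cat] for t in tables) for cat in NO_DATA_IMPACT}


def rating(score):
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def analyze(asset, vuln, threats, controls=()):
    """Return the inherent risk and the residual risk after the proposed controls."""
    like = likelihood(asset, vuln, threats)
    imp = max(impact(asset).values())
    like_res = clamp(like - sum(c.likelihood_reduction for c in controls))
    imp_res = clamp(imp - sum(c.impact_reduction for c in controls))
    return {
        "asset": asset.name, "vulnerability": vuln.name,
        "likelihood": like, "impact": imp,
        "inherent": like * imp, "inherent_rating": rating(like * imp),
        "residual": like_res * imp_res, "residual_rating": rating(like_res * imp_res),
        "controls": [c.name for c in controls],
    }


# Constructed inputs: the two servers from the article, one vulnerability, two threats.
HEARTBLEED = Vulnerability("Heartbleed", exploitability=5)
THREATS = (Threat("organized crime", external=True, capability=4, motivation=5),
           Threat("malicious insider", external=False, capability=2, motivation=2))
CARD_WEB = Asset("customer-facing web server", True, frozenset({"cardholder"}))
INTERNAL = Asset("internal server, no outside connectivity, no data", False, frozenset())
CONTROLS = (Control("patch OpenSSL and reissue the certificate", likelihood_reduction=4),
            Control("store card tokens instead of card numbers", impact_reduction=3))

if __name__ == "__main__":
    for asset in (CARD_WEB, INTERNAL):
        print(analyze(asset, HEARTBLEED, THREATS, CONTROLS))
```

With these assumptions the card-data web server rates 25 (High) inherently and drops to 2 (Low) once patched and tokenized, while the isolated internal server rates 6 (Low) before any control, which is exactly the distinction the article says a scanner alone cannot make.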

The three different concepts explained here are not exclusive of each other, but rather complement each other. In many information security programs, vulnerability assessments are the first step – they are used to perform wide sweeps of a network to find missing patches or misconfigured software. From there, one can either perform a penetration test to see how exploitable the vulnerability is or a risk analysis to ascertain the cost/benefit of fixing the vulnerability. Of course, you don’t need either of the first two to perform a risk analysis. Risk can be determined anywhere a threat and an asset are present. It can be a data center in a hurricane zone or confidential papers sitting in a wastebasket.

It’s important to know the difference – each is significant in its own way, and they have vastly different purposes and outcomes. Make sure any company you hire to perform these services also knows the difference.

Via: csoonline

Hackers Gaining Access to Starbucks Accounts

According to reports, hackers have gained access to a number of Starbucks mobile app accounts.

The source of the compromise is reportedly due to account passwords being guessed or reused, giving attackers access to customer accounts through the application program interface (API).

If an attacker gained access to a username and password, he or she is able to refill the customer’s app account and then gift the balance to an attacker’s email address.

A key weakness that is being exploited is the lack of two-factor authentication, which should be available in any mobile app with purchasing capabilities in order to verify the transaction.

Hopefully, this incident will push Starbucks, and other applications used to make purchases, to reevaluate their payment systems’ security and enable two-factor authentication to mitigate the risk of fraudulent transactions.

Users of the Starbucks mobile app should ensure that they are using a strong, unique password on their Starbucks account. If they use the same password for multiple accounts, this could leave them vulnerable if that password is compromised somewhere else.

Similar activity has been reported with other applications as well, including Uber, which claims its systems have not been hacked.

However, their application also lacks two-factor authentication and if a user’s password is compromised, someone can use their credentials to request rides that are charged to their account.



Via: tripwire

Bigger than Heartbleed, ‘Venom’ security vulnerability threatens most datacenters

Security researchers say the zero-day flaw affects “millions” of machines in datacenters around the world.


Move over, Heartbleed. There’s a new catastrophic vulnerability in town.

A security research firm is warning that a new bug could allow a hacker to take over vast portions of a datacenter — from within.

The zero-day vulnerability lies in a legacy common component in widely-used virtualization software, allowing a hacker to infiltrate potentially every machine across a datacenter’s network.

Most datacenters nowadays condense customers — including major technology companies and smaller firms — into virtualized machines, or multiple operating systems on one single server. Those virtualized systems are designed to share resources but remain as separate entities in the host hypervisor, which powers the virtual machines. A hacker can exploit this newly-discovered bug, known as “Venom” — an acronym for “Virtualized Environment Neglected Operations Manipulation” — to gain access to the entire hypervisor, as well as every network-connected device in that datacenter.

The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies.

The bug, found in open-source computer emulator QEMU, dates back to 2004. Many modern virtualization platforms, including Xen, KVM, and Oracle’s VirtualBox, include the buggy code.

VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected.

“Millions of virtual machines are using one of these vulnerable platforms,” said CrowdStrike’s Jason Geffner, the researcher who found the bug, in a phone interview Tuesday.

The flaw may be one of the biggest vulnerabilities found this year. It comes just over a year after the notorious Heartbleed bug, which allowed malicious actors to grab data from the memory of servers running affected versions of the open-source OpenSSL encryption software.

“Heartbleed lets an adversary look through the window of a house and gather information based on what they see,” said Geffner, using an analogy. “Venom allows a person to break in to a house, but also every other house in the neighborhood as well.”

Geffner said that the company worked with software makers to help patch the bug before it was publicly disclosed Wednesday. As many companies offer their own hardware and software, patches can be applied to thousands of affected customers without any downtime.

Now, he said, the big concern is companies that run systems that can’t be automatically patched.

To take advantage of the flaw, a hacker would have to gain access to a virtual machine with high or “root” privileges of the system. Geffner warned that it would take little effort to rent a virtual machine from a cloud computing service to exploit the hypervisor from there.

“What an adversary does from that position is dependent on the network layout,” said Geffner, indicating that a datacenter takeover was possible.

Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software.

“It’s definitely a real bug for people running clouds to patch against,” said Kaminsky. “It shouldn’t be too much of a headache as the big providers who might expose systemic risk have all addressed the flaw.”

As the bug was found in-house at CrowdStrike, there is no publicly known code to launch an attack. Geffner said the vulnerability can be exploited with relative ease, but said developing the malicious code was “not trivial.”

From the point of disclosure in late April, it’s taken companies about two weeks to begin patching affected systems.

Rackspace said in an emailed statement that it was notified of the vulnerability that affects a “portion” of its cloud servers, and that its systems are patched.

Oracle, which develops VirtualBox, said in an emailed statement that the company was “aware” of the problem, and fixed the code, adding that it will release a maintenance update soon.

“We will release a VirtualBox 4.3 maintenance release very soon. Apart from this, only a limited amount of users should be affected as the floppy device emulation is disabled for most of the standard virtual machine configurations,” said software lead Frank Mehnert.

A spokesperson for Oracle declined to comment.

A spokesperson for The Linux Foundation, which runs the Xen Project, declined to comment on specifics, but noted that a security advisory was published.

Via: zdnet

DDoS botnet makes slaves of your home and office routers

Researchers have discovered a botnet comprising tens of thousands of hijacked home routers.

A massive DDoS botnet made up of a slave network of hijacked home and office routers has been revealed.

According to a report released by cybersecurity firm Incapsula on Wednesday, lax security practices around small office and home office (SOHO) routers have resulted in tens of thousands of routers being hijacked and ending up as slave systems in the botnet.

Distributed denial-of-service (DDoS) attacks are a common way to disrupt networks and online services. The networks are often made up of compromised PCs, routers and other devices. Attackers control the botnet through a command and control center (C&C) in order to flood specific domains with traffic.

This, in turn, can overwhelm a service, causing websites to effectively turn down legitimate traffic under the onslaught. DDoS attacks are also occasionally used as a distraction while a threat actor uses other methods to break into corporate networks.

Several dozen Imperva Incapsula customers were recently targeted by a DDoS botnet composed of hijacked routers through a series of application layer HTTP flood attacks. The attacks were first detected in December last year, and the company has been mitigating the flood ever since. However, in the last 30 days, attacks have risen to a new height, with double the number of attacking IPs seen in previous records.

After investigation, Incapsula discovered the attacks on domains the company monitors were only a small part of the bigger picture — a far larger DDoS botnet assaulting “hundreds” of other domains outside of the Incapsula network. In addition, attack vectors beyond application layer HTTP flood attacks are being used and include network layer barrages.
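An application-layer HTTP flood of the kind described above shows up in ordinary web server access logs as many requests per source address in a short window, often to the same path. The following is an added example, not Incapsula's code or tooling: it parses combined-format access log lines, applies a sliding window per source IP, and reports the addresses whose peak request rate exceeds a threshold. The log lines, IP ranges (RFC 5737 documentation addresses), window and threshold are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format; the referer/user-agent tail is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip/ts/req/ua for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "ua": m.group("ua") or "",
    }


def detect_http_flood(lines, window_seconds=10, threshold=20):
    """Map each offending source IP to its peak request count within any
    window_seconds-long sliding window. An IP is an offender when that peak
    exceeds threshold. Unparsable lines are skipped."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, left = 0, 0
        # Two-pointer sweep: advance `left` until the window fits, then measure it.
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def _make_line(ip, second, path, ua):
    # Helper for the constructed sample log (assumed timestamp base 10/May/2015 14:03).
    return (f'{ip} - - [10/May/2015:14:03:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed sample: two flooding sources (60 and 40 requests in 10 s) and one
# ordinary visitor making three requests a minute apart.
SAMPLE_LOG = (
    [_make_line("203.0.113.7", s // 6, "/", "Mozilla/5.0") for s in range(60)]
    + [_make_line("198.51.100.22", s // 4, "/login", "curl/7.0") for s in range(40)]
    + [_make_line("192.0.2.5", s, "/about", "Mozilla/5.0") for s in (0, 30, 59)]
)

if __name__ == "__main__":
    for ip, peak in sorted(detect_http_flood(SAMPLE_LOG).items()):
        print(f"{ip}: {peak} requests in a 10 s window")
```

The threshold and window are tuning knobs; on a real site they should be set from the site's own baseline rather than the constants above, and a separate check on the number of distinct offending IPs per day is what would surface the "double the attacking IPs" jump the report describes.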

However, what makes this botnet special is its reliance on SOHO routers, which are predominantly ARM-based Ubiquiti devices.

ISPs, vendors and users who do not lay down basic security foundations, such as changing default passwords and restricting access to their networks, have likely allowed “hundreds of thousands […] more likely millions” of routers to be enslaved in DDoS botnets that can cause havoc for both businesses and consumers, the firm says.

While it is not known exactly how many SOHO routers are part of the newly-discovered botnet, Incapsula researchers found that all of the units were remotely accessible via HTTP and SSH on their default ports — and on top of this, “nearly all are configured with vendor-provided default login credentials.”

Incapsula believes that new devices are added to the network through the execution of shell scripts which seek out devices with open SSH ports which can be accessed using default credentials.

As a result of these poor security practices, threat actors who have compromised these routers could potentially eavesdrop on communication, perform man-in-the-middle (MITM) attacks, hijack cookies and gain access to devices connected to the local network.

After analyzing 13,000 malware files, the researchers determined that the victim routers were all compromised through variants of the MrBlack malware — Trojan.Linux.Spike.A — as well as Dofloo and Mayday, all previously used for DDoS attacks. However, the researchers believe several groups or individuals are pulling the strings, and new malware types are constantly being added.

Between December 30, 2014 and April 19 this year, Incapsula recorded attack traffic from 40,269 IPs belonging to 1600 ISPs worldwide, as well as at least 60 C&C centers. The majority of compromised routers, 85 percent, are in Thailand and Brazil. However, the majority of C&C centers are within China and the United States, at rates of 73 percent and 21 percent respectively.

Attack traffic has been traced from 109 countries.

The new botnet is similar to hacking group Lizard Squad’s DDoS-for-hire scheme. The Lizard Stresser is a DDoS botnet, reportedly also making use of slave routers, which can be hired for as little as a few dollars. However, while the botnet Incapsula found uses Spike to compromise devices, Lizard Squad relies on Linux.BackDoor.

Prior to publishing their findings, the cybersecurity firm contacted the router vendors and ISPs “found to be most open to abuse.” Router owners are urged to disable all remote access to their router management platforms and change their login credentials.

Via: zdnet