This Bash bug will be a mess!

September 25th, 2014 by Barrett Lyon
Bash (GNU Bourne-Again SHell) is a common command line interface (shell) for newer styles of UNIX-like operating systems. It’s favored by Linux distributions and OS X because it is a little more user friendly than other shells. It has also had a 22 year old bug that possibly allows an attacker to remotely execute arbitrary commands on the victim’s machine, typically as root. Read the full CVE-2014-6271 CERT report.

What does this mean for us OS X users? Well, not much, unless you run DHCP or Internet Connection Sharing (which uses DHCP) which could allow remote command execution.

What does this mean for your Linux box? If you have any idiotic applications that allow remote input, such as a form or setup script that passes unchecked variables to Bash, you’re in big trouble.

Implications are all over the place: Huge DDoS botnets powered by massively connected machines. People’s data being compromised everywhere. Scanners executing a simple command such as rm -rf / which will simply nuke the entire server’s disk…  It’s going to be messy for people that have followed poor development and security practices with their web applications, stats, log analysis software, or any application that passes external input to bash.

This doesn’t impact BSD (by default), which for the most part has shunned Bash since its beginning, favoring a different shell called cshell (csh). It also probably won’t heavily impact services like Facebook and Google, because they shouldn’t be allowing shell calls from web applications, and their user access should be limited to trusted applications and users anyway.

WAFs (Web Application Firewalls) are a huge help in this situation.  Rather than wait for all of your services to be patched you can deploy a rule or have your WAF service deploy a rule that can block this attack vector.  I consider this a huge advantage when combatting new exploits.
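As an added illustration (not code from this post or from any WAF vendor), here is the kind of per-header check a WAF rule for this bug amounts to: CGI-style applications export request headers as environment variables, and vulnerable Bash treats any variable whose value starts with the function-definition prefix `() {` as code. The sample requests are constructed, and the rule matches the prefix anywhere in a value, which is stricter than Bash’s own begins-with parsing, on purpose.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Vulnerable bash (CVE-2014-6271) parses an environment variable whose value
# begins with "() {" as a function definition and runs what follows the
# closing brace. Request headers reach the environment as HTTP_USER_AGENT,
# HTTP_COOKIE, etc., so each header value is checked for that prefix.
# The pattern tolerates whitespace variants; matching anywhere in the value
# is deliberately more conservative than bash's begins-with rule.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample requests (not real traffic); each is a header dict.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Referer": "https://example.test/"},
    {"User-Agent": "() { :;}; /bin/echo probe", "Host": "example.test"},
    {"Cookie": "session=abc; () {  :; }; /bin/echo probe"},
    {"User-Agent": "curl/7.30.0", "X-Note": "braces {} and parens () alone are fine"},
]


def is_shellshock_value(value: str) -> bool:
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_request(headers: Dict[str, str]) -> List[str]:
    """Return the names of the headers whose values match the rule."""
    return [name for name, value in headers.items() if is_shellshock_value(value)]


def scan_requests(requests: Iterable[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every request that should be blocked, with its offending headers."""
    hits: List[Tuple[int, List[str]]] = []
    for i, headers in enumerate(requests):
        flagged = scan_request(headers)
        if flagged:
            hits.append((i, flagged))
    return hits


if __name__ == "__main__":
    for idx, names in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: block (pattern in {', '.join(names)})")
```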

Anyway, it’s time to get patching and expect the Internet to be a little messy for the next few months.

What happens when National Geographic steals your art?

September 23rd, 2014 by Barrett Lyon
Short story: They throw lawyers on you and threaten you to take almost nothing in return, because as a starving artist, you’ll be unable to pursue them legally and the maximum damages are so low that it’s not worth pursuing.

National Geographic used my Internet image (opte.org) on the cover of its bookazine, 100 Scientific Discoveries that Changed the World, and in the book, The Big Idea, without my permission or respecting the Creative Commons license that allows it to be used for non-commercial purposes for free.  I charge a nominal fee for the license which can be obtained on www.opte.org in minutes.  The license helps cover costs and furthers development of the project.  They couldn’t be bothered.

They responded to me acknowledging my claim, agreeing that they had infringed on my work (several times in the magazine). If the infringement is ‘willful infringement’, the settlement range is typically $150,000. But they will fight you until you (and they) have spent far more than that. Apparently, infringement happens often with National Geographic, and they are willing to spend more money on legal costs than they would have given to the artist in the first place.

Several other artists have already run into this same situation with National Geographic. Many have come forward with a lot of rage as they went through the same, frustrating and unsuccessful process.

The apology from National Geographic’s lawyer included the following explanation on why they would be paying me (and other artists) nothing compared to the damages caused by willful infringement:

“After further investigation, I must respectfully disagree with the implication set forth in your reply email that statutory damages for willful infringement in the range of $150,000 per work are applicable to this situation. National Geographic stands firm in its position that it was not aware and had no reason to believe that the image it used was yours and not an image by the individual whom National Geographic credited. In this situation there were no facts that could put National Geographic on notice or would lead it to reasonably conclude ownership of the copyright to the image was in question.

As this situation is a mistake and inadvertent infringement, the maximum amount of statutory damages you may claim under Section 504(c) of Title 17 of the United States Copyright Act. Statutory damages are based on your ability to prove the following: (1) that the image in question was copyrighted within ninety (90) days of first publication and that (2) National Geographic acted in bad faith. The burden of proof is on you to prove both elements. If you filed with the U.S. Copyright Office, you should have a dated certificate documenting your registration. You would certainly need to provide this documentation to confirm that you had met the first requirement to be eligible for statutory damages. National Geographic can document that it made a mistake; therefore, there is no support for a claim that it acted in bad faith. For this reason, National Geographic would be deemed an “innocent infringer” under U.S. Copyright law. Under such a determination, the statutory damages could be reduced to $200.

National Geographic considers the appropriate measure of damages in this case is the license fee for the uses of the image a total of $1,380 ($750 bookazine for use on the front cover and one interior placement; $630 book for use on a portion of front cover, a spot on the back cover, and one interior placement), which amount National Geographic is willing to increase to $2,760 to resolve this matter amicably. National Geographic would also correct the credits on subsequent editions of the publications.

Based on the obstacles and costs you would face to bring this to trial, resolving the issue through negotiation seems the most cost effective way to settle the matter. This correspondence is solely for settlement discussions and may be used for no other purpose. Thank you for your patience, I look forward to moving this matter to a mutually satisfactory conclusion.”

I agreed to take a lower license fee if they would publish a correction and use their twitter account to tweet an apology.

This was their response:

“I have checked thoroughly, and I regret that National Geographic will not accommodate your request for “published correction and a tweet from the natgeo twitter account apologizing about the situation[.]” The works are already published; National Geographic publishes corrections in its magazines only that relate to the specific magazine. Book corrections are done for any reprints or new editions. I will have National Geographic Society records updated so that all references to the image in subsequent reprinting or new editions of the works will be correctly credited, consistent with the requirements on your website or the Commercial License granted from your website. National Geographic Society operates no twitter account for corrections, and the accounts it operates are for coverage topics only.

I can, however, produce the Settlement Agreement that will be necessary to process the payment to you. In addition to correcting references to the image in any reprints or new editions of the works in which it currently appears, National Geographic will correct its files to ensure that any inquiries about the image are referred to your website. It will help me if you could answer the question I posed below regarding how the Commercial License granted from your website actually read; if there is any more than the language stating the grant on the website.”

It appears that when they willfully infringe on an artist they use an institutionalized policy of ripping off artists.  They used my work in a way I am not comfortable with. It’s like having someone steal your car and then after they’ve driven it for a few days they give it back and decide how much to pay you for the rent.  There is no price that is acceptable in these conditions.

An institution such as National Geographic only exists because of the amazing minds behind it, the people that go to the ends of the earth to take photos in dangerous areas, the people that give their craft to make the institution work. When National Geographic defends itself when it knows it’s been wrong… It just harms their brand, overall credibility, and integrity.

In an age where anything can be copied, one would think that National Geographic would be very careful about what new licensing arrangements exist, such as Creative Commons.

At this point, I think I am going to push my legal options… Not just for me, but for the rights of all the people they have ripped off.

Shame on you National Geographic.

Why Defense.Net and F5: The Hybrid Cloud

May 27th, 2014 by Barrett Lyon
I have been hearing the term “hybrid cloud” for quite a while, but until recently, it sounded more like a marketing pipe dream than a reality. I’ve often wondered why hardware companies didn’t include cloud services that work harmoniously with their hardware offerings. Apple, Microsoft, and other software makers have figured out how to integrate the cloud with their own platforms, but hardware companies seem very slow to adopt the concept. I’ve had many conversations with SVPs at large hardware vendors, and it turns out the cloud is completely foreign to them. The billing models are different, the sales processes are different – and to a publicly traded company – the differences seem terrifying enough to stay out of cloud.

Then comes F5 Networks: These are the guys that you see in nearly every cage in every datacenter around the planet. The glowing red F5 logo might ring a bell. It turns out they are a security company with really robust offerings and they’ve been quietly building a solid security posture for their devices over the past decade. They also have open minds and have been working on a strategy to merge hardware with the cloud. They know that a DDoS defense as a cloud service may be one of the most difficult cloud services to build — but if built correctly and with innovation, it becomes one of the best and most solid cloud platforms possible. DDoS defense as a service is the foundation to all cloud services.

By having such a solid foundation, the next step is to seamlessly merge the DDoS defense network with F5’s hardware to create the world’s first true hybrid cloud. The vision is that customers can create their own local DDoS defense, and when volumetric attacks hit, at a specific point they’re “automatically” offloaded to the cloud.

This is obviously a huge step for F5, and it is going to take a lot of F5’s smartest people working together with Defense.Net’s group to make this happen. But it WILL happen. It’s a very exciting time for me to watch my company join forces with F5 to really change the game and create a platform that will help the Internet and businesses grow for the next decade.

Blue Apron: I’m not having fun.

May 12th, 2014 by Barrett Lyon

Open letter to Blue Apron from a dyslexic guy:

Your instructions look cute and fun… They’re well designed for someone without a learning disability.  To me… they are a confusing mess:


“Blue Apron makes cooking fun and easy.” (For people without learning disabilities)
  • Your “knick knacks” pack is never referenced in the directions.
  • You’re putting pictures of the ingredients that don’t look anything like what you’ve delivered.
  • The instructions require you to flip between two sides of a page (for someone like me that’s difficult and it fucks with my head).
  • I can’t follow directions like:  “gather the produce”.  You give me nothing labeled produce or anything that even matches a picture or what produce is.  I know what produce is but I am concentrating on following the instructions and they just scramble me.
  • The lettering is too small on the pages; you’re compressing too much into a single page.  Why?  Hell, add additional directions online if you’re worried about printing costs.
  • Honestly, the pages are overwhelming to me and I shut down just looking at them.
  • It’s not fun if I don’t have my wife participating. :(

Anyway… thank you, we did enjoy trying the service.  However, when my wife is not helping me navigate your instructions I am left angry and embarrassed.

Further, I can’t find any auxiliary ways to learn or get direction.  You could easily provide links to videos that show the directions without the awful back-to-back vague “recipe”.

I, like many people, learn differently and a lot of people process information differently.  You should help people like me have fun with your product by providing different ways to ingest your information.

So sadly I am canceling… I’ll come back if you guys fix this a bit. Startups are hard! I know! I’ve done a few. I hope you guys can help folks like me and I will become a loyal customer.

PS:  This is exactly why I don’t bake.  Oh and I love to cook.

I finally updated opte.org

May 12th, 2014 by Barrett Lyon


It’s been almost 11 years since www.opte.org has seen an update.  Today I updated the entire site with new code, a new image, and a new format.  This will be the foundation for releasing and creating new images starting this month.

Take a look and enjoy!

Defense.Net Squashes The Heartbleed Bug

April 9th, 2014 by Barrett Lyon
http://heartbleed.com:
CVE-2014-0160

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Unless an OpenSSL implementation has been patched anyone can remotely view 64K chunks of memory. Said another way, whatever was left behind in the memory of the vulnerable server… becomes public data… This could be passwords, accounts, personal data, and the SSL private keys of the server itself!

To give you an idea of how big of a problem this is, this software is used in everything from web sites, VPNs, specialized networking equipment, email communications, phone apps, you name it.

There are at least half a million web sites that are exposed to this, and this may be one of the most catastrophic bugs in secure computing history.

Whether or not this is a bug or an intentional addition is all speculation at this point and it’s been in the software for over two years, exposing anyone using OpenSSL.

To make matters worse, once the bug has been patched globally, it’s highly likely that every SSL certificate that has been on an exposed server will have to be re-issued creating an absolute logistical and security nightmare.

The cost of replacing half a million SSL certificates could range in the several hundreds of millions of dollars, and it’s unclear when this can or will happen.


How Defense.Net squashes the Heartbleed Bug

My company, Defense.Net, has built a secure network the primary purpose for which is to provide DDoS mitigation.  However, the safeguards we put in place with our proprietary DefenseD scrubbing system to protect against DDoS attacks also protect against the Heartbleed attack vector.

The byproduct of DDoS defense in this case is a better, more protected network, and it further explains why DDoS defense is more than keeping your sites online when they’re attacked with hundreds of gigabits of garbage… they’re full defensive networks.  In the process of cleaning up invalid bots and removing attack traffic, we also validate legitimate network protocols against illegitimate ones.  This ability to safeguard our customers from more than just DDoS attacks helps outline our goals and the future of our network.

We’re capable of doing this because we’re using a proprietary SSL implementation on one layer of our network and on another layer of our network we can monitor and block the behavior of traffic that attempts to exploit the bug.
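As an added example (not Defense.Net’s DefenseD code, nor OpenSSL’s), this is the length check a protocol-validating layer can apply to a TLS heartbeat record: the declared payload length must fit inside the record that actually arrived, which is exactly the bounds check the vulnerable OpenSSL versions omitted. Framing follows RFC 6520; the honest and oversized sample records are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TLS_HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1          # heartbeat_request message type
HB_HEADER_LEN = 3       # type (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


@dataclass
class HeartbeatVerdict:
    declared: int       # payload length the peer claims
    available: int      # payload bytes the record actually carries
    ok: bool            # False means a vulnerable peer would leak memory


def build_heartbeat_record(payload: bytes, claimed_len: Optional[int] = None,
                           padding: bytes = b"\x00" * HB_MIN_PADDING) -> bytes:
    """Construct a TLS 1.1 heartbeat record; claimed_len lets a sample lie."""
    if claimed_len is None:
        claimed_len = len(payload)
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


def check_heartbeat(record: bytes) -> Optional[HeartbeatVerdict]:
    """Apply the bounds check missing from vulnerable OpenSSL.

    Returns None for anything that is not a heartbeat record. For a heartbeat,
    header + declared payload + minimum padding must fit in the record bytes
    that were actually received; an unpatched peer skips this comparison and
    echoes 'declared' bytes (up to 64K) from wherever its buffer happens to be.
    """
    if len(record) < 5:
        return None
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return None
    body = record[5:5 + rec_len]          # only the bytes really present count
    if len(body) < HB_HEADER_LEN:
        return HeartbeatVerdict(0, 0, False)
    _hb_type, declared = struct.unpack("!BH", body[:HB_HEADER_LEN])
    available = len(body) - HB_HEADER_LEN - HB_MIN_PADDING
    ok = HB_HEADER_LEN + declared + HB_MIN_PADDING <= len(body)
    return HeartbeatVerdict(declared, max(available, 0), ok)


# Constructed samples: an honest 3-byte heartbeat and one claiming 0x4000 bytes.
HONEST = build_heartbeat_record(b"abc")
OVERSIZED = build_heartbeat_record(b"abc", claimed_len=0x4000)

if __name__ == "__main__":
    for name, rec in (("honest", HONEST), ("oversized", OVERSIZED)):
        v = check_heartbeat(rec)
        print(f"{name}: declared={v.declared} available={v.available} "
              f"{'pass' if v.ok else 'BLOCK'}")
```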

What’s going on with WhatsApp?

February 22nd, 2014 by Barrett Lyon

WhatsApp went down today around 8:30 AM Pacific and was lights out for about six hours and still continues to struggle to connect users into their network.  In addition, when connected it’s not possible to share images, videos, and audio.

Looking at their network design it’s clear to me that they appear to have their eggs in one basket. The application initially connects to the host “c.whatsapp.net” which is hosted on a single /24 block on SoftLayer (mid-tier hosting provider):

c.whatsapp.net. 3600 IN A 50.22.231.54
c.whatsapp.net. 3600 IN A 50.22.231.55
c.whatsapp.net. 3600 IN A 50.22.231.56
c.whatsapp.net. 3600 IN A 50.22.231.57
c.whatsapp.net. 3600 IN A 50.22.231.58
c.whatsapp.net. 3600 IN A 50.22.231.59
c.whatsapp.net. 3600 IN A 50.22.231.60
c.whatsapp.net. 3600 IN A 50.22.231.36
c.whatsapp.net. 3600 IN A 50.22.231.44
c.whatsapp.net. 3600 IN A 50.22.231.45
c.whatsapp.net. 3600 IN A 50.22.231.46
c.whatsapp.net. 3600 IN A 50.22.231.47
c.whatsapp.net. 3600 IN A 50.22.231.48
c.whatsapp.net. 3600 IN A 50.22.231.49
c.whatsapp.net. 3600 IN A 50.22.231.50
c.whatsapp.net. 3600 IN A 50.22.231.51
c.whatsapp.net. 3600 IN A 50.22.231.52
c.whatsapp.net. 3600 IN A 50.22.231.53

50.22.231.0/24 appears to host all of the c.whatsapp.net hosts which makes it vulnerable to a DDoS attack and hijacking.  It’s generally bad design to put all of your critical services on a single host that’s routed to a single network provider in a single location.

In addition, 184.173.136.0/24 is at the same datacenter with the same provider and hosts a bunch of the MMS and chat functions of the application… which were also not working properly.

Discounting the design, the SoftLayer network looks like it’s healthy: there are no indications of a volumetric DDoS attack such as latency or jitter, and the network itself appears to be up and working just fine.

So what’s wrong?  Well, the c.whatsapp.net IP addresses are not answering on port 443 reliably.  Sometimes they open and function and sometimes they don’t.  That indicates that there is one of three things going on:

  • Application layer DDoS on port 443 (SSL) to their c.whatsapp.net host
  • Application bug
  • Extreme growth

Given this has gone on all day I would imagine a bug would have been fixed quickly.

So… Is it an application layer DDoS attack?  I don’t know.  The Facebook acquisition angered a lot of users and the timing of the outage looks pretty suspect, however, calling it a DDoS is still speculative.  The service has been stable for me for years.

If I were to guess:  It’s a rapid growth problem which helped them discover new limits in either their firewall hardware or their load balancers.  They tend to be the thing that breaks first. Replacing or upgrading hardware like a load balancer in hours is typically not easy.

Regardless of whether it’s an application layer DDoS attack or just unprecedented growth, I am really worried about their design… It reminds me of the early days of Twitter.

P.S.:  I wish the team at WhatsApp best of luck to get this fixed whatever it is…  I miss chatting with my friends.

The European Cyber Army Has Bits

January 31st, 2014 by Barrett Lyon

After enough taunting, the European Cyber Army (ECA) launched a modest attack against blyon.com.  The traffic has yet to exceed 1 Gbps and it’s comprised of a smorgasbord of attack methods:

Initially the attack came in as an HTTP HEAD and GET flood requesting different items from my site.  Shortly after, a DNS reflection attack and an ICMP reflection attack came into blyon.com as well.

The HEAD attack was directed to a single image with the User-Agent of “ICAP-IOD”.

The GET flood contained a User-Agent of “LOWC=@ECA_Legion&ID=1391196316226”

Luckily I am the CTO/Founder of a DDoS defense company (Defense.Net), so getting an attack like this to my personal blog is really not a big deal. However, even with a modest attack like this, an unprepared or unprotected web site will struggle.  If this attack was in fact directed at paser.gov or other small unprotected sites, they probably would be impacted.

This is not a confirmation that the ECA launched the attack to the targets they boast about.  The attack to me could be a random sympathetic user to the ECA, however, they do have the ECA Twitter handle as part of the User-Agent string in the attack hitting my server.

If you’re a server administrator at any of their alleged targets, contact me if you saw any of the User-Agents I saw.

Is the “European Cyber Army” Capable of Big DDoS Attacks?

January 31st, 2014 by Barrett Lyon

I follow what’s happening in the DDoS world very closely and when I see banks go down for extended periods of time, that tells me that someone has a large botnet. On Twitter, a group calling itself the “European Cyber Army” took claim for the attacks on January 29th. Their claim prompted me to do a little digging and Tweeting to learn more.

I wrote a blog post that was loaded with items that would intentionally irritate them. I wanted to see what kind of reaction I would get. It was not met with a warm reception and they began to threaten me on Twitter and hit me with a little tiny 6Mbps GET flood:

ECA_Legion: …We have a mind to destroy your website!

[I say nothing and an attack starts.]

BarrettLyon: It was a cute GET flood
ECA_Legion: thank you!
BarrettLyon: It didn’t do anything.
BarrettLyon: I guess I was expecting a real DDoS and not a cute one.
ECA_Legion: If we want the site to go down we will hit it! Right now we are busy on an important target!
ECA_Legion: At times we will threaten and never follow through! But like we said, hit us up when we aren’t busy and we will take it down!
BarrettLyon: Sounds like you’re just finding site outages and reporting them as if you did the DDoS. Your “attack” kinda proves my theory.
ECA_Legion: Believe what you what!
BarrettLyon: I thought you were going to attack me? That’s what you threatened me with right?
ECA_Legion: We did threaten to do that! But sadly your site isn’t injectable! Dammit!
BarrettLyon: What does an injection attack have to do with DDoS?
BarrettLyon: So all this #tangodown stuff is what I thought it was. #faildown
ECA_Legion: You doubt our DDoS abilities?
BarrettLyon: I’m pretty sure that’s what I said.
ECA_Legion: Then you will enjoy the upcoming attacks! Lulz
BarrettLyon: Okay cool, well… I’m going to dinner with my family. Have fun sending me “upcoming attacks”.

At that point I went to dinner and I have not seen a single DDoS attack. Meanwhile they keep Tweeting that they’re taking sites down and defacing sites with an injection attack.

They may be taking sites down with their 6Mbps GET flood but I don’t think they’re doing it with a 200 Gbps capable botnet.

So, that begs the question: Who is behind the big attacks?

Here Comes the European Cyber Army

January 30th, 2014 by Barrett Lyon
With the disappearance of the Izz ad-Din al-Qassam Cyber Fighters, DDoS attacks have not been on the top of the headlines for a few months. Well, a new group calling itself the “European Cyber Army” (@ECA_Legion or ECA) has been making some news. They claim to be targeting the US military and banks, however, based on their twitter feed it appears they are taking claim for site outages and passing them off as attacks.

They claim to have attacked and downed over 60 web sites ranging from bankofamerica.com, Japanese retailers, theme parks, US military sites, and numerous foreign sites.

I found it odd they were targeting such a wide list of web sites, so I tweeted about the random list of hosts they were targeting. They responded directly to me with, “‪@BarrettLyon Casualties of warfare”.

What war they are fighting or starting is not exactly clear. They’ve posted a YouTube propaganda video, which basically declares they’re mad at nearly everything and everyone:

The Bank of America and Chase attacks made public news as the attacks clearly impacted their sites. The European Cyber Army tweeted the following statement:

Bank of America’s site was unresponsive during the tweet, but it’s unclear if they were claiming responsibility or if they actually did the attack.

Following Bank of America, someone launched an attack to chase.com.  The Euro Cyber Army guys made the following statements on their Twitter account:

Some large attacks have happened (maybe not carried out by these guys) and they appear to have been extremely successful and were at rates of around 190 Gbps.  I believe the actual attacks were accomplished with a derivative of the Brobot, which was what the al-Qassam Cyber Fighters were using.  There are other rumors that they have some control over the IADAQ botnet but that does not seem to be true.

To date, the would-be attacks appear to be sprinkled around as they make a stir at each of their targets. They take a site down for a few hours and then shift the focus to a new target. They may be shifting the attack to create pain at their target without having their botnet overly exposed or they’re just reporting outages as attacks and eventually the site goes back online.

Who are these guys?  Based on a pastebin post, they are a group of hackers from LeakSecurity (#LeakSec), possibly people affiliated with @OpFunKill and @oG_maLINKo.

Stay tuned for more updates.

UPDATE:  They didn’t like my blog post and threatened to attack me, “We have a mind to destroy your website!”  They did actually attack with a little 5Mbps GET flood which was quickly shut off.

I responded with, “@ECA_Legion Sounds like you’re just finding site outages and reporting them as if you did the DDoS. Your ‘attack’ kinda proves my theory.”

The conversation ended with, “@BarrettLyon Believe what you what!”

Still no major attack.