Tag Archives: Ars Technica

CyberBunker. Courtesy of Ars Technica

Recently, anti-spam organization Spamhaus became the victim of a large denial of service attack, intended to knock it offline and put an end to its spam-blocking service. By using the services of CloudFlare, a company that provides protection and acceleration of any website, Spamhaus was able to weather the storm and stay online with a minimum of service disruptions.

Since then, the attacks have grown to more than 300 Gb/s of flood traffic: a scale that's threatening to clog up the Internet's core infrastructure and make access to the rest of the Internet slow or impossible.

It now seems that the attack is being orchestrated by a Dutch hosting company called CyberBunker. CyberBunker specializes in “anything goes” hosting, using servers in a former nuclear bunker (hence the name). As long as it's not “child porn and anything related to terrorism,” CyberBunker will host it. This includes sending spam.

Spamhaus blacklisted CyberBunker earlier in the month. A CyberBunker spokesman, Sven Olaf Kamphuis, told The New York Times that CyberBunker was fighting back against Spamhaus because the anti-spam organization was “abusing [its] influence.”

Spamhaus DDoS Grows to Internet-threatening Size | DFI News.

Facebook officials said they recently discovered that computers belonging to several of its engineers had been hacked using a zero-day Java attack that installed a collection of previously unseen malware. In an exclusive interview with Ars Technica, company officials said that the attack did not expose customer data, and it was contained to the laptops of a small number of Facebook engineers. But other companies who were affected by the same hacking campaign may not have been so lucky.

Facebook’s internal security team worked with a third party to “sinkhole” the attackers’ command server, taking over the network traffic coming into it from systems infected by its malware. They discovered traffic coming from several other companies, according to Facebook Chief Security Officer Joe Sullivan. Facebook notified those companies of the attack, and it has turned the case over to federal law enforcement. An investigation is still ongoing. While some of the affected companies were aware of an ongoing attack, others were unaware of the problem before being notified by Facebook.

Facebook Computers Compromised by Zero-day Java Exploit | DFI News.

The United States government has released a bulletin stating that users should disable Java on their computers, as recently the risk for potential hacks and security breaches using the software has increased drastically. Yet another Java exploit has been found in the most recent, fully patched version of the software, and according to Ars Technica this flaw is currently being exploited in the wild.

Even more concerning is how the exploit came to exist: last year Oracle released a patch to fix an earlier security issue, but the patch was incomplete and caused this current flaw to arise. The fact that Java is installed on more than a billion devices worldwide makes it a hot target for hackers, and with the recently discovered flaw the United States government has had to advise users to disable the software.

Oracle claims that a patch is in the works, but this could simply pave the way for more security issues. Java is well known for flaws among computer-savvy users, so as always we recommend not to install the software unless absolutely necessary.

Disable Java, warns US government.

Google revamped its reCAPTCHA system, used to block automated scripts from abusing its online services, just hours before a trio of hackers unveiled a free system that defeats the widely used challenge-response tests with more than 99 percent accuracy.

Stiltwalker, as the trio dubbed its proof-of-concept attack, exploits weaknesses in the audio version of reCAPTCHA, which is used by Google, Facebook, Craigslist and some 200,000 other websites to confirm that humans and not scam-bots are creating online accounts. While previous hacks have also used computers to crack the Google-owned CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) system, none have achieved Stiltwalker’s impressive success rate.

“The primary thing which makes Stiltwalker stand apart is the accuracy,” wrote Adam, one of the three hackers who devised the attack, in an e-mail. “According to the lead researcher from the Carnegie Mellon study, the system we attacked was believed to be ‘secure against automatic attack,’” he added, referring to this resume from a Carnegie Mellon University computer scientist credited with designing the audio CAPTCHA.

Stiltwalker’s success exploits some oversights made by the designers of reCAPTCHA’s audio version, combined with some clever engineering by the hackers who set out to capitalize on those mistakes. The audio test, which is aimed at visually impaired people who have trouble recognizing obfuscated text, broadcasts six words over a user’s computer speaker. To thwart word-recognition systems, reCAPTCHA masks the words with recordings of static-laden radio broadcasts, played backwards, so the background noise would distract computers but not humans.

What the hackers—identified only as C-P, Adam, and Jeffball—learned from analyzing the sound prints of each test was that the background noise, in sharp contrast to the six words, didn’t include sounds that registered at higher frequencies. By plotting the frequencies of each audio test on a spectrogram, the hackers could easily isolate each word by locating the regions where high pitches were mapped. reCAPTCHA was also undermined by its use of just 58 unique words. Although the inflections, pronunciations, and sequences of spoken words varied significantly from test to test, the small corpus of words greatly reduced the work it took a computer to recognize each utterance.

Enter the neural network

With the sounds isolated, the hackers then funneled each word into a battery of mathematical solvers to translate the characteristics of each isolated word into text that would solve the CAPTCHA puzzle. An early version of the attack worked by using the open-source pHash software library to generate a “perceptual hash” of each sound. Unlike cryptographic hashes, which typically produce vastly different ciphertext when even tiny changes are made to the plaintext input, pHash outputs vary minimally when generated by similar-sounding words. By comparing the perceptual hashes of the collected sounds to a table of hashes, the team could make educated guesses about which words were being included in the audio tests. But they ultimately scrapped the technique because its level of accuracy didn’t break 30 percent.

The hackers eventually devised a machine-learning algorithm that produced significantly better results. Their neural network was seeded with data from 50,000 reCAPTCHA utterances along with human-generated input for each corresponding word. They then combined the tool with a separate attack that exploited another weakness they discovered in the audio version—namely its habit of repeating the same challenges verbatim in pseudo-random fashion. By using cryptographic hashes to fingerprint 15 million of the estimated 25 million challenges in reCAPTCHA’s repertoire, their attack was able to crack most of the tests.

“The majority of the time, we can look at the challenge and not do any computation at all,” Adam said. “It takes less than a second to get an answer with the MD5 solver.”

Their attack became all the more effective after discovering that Google’s audio CAPTCHA accepted multiple spellings for many of the challenges based on the approximate phonetic sounds of each word. As a result, an audio test that included the word “boat” could be solved by entering “boat,” but it could also be solved by entering “poate.” Similarly, a test that included the word “plate” could be solved by entering “plate,” but it too could also be solved by entering “poate.” Tests for words that included “Friday,” “fairy,” or “four” were also solved by entering “Friay.” By fashioning the same alternate spelling for a variety of different sounding words, the hackers could pare back the number of guesses required to solve a specific puzzle, a technique crackers call “reducing the keyspace.”
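The two design weaknesses described above (challenges served verbatim more than once, and answer checking loose enough that one spelling passes for several words) can be measured by the operator of a challenge system. The following is an added example, not code from the article or from the Stiltwalker authors; the edit-distance matcher is an assumed stand-in for the phonetic matching the article describes, and all sample data is constructed.

```python
import hashlib
from collections import Counter

def repeat_rate(served):
    """Share of served challenges that are byte-identical to an earlier one."""
    counts = Counter(hashlib.sha256(blob).hexdigest() for blob in served)
    return sum(n - 1 for n in counts.values()) / len(served) if served else 0.0

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[len(b)]

def exact_accept(word, answer):
    """Strict verifier: only the exact word (case-insensitive) passes."""
    return word.lower() == answer.lower()

def lenient_accept(word, answer, slack=2):
    """Assumed lenient verifier: tolerates up to `slack` character edits."""
    return edit_distance(word.lower(), answer.lower()) <= slack

def ambiguous_answers(vocab, answers, accept):
    """Answers that the verifier accepts for more than one vocabulary word."""
    hits = {}
    for answer in answers:
        words = sorted(w for w in vocab if accept(w, answer))
        if len(words) > 1:
            hits[answer] = words
    return hits

# Constructed sample data: stand-ins for served audio clips and a tiny vocabulary.
SERVED = [b"clip-A", b"clip-B", b"clip-A", b"clip-C", b"clip-A"]
VOCAB = ["boat", "plate", "seven", "garden"]
ANSWERS = ["boat", "plate", "poate"]

if __name__ == "__main__":
    print("repeat rate:", repeat_rate(SERVED))
    print("exact  :", ambiguous_answers(VOCAB, ANSWERS, exact_accept))
    print("lenient:", ambiguous_answers(VOCAB, ANSWERS, lenient_accept))
```

A non-zero repeat rate means a challenge can be recognised by its fingerprint alone, and any entry in the lenient result marks an answer string that shrinks the effective answer space.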

In the end, the hackers said their computer-generated attack solved 17,338 out of 17,495 challenges they attempted, a success rate of 99.1 percent. At one point, the attack was able to deduce answers to 847 tests in a row before being tripped up. More details of the hack are here.

The Googleplex strikes back

About two hours before the hackers were scheduled to present the attack on Saturday at the Layer One security conference, Google engineers revamped reCAPTCHA. Suddenly, Stiltwalker, which the hackers had carefully kept under wraps, no longer worked. Adam told me that he has no proof anyone tipped off Google employees—but he doubts the timing was coincidence.

The updated reCAPTCHA system uses a human voice uttering unintelligible sounds as background noise, making it impossible for Stiltwalker to isolate the distinct words included in each audio challenge. The puzzles have also been expanded from six words to ten words and each challenge lasts 30 seconds, compared with only eight seconds under the previous reCAPTCHA.

A Google spokesman declined to offer specifics of the reCAPTCHA upgrade beyond issuing a statement.

“We took swift action to fix a vulnerability that affected reCAPTCHA,” it said, “and we aren’t aware of any abuse that used the techniques discovered. We’re continuing to study the vulnerability to prevent similar issues in the future. We’ve found reCAPTCHA to be far more resilient than other options while also striking a good balance with human usability. Even so, it’s good to bear in mind that while CAPTCHAs remain a powerful and effective tool for fighting abuse, they are best used in combination with other security technologies.”

While the changes stymied the Stiltwalker attack, Adam said his own experience using the new audio tests leaves him unconvinced that they are a true improvement over the old system.

“I could only get about one of three right,” he said. “Their Turing test isn’t all that effective if it thinks I’m a robot.”

How a trio of hackers brought Google’s reCAPTCHA to its knees | Ars Technica.