“Enforcing Python’s engines, I wrote a script that generates some nicely crafted unique Http requests, one after the other, generating a fair load on a webserver, eventually exhausting it of resources. this can be optimized much much further, but as a proof of concept and generic guidance it does its job. As a guideline, the main concept of HULK, is to generate Unique requests for each and every request generated, thus avoiding/bypassing caching engines and effecting directly on the server’s load itself.”

In order to confuse the target Web server as thoroughly as possible, Shteiman has included a number of different features in HULK, including the ability to hide the actual user agent and obfuscate the referrer for each request. In his own tests, Shteiman said that the attack tool had no trouble taking down a target server within a minute or so.

“Basically my test web server with 4gb of Ram running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host,” he said.

The framework has also recently received an update but, most important of all, has also received a very prominent backer: Microsoft.

“Even though many vendors have followed Microsoft’s lead in providing comprehensive security updates to customers, the formats vendors use vary. CVRF provides the entire industry with a way to share and present data in a coordinated and structured manner,” stated Mike Reavey, Senior Director with Microsoft Security Response Center, and announced that Microsoft has presented the latest monthly security updates (released on May 8) in the CVRF format.

Extolling the virtues of the format, Reavey pointed out that even though home-computer users or small businesses haven’t got much use for it, big businesses could do without continually “copying and pasting” Microsoft’s security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list.

“For these customers, this machine-readable format may enable more efficiency and automation. Faster and more efficient guidance for these customers means they can more quickly ensure protection, which is always our goal,” he wrote, and added that Microsoft’s bulletins will continue to be issued also in the current format for those who don’t require automation.

The steps to conduct similar attacks are:

• Collect a large number of URLs from the targeted website. Preferably big media files (jpg, pdf, mpeg and similar)
• Put these URLs in a Google feed, or just put them in a Google Spreadsheet
• Put the feed into a Google service, or use the image(url) command in Google spreadsheet
• Sit back and enjoy seeing Google launching a Slashdot-style denial of service attack against your target

Nasty.

Internet criminals are sidestepping the need to launch DDoS attack from large networks of malware-compromised bot PCs by using simpler server ‘booter shells’, mitigation firm Prolexic has warned.

America’s 10 most wanted botnets

‘Booter shells’ or plain ‘booters’ are simple PHP, .ASP or Perl script template files planted on compromised servers to direct Get/Post commanded HTTP floods to overload target servers.

As Prolexic explains in its advisory, the approach has several advantages over conventional botnet DDoS attacks, starting with technical simplicity. Even non-technical users can place them on hosted or compromised servers, building a bot from individual servers with up to 1,000 times the capacity of a single PC.

Internet criminals are sidestepping the need to launch DDoS attack from large networks of malware-compromised bot PCs by using simpler server ‘booter shells’, mitigation firm Prolexic has warned.

America’s 10 most wanted botnets

‘Booter shells’ or plain ‘booters’ are simple PHP, .ASP or Perl script template files planted on compromised servers to direct Get/Post commanded HTTP floods to overload target servers.

As Prolexic explains in its advisory, the approach has several advantages over conventional botnet DDoS attacks, starting with technical simplicity. Even non-technical users can place them on hosted or compromised servers, building a bot from individual servers with up to 1,000 times the capacity of a single PC.

What follows is a list of the best advice from security gurus, network administrators, and those responsible for securing company information. The lessons were passed down to them from real-world experience, a supervisor, an industry colleague, or in one case, a complete stranger.

Tip #1: Security must enable business, not prevent it

“I don’t know anything about what you do, for all I know, you are doing your job perfectly, but you have disabled my ability to do my job,” said a company executive to Stewart Allen, now an Information Security Consultant at Metrolinx.

Great list.

This adds up to a disturbing conclusion: China’s manufacturing rise has been illegally aided. Many advances are certainly due to the PRC’s own strengths; others stem from voluntary cooperation by foreign partners. But it is all too easy to find examples of Chinese theft that correspond well to spurts in manufacturing capability in advanced electronics, energy, autos, etc.

A Disturbing Trend

2001: Two people funded by state-owned Datang Telecom indicted for stealing secrets from Lucent.[1]

2002: Two people funded by Hangzhou city government indicted for stealing secrets from four firms.[2]

2003: PetroChina employee arrested for attempting to steal seismic imaging software from Silicon Valley firm (later pled guilty).[3]

2004: Canada’s Nortel discovers that China-based hackers have compromised its entire network.[4]

2005: Chinese national working at U.S. unit of Dutch firm AkzoNobel begins stealing material needed to replicate advanced industrial coating.[5]

2006: Two people indicted for stealing proprietary information from auto parts maker Metaldyne and seeking to pass it to Chinese firms.[6]

2007: Chinese national employed by Dow begins transferring trade secrets to Chinese government-controlled institutes.[7]

2008: Former DuPont employee picked by state-owned Pangang to make titanium dioxide, supposedly using DuPont production method (later pled guilty to espionage).[8]

2009: Ford Motor employee arrested for stealing trade secrets—later found guilty—supposedly on behalf of Beijing Auto.[9]

2010: Dozens of multinationals disclosed as targeted in China-based hacking of Google.[10]

2011: American Superconductor sues top Chinese turbine maker Sinovel for stealing software used to drive wind turbines.[11]

2012: NSA director acknowledges that China-based hackers compromised a company that provides computer security services to defense firms such as Lockheed Martin.[12]

---

[1]News release, “New Indictment Expands Charges Against Former Lucent Scientists Accused of Passing Trade Secrets to Chinese Company,” U.S. Department of Justice, April 11, 2002, at http://www.justice.gov/criminal/cybercrime/press-releases/2002/lucentSupIndict.htm (accessed April 9, 2012).

[2]News release, “Pair from Cupertino and San Jose, California, Indicted for Economic Espionage and Theft of Trade Secrets From Silicon Valley Companies,” December 4, 2002, at http://www.justice.gov/criminal/cybercrime/press-releases/2002/yeIndict.htm (accessed April 9, 2012).

[3]Rachel Konrad, “Chinese Man Sentenced to 2 Years for Silicon Valley Fraud,” Associated Press, December 18, 2004, at http://www.usatoday.com/tech/news/computersecurity/2004-12-18-corp-spy_x.htm (accessed April 9, 2012).

[4]CBC News, “Nortel hit by suspected Chinese cyberattacks for a decade,” February 14, 2012, at http://www.cbc.ca/news/world/story/2012/02/14/nortel-chinese-hackers.html (accessed April 9, 2012).

[5]Ann Woolner et al., “The Great Brain Robbery,” Businessweek, March 15, 2012, at http://mobile.businessweek.com/articles/2012-03-14/the-great-brain-robbery (accessed April 9, 2012).

[6]David J. Lynch, “FBI Goes on Offensive Against China’s Tech Spies,” USA Today, July 25, 2007, at http://www.usatoday.com/money/world/2007-07-23-china-spy-2_N.htm (accessed April 9, 2012).

[7]News release, “Chinese National Pleads Guilty to Economic Espionage and Theft of Trade Secrets,” October 18, 2011, at http://www.justice.gov/opa/pr/2011/October/11-crm-1372.html (accessed April 9, 2012).

[8]Karen Gullo, “Former DuPont Worker Pleads Guilty in Economic Espionage Case,” Businessweek, March 2, 2012, at http://www.businessweek.com/news/2012-03-02/former-dupont-worker-pleads-guilty-in-economic-espionage-case (accessed April 9, 2012).

[9]China Daily, “Ford Engineers Yuxiang Dong China Steal Secrets Jailed for 70 Months,” April 14, 2011, at http://www.china-daily.org/China-News/Ford-engineers-Yuxiang-Dong-China-steal-secrets-jailed-for-70-months/ (accessed April 9, 2012).

[10]Kim Zetter, “Google Hack Attack Was Ultra Sophisticated, New Details Show,” Wired, January 14, 2010, at http://www.wired.com/threatlevel/2010/01/operation-aurora/ (accessed April 9, 2012).

[11]Ed Crooks and Leslie Hook, “American Superconductor Sues Chinese Group,” Financial Times, September 15, 2011, at http://www.ft.com/intl/cms/s/0/df685246-df17-11e0-9af3-00144feabdc0.html#axzz1qvfY4yzA (accessed April 9, 2012).

[12]Jason Mick, “NSA: China Is Destroying U.S. Economy Via Security Hacks,” DailyTech.com, March 28, 2012, at http://www.dailytech.com/NSA+China+is+Destroying+US+Economy+Via+Security+Hacks/article24328.htm (accessed April 9, 2012).

It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the F.B.I. (and its lead agent on cybercrime), told Congress last week of an American company that had all of its data from a 10-year, $1 billion research program copied by hackers in one night. Gen. Keith B. Alexander, head of the military’s Cyber Command, called the continuing, rampant cybertheft “the greatest transfer of wealth in history.

Idea: any U.S. position that deals with sensitive IP should require that you can get a government clearance. And in order to get such a clearance you’d have to NOT be a threat for sharing information with any country that is known to be ACTIVELY and AGGRESSIVELY pursuing U.S. secrets via hire-and-steal tactics.

Problem addressed.

Racism? No. This is country and government based–not race. Japan? Fine. Korea? Fine. It’s China that’s the threat here, and if that were to stop then this would be lifted.

Until then, sorry. The people that lose their job opportunities as a result then become victims of the Chinese government–not ours. They’re playing dirty, and we must stop letting our politically correct tendencies hamstring us while our enemy watches with smiles on their faces.

On Friday, we heard the news that payments processor Global Payments was hit with a massive security breach involving MasterCard and Visa cardholders. At the time it was unclear the reach of the security issue, which was being investigated by the U.S. Secret Service. Tonight, Global Payments reports that those cards affected in the breach processing system were confined to North America and up to 1.5 million card numbers may have been exported. Visa had originally pegged that number at around 50,000 cards stolen.

In one of the flaws the researchers exposed, for example, not all websites confirmed that a verification coming from OpenID included all of the items the website asked to be confirmed, such as the first name, last name and email address. The researchers were able to access the request, delete one piece of requested information (the email address, for example) as it went to OpenID and simply re-insert it in the signed okay from OpenID. In this way, even a hacker who didn’t control the email address linked to the user’s account on the website in question could log in, and potentially make purchases, using that person’s account.