CleanTalk's blog

    Sign up

    Category: Security

    • CleanTalk, the launch of WordPress security

      While developing the Anti-Spam service, we often encounter other issues related to the security of websites. The most common questions were about brute force attacks. In addition to problems with the selection of passwords for the administrator account, often brute force attacks cause a high load on the server, and users receive notification from the hosting about exceeding the allowed load values for the processor.

      We thought if we are receiving such requests, why don’t we solve them? Since tasks relate to security functions, the decision to launch a separate security service was obvious.

      At the moment, the Security service is developed only under WordPress, there are several reasons for this: the greatest demand, a large number of websites use this particular CMS, the complexity of the development of several CMS.

      Despite the fact that anti-spam protection is a part of security, we decided to split these two services. There are several reasons for this:

      1. Complication of the plugin, which leads to increased errors, compatibility issues with other plugins/themes
      2. Promotion by search queries
      3. Easier development and independent release of updates
      4. The interface of the plugin is not complicated by a bunch of additional options that are not needed if the user uses only one function
      5. A separate management interface and logging in the control panel CleanTalk

      We decided to start with the implementation of protection against brute force attacks and further gradually expand the functionality.

      Protection from brute force attacks – implemented by adding delays between incorrect authorization attempts. A delay of 3 seconds is set for the first attempts, for a subsequent one in 10 seconds. If there were 10 unsuccessful attempts of authorization within an hour, the IP address will be added to the FireWall database for 24 hours. To protect against hackers trying to find a password for your account, this is enough, since they significantly increase the time between attempts, and they can be tens or hundreds of thousands. All logs of access attempts are available in the weekly report and in the service control panel, which allows you to quickly add IP addresses to the FireWall blacklist. Protection against brute force attacks extends only to users with administrator rights.

      Traffic control – allows you to view information about visitors, such as:

      • IP
      • Country
      • Date/time of the last query
      • The number of allowed/blocked HTTP requests
      • Status-banned or allowed
      • The URL of the page visit
      • User Agent

      Another option in traffic Control — “Block visitor if the number of requests is greater than” – blocks access to the site for any IP that exceeds the number of HTTP requests per hour. The number of requests can be set in the settings, the default is 1000. If the IP is exceeded, the Firewall will be added to the Blacklist for 24 hours.

      This will help solve the problem of DoS attacks on the site when a large number of HTTP requests are sent to the site, because of which it stops responding or starts to work very slowly. This situation is possible because of a massive brute force attack.

      Audit log – allows you to monitor the actions of users in the admin WordPress, keeps a log of visits to pages with the date/time and length of stay. Allows you to monitor the actions of administrators and unauthorized access and in case of problems to understand where by whom and what changes have been made.

      Malware Scanner – scans WordPress files, plugins and themes for malicious code and changes. If the changes in the files were made illegally, it allows you to restore the original files.

      Automatic scanning takes place every 24 hours, and you can also start it manually.

      Security FireWall – blocks access to the site for POST/GET requests by IP addresses. Base IP addresses for the FireWall is generated from our database of blacklists CleanTalk. It is possible to get IP addresses that have a high spam activity or was seen in attempts brute force attacks. It is possible to use their own blacklists, both for individual IP addresses/subnets and by country. Due to this, it is possible to reduce the load on the website or to block a DOS attack.

      Ready to release:

      • outbound link scanner
      • checking links against a database of domains that are promoted with spam
      • protection from XSS and SQL injections

      Development notes

      Everything was written from scratch, not peeking at other solutions. This was done specifically to not to pick up other people’s mistakes and to develop your own vision for the application.

      Further development for other CMS is planned, so it was decided to develop a modular design. Use an object-oriented approach and everything like that. Of course, in the process had to solve various problems that do not fit into this concept and did not do without a workaround.

      As a result, there are several classes that without significant improvements can be used on other CMS (including self-recording), using a couple of wraps, for example for the database.

      Was written our own class Cron is not dependent on Cron WordPress. Still, the application for security and should not rely on functionality that may or may not work, or which may interfere with the work of third-party developers.

      To implement heuristic code analysis, we have written our own code minimizer parser, which will continue to develop. With it, you can track dangerous variables, functions, constructions. Not sure if other plugins/anti-viruses/applications use similar solutions (probably not), but this pros and cons of independent development, our approach may have turned out unique.

      Example of the “minimizer”:

      Source code:

      <?php
	//$some = 'n'.'o'.'t'
	$some = 's'.'o'.'m'.'e'; // String concatenation
	$stuff = 'stuff';
	
	$first = 'first';
	$func = 'func';
	
	$first_func = $some."$first$func"; // Variable replacement
?>
$some = 'n'.'o'.'t';
<?php
	// Variable replacement
	$i = 'i';
	$c = 'c';
	$o = 'o';
	$co = $c.
	// some obfuscating comment
	$o;
	$ico = $i/* some obfuscating comment */.$co;
	
	require($some.'_'.$stuff.'.'.$ico);
	require($some.'_'.$stuff.'.php');
	require($some.'_'.$stuff.'.p'.$ico);

	$first_func();
?>

      Result:

      <?php $some='some';$stuff='stuff';$first='first';$func='func';$first_func='somefirstfunc';$i='i';$c='c';$o='o';$co='co';$ico='ico';require'some_stuff.ico';require'some_stuff.php';require'some_stuff.pico';somefirstfunc();?>

      If you bring in a more understandable form:

      <?php 
	$some='some';
	$stuff='stuff';
	$first='first';
	$func='func';
	$first_func='somefirstfunc';
	$i='i';$c='c';$o='o';
	$co='co';
	$ico='ico';
	require'some_stuff.ico';
	require'some_stuff.php';
	require'some_stuff.pico';
	somefirstfunc();
?>

      Some things that it can do: do concatenation, substitute variables, track the origin of variables (let’s say if they use unreliable $ _POST and $ _GET), track and check the file connections (include, require) for various parameters and much more. We can say that this is the basis on which the functional will be added.

      Especially I did not like to support WPMS, because for each functional I had to make exceptions taking into account whether the main site is this, whether the user of the secondary site inherits the key from the main site or enters his own access key, whether the secondary site allowed to activate plug-ins and the like. Unfortunately, we had to remove part of the functionality for WPMS and secondary sites due to non-compatibility.

      In general, it turned out a beautiful application in places from the point of view of the code, which we will develop in the future.

      The plugin itself can be found in the directory.

    • Checking Outbound Links with CleanTalk Security

      Checking Outbound Links with CleanTalk Security

      Outbound links have an effect on your SEO and when search crawls your web pages all of the outbound links may be an important thing for page ranking.

      We have added the option “Scan outbound links” in our WordPress Security Plugin.

      This option allows you to let know the number of outgoing links from your website and websites on which they linking to. All websites will be checked by our Database and will show results if they were used as links in spam messages. It allows you to check your website and find hidden links or spam links.

      You should always remember if you have links to other websites which have a bad reputation, it will be able to have an effect your on visitor’s trust and your SEO.

      To launch External Links Check go to your WordPress admin panel -> Settings -> Security by CleanTalk -> General Settings and pick Scan Links option. Next step, go to the tab “Malware Scanner” and press the button “Perform Scan”.

      The first step in the scanning is searching for malware in WordPress files, the second step is searching for links in your whole website including theme files, posts, and comments.

      The result of the scanning will be the list of each link you have. You can look it through and decide what links are unnecessary and delete them.

    • ‘WordPress Security by CleanTalk’ Review– Is it Potent Enough to Safeguard you?

      ‘WordPress Security by CleanTalk’ Review– Is it Potent Enough to Safeguard you?

      WordPress is a very popular open source website creation tool. But this is not only a blogging platform, WordPress is an open source content management system used by millions of people worldwide. It is popular mainly because WordPress is very easy to use and easy to start with. Also, very good support from WordPress itself and different forums are available. According to a research, more than 22.5% of the websites are powered by WordPress in 2017.

      Due to its huge popularity and continuous growth as the world’s most used CMS, WordPress is naturally vulnerable to security threats and attacks. WordPress security attacks from the very beginning are handles by WordPress security releases. But there is new type of attacks is coming in the picture every day and everything does not come under WordPress Security Release. Here comes the WordPress Security Plugins.

      WordPress Security by CleanTalk is one of the most important security plugins which helps your WordPress site protected and secured from the Brute Force attacks by creating a firewall. Check out what kind of attacks your website may face and how can you secure yourself from these attacks:

      Why does a WordPress site is attacked anyway?Why does a WordPress site is attacked anyway?

      There is a cut-throat competition in the market in any venture and everyone wants to get the success at the end of the day. Due to the huge pressure, hackers want to access your website to get all the sensitive information, block your access from the site, redirect your users to any other malicious websites, remove or delete your user and all the content from the website or simply use the backlinks from your website. Stealing your backlink information and using it in their website will just improve their page ranks in any search engine.

      Most of the popular websites get thousands of attacks every week or even every day.

      How does a good security plugin work to prevent a different type of attacks on a WordPress site?

      There are several types of security attacks a WordPress website gets every day. A good security plugin applies optimized algorithms to prevent those vulnerabilities and keep the website secure. Following are some form of security threats a WordPress website gets:

      1. Malicious Software: After hitting your website, hackers leave some malicious software or script, also known as malware into your website. Your security plugin should scan all the files, contents, data files, database, changes in the DNS, comments or any kind of post to find out the malicious code that could possibly be hidden in the website’s source code, or URL. These malwares are scanned and removed by the WordPress security plugin.

      2. Brute Force Attacks: This type of attack is performed using permutation and combination of possible login information. Hackers attempt to log in to the website using thousands of possible username and password combination through automated scripts. Security plugins block the users with the attempt of too many login attempts or clicking on forgot password option. It also prevents WordPress from giving sensitive information like username or password hints etc. or multiple entry point options to the hackers.

      3. Zero Day Exploits: There are some obvious vulnerability issues in WordPress websites or any kind of website. Hackers attack those using bots. The security plugins use known algorithms and security firewall for these already published vulnerabilities and stop them.

      4. Spear Phishing and Social Engineering: Spear phishing & social engineering are among some techniques through which hackers can crack the most difficult password too. Security plugins provide a two-factor authentication which can neutralize the risk of password cracking. This facility is used by banks, financial institutions or websites with very sensitive data.

      5. Rate Based Throttling: This type of attack is the most critical type till date. Hackers overwhelm your website, database, servers and network, all resources using bots or automated scripts. This will prevent your genuine customers from accessing your website and search engine crawlers. Also, script crawlers aggressively crawl the website to overwhelm the website contents and resources. Security plugins provide security through IP blocking. If access request exceeds the accepted threshold of a maximum number of requests from any IP address, security plugin blocks that specific IP address. It also prevents the bot crawlers from aggressive crawling.

      6. Country attacks: Hackers using IPs of different countries and networks attack the WordPress websites to find vulnerabilities and overwhelm its resources with aggressive crawling. Security plugins use the same mechanism as rate based throttling, blocks the specific countries from accessing the website.

      7. Password Cracking: Security plugins use password auditing to find out the password of your admin account is weak or strong; suggest changing the password or making a rule to change the password monthly etc. This will prevent attackers to use password cracking or brute force attacking using the similar script.

      8. Spam Ads: Hackers often use the website they have compromised to post spam ads. These ads include a link to some other malicious website or simply a virus to download. Security Plugins scan your site regularly to check if there is any kind of spam ad that has been posted, identify and remove it.

      9. Hacker Reckon: Hackers find vulnerabilities using the information like software version, operating system version, and software installed etc. and security plugin prevents your WordPress website from giving this information anyhow to these hackers.

      What is WordPress Security Plugin by CleanTalk? 

      WordPress Security Plugin by CleanTalk is a premium security plugin for WordPress Site. This is an end to end protection system for a WordPress site which helps to prevent and securing a site from brute force attacks, brute force account counting, blocking IPs and users using a firewall, providing security for WordPress forms and backend filter malicious IPs, networks or countries.

      It also sends daily security logs, audit logs and reports through emails to the users so that user can analyze and monitor vulnerabilities to their WordPress Websites.

      How to Install Security Plugin by CleanTalk?

      Installation of Security Plugin by CleanTalk is very easy both through the automated and manual way. Following are the steps to follow to install WordPress Security by CleanTalk into your WP.

      Automated Installation

      1. Go to ‘Plugin’ option at the left panel of your WordPress and click on it.
      2. Search ‘WordPress Security by CleanTalk’.
      3. It will show the plugin on the page.
      4. Click on ‘Install Now’ button.
      5. Now click on the ‘Activate’ button
      6. Click on ‘Get access key Automatically’
      7. This will take you to the ‘Security Log’ page of the plugin.
      8. Click on ‘Save Changes’ option.

      Manual Installation

      Installation can be done manually too.

      1. You need to go to ‘https://wordpress.org/plugins/security-malware-firewall/#description’ and click on Download button.
      2. Zip file with an Installer will be downloaded. Save the installer and login to your site’s WP Admin.
      3. Click on ‘Add New’ button and then click on ‘Upload Plugin’
      4. Select the Zip file from the Dialog Box and click OK.
      5. The plugin will be installed. Then click on Activate
      6. The rest of the steps are similar.

      Features of WordPress Security Plugin

      Brute force attacks

      Brute force attacks are very different from cracks or in layman words ‘hacks’. Brute force attackers try to login into the WP admin using the easiest method of login, i.e., the username and password. They use permutations and combinations of common and most possible username and password to try logging in until they are successful. The easiest attack is the weakest link and username like ‘admin’ and password like’12456′.

      1. Brute force attacks come from different countries and IPs. If you have single access and IP, it is easy to block all the IPs other than your IP using the .htaccess file. But, if you have multiple users, log in from multiple locations, it is very difficult to identify the IP of the attacker and prevent it.
      2. WordPress Security plugin, blacklists all the IPs and users with too many attempts of login, scripts, failed attempts of forgot passwords. It also prevents WordPress from providing users multiple login points and giving away login information to the hackers. WordPress security plugin blocks or locks out any user who is using an invalid username and password.
      3. It sends email to the user as soon as a brute attack attempt is done. It also shows the attacker’s IP, location, and country through the email.

      Cleantalk Security Log

      Along with the plugin, Cleantalk security log is the additional feature which helps the user keep track on the logs for different events performed on their website.

      The security log consists of Date, Status, IP, Country and other details for the Admin Login for the user’s website for events like Login, Logout, Invalid Username, Invalid Email, Authentication Failed and Invalid Email. Logs can be filtered for different services like Anti- Spam, Hosting Anti-Spam, Database API, Site Security or SSL Certificates.

      Email Notifications

      Email notifications are very important and must have feature for any security firewall to have. Emails are sent to registered admin user’s email whenever an activity is logged in a WordPress site. WordPress Security by Cleantalk sends email for the following activities:

      Admin Login:
      It sends email to the registered admin user’s email so that the user is aware that an admin login has taken place on his website.

      New installation and Signup:

      Cleartalk WordPress Security plugin sends a notification to the user’s email when he installs and signs up for the plugin.

      Access Key:

      Email notification is sent when a user opts to get access key manually.

      Daily Security Report:

      Daily security Report email notification is sent to admin user which includes information about the SITE Time, Username, IP and Country and a number of brute attacks, failed login and authentication failures have taken place.

      CleanTalk Security Firewall

      The WordPress Security plugin security firewall works like a fence against the security attacks to a WordPress website. It uses CleanTalk database of bad IP’s and blocks the vulnerabilities from compromised IP’s. Firewall runs even before other codes run including the WordPress site and this prevents the security threats to attack the WordPress site. The firewall shields the site and blocks the threats even before they appear.

      And provides the WordPress sites security features like

      • Personal Blacklist Management
      • Country and IP blocking
      • Protection from aggressive users and web crawlers

      Traffic Control Analysis

      Traffic analysis is one of the important features for any WordPress website, in terms of security and CPU overloading. From which IP, country and location traffic is coming, the users that are online, who is on your page and how much time they have spent, etc. information is easily provided by the WordPress Security Plugin to the admin user.

      Unlike other plugins, it enables traffic control analysis to all the visitors even if they have not enabled javascript in their browsers. It gives information about visitors on traffic parameters like:

      • Date and Time of the visit to the website
      • Visitor’s spent time on the website
      • Source Country
      • Visitor’s IP Address
      • Browser
      • Operating System and version
      • Type of the visitor – Person, Bot, Search Bot or suspicious bot, script etc.
      • Number of page hits

      Cleartalk Traffic control can block the IP addresses from any country or any network from the interface itself. IP addresses will be automatically blocked by the Traffic Control if they exceed the threshold of the average page visit quantity. This helps the monitoring and blocking of the traffic real time.

      BlackIP Database

      This is the new feature launched by CleanTalk. BlackIP database is the collection of blocked or blacklisted IP addresses. This database helps to analyze which type of IPs, locations or countries from which the most frequent brute attacks come from. You can also manage the blacklisted IPs from your CleanTalk Dashboard-> “Use CleanTalk Database of Dangerous IP Addresses”. If you want to add an exception to your blacklisted IP addresses, you may add any IP to the whitelist IPs and it will not be blocked.

      Generic Tips and Tricks to keep your WordPress website safe:

      Other than using CleanTalk’s WordPress Security plugin and its advanced features, you can use these simple tricks to keep your WordPress website safe and secure all time:

      • Use email for login other than username. Usernames are easy to predict but hackers can’t easily guess any unique email ID. WordPress use unique email Id as login identifier for each user.
      • The default login URL for all the websites are similar. For example: wp-login.PHP, /wp-admin/ etc. You should change them to something your unique and own. This will prevent the hackers to get the admin logged in page’s URL or the dashboard URL.
      • Password of a WordPress site should consist capital letters, small letters, numeric and all type of symbols. Generally, an eight character password is considered as a strong password. Make it 16, it will be stronger and permutation and combination will be difficult.
      • Secure the WP-Admin directory from getting accessed by hackers.
      • SSL should be used to encrypt your sensitive data.
      • If your site has multiple admins, add them carefully after thorough scanning.
      • Admin username should not be kept as “Admin”.
      • Keep backup of your site regularly. You may buy professional services for backup and recovery routine.
      • Protect your wp-config.php file from hackers by keeping it one step higher than the root directory.
      • If you have multiple admin access, just do not allow the dashboard to be edited, by changing it in the wp-config.php file.
      • You should disable the directory listing using .htaccess.
      • Update your plugins and themes regularly.
      • Do not download or install any theme from an unknown site or provider. You do not know what is written in their code.
      • Plugins and WordPress itself should be updated regularly to get all the new security features.
      • Last but not the least, take precaution before installing any plugin. You should check the documentation, ratings, and reviews before installing them and that should be from a trusted source.

      Conclusion

      WordPress Security Plugin by CleanTalk is one of the best world-class security plugins for WordPress which facilitates your WordPress Website an end to end security solution and helps to grow your business without getting the headache of being attacked. CleanTalk’s Security Feature plugin is regularly updated with new features to cope with the new type of attacks and threats and to provide you smooth and flawless security services. Follow the tips and tricks and install a good security plugin will provide all round your WordPress website.

    • CleanTalk Traffic Control — analyze web traffic in real-time

      CleanTalk Traffic Control — analyze web traffic in real-time

      We are happy to inform you about launching our new feature for the WordPress CleanTalk Security plugin.

      One of the most important component of Traffic Analysis is ability to monitor traffic in real time.

      Tracking of your website activity in real time. You can see how many visitors of your website or blog are online and what pages they are on, plus how much time they spent being there.

      Many tools only track traffic of visitors who enabled JavaScript in their browsers, thus they are not capable to show you the whole picture. CleanTalk Traffic Control will track every single visitor no matter if they are using JavaScript or not and provides many valuable traffic parameters such as:

       • Date and time of the visit to your website;
       • Spent time on your website;
       • IP-addresses;
       • Source country;
       • Browser;
       • Operational System;
       • Type of the visitor — Visitor, Search Bot, different bot, suspicious bot and so on;
       • A number of visited pages.

      Abilities:

       • Block specific IP-address, network or country directly from the interface.
       • Block IP-address automatically if the threshold of average quantity of visited pages was exceeded.

      This is great monitoring tool to see attacks in real time and to block them if necessary.

    • AI will play an increasing role in online security

      AI will play an increasing role in online security

      Neural Networks were introduced as far back as the 40’s of the 20th century and first works about them started in the 50’s. Nowadays this technology is being used in different fields. We believe that the CleanTalk machine teaching technologies of spam detection could be upgraded with the help of Artificial Intelligence and the CleanTalk features could be expanded to define an emotional aspect of a comment.

      Theoretical researches of spam filtering with Neural Networks say that these algorithms could achieve 100% efficiency.

      The CleanTalk Company has started to develop Neural Networks Algorithms for spam presence analysis of comments and messages which could provoke negative effects, rudeness, abuse or fraud in discussions.

      There is a big data safety problem in online security. There are too much data to process anomalies that could be the signs of spambots presence.

      There are about 1.5 millions of requests the CleanTalk Cloud processes every day and each request contains set of about 40 parameters. The Cloud uses them to decide whether a request should be approved or blocked so AI could improve our possibilities in spambot patterns detection.

      We intend to supplement technology of spam protection and moderation with more reliable feature and take into account such things as slang, typos, context and other traits of a visitor behavior.

      About CleanTalk

      CleanTalk is a SaaS spam protection service for Web sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site. Their solutions are reliable, easy and efficient. The module is completely invisible to the visitors and allows you to permanently abandon the ways of protection that impede the communication of visitors to the site (CAPTCHA, question-answer, etc.). CleanTalk allows you to automate protection against distributed from spam and registration spam bots.

      The CleanTalk team has been developing a cloud spam protection system for 5 years and has created a truly reliable anti-spam service designed for you to ensure your safety.

    • Email Notifications when administrators are logged in

      Email Notifications when administrators are logged in

      Do you want to receive a notice each time a user with administrator rights is logged into the WP Dashboard?

      We added this option to our security plugin. Now you can receive notifications if you want to know about an unauthorized entrance to your WP Dashboard.

      Notification will be sent only when a user was able to authorize entering login and password. If you are logged into the admin panel from the saved session, then the alert won’t be sent.

      You can enable the option “Receive notifications for admin authorizations in your CleanTalk Dashboard. Choose “Site Security” in the “Services” menu, then click “Settings”.

      Download Security & Firewall by CleanTalk.

    • Strengthening brute force protection

      We added the new logic to prevent brute force attacks. Service will check your log in status once per hour and if some IP’s have 10 and more attempts to log in, then these IP’s will be banned for next 24 hours.

      It makes the brute force protection tougher and doesn’t waste the server’s resources on these IP’s.

      Download Security & Firewall by CleanTalk.

    • New version of the Security Service by CleanTalk

      New version of the Security Service by CleanTalk

      As we informed CleanTalk launched its website security project. The service protects administrator control panel from brute-force attacks and records users’ actions.

      Since the 29th of November Security by CleanTalk has become the Cloud Service and now all main data will be available in The Service Dashboard. The cost of the service is $20 per year for 1 website.

      Switching to Cloud Data Storage allows to show more data and use the information more flexible thanks to different filters in your Dashboard.

      In the previous versions all data were being stored in a website database and big amount of information alongside with its operations would affect website speed, all this could give a result of bad website ranking of search engines. Cloud Data Storage is safer than website database. If an intruder could get access to your website then he could delete all data he might be traced with.

      Cloud Service provides data storage for the last 45 days including users action log, brute-force attacks statistics and successful backend logins and you can always get to know who and what actions were made if it is necessary.

    • DDoS on 600 GB/s as the democratization of censorship

      DDoS on 600 GB/s as the democratization of censorship

      Well-known American journalist Brian Krebs for a long time writes on the topics of information security, revealing the identity of dark speculators mainly from Eastern Europe. Over the years, Brian had to over pass through a lot. Evil Ukrainian hacker has gathered on the forums for two bitcoins to buy heroin and send it to Krebs by post, other hackers have sent a SWAT team into the house on call 911 supposedly his number, took out a loan for $20 thousand to his name, has transferred $1000 to his Paypal account with stolen payment card. The authors of malicious software mention Brian Krebs even in the code of their programs. What can we do, these are the costs of the work of journalists in the field of information security.

      Now Krebs has been targeted with new attacks. This time the attackers organized the most powerful DDoS-attack 600 Gbps on the website KrebsOnSecurity.com. A few days later the company Akamai gave up. To protect other customers, it brought out KrebsOnSecurity.com from under its protection.

      The attack began on the evening of Tuesday September 20. Initially, it had no effect thanks to the operational work of Akamai engineers. Traffic was filtered out, but experts Akamai have admitted that this attack was almost twice as powerful as the biggest DDoS ‘ and what they saw in life. And probably one of the biggest in the history of the Internet in general.

      September 20 at 20:00 the flow of garbage traffic reached 620 GB/s. This is more than enough to drop any website. Up to this maximum DDoS -ttack on Akamai resources was 363 Gbit/s.

      DDoS was not organized by the standard method with amplification of queries through DNS servers. Instead, most of the traffic consisted of packets of data generic routing encapsulation (GRE). Communication protocol GRE is used to establish direct P2-connections between network nodes. Such a large amount of traffic surprised the experts – it is not entirely clear hot the amplification is carried out. If amplification was not, it turns out that the attacker used to attack hundreds of thousands of infected machines. It’s some kind of record botnet. Perhaps it consists of IoT devices such as routers, IP-cameras and digital consoles (DVR).

      Brian Krebs is not offended by Akamai. For four years they are many times together with a subsidiary firm Prolexic protect it from DDoS-attacks. Just the current DDoS was too large. When it became obvious that the attack will affect other customers, the company Akamai in advance on September 21 at 16:00 warned Brian Krebs that he has two hours to go to another network, and at 18:00 they remove the protection.

      The company’s management later explained that otherwise the reflection of such an attack would cause them loss of millions of dollars. Perhaps the head is a bit exaggerated, but in fact protect against attacks of this scale really worth from $100 thousand to $150 thousand per year. They always defended Krebs for free.

      In order not to fail their host, the journalist asked to redirect all traffic to 127.0.0.1, and he tried to use the services of Project Shield — Google’s charity project, designed specifically to protect journalists from DDoS attacks. It turned out that this is ideal, so that on 25 September the site was back online and still works flawlessly.

      These events pushed Brian Krebs to philosophical thoughts about the nature of Internet censorship. He recalls the famous words of businessman and libertarian John Gilmore about the impossibility of censoring the Internet. Gilmore said: “the Network recognizes censorship as damage and avoids it.” Those are some great words that have been repeatedly confirmed by life. Even now in Russia can be clearly seen how ineffective censorship of the Internet. Attempts of Roskomnadzor and other censors to block specific network resources really perceives as damage to the integrity of its structure, as an anomaly in normal operation — and offers options to work around this anomaly.

      But this principle applies only in the case of “political” censorship, which is traditionally implemented by governments of different countries, limiting free access of its citizens to information.

      In the case of a DDoS-attack, we see another example of an attempt to “gag” an opponent, to silence him. Here the state is not involved. Censorship is implemented by the coordinated efforts of many people or bots. In this sense, we can say that a DDoS-attack is a “democratic” version of censorship when the majority imposes its will on the minority and silences the opponent (of course, to a true democracy, such actions are irrelevant).

      Brian Krebs believes that currently the greatest threat of censorship are just not the toothless attempts by state officials to ban something on the Internet (officials still understand absolutely nothing about technology and are not capable of inflicting significant damage), and namely acts of experienced professionals. Underground hacker community in recent years quietly turned into a powerful transnational organization, in whose hands is concentrated the enormous computer resources. These resources under certain conditions can turn into cyber weapon.

      It is difficult to imagine that the government of any country could organize a DDoS-attack with a capacity of 600 GB/s, it’s incredible. But transnational hacker community — can. In this sense, Brian Krebs speaks of “the democratization of censorship”.

       

      This text is a translation of the article “DDoS на 600 Гбит/с как демократизация цензуры”  published by @alizar on habrahabr.ru.

      About the CleanTalk service

      CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).

    • Vulnerabilities of CCTV systems allow hackers to create massive botnets

      Vulnerabilities of CCTV systems allow hackers to create massive botnets

      According to a statement from US-CERT, in the firmware of digital video products (DVR) AVer Information EH6108H+ found serious vulnerabilities that could allow attackers to easily get to them with remote access and even to form botnets.

      Vulnerabilities

      Security researchers have found three critical vulnerabilities. The first (CVE-2016-6535) is the presence of two hidden accounts to connect remotely. Each of them has root-rights, the password to access code written in the firmware — as a result, accounts cannot be disabled or removed from the system. As a result, an attacker who knows the IP specific camera can easily connect to it by Telnet.

      In addition, attackers can gain access to the admin panel and all without administrator passwords through an error in the authentication system (CVE-2016-6536).  To access the control panel, the hacker just need to go to the address [IP-device]/setup and choose the option “handle” — then the administrative page opens without a password. To access it, an attacker can change the device settings and even change the passwords for all users of the system.

      The third vulnerability (CVE-2016-6537) leads to the disclosure of confidential information — the problem occurs because of an error in the mechanism of processing user credentials.

      How to be protected

      According to a statement from US-CERT, at the moment there are no patches to fix discovered vulnerabilities. Manufacturer of AVer firmware on its website describes it as “no longer supported” (discontinued).

      The only effective way to prevent the attack using these holes is to limit access to devices through a firewall or network hardware setup.

      The extent of the problem

      The presence of simple-to-use vulnerabilities and “backdoors” in DVR devices is not news. Previously, Positive Technologies experts have found critical vulnerabilities and the so-called “master passwords” that allow attackers to easily get access to these devices, hundreds of thousands of which are available from the Internet. For example, problems have been found in video surveillance systems Samsung, as well as popular firmware DVR-systems used by many vendors.

      Also, not so long ago it became known that the worm BASHLITE were infected more than 1 million DVR devices — attackers formed them into botnets for DDoS attacks.

      Also earlier this year, researchers from the company Sucuri found the botnet of 25,000 Internet connected devices for video surveillance. In addition, the botnet to conduct DDoS attacks, consisting of infected Webcams was found by specialists from the Security Engineering and Response Team of the company Arbor (ASERT).

      It is important to understand that the attackers often do not need to apply a much effort to detect gaps in the protection of surveillance systems, because, as a rule, they contain the vulnerabilities which are very primitive.

      The situation is aggravated by the fact that the manufacturers of DVR-system often not themselves fully create firmware for their devices, and use third-party development. Such firmware can be distributed in various dubious ways, potentially, they may contain a hidden undocumented logic, about which manufacturers of the final DVR cannot know nothing at all.

      For example, our experts discovered vulnerabilities present in the popular firmware, which was used in its own way and complements many of the DVR manufacturers. Accordingly, vulnerabilities in these firmwares endanger a lot of different devices from different manufacturers.

      However, many manufacturers do not pay enough attention to release updates and develop mechanisms to centrally deploy them on end-devices or user notifications. In the case of using firmware third party, the remediation process becomes more complicated: in such cases, the manufacturer of the DVR cannot fully control the firmware and not be able to change it.

      For example, with one of the producers of such a popular and vulnerable firmware, we have not been able to establish contact, so they can correct any problems found. More detailed information was provided in the report at the forum Positive Hack Days III:

      Vulnerabilities and hacking DVR devices are a serious threat to private companies. With access to the CCTV system, the attacker can use them as a springboard for further attacks invisible within the network of the company (APT). The typical remedies that are used in companies are often unable to detect such penetration (e.g., the classic antivirus approach is powerless here).

      In fact, in the corporate network appears malicious device – a minicomputer, inside of which an attacker could install their software. Backdoor in such devices can be very long and imperceptible to exist.

      What to do

      In order to protect themselves, experts Positive Technologies advise to isolate access to digital video systems from the Internet (for example, the settings of the router and/or firewall). It is desirable for devices from the internal network to limit access to the DVR and give access to only those addresses, which it definitely needed (e.g., administrators only). And similarly to limit the network access of the DVR, giving him access only to the desired locations. It is best to place these devices in a separate isolated network.

      In general, with the development of “Internet of things” opportunities for the creation of such botnets increase significantly, many new gadgets are developed and delivered to market without any regard for safety (on the contrary: connection schemes to the Internet are simplified as much as possible). In this situation, we can advise private individuals and companies to be more selective in the purchase of equipment and to carry out the security analysis of new devices.

      Identifying botnets and investigating incidents is also more complicated when the infected are not personal computers, and many automated systems, the behavior of which no one is watching.

      This text is a translation of the article “Уязвимости систем видеонаблюдения позволяют хакерам создавать масштабные ботнеты”  published by @ptsecurity on habrahabr.ru.

      About the CleanTalk service

      CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).

    CleanTalk

    About

    Dashboard

    Pricing

    Sign up / Sign in

    Solutions

    Anti-Spam for websitee

    Blacklists

    Filter fake emails

    Gantt charts

    Hide contact data

    Stop spam emails in Contact form 7 (CF7)

    Stop spam in Elementor form builder

    Stop spam in WPForms

    Website malware scanner

    WordPress Security & Firewall Plugin

    Documentation

    API

    Help

    License agreement

    Privacy Policy

    Refund Policy

    Signs of Malware

    Contact us

    Create a support ticket

    Telegram

    Contact us