Cyber Security Services
uuallan | 26 Dec 2013 | 2 comments

Over the last few weeks Symantec has seen a significant spike in NTP reflection attacks across the Internet.


NTP is the Network Time Protocol, a relatively obscure protocol that runs over UDP port 123 and is used to synchronize time between machines on a network. If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.

NTP is one of those set-it-and-forget-it protocols that is configured once and then mostly ignored by network administrators. Unfortunately, that also means it is a service that is rarely upgraded, leaving outdated NTP servers open to abuse in these reflection attacks.

How do NTP reflection attacks work?

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP...

Vince Kornacki | 18 Dec 2013 | 0 comments

In our last blog series we explored horizontal password guessing attacks. Check out Horizontal Password Guessing Attacks Part I and Part II in case you missed them. This time we'll test our web application with vertical password guessing attacks. Whereas horizontal password guessing attacks entail trying only a few common passwords against a long list of usernames, vertical password guessing attacks entail trying a long list of passwords against a single username. But where do you get a long list of passwords? Wordlists are readily available on the internet. For example, CrackStation offers a ridiculous 15 GB wordlist containing 1,493,677,782 words. CrackStation also offers a more practical 684 MB wordlist containing approximately 64 million common passwords. However, before getting our hands dirty, let's consider several important factors:

  • Does the web application allow valid account determination? For example, does login functionality return deterministic error...
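
The first factor above, valid account determination, is easy to test for before any guessing starts. The following is an added example, not code from the original post: a login handler that leaks account existence through its error message, the hardened version beside it, and the check itself. The user store, salt, usernames and passwords are constructed for the demo.

```python
"""Added example, not code from the original post: a login handler that leaks
whether a username exists beside a hardened one, plus the pre-attack check the
post asks for. The user store, salt and passwords are constructed for the demo."""
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-salt"
# Constructed user store: username -> (salt, PBKDF2 hash)
USERS = {"jdoe": (_SALT, _hash("Summer2013!", _SALT))}
# Dummy credential so an unknown username still costs one PBKDF2 computation.
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))

def login_leaky(username, password):
    """Vulnerable: two different error messages confirm which usernames exist."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Incorrect password"
    return True, "OK"

def login_safe(username, password):
    """Hardened: one generic message, and the same hashing work, on every failure."""
    salt, stored = USERS.get(username, _DUMMY)
    computed = _hash(password, salt)           # always hash, even for unknown users
    if username in USERS and hmac.compare_digest(computed, stored):
        return True, "OK"
    return False, "Invalid username or password"

def allows_account_determination(login, known_user, bogus_user):
    """Does a wrong password for a real account produce a different response
    than the same password for a non-existent account? If so, the login form
    lets an attacker enumerate valid usernames before guessing passwords."""
    wrong = "definitely-not-the-password"
    return login(known_user, wrong) != login(bogus_user, wrong)

if __name__ == "__main__":
    for handler in (login_leaky, login_safe):
        print(handler.__name__, "enumerable:",
              allows_account_determination(handler, "jdoe", "nobody-here"))
```

The hardened handler hashes a dummy credential for unknown usernames so that response time, not just the message text, is the same for valid and invalid accounts; a real test should compare timing as well as the response body.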
Trent Healy | 11 Dec 2013 | 0 comments

Customers tend to ask me, "How do I integrate data loss prevention into my enterprise?" Before any integration of a data loss prevention solution, I give my customers an idea of where it can help them. Let me illustrate with an abstract case study.

One large oil company was concerned with losing its bid data to competitors, and wanted to understand how a data loss prevention solution could help guard its intellectual property. To understand the threat to bid data, we should start by understanding the underlying business processes that create that data (note: this is not all the processes involved, merely an abstract):

  1. The company performs a geological survey on land that is up for bid to see if it will produce oil, natural gas, etc. During this stage scientists are deployed to the land to do drilling and deploy equipment to view the layers of earth and rock below the surface of the land.
  2. Scientists take snap...
Joseph.Rogalski | 04 Dec 2013 | 0 comments

As most of us have come to realize, not all data is created equal, and it should not be protected equally. Let's face it: treating everything equally yields nothing but failure, frustration, and a big bite out of your budget. That being said, we do need to protect our most valuable data from cyber attacks, appropriately to its risk and value or to any compliance requirements. What would happen if the most important data was encrypted by malware and held for ransom? There is a very nasty piece of malware named CryptoLocker that is doing just that.

CryptoLocker encrypts files on Windows systems and file shares, locking users out of their files. The malware encrypts Office documents and other commonly used document types and then denies access to them. Users are required to pay $300 to have the files decrypted, and they have a limited time, 72 hours, to do so before the private key is destroyed. Researchers at...

Vince Kornacki | 15 Nov 2013 | 0 comments

If security is a heavy duty chain, what's the weakest link? I'll give you a hint, it might be scribbled on a little yellow sticky note stuck on your monitor or stashed under your keyboard! That's right, passwords are the culprit! Brute force password guessing attacks are a favorite technique of malicious attackers everywhere. Whether the target is an SSH server, a financial web application, or a webmail application, as you read this sentence an attacker somewhere is launching a brute force password guessing attack. And before you finish this blog post, that attacker has likely cracked a password or two.

So what's the solution? Account lockout is widely regarded as an effective deterrent to brute force password guessing attacks. After a certain number of unsuccessful login attempts within a certain amount of time, the target user account is locked out for a certain amount of time. For example, after three unsuccessful login attempts within one hour, the target user account...
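The lockout rule described above (N failures within a window locks the account for a period) is small enough to show in full. The following is an added example, not code from the original post, and the login-attempt logs it replays are constructed: one vertical attack against a single user and one horizontal sweep that tries a single password against several users. The thresholds (3 failures in 3600 s, lock for 900 s) follow the post's example; the usernames are made up.

```python
"""Added example, not code from the original post: a sliding-window account
lockout policy of the kind described above, replayed over constructed login
attempts. Thresholds and usernames are assumptions for the demo."""
from collections import defaultdict, deque

class LockoutPolicy:
    def __init__(self, max_failures=3, window=3600, lock_for=900):
        self.max_failures = max_failures
        self.window = window            # seconds in which failures are counted
        self.lock_for = lock_for        # seconds the account stays locked
        self._failures = defaultdict(deque)   # username -> timestamps of recent failures
        self._locked_until = {}               # username -> epoch seconds

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Record a failed login; return True if it triggers a lockout."""
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lock_for
            recent.clear()
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)

def replay(policy, attempts):
    """attempts: iterable of (timestamp, username, success). Returns the set of
    users that were locked out and the number of attempts refused while locked."""
    locked, refused = set(), 0
    for ts, user, ok in attempts:
        if policy.is_locked(user, ts):
            refused += 1
            continue
        if ok:
            policy.record_success(user)
        elif policy.record_failure(user, ts):
            locked.add(user)
    return locked, refused

# Constructed attempt logs (timestamp in seconds, username, success flag).
VERTICAL = [(t, "jdoe", False) for t in range(10)]            # 10 guesses at one user
HORIZONTAL = [(100 + i, user, False)                          # 1 guess at each user
              for i, user in enumerate(["mjones", "csmith", "mbrown", "jwilson"])]

if __name__ == "__main__":
    print("vertical:", replay(LockoutPolicy(), VERTICAL))      # ({'jdoe'}, 7)
    print("horizontal:", replay(LockoutPolicy(), HORIZONTAL))  # (set(), 0)
```

The replay makes the trade-off concrete: the vertical attack locks jdoe on the third guess and the next seven attempts are refused, while the horizontal sweep never trips a per-account threshold because no single user sees more than one failure. That is exactly why the horizontal guessing posts on this page worry about usernames rather than passwords.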

Vince Kornacki | 15 Nov 2013 | 0 comments

Welcome back! In our last installment we started planning our horizontal password guessing attack by identifying the ten most common passwords. Hopefully none of those terrible passwords are scrawled on little sticky notes anywhere in the vicinity of your cubicle! But what about usernames? What usernames should we guess? If the target application employs an established username format, you can easily predict common usernames. For example, consider an application that constructs the username by combining the user's first initial and last name, so the username for John Doe would be "jdoe". According to the United States Social Security Administration, these are the top ten male names issued during the 1980s:

      1. Michael
      2. Christopher
      3. Matthew
      4. Joshua

uuallan | 15 Nov 2013 | 0 comments

On October 23rd the Internet Corporation for Assigned Names and Numbers (ICANN) announced the roll-out of the first four gTLDs under its New gTLD Program. The new domains could pose a potential security threat to your organization.

gTLD stands for Generic Top Level Domain. These are widely used domains that are open to anyone who wants to register one, like .com, .net, and .org. gTLDs are distinct from Country Code Top Level Domains (ccTLDs) like .us, .uk, and .nz in that ccTLDs often have some restrictions in place as to who can register a domain, and they are maintained by the individual country's Network Information Center (NIC), though this task is often outsourced.

Prior to the announcement of the New gTLD Program, initiating a new gTLD was a costly and laborious task; in fact, the last set of new gTLDs to roll out (.aero, ....

MSS Global Threat Response | 07 Nov 2013 | 0 comments


Who:  Anonymous - a politically motivated group of hacktivists (mostly US and UK based).

What:  Multiple Operations have been named by various groups, the primary two are OpNov5th and OpVendetta.  These Operations may involve Denial of Service and website defacement attacks directed at Government facilities around the world.

When:  Circa November 5th 2013.

Why:  November 5th is the anniversary for activists and hacktivists to gather online and in public to protest Government.  It is known to Anonymous members as “Guy Fawkes day”.


Members of the hacktivist group Anonymous, based out of the US and the UK, have publicly stated they will target "all" government facilities across the globe in support of the ‘Occupy’ movement.  Anonymous calls this a day of "global civil...

uuallan | 15 Oct 2013 | 0 comments

One commonly used method of Distributed Denial of Service (DDoS) attack is a DNS amplification attack. DNS amplification takes advantage of the stateless nature of DNS requests over UDP: the attacker sends forged DNS requests, with the target's address as the source, to open recursive DNS servers, which then send their much larger responses to the target of the DDoS attack.

If the last sentence seemed like complete gibberish, it might help to give an example. A hacktivist decides she has a grudge against your fast food company because you only offer your Halloween Pumpkin Milkshake two months a year. This hacker controls a botnet with 5,000 nodes, which can launch a 100 Mbit/s attack against your website. This is not enough to take down your website, so you don't worry about it. But our determined hacktivist has done her homework and identified thousands of open resolvers. An open resolver is a caching DNS server that allows anyone to make queries (if you have one, you really should disable it).
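
From the victim's side, both this DNS amplification scenario and the NTP reflection attacks described in the 26 Dec 2013 post above look the same: large UDP replies from port 53 or 123, from many hosts, that the victim never asked for (or asked for with a tiny request). The following is an added example, not code from either post: a flow-record heuristic that flags that pattern. The flow records, the five-field record layout and the thresholds are constructed for the demo and are not any product's format.

```python
"""Added example, not code from the original posts: spot reflection/amplification
traffic in flow records by comparing bytes received from DNS/NTP source ports
with bytes the same host sent to those reflectors. Records and thresholds are
constructed for the demo."""
from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed flow summaries: (src_ip, src_port, dst_ip, dst_port, bytes).
# 203.0.113.10 is the victim. It sent one small query to 198.51.100.1 and one
# normal lookup to 192.0.2.53; every other "reply" answers a spoofed request.
FLOWS = [
    ("198.51.100.1", 53,  "203.0.113.10", 40001, 3_100),
    ("198.51.100.2", 53,  "203.0.113.10", 40001, 3_050),
    ("198.51.100.3", 53,  "203.0.113.10", 40001, 2_980),
    ("198.51.100.4", 123, "203.0.113.10", 40002, 48_000),
    ("198.51.100.5", 123, "203.0.113.10", 40002, 47_500),
    ("203.0.113.10", 40001, "198.51.100.1", 53, 64),     # one real query went out
    ("203.0.113.10", 51000, "192.0.2.53", 53, 70),       # normal lookup ...
    ("192.0.2.53",   53,  "203.0.113.10", 51000, 180),   # ... and its normal reply
]

def amplification_report(flows, min_ratio=10.0, min_sources=2):
    """Return {victim: {service: {"reflectors": [...], "bytes": n}}} for hosts
    that receive replies from at least min_sources DNS/NTP servers where the
    reply bytes exceed what the host sent to that server by min_ratio or more
    (a reply with no matching request counts as infinite amplification)."""
    inbound = defaultdict(int)    # (host, service, reflector) -> bytes from reflector
    outbound = defaultdict(int)   # (host, service, reflector) -> bytes to reflector
    for src, sport, dst, dport, nbytes in flows:
        if sport in REFLECTOR_PORTS:
            inbound[(dst, REFLECTOR_PORTS[sport], src)] += nbytes
        elif dport in REFLECTOR_PORTS:
            outbound[(src, REFLECTOR_PORTS[dport], dst)] += nbytes

    suspicious = defaultdict(dict)   # (host, service) -> {reflector: ratio}
    for key, in_bytes in inbound.items():
        host, service, reflector = key
        out_bytes = outbound.get(key, 0)
        ratio = in_bytes / out_bytes if out_bytes else float("inf")
        if ratio >= min_ratio:
            suspicious[(host, service)][reflector] = ratio

    report = {}
    for (host, service), reflectors in suspicious.items():
        if len(reflectors) >= min_sources:
            total = sum(inbound[(host, service, r)] for r in reflectors)
            report.setdefault(host, {})[service] = {
                "reflectors": sorted(reflectors), "bytes": total}
    return report

if __name__ == "__main__":
    for host, services in amplification_report(FLOWS).items():
        for service, info in services.items():
            print(f"{host}: {service} reflection from {len(info['reflectors'])} "
                  f"servers, {info['bytes']} bytes")
```

The legitimate lookup to 192.0.2.53 (70 bytes out, 180 back) stays under the ratio and is not reported, while the three DNS and two NTP reflectors are. Because the spoofed requests never left the victim's network, most reflected replies have no matching outbound flow at all, which is the strongest single signal a flow collector gives you for this class of attack.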

MSS Global Threat Response | 03 Oct 2013 | 0 comments


On Monday, September 30, 2013, an article was posted on the Symantec Security Response blog detailing Symantec's efforts at sinkholing 500,000 of the bots belonging to the ZeroAccess botnet. As of August 2013, the botnet was one of the largest in existence, with a population upwards of 1.9 million computers. ZeroAccess uses peer-to-peer (P2P) as its command-and-control (C&C) communications mechanism.

In March of this year, Symantec security engineers began to study the mechanisms used by ZeroAccess bots to communicate with each other in an attempt to determine if they could be sinkholed. On June 29, they observed a new version of ZeroAccess being distributed through the P2P network. The updated version addressed the design flaw that made the botnet vulnerable to being sinkholed. However, Symantec was still successful in sinkholing a large portion of the botnet.

On July 16, Symantec began sinkholing...