SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

DDoS and Open Resolvers: The Swiss view

About a month ago the openresolver project published the results of a global scan enumerating open recursive DNS servers. A daunting 27.200.613 systems were found.

In the past we’ve reported on large-scale DDoS attacks in this blog. The attacks are real, and they are not just some rare random occurrences on the net. The recent attack on Spamhaus illustrates this quite clearly. People have different views on Spamhaus’ activities, but that’s not the point. The point is that there are people out there who can launch massive attacks that even Tier 1 carriers will feel. And it’s not only “Spammers against Spamhaus” that do this. A recent attack we analysed, weighing “only a few dozen MBits/s”, was launched against a game server by a literal loser, someone who did not get what he wanted in an MMOG. We also see attacks against competitors, attacks to blackmail people and, quite ironically in the name of “internet freedom of speech”, attacks against disagreeable sites.

Who are the bad guys?

With the recent media attention, bordering on hysteria, about cyber attacks, we get questions like “Why would the Chinese attack a bee-keeper’s website?” Well, they don’t, as far as we can tell. But then, who is it? In this post we’ll try to give you an overview of the prime actors in the cyber-underground.

As numerous detective stories teach: “To solve a crime you have to know the motive”. Most of the miscreants in the internet underground have one goal: “Make money fast!”. Now there are tons of different ways to make money fast. One thing internet criminals realize is that this is a numbers game. Either rob a lot of people (and we mean a lot) of small amounts, or a few of big sums.

ONE: The first NCSC conference

A year ago GovCERT.nl ceased to exist. The new kid on the block was the National Cyber Security Center (NCSC). Together with GovCERT.nl their famous conference went away and many were wondering if something like the Symposium would ever come back.

The opening ballet at the first NCSC conference in The Hague setting the high standards for the rest of the conference.

The comeback was indeed a flamboyant start of what hopefully becomes a new tradition. Restarting an already great event is never easy, but our Dutch colleagues showed us that it’s possible. With over 850 participants this was a mega event. The mixture of participants was impressive, from suits to geeks and nerds. Strange world: the latter often seem to be more narrow-minded than the former.

Equally diverse was the program, from highly political to deeply technical. I was very impressed and touched by the two keynotes focusing on China. The inside view went far beyond what’s usually served in mainstream media.

Cherries from the Belgian Internet Security Conference

Last week I was invited to the first Belgian Internet Security Conference in Brussels to talk about our Malware Domain program. The conference was hosted by Belnet, our Belgian sister NREN. Belnet also runs the government CERT.be, which sent the invitations to this event. Attendees were people from organisations operating critical infrastructure. The event was very well attended and the mix of talks covered a broad spectrum. You can find the slides on the conference website. Below are my thoughts on the different talks:

Reducing malware infections in Switzerland

SWITCH helps reduce malware infections in Switzerland by a factor of four!

Malware is a big issue in Switzerland too. It comes in many flavours: there is malware which tries to get at your bank account, there is malware that converts your PC into a spam machine, and the list could be extended.

Last we reported how we remedy websites that distribute this malware. But websites are not the only source of malware. Also at the top of the list are e-mail attachments, supposedly originating from lotteries, postal offices and so on.

Many internet users get infected, worldwide and in Switzerland. So is that it? After an infection, will you be an eternal net-zombie? Not if you live in Switzerland. Thanks to its international network, SWITCH-CERT receives a daily dose of reports about infected IP addresses in Switzerland. By far the largest number comes from Team Cymru’s CSIRT Assistance Program. But there are other sources, such as MELANI or our own sensors.
