
Tally of Cyber Extortion Attacks on Tech Companies Grows - mantraxC
http://bits.blogs.nytimes.com/2014/06/19/tally-of-cyber-extortion-attacks-on-tech-companies-grows/?_php=true&_type=blogs&_r=0
======
baudehlo
And one that resulted in a full shut down:
[http://www.codespaces.com/](http://www.codespaces.com/)

~~~
shiven
Looking at the armchair post-mortems on HN, they had it coming, one way or
another. Putting your only backups in the same place you host your full product?
Priceless foolhardiness!

~~~
baudehlo
Tough call. S3 is supposed to have 99.999999999 (or whatever) reliability (not
uptime, just storage reliability). It's hard to justify backing up to
somewhere else when they give you that figure.

~~~
shiven
All your family jewels in one place? Accessible from a common front-panel?
Abso-f-ing-lutely NO offline backups that count? Like I said, they had it
coming.

Seriously, if you don't have the code-and-data backup that will enable you to
switch service providers, even with a downtime penalty, then you and your SAAS
truly have it coming. If these guys had any real backups, they could have let
the clusterfuck at AWS play out the way it did and still be able to upload
everything to DigitalOcean or a colo or _whatever_ and still come back alive a
month later. Now that 99.999999999999999 ( _ad nauseam_ ) ain't worth squat,
is it?

I mean, basic (Dev)-Ops-(Sec), real _basic_. But, then again, I'm just another
armchair, after-the-fact, analyst-dude on the internet.

------
jqm
It's amazing to me that people would screw around with this for 2 or 3 hundred
dollars.

I realize wages are low in many parts of the world and this might represent a
significant amount of money, but anyone with access to the resources and
possessing the technological know-how to pull this off could maybe make that
in a legitimate way.

I have no idea, but maybe state actors are involved. Maybe it is a low level
warning of what "could" be done. Probably not... but maybe. $300 doesn't seem
like it would be worth the trouble and risk but maybe it is.

------
nitrogen
DDoS attacks like this wouldn't be so easy if governments actively fixed
backdoors in hardware and software instead of creating and stockpiling them.
Much harder to build a botnet if there are fewer vulnerable systems to recruit
via exploits.

~~~
jgrahamc
A. I don't see how "the government" is behind botnets.

B. You don't need many machines to create DDoS attacks because of
reflection/amplification.

C. You can rent machines without having to use a botnet.

~~~
nitrogen
A. I never said the government was "behind botnets." Nor did I refer to any
singular government. Yet, Stuxnet did create, in effect, a botnet.

B. A government interested in network security would inform managers of
reflection- and amplification-vulnerable systems (such as misconfigured DNS
resolvers), as well as design and release open, verifiable, trustable
specifications for filtering hardware and packet matching algorithms to block
DDoS attacks at the same points they currently tap network traffic.

C. Rented machines can be shut down far more easily than a botnet.

------
troels
One thing I don't quite understand - wouldn't it be possible to unravel a
botnet? If you acquire one of the infected machines, a bit of reverse
engineering (or perhaps just monitoring its network traffic) should presumably
be able to reveal where it gets instructions from. It would probably take the
cooperation of law enforcement, but assuming that, wouldn't it be possible -
even practical - to do?

~~~
Mandatum
Yes, in the past when they were more centralized with only a few IRC C&Cs,
this was an easy solution.

However now, a botmaster is able to generate thousands of C&C centers from
hacked boxes, via hidden TOR or I2P nodes, or shared hosting, as well as
hundreds of thousands of varying infected malware almost instantly. The only
thing that requires effort from the botmaster now is spreading and constantly
updating their slaves so they can keep them in control longer.

The actual implementation is the easy part of it.

~~~
troels
I see. Still, the attacker has multiple surfaces to try and trace them
through. Unless they are very careful, you would expect that they tend to slip
every now and then, making it possible to find them? I would imagine that a
dedicated security team within law enforcement would be able to get a pretty
good success rate, but that doesn't appear to be the case?

------
codeddesign
I don't get it... why not just switch your DNS to CloudFlare or a similar
service and run under their protection?

~~~
joncameron
Right there in the article... Moz signed up with CloudFlare "but Mr. Skinner
said the attacker has found new ways to attack their systems."

Does anyone know what that might be? There are quite a few people on HN who
have zero sympathy for DDoS victims who don't pony up for Cloudflare etc., but
I'm curious about situations when that isn't going to help or other attack
vectors that will get you regardless.

~~~
ceejayoz
The underlying hosting that CloudFlare proxies to can be attacked, for one.

------
microcolonel
Anyone want to start a registry of threatening bitcoin addresses, so we can
prevent funds from these transactions from being used? (aside from paying
other organized criminals)

~~~
_delirium
Isn't that difficult to enforce, unless you also blacklist the public mixers?
It's easy to launder moderate amounts of Bitcoins through the mixers, after
which blacklisting the original wallets would no longer impede the money being
spent. Though if the major mixers were willing to go along with such a
blacklist it'd get considerably more effective.

~~~
microcolonel
You can track the amount through the transaction logs though, and mixers don't
want to get stuck with bitcoins which will eventually be invalidated by other
parts of the ecosystem.

Not a perfect idea at this point though, it'd require considerable
organization to get this done, certainly better than throwing away Bitcoin or
waiting for it to become criminalized. IMHO

------
mantraxC
I posted this because I found it of particular interest that the blackmailers
ask for payment in Bitcoin.

It makes you think if Bitcoin is turning into a giant example of "be careful
what you wish for".

We have exchange after exchange get hacked and legit Bitcoin users losing
their money, and now Bitcoin enables extortion schemes that couldn't work so
effortlessly before.

Where is this going?

~~~
Shinkei
Bitcoin is only pseudo-anonymous. At some point, the 'bad actor' has to access
'legitimate' banking institutions to exchange the Bitcoins to fiat and that is
the weakest link. It requires reporting to relevant tax or other authorities
based on arbitrary (and secret) amounts, but targets money laundering, drug
trade, gambling, etc.

I suppose if I had to throw a potentially disruptive idea out there, you could
create a database of 'blacklisted addresses.' Let's say when Bitlocker came
out, you entered that address into a database and it was verified as being
associated with this scam, well it is trivial to track those coins between
addresses and every address it enters is blacklisted until it enters a mixer
or exchange, at which point you have a potentially complicit corporation that
you could actually target with the subpoena or other legal action for
discovery of IPs, login, etc.

~~~
dsl
People have suggested this before. A bad actor then just takes 100 illicit
bitcoins and sprinkles them in random amounts across many addresses, 11 to
himself at another address, 6 to a non-profit, and 14 to you. You are now
indistinguishable from the bad guy.

~~~
Shinkei
I can't say I would complain if thousands of dollars were given to my address,
but you are right... it would represent a difficult problem for enforcement
and creative people would come up with clever workarounds.

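The address-blacklist scheme Shinkei sketches and the dispersal problem dsl raises, worked through on a constructed ledger (an added example, not from the thread; every address, amount and the mixer/exchange list is invented for illustration):

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Tx:
    txid: str
    inputs: list[str]               # addresses that fund this transaction
    outputs: list[tuple[str, int]]  # (receiving address, amount) pairs

def propagate_taint(txs, seed, stop_at):
    """Binary blacklist propagation as described in the thread: every address funded
    by a tainted address becomes tainted. Known mixers/exchanges (stop_at) are not
    tainted themselves; they are recorded as the point where legal process applies."""
    tainted = set(seed)
    choke_points = set()
    changed = True
    while changed:  # re-scan to a fixed point so transaction order does not matter
        changed = False
        for tx in txs:
            if not any(a in tainted for a in tx.inputs):
                continue
            for addr, _ in tx.outputs:
                if addr in stop_at:
                    choke_points.add(addr)
                elif addr not in tainted:
                    tainted.add(addr)
                    changed = True
    return tainted, choke_points

def tainted_inflow(txs, tainted):
    """Amount each address received directly from tainted inputs (the trail in the log)."""
    inflow = defaultdict(int)
    for tx in txs:
        if any(a in tainted for a in tx.inputs):
            for addr, amt in tx.outputs:
                inflow[addr] += amt
    return dict(inflow)

# Constructed sample ledger: addresses and amounts are invented for illustration.
SAMPLE_TXS = [
    Tx("t1", ["victim"], [("extortion", 100)]),
    # dsl's sprinkle: 11 to a second attacker address, 6 to a charity, 14 to a bystander
    Tx("t2", ["extortion"], [("attacker2", 11), ("charity", 6), ("bystander", 14), ("hop1", 69)]),
    Tx("t3", ["hop1"], [("mixer", 69)]),
    Tx("t4", ["bystander"], [("coffee_shop", 14)]),  # bystander spends; taint spreads again
]
KNOWN_SERVICES = {"mixer", "exchange"}

def demo():
    tainted, choke = propagate_taint(SAMPLE_TXS, {"extortion"}, KNOWN_SERVICES)
    return tainted, choke, tainted_inflow(SAMPLE_TXS, tainted)
```

Running `demo()` shows the charity, the bystander and whoever the bystander later pays all end up on the blacklist, while the only actionable choke point is the mixer.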
