Hackers Bring Down D.C Government Websites

Hackers launched a DoS denial of service attack on D.C. government websites today, clogging the system with a flurry of requests so that it operates extremely slow or is impossible to load.

“The District government has detected an attempted intrusion into it’s technology infrastructure system,” the D.C. Department of Homeland Security and Emergency Management said in an email to specified recipients around noon.

A DDOS or Distributed Denial of Service is one attack that is very difficult to thwart. Often a website can be brought down by attackers using many computers to send a synchronized flurry of requests toward specific ip addresses. “These attacks are not very difficult to construct and rely more on having a bevy of attacking machines under control at once, often Botnets are used to carry out these Denial of Service attacks.” Often, the only defense against these attacks is to simply throw more bandwidth at the problem. Networks that cannot handle the excessive traffic often just have to wait out the attack.

Homeland Security warned “Customers may experience intermittent difficulties in accessing the District’s web site as we attempt to address the issue. We are aggressively working to resolve this matter.”

In January the group launched a similar attack against the UFC for its support of the controversial Stop Online Piracy Act that was debated by Congress earlier this year. DDoS attacks have been launched by a variety of groups such as Anonymous and LulzSec against federal government websites and servers, including the FBI and CIA.

Google raises Hackers’ bounties to 20,000

Google has decided to raise the price they will pay to any hackers that report software bugs and vulnerabilities in Google’s online services.  Google has experienced success in the past rewarding hackers for exploiting and reporting bugs in Google Chrome.  The maximum reward for exposing a vulnerability that would let an intruder’s code get up to mischief in a Google data centre was increased from the U.S. $3,133 payout set when the bounty program was launched in November of 2010.

     Vulnerabilities that allow for Remote code execution found in Google’s Web apps will also be rewarded $20,000.  The term “remote code execution” refers to the most serious category of vulnerabilities, those which when exploited allow an attacker to hijack a system or inject malware on a machine.  Google has also stated that a $10,000 bounty will be paid for SQL injection bugs or significant authentication bypass or for leaks that allow the leakage of data.

At Google’s Pwnium contest in March, Google paid out $60,000 prizes to anyone that could exploit the Chrome browser. Two people managed to do so, and collected the money.  Google’s $20,000 top payment is likely still far below the market rate.  Many security researchers have said that Google is not offering enough money and that malicious hackers are able to get much more money on the black market.  By raising the bounty, Google hopes to inspire software savants to hunt for difficult-to-find, and exploit bugs hidden deep in Google’s sites, software, and services.  (

CISPA is the newest internet censoring bill to come before Congress.

The Cyber Intelligence Sharing and Protection Act is a new bill being introduced in Congress that is aiming to stop the ongoing cyber attacks that have occurred recently.. If passed through Congress, the bill would allow the government access to personal correspondence of any person of their choosing. Once again, we are being fucked by those corrupt politicians in our government.

     According to The Hacker News..."You should be very mad and very afraid because CISPA is far worse than SOPA and PIPA in its effects on the internet. The wording of this bill is mumbo jumbo, vague and broad. Reading through the nonsense, basically the act would allow Congress to circumvent existing exemptions to online privacy laws, and would allow the monitoring and censorship of any user of the internet."  The real problem is that it will also allow the government to stop online communications which they deem critical or disruptive to them. They can even decide they don’t like what you say about other private parties and take you offline.

Welcome to JG Network Security Consulting

Currently I am in the process of merging a couple of new information technology start-ups. We are going to merge our companies together to make it easier to support the current workload. We all agree on one thing; that it is impossible to find enough time in the day to keep up with all the aspects of running a successful consulting business. We are going to be merging our assets, skills, and knowledge together to create a computer repair business that specializes in keeping your information secure. More info will be coming in the next few weeks but for now, stay tuned for information security news…

I recently tuned in to a pretty interesting webcast about Amazon’s EC2 cloud hosting service and the risks associated with using them to rent a virtual image on a server that they host and charge you by the hour or day…
It’s not a service that I would recommend unless you have lots of money to throw away, or you just need a temporary server for a rather large enterprise endeavor.
Check it out if you still can. just search for it by name if the link doesn’t work.
Black Hat Webcast Series: A journey into the privacy and security risks of a cloud computing service

Apple Mac Attack “may have” Began With Infected WordPress Sites

So I recently read DarkReading’s post that the recent Apple Flashback Attack began with infected wordpress sites, however there is no proof to this and even Kaspersky said that theres no way to tell where the botnet originated from.  It is, however, obvious that many sites are still running vulnerable wordpress installations.  My wordpress blog was just updated to 3.3 yesterday, so I changed the layout.  I dont see why people are afraid to update their blogs from the ancient wordpress installations that you see out there.  I personally like change, and i definitely don’t mind changing what my site looks like often, it can be alot of work but if you just put a couple of hours into it, you can often get most of the job accomplished in less than a week or two.

The importance of ethical hacking according to HelpNetSecurity

The need for more effective information security practices is increasingly evident with each security breach reported in the media.
When adopting new technologies like cloud computing, virtualization, or IT outsourcing, enterprises are facing imminent security threats and must adjust their security processes, policies, and architectures accordingly.
Among the many options available to help customers to achieve this goal, organizations should consider the value of ethical hacking services, which are rapidly gaining attention as an essential security practice that should be performed on a regular basis.
The recently published white paper entitled “The Importance of Ethical Hacking: Emerging Threats Emphasise the Need for Holistic Assessments” by Frost & Sullivan, discusses benefits from independent ethical hacking assessments, the role of ethical hacking in an enterprise security architecture, as well as top technical concerns and solutions.
“The increased sophistication and success rate for recent cyber attacks is directly related to the shift in attacker profile, indicating that nation-states and large criminal organizations are funding well organized, highly motivated, and well trained teams of programmers,” points out Frost & Sullivan Industry Analyst, Chris Rodriguez. “The elevated threat landscape therefore, urgently dictates the need for a comprehensive, real-world assessment of an organization’s security posture. This assessment is a first vital step to enact effective security policies, procedures, and infrastructure that will prevent or mitigate the effects of a data breach.”
The major challenge for businesses is the complexity of security requirements due to changing hacking tactics, myriad security vulnerabilities, evolving business practices, new business technologies, and emerging security technologies. Those numerous organization-specific security challenges are best solved by professionals with extensive expertise.
Ethical hacking offers an objective analysis of an organization’s information security posture for organizations of any level of security expertise. The ethical hacking organization has no knowledge of the company’s systems other than what they can gather. Hackers must scan for weaknesses, test entry points, priorities targets, and develop a strategy that best leverages their resources. The objectiveness of this kind of security assessment has a direct impact on the value of the whole evaluation.
“The result of such an assessment is an actionable report with valuable remediation advice tailored to the customer’s unique IT environment, capabilities, and security objectives,” says Chris Rodriguez. “This helps businesses to prioritize their security efforts, fine-tune security tools such as firewalls and IPS devices, adjust policies, and identify any necessary training.”
As organizations of all sizes and sophistication levels can benefit from objective, expert, third-party analysis, ethical hacking has become a more mainstream service in the past decade. “However, businesses still remain skeptical about the risk inherent with inviting a third-party to attempt to access sensitive systems and resources.
To reduce this fear, businesses should hire only ethical hacking companies that implement practices to ensure privacy and confidentiality. They should also be accredited by international trade organizations such as the EC-Council and ISC,” advices Rodriguez.
Ensuring effectiveness of the enterprise security architecture should be verified on a regular basis. This represents a great challenge for increasingly sophisticated organizations due to complex IT environments which include security solutions, end-user awareness, policies, and new technologies. These systems not only change continually but also interoperate with each other and therefore must be tested as part of holistic assessment to best emulate a real-world attack scenario. “Ethical hacking services are the best way to attain valuable assessments and recommendations necessary to properly tune these complex security architectures,” summarises Chris Rodriguez.

this has been posted from help-net-security the link is http://t.co/FtKrI0mO


SPAM email brings malware to the amateur users

A spam email campaign that may trick a lot of users opening the malicious attachment has been spotted by Sophos.
Variations of “RE:Check the attachment you have to react somehow to this picture”, “RE:They killed your privacy man your photo is all over facebook! NAKED!” and “RE:Why did you put this photo online?” are used in the subject line, and the content of the email is changed to suit:

The lure is likely to pique the interest and the curiosity of a lot of recipients, especially if they receive the email from a friend’s compromised email account.
Unfortunately for them, the .zip attachment is actually a variant of the Bredolab Trojan, a popular piece of malware that proceeds to download and execute other malicious files from the Internet.  HELP-NET   http://www.net-security.org/malware_news