DDoS – what’s that?

I’m sure that if you’ve been watching the news recently, you’ll have heard the phrase DDoS, which stands for Distributed Denial of Service. It sounds fancy and complicated, but it’s actually pretty straightforward.

Let’s start at the beginning. A website is typically nothing more than one (or several, perhaps up into hundreds for some big companies) servers which all publish specific web pages. These may link back into the company that runs them, but that’s not important for our purposes. These servers are, unsurprisingly, called webservers, and again for simplicity we’ll just assume that a website only has one webserver.

If you had one computer that was constantly sending lots and lots of messages to the webserver, for example trying constantly to open multiple pages at a rate of hundreds or even thousands of requests per second, until it couldn’t cope with all that web traffic and stopped working, that would be called a Denial of Service attack, or DoS.

You can imagine that this would be straightforward to do as you would only need access to one machine, an internet connection and the relevant software.

A DDoS attack is very similar, except that instead of using one machine to attack the server, multiple machines are used to attack it.

These can be anywhere in the world, and are typically recruited by the bad guys to perform the attack as part of what is called a botnet. This is just a term for a collection of machines which are connected to the internet and which are being controlled from a single source. The way they are recruited is typically through the use of viruses and other malware (“bad” software), which then listen out for messages from their controller machine. This is called a Command and Control structure, and there may be a hierarchy to the structure, a bit like the tiers of management you find in large companies. The owners of those machines typically have no idea that this is happening, and the problem is now exacerbated by the involvement of machines other than laptop and desktop computers. These are other devices connected to the internet, which may include fridges, cookers, kettles etc – this is the Internet of Things. I’ll write a separate post about IoT in the future, but for now it’s enough to know that these devices can be added to a botnet relatively easily.

In a DDoS attack then, the constituent machines in the botnet are ordered to attack a specific website or webserver on a specific date and time, by trying to access one or more pages at the same time as all the rest. When they all do that, the website may not be able to handle so many requests, and stops working.
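To make the difference between a DoS and a DDoS concrete from the defender’s side, here is an added example (my own code, not from the original post) that reads constructed web server log lines, counts requests per second for each client address, and flags a second where one address floods the site (DoS) or where many addresses together exceed a limit even though none of them is individually noisy (DDoS). The log format, the addresses (taken from the documentation ranges) and the thresholds are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined"-style access log line: client address, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample of normal browsing (documentation-range addresses, not real hosts).
NORMAL_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 4201',
]


def build_sample_log():
    """Normal traffic, then a constructed DDoS second, then a constructed DoS second."""
    lines = list(NORMAL_LINES)
    # DDoS: 60 different addresses, 3 requests each, all within 13:55:40 (180 req/s, nobody individually noisy)
    for host in range(1, 61):
        lines += [f'192.0.2.{host} - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120'] * 3
    # DoS: one address sending 120 requests within 13:55:45
    lines += ['198.51.100.99 - - [10/Oct/2023:13:55:45 +0000] "GET / HTTP/1.1" 200 5120'] * 120
    return lines


def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def bucket_requests(lines):
    """Group requests into one-second buckets: {epoch_second: Counter(ip -> request count)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            buckets[int(ts.timestamp())][ip] += 1
    return buckets


def classify_traffic(lines, per_ip_limit=50, total_limit=100):
    """Flag each second as DoS (one address over per_ip_limit) or DDoS (many addresses over total_limit together).

    The limits are assumptions for illustration; a real site tunes them from its own normal traffic."""
    findings = []
    for second, counts in sorted(bucket_requests(lines).items()):
        total = sum(counts.values())
        top_ip, top_count = counts.most_common(1)[0]
        if top_count > per_ip_limit:
            findings.append({"second": second, "kind": "DoS", "source": top_ip, "requests": top_count})
        elif total > total_limit:
            findings.append({"second": second, "kind": "DDoS", "sources": len(counts), "requests": total})
    return findings


if __name__ == "__main__":
    for finding in classify_traffic(build_sample_log()):
        print(finding)
```

The DoS second is easy to deal with because there is a single address to block; the DDoS second is the hard case the post describes, because every one of the 60 addresses looks like an ordinary visitor on its own, which is why the defences mentioned below (specialist filtering services, hosting in several locations) work on the aggregate rather than on individual clients.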

Scary stuff, huh? Try not to worry too much about it though, because there are ways to reduce the risk of this happening, from hardware and software which recognises the attack to hosting the website in different locations, to buying services from companies which specialise in preventing such attacks.

You can also play your part in reducing the scale of botnets by practicing good cyber hygiene: make sure you use a reputable antivirus product and ensure it is updated regularly; apply patches frequently; change your passwords regularly; and don’t click on email attachments or links which you weren’t expecting or from sources you don’t know.

What’s the deal with passwords?

In an earlier post I talked about password hygiene, and about the challenges we have in keeping passwords secret.  I realised that I’d missed the opportunity to talk about why we need passwords – so I thought I’d cover it now.

Computers will – if set up “normally” – ask for a username and password after you switch them on.  This is a process called authentication (though more commonly we call it logging in or logging on), and in the early days (before the Internet existed) this was seen as quite a good way of ensuring that the person entering the username is who they say they are.  One reason why this is important is so that there is some accountability on systems: if something bad has happened, it can often be tracked back to a specific username. The person who “owns” that user name can be held accountable – and those who don’t “own” it can be discounted as the culprit.  It’s therefore quite a good protection mechanism for the other users.

Once that single computer was connected to lots of others, and particularly when connected over the Internet, some people found a challenge in trying to access those remote systems by trying to guess usernames and passwords (at a very basic level this is what hackers try to do).  Passwords which are easy to guess mean that the bad guys don’t have to work very hard to access your account.  Once they have access to your computer, they will often try to see what else they can get access to, such as your bank account, financial details, holiday plans etc.

Have a look at the image below:

[Image: the most common passwords over the previous five years]

It’s obvious that the most common passwords (and therefore the easiest to guess) haven’t changed much over the previous 5 years.  This is bad!

The bad guys use a range of software tools to try to break (or crack) passwords, and generally speaking the longer the password, the better.  But length alone isn’t the answer.  If the password is just numbers, the bad guys “only” need to try combinations of 0 to 9 in increasing lengths, i.e. 0 to 9, then 00, 01, 02, 03 etc. If it’s just lower or upper case letters, i.e. a to z or A to Z, then there are 26 possibilities for each character which they need to try before moving on to a longer length.

Mixing numbers, upper and lower case letters and special characters (e.g. !@£$%^) gives a much longer set of variables which need to be tried, and this mix is what is called a complex password.  In all cases, the longer the combination of these the better, but the industry standard is a minimum of 8 characters long.  Personally, I prefer at least 15 characters, because the maths shows that with current computing power complex passwords of that length are very, very difficult to crack.
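The “maths” behind those two paragraphs can be worked through in a few lines. This is an added example (my own, not from the original post) that works out which character classes a password uses, how many candidates an attacker would have to try for that mix of classes at every length up to the password’s length, and how long that would take at a steady guess rate. The guess rate of ten thousand million per second is an assumption chosen for illustration, not a measured figure, and the example counts the 32 printable ASCII symbols as the “special characters” class.

```python
import string

# Character classes, each with the number of symbols an attacker must add to the search
# once they know (or assume) that the class is in use.
CLASSES = {
    "digits": string.digits,            # 10
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "symbols": string.punctuation,      # 32 printable ASCII symbols such as !@$%^
}

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def alphabet_size(password):
    """Symbols in the smallest mix of classes that covers every character of the password.

    Characters outside these classes (spaces, accented letters) are ignored here for simplicity."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def keyspace(alphabet, length):
    """Candidates of exactly `length` characters drawn from `alphabet` symbols."""
    return alphabet ** length


def total_keyspace(alphabet, length):
    """Candidates of every length from 1 up to `length` (the attacker tries shorter ones first)."""
    return sum(alphabet ** n for n in range(1, length + 1))


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try the whole space at a steady guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def report(password, guesses_per_second=1e10):
    """Summarise how big a job brute-forcing this password's class/length combination is.

    guesses_per_second is an assumed figure for illustration, not a measured one."""
    alphabet = alphabet_size(password)
    space = total_keyspace(alphabet, len(password))
    return {
        "length": len(password),
        "alphabet": alphabet,
        "keyspace": space,
        "years_worst_case": years_to_exhaust(space, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed sample passwords, from weak to strong; none is a real credential.
    for pw in ["12345678", "password", "Password1", "P@ssw0rd", "Tr0ub4dor&3Horse"]:
        print(report(pw))
```

Running it shows the jump the post is talking about: eight digits fall in a fraction of a second, eight lower-case letters in under a minute, and a fifteen-character mix of all four classes takes on the order of a million million years at the assumed rate. The figures are worst-case exhaustive searches, though: a dictionary word with a couple of letters swapped for symbols (the “$now White” style) is found by a word-list attack long before the exhaustive search would reach it, which is why the mix of classes only helps when the password is not built from a guessable word.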

Obviously, the longer and more complex the password, the more likely you are to forget it, which is why good password hygiene is required.  Password hygiene can be compared to personal hygiene, and more particularly your underwear.

[Image: passwords compared to underwear]

So – keep your passwords to yourself, change them regularly, and don’t show them to anyone else!

Password hygiene

By now, we probably all know that we should have different passwords for every account we have, and use different ones for each website.  You probably also know that they should be a mix of upper and lower case letters, numbers and special symbols. They should be more than 8 characters – and no that doesn’t mean $now White and the 7 Dwarves.  This is what’s known as password hygiene.

That’s all well and good, but how do you remember them all?  Most security professionals would express horror at the suggestion that you have to write them down, but unless the bad guys are actually in your house, they have no access to them if you do. One word of caution before you go and document everything – be sensible.

It might seem like a good idea having a book like the one in the image, but then the bad guys in your house know exactly what they’re taking!  If you are going to write your passwords down, make sure you lock the book away in a secure location where it’s not easily found by intruders.

An alternative is to use one of the many password management apps that are around, but as that is connected to the Internet it is by definition vulnerable – especially as it tends to require a master password, and if you haven’t chosen a good one of those then your other passwords are easily found.  At the very least, make sure it encrypts your passwords with something like 128 or 256 bit AES.

As with all things, the choice is yours and based on your level of risk appetite.  Personally, I like the flexibility of the electronic app, but I’d combine it with a master password and another token, e.g. a PIN sent to my mobile or use of a fingerprint reader.

Phishing and Whaling

I’m guessing that you’ve heard of phishing, and I thought I’d provide some words around related topics.  Let’s start at the beginning though.

Phishing

Most people with email will have received a phishing email at some point.  Essentially, it’s a mass mail sent to a lot of people indiscriminately, in the hope that one or more of the recipients will reply or click on a link in the message. The bad guys have either provided a link to a compromised website or to something which will download and install malware, or they note the replies they receive and build a list of people to target with the sort of fake IT support calls you’ve probably read about.  These types of attack are relatively simple and unsophisticated.  They don’t target individuals and are effectively a random attempt, a bit like fishermen on a trawler using a net: their catch is indiscriminate.

Spear Phishing

This type of attack is a bit more sophisticated.  It follows the same sort of approach as above, but focuses on specific individuals.  These emails typically include your name and may also include a little bit of information about you, and will likely be more targeted around some of your likes and interests.  Because they are specifically directed at you, and you are the prey, you become the fish that the bad guys try to get without looking at others around you: hence “spear phishing”.

Whaling

This is really just a version of Spear Phishing, but targeted at the biggest fish (OK, so I know that whales are mammals, not fish, but that’s beside the point).  As these are the big fish, you can imagine that these are the biggest prize.  Typically the bad guys try to get their hands on large sums of money, and the attack may involve more skilful techniques like phoning an employee in finance (a technique sometimes called voice phishing, or vishing) and pretending to be one of the big fish, saying that they’ll be emailing shortly to request immediate payment of a bill.  Who queries the boss, right?  This type of attack is definitely on the increase.

So how do you protect yourself from these sorts of attack?  The following tips may help:

  • If it seems too good to be true, it probably is
  • Don’t click on unknown links in email
  • Don’t reply to messages from people you don’t know
  • If at work and you get an email from senior management which eg doesn’t follow normal processes, ask for confirmation / clarification – but not by replying to the mail
  • Be vigilant – phishing and related attacks are on the increase

Virus attacks and what can be done about them

I decided it would be a good thing to share some information other bloggers have written, as well as to present my own material. After all, if one of the key parts to good security is to keep things simple, then including information others have already produced probably helps, right? 

So, please check out this site and I hope you enjoy it. I’ll add some thoughts of my own on virus defence in the next few weeks.

The Cloud – Vapourware made real?

One of the things that’s been a petty annoyance for me professionally over recent years is all the hype about Cloud services. Things like Amazon Web Services, Dropbox, Google Docs and Microsoft OneDrive. There have been pages and pages written about this new wonderful thing called the cloud, how it’ll revolutionise our lives, but at the end of the day, it’s your data on someone else’s machine. That’s it!

The only major difference I can see between services like the ones I named above and other remote services is scale. But the issues are the same. Where is the data held, who has access to it, how is it deleted when you don’t want it any more, how secure is that deletion.

Nearly 20 years ago there was a lot of hype about “e-business”, i.e. trading and doing business online. Nowadays (as I predicted back then) we don’t bother with the e- prefix, it’s all just business. [Though many companies are finding out that without the e- portion to their business, they struggle to stay afloat.]

The Cloud is no different. It’s the latest and greatest, a buzzword used to make business sexy, but at the end of the day you’re just renting out space on some machines that someone else owns. So you better believe it’s down to you to make sure it’s secure. The big providers have all sorts of physical security (fences, guards, access controls etc) and IT security (redundant disks and power supplies, industrial scale UPS etc) but if you want the data encrypted, or backed up securely etc then you need to sort that yourself.

We’re going to see it more and more, and it’ll become a de facto standard, but please just remember it’s nothing special!

If you can’t explain it to…

…those with no knowledge of a subject, then you probably don’t understand the topic well enough yourself.  (That’s more or less what Einstein said, but he contradicted himself by also saying, on another occasion, that “If I could explain it to the average person, I wouldn’t have been worth the Nobel Prize”.)

The first statement is a truism I think, one that I’ve sought to address with my posts here.  The main aim of that section on my blog is to get away from confusing words and language, and to explain things so the layman can understand them.  I’ve even had positive feedback on one of the articles from my father, who said he understood it all – not bad for a silver surfer! (Him, not me!)

Too often too much jargon is used, in all walks of life.  You just need to hear the experts being interviewed on the news – how many times do they launch into language which just confuses the rest of us? Using jargon, acronyms and other terms which have special meaning in that subject doesn’t help understanding for the uninitiated.

I’ve spent much of my working life in IT and Security, with a bit of engineering thrown in.  I’ve never been able to maintain the technobabble that so many of my peers manage, and have made a point of trying to explain things simply and in plain English.  It even helped me in one role where I actually worked as a sort of translator between the really bright, techie guy who couldn’t explain things simply, and his boss who was a technophobe.  I can effectively translate from very technical into English, but I’m not too good at going the other way.  That’s no bad thing though, in my opinion, as I never like to assume that people understand everything first time round anyway – if I’ve put my thoughts into plain terms in common usage, then there’s less chance of misunderstanding.

I got my inspiration from this piece from http://patriciasplace.me/in-other-words/ – it’s the item for #40.  Pop over to the site and have a look around!

What are backups, and when / why are they needed?

As I’m keeping this simple, I guess I should start by explaining what a backup is, and why it’s necessary. (Apologies to those who know, but if my blog item on Patching was Security 101, then this is surely part of IT 101!)

A backup is simply a copy of one or more files kept on a different device than your working version. You need one so that if the original file is lost, damaged or deleted, then you won’t have to recreate it from the beginning. Some files are irreplaceable e.g. family photos in the digital age (because we no longer get film negatives with our snaps) so we need to be careful.

Here’s a question: do you back up your home PC, laptop, smartphone, tablet etc on a regular basis?

  • Those of you using the iCloud or something similar – well done. (As an aside, and not part of this discussion – have you thought about how secure the data is there: after all, you don’t control who has access do you?) You probably just need to worry about how often you back up to that cloud storage and whether you have an Internet connection at the time you need it.
  • Those using iTunes or similar – that’s great, your device is backed up, but what if the place you’re backing up to, e.g. your home PC, dies?
  • As for the rest – do you use a thumb drive or external hard drive of some sort?

Another question to consider is: how often do your files change? If you have a document which you work on regularly, e.g. accounts for a social club, it may be something you need to back up regularly. If it’s a treasured family photograph, or an invoice for an online purchase, the file won’t change but you should really have at least one backup copy.

There are many backup solutions available. Perhaps the simplest is to use an external hard drive or a thumb drive (also called a memory stick, USB drive, pen drive etc) and simply copy the files you want across to it. Make sure you keep the drive in a safe place (not next to your computer though: if the computer goes up in flames during a house fire, having files copied on a device sitting next to it probably won’t be any use) and, if the data on it is sensitive you may want to encrypt it. (Hmm, I think I’ll need to write a separate post on encryption!)
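“Simply copy the files across” is the right idea, but a copy that was interrupted or that later develops a bad sector is worse than no backup because you only find out when you need it. The following is an added example (my own, not from the original post) of that simple copy-to-a-drive approach with one extra step: it records a fingerprint (SHA-256 hash) of each original file in a manifest on the backup drive, so you can later check that every copy is still readable and identical to what you copied. The folder names and file contents are constructed for the demonstration; `demo()` runs the whole thing in a temporary folder and deliberately damages one copy to show the check catching it.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_of(path):
    """Hash a file in chunks so large photos or videos don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source, destination):
    """Copy every file under `source` to `destination` and write a manifest of the ORIGINALS' hashes.

    Hashing the original (not the copy) means verify() catches a bad copy as well as later damage."""
    source, destination = Path(source), Path(destination)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        target = destination / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps, handy when deciding what has changed
        manifest[rel.as_posix()] = sha256_of(path)
    (destination / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(destination):
    """Re-hash each copy and compare with the manifest. Returns [(relative_path, problem), ...]; empty is good."""
    destination = Path(destination)
    manifest = json.loads((destination / MANIFEST).read_text())
    problems = []
    for rel, expected in manifest.items():
        copy = destination / Path(rel)
        if not copy.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(copy) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def demo():
    """Constructed end-to-end run in a temporary folder: back up, verify, then simulate a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        dst = Path(tmp) / "usb_stick"
        (src / "photos").mkdir(parents=True)
        (src / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8 constructed, not a real JPEG")
        (src / "accounts.csv").write_text("date,amount\n2023-10-10,12.50\n")
        backup(src, dst)
        before = verify(dst)
        # A bad sector or an interrupted copy would look like this:
        (dst / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8 damaged")
        after = verify(dst)
        return before, after


if __name__ == "__main__":
    print(demo())
```

For real use you would point `backup()` at your documents folder and the drive letter or mount point of the stick, and run `verify()` on the stick now and again (and always before relying on it for a restore). The manifest is deliberately plain JSON so it can be read without this script; it does not protect the files themselves, so the point in the post about encrypting sensitive data on the drive still stands.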

As you can infer from above, there are many cloud based services like the Apple iCloud or Microsoft’s Office 365 where you can hold all your files and not have to worry about messing around with thumb drives etc. Personally, if I was going to use them for some of my own sensitive files, I’d ensure I used some of their more secure services like two factor authentication.

That sounds scary and technical, but it’s basically a combination of a password and a code generated on a separate device (as they say in the trade, it’s something you know and something you have, which “proves” you are you). That device may be software on a phone, a pin code that’s sent to your phone or email, or it may be a physical thing like a fob which your bank provides: I have one which looks a bit like a small calculator which I have to slide my bank card into, and it gives a code which I have to type in on the website before I can access my account details.
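The “code generated on a separate device” is usually a time-based one-time password, the same scheme the authenticator apps on a phone use. Here is an added example (my own, not from the original post) of both halves of that login: a check of something you know (a salted, slowly hashed password) and something you have (a six-digit code derived from a secret shared with the phone and the current time, following RFC 4226/6238). The user record is constructed, and the shared secret is the test-vector value from those RFCs so the codes can be checked against the published figures; a real system would generate a random secret per user.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user: a salted password hash (something you know) and a TOTP seed (something you have).
# The seed is the RFC 4226/6238 test-vector secret, used only so the codes can be checked by hand.
_SALT = b"constructed-salt-value"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16 | mac[offset + 2] << 8 | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps since the epoch.

    This is what the phone app computes; the server computes the same thing to compare."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, submitted, for_time=None, step=30, digits=6, window=1):
    """Accept the current code or one step either side, to tolerate clock drift between phone and server.

    compare_digest is used so the comparison takes the same time whether or not the code matches."""
    t = int(time.time() if for_time is None else for_time)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, t // step + drift, digits), submitted):
            return True
    return False


def check_login(username, password, code, for_time=None):
    """Both factors must pass: a stolen password alone, or a stolen phone alone, is not enough."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    knows = hmac.compare_digest(candidate, user["pw_hash"])
    has = verify_totp(user["totp_secret"], code, for_time=for_time)
    return knows and has


if __name__ == "__main__":
    # What the phone would show right now for the demo user, and whether logging in with it succeeds.
    now_code = totp(USERS["alice"]["totp_secret"])
    print("phone shows:", now_code)
    print("login ok:", check_login("alice", "correct horse battery staple", now_code))
```

The secret never travels over the network: the phone and the server each compute the same six digits from the secret and the clock, and the attacker who has guessed or stolen the password still has to produce a code that changes every 30 seconds. The bank fob with the card slot described in the post works on the same principle, with the card and a PIN standing in for the phone.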

There’s another time when you should seriously consider making sure you have backed up your data properly, and if you don’t do it at any other time then you should make sure you do it when … upgrading your device and / or the operating system software on it. Apple tend to force the backup if you use iTunes, because that’s the first thing they do before upgrading the software. Given that right now many people will be eligible to upgrade their Windows version for free (if it’s a personal device which is compatible and running specific earlier versions), it’s worth making sure your essential files are backed up before you start.

Patching – what’s all the fuss about?

I suppose this falls under Security 101, one of the most basic things we’re all encouraged to do with our technology, but there’s always a reason to postpone it:

  • My machine slows down while it’s downloading the latest patches
  • I’m worried that things won’t work afterwards
  • I keep having to reboot my machine, sometimes several times during one set of updates
  • I’m busy just now, can I not just do it later?
  • I don’t use the Internet much, so my device can’t be infected
  • I’m not using Microsoft, so there’s no need to patch
  • ….and, well, you know how it goes on….

I’m sure you’ve got your own versions of these, but the point is that these are all just excuses for something that should just be part of your normal experience – in my opinion.

Should we patch absolutely everything? I.e. should we install all updates for all products as soon as they’re available? No, I don’t think so. We should base our patching strategy on a risk assessment. If you find out about a patch for one software programme – let’s say Microsoft PowerPoint – but don’t have PowerPoint on your device, do you need to apply that patch? Not if it only addresses vulnerabilities in PowerPoint, as your device doesn’t have that vulnerability. But if the patch includes other packages which you do have installed eg Excel, then yes, you should.

Why am I picking on Microsoft? Just in order to use program names that we’re most likely to be familiar with. The same principles apply equally to other vendors and other software packages. Software has vulnerabilities, it’s inevitable. If there are none on the day it is released someone somewhere will find some soon afterwards. And the more valuable the data you access through the software, the more likely someone is to try to create an exploit for that vulnerability.

In my opinion, you should patch regularly i.e. keep patches up to date. Apart from anything else, this lessens the amount of time spent downloading updates, as you’re keeping on top of things (in many respects, the same goes for antivirus updates too). Patch what you have to, but eg if the patch is for a Mac and you’re using Linux, why apply a Mac patch unless the patch also applies to Linux devices.

Not using the Internet often is no protection either. The only truly secure device (from Internet attack anyway) is one which does not have any form of external interface (wifi, wired, serial cable, whatever) and which is never connected. Some well known legitimate websites have been targeted and have had malicious code embedded in them, infecting users who are only browsing (because no software is totally secure, right?). Botnets are out there looking (in an automated way) for vulnerable machines, so you only need to connect once to run the risk of infection. It’s a bit like contraception – if you don’t ever have sex, you’re unlikely to get pregnant, but do it just once without any form of protection and pregnancy is a very real risk.

If you’re only looking at your personal / home PC / laptop / tablet etc, then you’re unlikely to have a test environment. This is the best place to try out new patches, but if you’re a home user then you probably don’t have the luxury of testing things there. In any event, it’s notoriously difficult to configure your test environment to exactly match your real, live environment, down to version numbers of DLLs and other components, so you’re probably just testing in a representation of your live environment and there will still be some risk when you deploy for real. So what should you do?

This is where having a good, robust (and tested) backup regime comes in. More on that in a future post, so watch this space…