Lessons learned from Anonymous and Operation Last Resort
by Carl Herberger - VP of Security Solutions, Radware - Friday, 29 November 2013.
Activists with links to Anonymous gained access to U.S. government computers through a software flaw in an outdated Adobe ColdFusion platform. This left many agencies vulnerable to penetration, and the attackers went undiscovered for almost 12 months.

The motive behind Operation Last Resort was fueled in part by the suicide of Aaron Swartz, co-developer of Reddit and Internet activist. Swartz faced multiple charges for what federal prosecutors said was illegally downloading academic journals from a digital repository known as Journal Storage, or JSTOR for short. Swartz took his own life shortly after learning that the prosecution would not accept his lawyer’s plea bargain.

According to the national Common Vulnerabilities and Exposures database, the Adobe ColdFusion software package has 66 known vulnerabilities that need to be mitigated. Some of these allow attackers to obtain administrator-console access via unknown vectors, allow remote attackers to hijack web sessions via unspecified vectors, or allow remote attackers to cause a denial of service (DoS) by sending many crafted parameters.

This number of vulnerabilities is unusually high for a single system. Although it has been reported that eight ColdFusion hacks were used during Operation Last Resort, it is safe to assume that at least one of the 66 vulnerabilities was in play.

Organizations need to be aware that the risk profile of their applications and security perimeter devices has changed substantially for the worse. Dramatic changes need to be made immediately, and revisited often, in order to align these risks with satisfactory controls. The two major considerations, or pieces of work, that need to be incorporated are as follows:

Consideration #1 - Architecting the Perimeter for Attack Mitigation

Traditional network border devices are no longer sufficient to provide protection. Organizations must look at their security posture and take a defense-in-depth approach in order to fully prepare for attacks. Part of this is to employ an anti-DDoS security strategy that alerts on and mitigates all attack traffic at the very edge of the organizational network.

The solution should incorporate:
  • Notification and alerting mechanism
  • Sufficient network perimeter defenses to absorb network-based DDoS attacks
  • Ability to discriminate between legitimate and illegitimate traffic
  • Ability to quickly identify known threats & risks
  • Ability to gain a “bird’s eye view” – a logging/correlation system to collect detailed attack data and produce reports on the fly.
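
As an added example (not code from the article or from Radware), here is a small log-correlation pass in Python of the kind the “bird’s eye view” bullet describes, run over constructed web-server log lines: it flags hits on the ColdFusion administrator console, requests carrying an unusually large number of parameters (the DoS pattern noted above), and sources with an abnormal request rate. The admin-console path and the two thresholds are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Common Log Format: source, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

ADMIN_PREFIX = "/cfide/administrator/"  # assumption: path of the admin console
MAX_PARAMS = 100   # assumed threshold: more query parameters than this is suspect
MAX_PER_SRC = 50   # assumed threshold: requests per source within the log window

def parse_line(line):
    """Split one access-log line into fields; return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path.lower()
    rec["nparams"] = len(parse_qsl(url.query, keep_blank_values=True))
    return rec

def correlate(lines):
    """Walk the log once and return (finding, source, detail) tuples."""
    per_src, findings = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:                      # keep malformed lines visible
            findings.append(("unparsed", None, line[:40]))
            continue
        per_src[rec["src"]] += 1
        if rec["path"].startswith(ADMIN_PREFIX):
            findings.append(("admin_console", rec["src"], rec["path"]))
        if rec["nparams"] > MAX_PARAMS:      # parameter-flood DoS pattern
            findings.append(("param_flood", rec["src"], rec["nparams"]))
    for src, n in per_src.items():           # volumetric pattern per source
        if n > MAX_PER_SRC:
            findings.append(("high_rate", src, n))
    return findings

# Constructed sample log (not real traffic): one admin-console hit,
# one 300-parameter request, and one source issuing 60 requests.
STAMP = "[29/Nov/2013:10:00:00 +0000]"
FLOOD = "&".join(f"p{i}=x" for i in range(300))
SAMPLE_LOG = [
    f'10.0.0.5 - - {STAMP} "GET /index.cfm?id=1 HTTP/1.1" 200 512',
    f'10.0.0.7 - - {STAMP} "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048',
    f'10.0.0.9 - - {STAMP} "POST /index.cfm?{FLOOD} HTTP/1.1" 200 100',
] + [f'10.0.0.20 - - {STAMP} "GET /index.cfm HTTP/1.1" 200 512'] * 60
```

Calling `correlate(SAMPLE_LOG)` returns one finding of each kind; in practice the thresholds would be tuned per site and the findings fed to the alerting mechanism from the first bullet.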

Consideration #2 - The Need for Complementary Security Technologies

As was widely reported during WikiLeaks’ Operation Payback, MasterCard and Visa both suffered debilitating outages from the attack. It was also reported that they had intrusion prevention tools and firewalls in place, which alone were not adequate. However, a few organizations fared remarkably better, and lessons can be drawn from the contrasting technologies.
