The motive behind Operation Last Resort was fueled in part by the suicide of Aaron Swartz, co-developer of Reddit and Internet activist. Swartz faced multiple charges for what federal prosecutors said was illegally downloading academic journals from a digital repository known as Journal Storage, or JSTOR for short. Swartz took his own life shortly after he learned that the prosecution would not accept his lawyer’s plea bargain.
According to the national Common Vulnerabilities and Exposures (CVE) database, the Adobe ColdFusion software package has 66 known vulnerabilities that need to be mitigated. Some of these vulnerabilities allow attackers to obtain administrator-console access via unknown vectors, allow remote attackers to hijack web sessions via unspecified vectors, or allow remote attackers to cause a denial of service (DoS) by sending many crafted parameters.
This is an unusually high number of vulnerabilities for a single product. Although it has been reported that eight ColdFusion hacks were used during Operation Last Resort, it is safe to assume that at least one of the 66 vulnerabilities was in play.
Organizations need to be aware that the risk profile of their applications and security perimeter devices has changed substantially for the worse. Dramatic changes need to occur immediately, and be revisited often, in order to bring these risks in line with satisfactory controls. The two major considerations, or pieces of work, that need to be incorporated are as follows:
Consideration #1 - Architecting the Perimeter for Attack Mitigation
Traditional network border devices are no longer sufficient to provide protection. Organizations must examine their security posture and take a defense-in-depth approach in order to fully prepare for attacks. Part of this is to employ an anti-DDoS security strategy that alerts on and mitigates all attack traffic at the very edge of the organizational network.
The solution should incorporate:
- A notification and alerting mechanism
- Sufficient network perimeter defenses to absorb network-based DDoS attacks
- The ability to discriminate between legitimate and illegitimate traffic
- The ability to quickly identify known threats and risks
- The ability to gain a “bird’s eye view” – a logging/correlation system that collects detailed attack data and produces reports on the fly
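To make the last three points of that checklist concrete, here is an added example (not code from the original article or from any product it mentions): a small log-correlation script that reads web-server access-log lines, keeps a sliding window of requests per source address, flags sources whose rate exceeds a threshold, and produces a per-source summary report. It assumes the Combined Log Format, a 10-second window with a 20-request ceiling, and a handful of constructed log lines using RFC 5737 documentation addresses; all of those thresholds and values are assumptions chosen for illustration, not figures from the article.

```python
"""Sliding-window request-rate detector and per-source report for access logs.

Added example, not from the original article. Assumptions: Combined Log
Format input, a 10 s window with a 20-request ceiling, and constructed
sample lines (203.0.113.5 as a legitimate user, 198.51.100.7 as a flood source).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


class RateDetector:
    """Flags a source once its request count inside the window exceeds the ceiling."""

    def __init__(self, window_seconds=10, max_requests=20):
        self.window = timedelta(seconds=window_seconds)
        self.max_requests = max_requests
        self.history = defaultdict(deque)  # ip -> timestamps still inside the window
        self.flagged = set()
        self.alerts = []  # (timestamp, ip, requests_in_window) at first breach

    def observe(self, rec):
        q = self.history[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:  # drop expired timestamps
            q.popleft()
        if len(q) > self.max_requests and rec["ip"] not in self.flagged:
            self.flagged.add(rec["ip"])
            self.alerts.append((rec["ts"], rec["ip"], len(q)))
            return True
        return False


def analyze(lines, window_seconds=10, max_requests=20):
    """Correlate log lines into a per-source report plus the list of alerts raised."""
    det = RateDetector(window_seconds, max_requests)
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the collector
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        stats["paths"].add(rec["path"])
        if rec["status"] >= 400:
            stats["errors"] += 1
        det.observe(rec)
    report = {
        ip: {
            "requests": s["requests"],
            "distinct_paths": len(s["paths"]),  # floods tend to hammer one path
            "errors": s["errors"],
            "flagged": ip in det.flagged,
        }
        for ip, s in per_ip.items()
    }
    return report, det.alerts


def _fmt(ts, ip, path, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'


def make_sample_log():
    """Constructed sample: one browsing user and one source flooding '/' at 5 req/s."""
    base = datetime(2013, 1, 26, 3, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, path in enumerate(["/", "/login", "/account", "/help", "/logout"]):
        lines.append(_fmt(base + timedelta(seconds=6 * i), "203.0.113.5", path, 200))
    for i in range(25):  # 25 requests in 5 seconds; the server starts returning 503 late on
        status = 503 if i > 15 else 200
        lines.append(_fmt(base + timedelta(seconds=i // 5), "198.51.100.7", "/", status))
    return lines


if __name__ == "__main__":
    report, alerts = analyze(make_sample_log())
    for ip, row in report.items():
        print(ip, row)
    for ts, ip, n in alerts:
        print(f"ALERT {ts.isoformat()} {ip}: {n} requests inside window")
```

The report's `distinct_paths` and `errors` columns are what let an analyst tell a burst of legitimate browsing from a flood: the legitimate source touches several paths at a steady pace, while the flood source repeats one path fast enough to breach the window ceiling and starts collecting 503s. In practice the thresholds would be tuned per site, and the flagged set would feed the edge mitigation rather than just a printout.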
As was widely reported during WikiLeaks’ Operation Payback, MasterCard and Visa both suffered debilitating outages from the attack. It was also reported that they had intrusion prevention tools and firewalls in place, which alone were not adequate. However, a few organizations fared remarkably better, and lessons can be drawn from the contrasting technologies.