
Story: DDoS History as a Cyber Weapon
Like so many advancements in human history, they often have a tendency to be used for more than what the originator had conceived. The internet provides a vast amount of various beneficial services. Yet, those same services are often besieged by those that weld the collective power of the internet to conduct distributed denial of service attacks. In this story, we look at the DDoS history and its impact as a cyber weapon.
For over the past 60 years, we have seen numerous movies showcase the idea of a weapon weld the ability to flash an invisible wave of power that could knock some opposition’s computer or electronic system offline. Sometimes it’s in the form of a futuristic pistol generating pulses or a kill switch as in the ship Nebuchadnezzar in the movie Matrix.
Back to earth, we have seen this force in reality starting with the nuclear bomb test blasts that the U.S. has recorded for half century. The electromagnetic pulse effect of such detonations in the megatons at various altitudes have shown to have a powerful effect. As we’ll see in the podcast, ramifications from those nuclear blast tests have been felt at places like Hawaii where businesses and services have been knocked offline.
In all of these examples, the results are the form of a denial of service. Where a service has been rendered unavailable. With the collective nature of the internet, we have seen the effective power of forcing a network, site or service offline due to denial of service attacks. This is especially evident when the attacking power is distributed over numerous computer resources such as we seen provided by the botnets formed from the Zeus Trojan.
In this first part, we’ll examine DDoS history (distributed denial of service) and its role that it has played over the last two and half decades. From the origins of nothing more than juvenile uses to take over chat networks to military weapons used to take down entire nations. Like the cyber weapon we saw in the story on Stuxnet, DDoS attacks have shown to be a viable private and state-level weapons used to for extortion, smoke screens or military pre-strike attacks.
Fabulous Failure
In natural for most people and society to hear about the benefits of an education. In this fabulous failure we’re here about the story of hackers how have managed to circumvent the network of the Central Bank of Bangladesh. But despite holding all the chips, education or possibly a lack of, causes them to loose out on $700 million.
Story: DDoS History as a Cyber Weapon
Like so many advancements in human history, they often have a tendency to be used for more than what the originator had conceived. The internet provides a vast amount of various beneficial services. Yet, those same services are often besieged by those that weld the collective power of the internet to conduct distributed denial of service attacks. In this story, we look at the DDoS history and its impact as a cyber weapon.
For over the past 60 years, we have seen numerous movies showcase the idea of a weapon weld the ability to flash an invisible wave of power that could knock some opposition’s computer or electronic system offline. Sometimes it’s in the form of a futuristic pistol generating pulses or a kill switch as in the ship Nebuchadnezzar in the movie Matrix.
Back to earth, we have seen this force in reality starting with the nuclear bomb test blasts that the U.S.
Jan 24, 2017
32 min

STORY: The Business Club and the Zeus Trojan
So You Want to Be a Gangster?
Whether you hail from the old school shows like Dragnet, or something more recent like The Saprano’s, theres a reason why those shows did so well and attracted long time loyal audiences – its exciting and daring and a life not known by the everyday person like myself. The Hollywood picture of organized crime is painted in a colorful brush, one that’s quite different than the true story behind many of history’s timeline of criminal families, bosses and the crews we have read about. Such as the story behind the organized crime syndicate using the Zeus trojan.
But organized crime of the digital age has a new face a new hustle, one that is moving at breakneck speed and causing record breaking cost to businesses. In this show, were going to hear about one of those organization, one that has lasted, for over a decade.
“The Business Club” is an organization that ran the highly successful and unprecedented “Gameover ZeuS” network. Named after the original ZeuS trojan. It was a highly skilled and organized crew who comprised of a number of key core members and extended faction crews, not unlike any criminal organization of the 20th and 21st century.
Various criminal organization around the world that engage in any number of illegal vices such as arms and arms trafficking, racketeering and money laundering, rely on various skills of their members or extended crews to turn a profit. The Business Club members were known for various skills that directly contributed to their multi-million dollar enterprise. Whether that consisted of writing the malware, hackers for distribution or organizing money mules, each played a role in its success.
Lead by a Russian Evigeniy Mikhailovich Bogachev, the crew would compromise the computers of various nations around the world for years. Originally developed by Bogachev, the Gameover Zeus network was a highly sophisticated network of botnets and command and control servers.
But undermining the bank accounts of individuals and corporations wasn’t the only use of this system. There was another sinister operation at hand, one that might trace back to a political and state sponsored motivation. Listen to show and get the full story on who was “The Business Club”.
Sources
http://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/
http://cybersecurityventures.com/cybersecurity-market-report/
http://www.businessinsider.com/flashpoint-report-ransomware-2016-6
https://zeustracker.abuse.ch/faq.php
http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html
https://www.justice.gov/iso/opa/resources/2162014411104532407242.pdf
https://www.fox-it.
Dec 20, 2016
21 min

Story: The Story of Stuxnet [01:40]
In June 2010, a infected computer was discovered with a unknown strain of malware would end up kicking off a year long investigation that redefined the term cyber warfare. While many of the anti-virus and security communities opted for sidelining research on the newly discovered malware dubbed Stuxnet by Microsoft, there were a handful of small and enterprise groups that would relentlessly chase the answers to the malware’s unprecedented mysteries. Mysteries that would include nuclear weapons, assassinations and nation-state endorsed military offensives before it was all said and done.
At the end of 2009, the International Atomic Energy Association (IAEA) would discover that the Iranian uranium enrichment facility at Natanz Iran was loosing an unprecedented amount of centrifuges with in a short number of months. Centrifuges are a key component device in the the facilities ability to produce highly enriched uranium, now believed to be for the end goal of developing nuclear weapons. Loosing an enormous amount of centrifuges would highly impact the country’s nuclear program and their ability to produce enriched uranium. After months of a steady increase in the facilities operational centrifuges and produced enriched uranium, was this sudden down turn a product of scientific malfunction or was it sabotage?
If it was sabotage, there was only one problem. The facility at Natanz was disconnected from the outside world.
In military history, the sabotage of a strategic location would require ground forces at the target location. This is the story about a new covert military operation never seen before. A new cyber weapon, that once launched, could achieve the same physical sabotage and destruction without the intervention of a military force.
The Burning Question [56:20]
This episodes burning questions is about avoiding improper implementations of HTTP Strict Transport Security (HSTS).
I’ve talked extensively before about implementing HSTS in your web application. But the problem that I see out in the wild when it comes to HSTS is implementation details that could make all the difference to the level of benefit it adds to your application.
Transparency can have a benefit where it applies, such as knowing what a non-profit organization does with your donation, or certain government processes can be. But, transparency has no place when it comes implementing HSTS. However, it is quite common to find a web application announce its HSTS details over unsecured HTTP.
What does this mean and whats the big deal? The whole benefit of HSTS is to reduce the surface area of a man-in-the-middle attack by possibly reducing the number of HTTP request to your web application. It does this by allowing the browser to intercept insecure HTTP requests to your site and instead send the request over HTTPS. But in order for the browser to do that, your site does have to notify the browser about its HSTS policy.
However, if you’re HSTS policy never makes it to the browser, then the typical redirect song and dance will commence with each insecure HTTP request being vulnerable to a man-in-the-middle attack for the user. How would it not make it to the user? Through a man-in-the-middle scenario. Any attacker who sees the policy being issued can subsequently remove it. Leaving your browser none-the-wiser.
Therefore, in this episode we talk about when to provide the browser with your sites HSTS policy as well as what kind of redirect should be issued when it comes to HSTS.
Fabulous Failure [01:02:27]
It’s quite common place for hackers to ridicule a target for their poor security implementation after...
Mar 30, 2016
1 hr 7 min

Dave Rael is a dedicated father and husband and a seasoned software professional. He specializes in building distributed systems and understanding problem domains, especially via Domain-Driven Design and Behavior-Driven Development. Outside work, he’s usually playing with kids, playing basketball, lifting weights, coaching youth sports, and enjoying dirty jokes. He blogs at optimizedprogrammer.com about writing software and getting the most out of life and is the host of the Developer on Fire podcast at developeronfire.com, where he extracts inspiring stories from successful software geeks.
Dave is the voice behind the popular Developer on Fire podcast, but he is also a seasoned developer, and just like you and I, he’s down in the trenches. He’s learned a lot about software security over the years and his experience and journey has been similar to a lot of developers. In this interview, we get to learn some of Dave’s thoughts, experience, revelations and tips on developing secure applications.
Below are some highlight points of the interview:
[Interview]
(00:02:30) A bit about Dave.
(00:12:00) Eye opening Threats.
(00:14:50) Updates, Updates, Updates.
(00:25:00) Bolted on or Baked in?
(00:30:00) Hardest part about writing secure software
(00:32:00) Dave’s security recommendations for leaders
* BEEF Browser exploitation framework
I Need You: If you like the show, help me out and leave a review for the podcast on iTunes but also in Stitcher and don’t forget to check out other Lock Me Down podcast shows.
Dave Rael is a dedicated father and husband and a seasoned software professional. He specializes in building distributed systems and understanding problem domains, especially via Domain-Driven Design and Behavior-Driven Development. Outside work, he’s usually playing with kids, playing basketball, lifting weights, coaching youth sports, and enjoying dirty jokes. He blogs at optimizedprogrammer.com about writing software and getting the most out of life and is the host of the Developer on Fire podcast at developeronfire.com, where he extracts inspiring stories from successful software geeks.
Dave is the voice behind the popular Developer on Fire podcast, but he is also a seasoned developer, and just like you and I, he’s down in the trenches. He’s learned a lot about software security over the years and his experience and journey has been similar to a lot of developers. In this interview, we get to learn some of Dave’s thoughts, experience, revelations and tips on developing secure applications.
Below are some highlight points of the interview:
[Interview]
(00:02:30) A bit about Dave.
(00:12:00) Eye opening Threats.
(00:14:50) Updates, Updates, Updates.
(00:25:00) Bolted on or Baked in?
(00:30:00) Hardest part about writing secure software
(00:32:00) Dave’s security recommendations for leaders
* BEEF Browser exploitation framework
I Need You: If you like the show, help me out and leave a review for the podcast on <a href="https://itunes.apple.
Feb 16, 2016
40 min

We all have our favorite stories of adventures whether on the big screen or a novel that we just can't put down. Today I have a story about someone you might have heard of, he's an author, speaker, computer security expert. But he hasn't always been. Known as one of the forefathers of hacking, who was on the run from the authorities for a number of years, evading the law, accumulating hacking trophies, he was, the notorious hacker.
We'll also talk briefly on handling password resets in your app and finally a Fabulous failure that we'll make you question all your software.
Show Notes: http://lockmedown.com/the-notorious-hacker
Jan 19, 2016
40 min

You know those mysteries you might have read about, you know, those ones you couldn't put down. We'll I am glad you joined, because today, I have a mystery that you might know about, you might even have been part of, an unsolved mystery that is known as black Wednesday.
We'll also talk about that security risk with the wacky acronym (XSS) cross-site scripting. And with all the news about hacker ransom ultimatums, we'll they had to have inspiration from somewhere, we'll hear about how one mobile company feed the trolls. Get the show notes @ http://lockmedown.com/black-wednesday
Dec 16, 2015
28 min

Not all security analysts out there have a strong development background that helps them related to the everyday developer’s perspective. But when security analysts do, it translates in their capabilities to not only approach their analysis but also in their teaching and training to developers, you know the ones writing the potentially vulnerable code? Well, I got to sit down with a security analyst that has a strong background in both areas.
Sijmen Ruwhof has been working in the development and security space for the past 17 years and I had a chance to sit down with him and discuss with him a plethora of topics that directly related to developers in their pursuit to write more secure code, such as best practices, changes in the security landscape, recommended tools just to name a few.
Get this episode's show notes @ http://lockmedown.com/interview-sijmen-ruwhof
Dec 16, 2015
57 min

Back in August of 2015, Avid Life Media received a stunning ultimatum from some unknown hackers to shut down various sites after having breached the controversial cheating site Ashley Madison or face the consequences of having tens of gigabytes of customer information, source code, and other sensitive data be released to the public. Little to nothing was known about the team of hackers only known as "Impact Team" insinuating that there was more than one hacker. Or was it possibly a lone hacker that we know more about than originally thought. Find out on this episode of the Lock me down podcast.
Today, you will learn the 3 absolute ingredients needed for properly storing user passwords for your application and we'll discuss the fabulous failure that put one company out of business. You can find all the show notes for this episode at http://lockmedown.com/ashleymadison
Dec 16, 2015
26 min

You know how you are mesmerized by stories of double agents in your favorite spy movie, or the adventures you've heard about during the cold war. We'll, what about double agents in the hacker community? Listen to today's story about how one hacker established an international for-profit syndicate while working with the U.S. Secret service.
Also on today's episode, we'll find out the absolute solution to securing your application against the number one web security vulnerability, SQL Inject. And finally, I got a fabulous failure you won't want to miss - Sijmen Ruwhof turns up a blunder by the largest Danish bank that will knock your socks off.
You'll find all of the show notes at http://lockmedown.com/doubleagent
Dec 16, 2015
31 min
