Category Archives: IT Security (InfoSec)

AutoIT based DDoS Attack on my personal blog

I received several messages saying that my blog was reaching its allocated bandwidth, which I found pretty curious considering this is not a very popular blog. That said, I keep the bandwidth limits set pretty low just to protect myself from an attacker abusing my bandwidth resources. The first time I got the notification, I figured someone must be really excited to read about Litecoin or ergonomic keyboards or something and thought nothing of it.

That said, I logged in to view my raw access logs today, and it appears as if a script is being run on dozens of different servers just to perform the lowest-speed DDoS of all time. It appears as if this attacker is just trying to slowly eat away at my bandwidth 40k at a time.

[Image: AutoIT Bandwidth Attack] Caption: This attacker seems really concerned about me sharing the message of Litecoin and Yoga Balls with the world.

Every time I block one of the IPs involved in the attack, the attacker seems to have several dozen more in IP ranges all over the world. I contacted Hostgator to see if they have any ideas on how to mitigate the abuse. This wouldn’t be a surprising attack if it weren’t for the curious fact that this is probably the least exciting blog I can think of!
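As an added illustration (not the author’s script or logs), here is the kind of aggregation that makes the pattern described above visible in a raw access log: group requests by path and user agent instead of by address, so one script run from many hosts shows up as a single entry no matter which individual IPs have been blocked. The log lines are constructed, and the "AutoIt" user agent is an assumption standing in for whatever the script actually sent.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format; not the blog's real
# logs, and the "AutoIt" user agent is an assumed stand-in for what the script sent.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2013:10:01:02 -0500] "GET /litecoin-mining-guide/ HTTP/1.1" 200 40960 "-" "AutoIt"
198.51.100.7 - - [10/Apr/2013:10:01:09 -0500] "GET /litecoin-mining-guide/ HTTP/1.1" 200 40960 "-" "AutoIt"
203.0.113.5 - - [10/Apr/2013:10:01:15 -0500] "GET /litecoin-mining-guide/ HTTP/1.1" 200 40960 "-" "AutoIt"
192.0.2.10 - - [10/Apr/2013:10:02:02 -0500] "GET /litecoin-mining-guide/ HTTP/1.1" 200 40960 "-" "AutoIt"
198.51.100.7 - - [10/Apr/2013:10:02:09 -0500] "GET /litecoin-mining-guide/ HTTP/1.1" 200 40960 "-" "AutoIt"
203.0.113.9 - - [10/Apr/2013:10:03:30 -0500] "GET /about/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
203.0.113.5 - - [10/Apr/2013:10:03:15 -0500] "GET /litecoin-mining-guide/ HTTP/1.1" 200 40960 "-" "AutoIt"
"""

# One combined-format line: client IP, request line, status, bytes sent, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, path, user_agent, bytes_sent), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sent = 0 if m["bytes"] == "-" else int(m["bytes"])  # "-" means nothing was sent
    return m["ip"], m["path"], m["ua"], sent

def distributed_fetchers(log_text, min_ips=3):
    """Group requests by (path, user agent) and keep the groups hit from at least
    min_ips distinct addresses. A script run from many hosts shows up as one group
    whose path and user agent survive as individual IPs get blocked, so the group
    is the better thing to rate-limit or filter on than any single address."""
    groups = defaultdict(lambda: {"ips": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, path, ua, sent = rec
        g = groups[(path, ua)]
        g["ips"].add(ip)
        g["requests"] += 1
        g["bytes"] += sent  # total quota eaten by this group, ~40k per request here
    return {k: v for k, v in groups.items() if len(v["ips"]) >= min_ips}
```

Running `distributed_fetchers(SAMPLE_LOG)` on the constructed lines yields one group, the guide page fetched under the assumed "AutoIt" agent from three addresses, while the ordinary browser visit to /about/ is left out.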

I’m just going to have to assume someone is very upset that people are using my Litecoin mining guide to mine Litecoin. If anyone has any ideas or feedback, let me know! I’ll post the IP addresses in the hope that some of their owners will notice that they may have compromised equipment.

IP Addresses causing abuse:


Does Bitcoin need more regulation?

I’ve been casually involved in the Bitcoin community now for almost two years. A very close friend of mine and contributor to this site, Andrew Miller, introduced me to Bitcoin well before the topic had garnered much traction. I had the opportunity once, while visiting him, to meet a handful of the core developers and have some very good conversations about Bitcoin.

As a result of those conversations, and my experience in IT audit and compliance while working for Greenwire IT Consulting, I’ve noticed some “low-hanging fruit” in Bitcoin. I definitely feel that the lack of a central authority is what gives Bitcoin its flexibility and arguably a lot of its security. Still, as with any industry conducting financial transactions, industry best practices should be established externally, and even the best-run companies require both internal and external scrutiny.

My Bitcoin Governance Suggestions:

  • Implement PCI-DSS

Realistically, all companies accepting Bitcoin probably should already be conducting PCI-DSS audits. Although they are not directly accepting credit cards, audits of private data and standardised retention policies are a must for all businesses. If the pizzeria around the corner has to meet PCI-DSS, Bitcoin processors should too.

  • Outside Audit

I’ll be the first person to concede that PCI-DSS lacks teeth. It’s designed as a bare minimum to protect typical businesses from IT risk. It could be said that Bitcoin doesn’t fit that risk profile, as we’re more or less dealing with digital cash. That doesn’t mean there shouldn’t be an audit mechanism. It’s generally accepted that companies, when left to their own devices, will inadvertently ignore certain forms of risk. The Bitcoin industry should move to a form of voluntary audit and compliance to maintain best practices consistently. This would also serve to identify Ponzi schemes and keep other untrustworthy players from gaining unrealistic traction in the community.

  • Penetration Testing

Pentesting is not cheap, and it is not 100% effective. But it is an industry best practice for a reason. Although we don’t yet know the details of the successful MtGox attack, there’s a reasonable chance that the exploited vulnerability could have been identified beforehand by a competent security professional. With the value of Bitcoins currently very high, there will undoubtedly be further attacks. Until all Bitcoin transactors start employing full-time InfoSec professionals, hacks will continue to be the norm.

  • Industry Group

Although there are a few attempts at building a Bitcoin industry group, one example being the Bitcoin Foundation, there is no set of industry best practices yet to govern how to handle digital cash.

Realistically, all of my suggestions are probably premature. Bitcoin is so new and unstable that the cost of compliance may cripple the small startups on the Bitcoin scene. That said, they need to happen: the cost of security compromises is hurting Bitcoin’s reputation and relegating it to the wild west of currencies, when in reality, mixed with good governance, Bitcoin could be as sound as traditional currency. As of now, however, in this author’s opinion the attitude against self-regulation is creating an environment that is unnecessarily risky.