Wednesday, December 18, 2013

Threat level: puce

Errata Security is officially raising our cyberhack alert level to "puce".

In that 60 Minutes story about the NSA, they showed the "Cyber Operations Center", and the dashboard with "Current Cyber Alert Levels". The NSA gets their alerts from various organizations, like SANS, Symantec, and IT-ISAC.

These alert levels are never really as predictive as people would hope. They are more like the weatherman who tells you "it's raining" when you can simply open your window and see for yourself.

But a lot of the time, we can predict that something is going to happen, such as right now. Germany's Chaos Computer Club (CCC) is having their yearly Congress in Hamburg in a few days. They are going to provide the conference with an unprecedented 100-gbps Internet connection. There's a good chance something interesting will happen.

Hacker conventions usually have fast connections, like this past year's DEF CON, which provided 100-mbps to the Internet. But these connections really aren't interesting. I can already use bitcoins to rent an anonymous VPS with a 100-mbps connection, so when I go to DEF CON, my first thought isn't how I can exploit this free Internet access.

But the CCC network is a thousand times faster. Suddenly, it becomes very interesting, especially now that we have tools that can exploit that level of bandwidth. If things go according to plan, then everyone, everywhere on the Internet, is going to see a high level of incoming port scans from the Internet over those days. In the past, slow scans at a mere 100-mbps have caused organizations to panic, waking people up for midnight emergency conference calls, thinking they are under attack. What's going to happen at the CCC Congress is going to be a thousand times worse.

Therefore, I'm writing my own advisory. I'm setting the Errata Security Threat Level to "puce" to warn people that the dates Dec. 27 through Dec. 30, inclusive, are going to result in a high rate of incoming network traffic, primarily port scans. It's not necessarily a problem, but at the same time, your firewall administrators shouldn't panic, fearing a cyberblitz from the Germans.
