Search results for search results for malware – online cyber security news electricity recruitment 2015

The growing popularity of Bitcoin and other cryptocurrencies is generating curiosity—and concern—among security specialists. Crypto mining software has been found on user machines, often installed by botnets. Organizations need to understand the risks posed by this software and what actions, if any, should be taken.

To better advise our readers, we reached out to the security researchers at Cato Networks. Cato provides a cloud-based SD-WAN that includes FireWall as a Service (FWaaS). Its research team, Cato Research Labs, maintains the company’s Cloud IPS, and today released a list of crypto mining pool addresses that you can use as a blacklist in your firewall. (To download the list, visit this page.)

Crypto mining is the process of validating cryptocurrency transactions and adding encrypted blocks to the blockchain. Miners solve a hash to establish a valid block, receiving a reward for their efforts. The more blocks mined, the more difficult and resource-intensive becomes solving the hash to mine a new block.

Today, the mining process can require years with an off-the-shelf computer. To get around the problem, miners use custom hardware to accelerate the mining process, as well as forming "mining pools" where collections of computers work together to calculate the hash.

Participating in mining pools requires computers run native or JavaScript-based mining software (see Figure 1). Both will use the Stratum protocol to distribute computational tasks among the computers in the mining pool using TCP or HTTP/S (technically, WebSockets over HTTP/S).

Mining software poses a risk to the organization on two accounts. In all cases, mining software is highly compute-intensive, which can slow down an employee’s machine. Running CPUs with a “high-load” for an extended period of time will increase electricity costs and may also shorten the life of the processor or the battery within laptops.

Mining software is also being distributed by some botnets. Native mining software accesses the underlying operating system in a way similar to how botnet-delivered malware exploits a victim’s machine. As such, the presence of native mining software may indicate a compromised device.

DPI engines can disrupt blockchain communications by blocking Stratum over TCP. Stratum uses a publish/subscribe architecture where servers send messages (publish) to subscribed clients. Blocking the subscription or publishing process will prevent Stratum from operating across the network.

Organizations could configure firewall rules to use a blacklist and block the relevant addresses. In theory, such a list should be easy to create as the necessary information is publicly available. Most mining pools publish their details over the Internet in order to attract miners to their networks (see Figure 4).

To address the issue, Cato Research Labs generated its own list of mining pool addresses for use by the greater community. Using Google to identify sites and then employing scraping techniques, Cato researchers were able to extract pool addresses for many mining pools.

Cato researchers wrote code that leveraged those results to develop a mining-pool address feed. Today, the list identifies hundreds of pool addresses (see Figure 5) and should be suitable for most DPI rule engines. See here for the full list.

Cato Research Labs provided a list of address that can be used towards that goal, blocking access to public blockchain pools. But there’s always a chance of new pools or addresses, which is why Cato Research Labs strongly recommend constructing rules using a DPI engine with sufficient encrypted-session capacity.

Moreover, there’s no substantial evidence yet available which can prove these allegations, but an article published by US media WSJ in October claimed that Kaspersky software helped Russian spies steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer’s home PC.

Underlining that U.S. authorities have not provided any substantial evidence of wrongdoing by the company, CEO Eugene Kaspersky wrote in an open letter to the Homeland Security agency on Monday, stressing that the "DHS’s decision is unconstitutional" and based purely on "subjective, non-technical public sources."

"Unfortunately, in the case of Binding Operational Directive 17-01, DHS did not provide Kaspersky Lab with a meaningful opportunity to be heard before the Directive’s issuance, and therefore, Kaspersky Lab’s due process rights were infringed."

Kaspersky argues that the company was not given enough time to contest allegations before the DHS issued a ban, and that the documents available at the time of the ban were based more on references than a technical threat that the company could analyze and respond to.

The network architecture is also made far more complex, particularly for global organizations. Not only must they rollout multiple regional hubs, but multiple hubs must be deployed in geographically dispersed regions or those regions with a high concentration of branches.

Cloud computing offers a new way to solve the edge firewall dilemma. With "cloud bursting," enterprises seamlessly extend physical data center capacity to a cloud datacenter when traffic spikes or they exhaust resources of their physical datacenter.

Firewall bursting does something similar to under-capacity, branch firewalls. Edge security processing is minimized where firewall capacity is constrained, and advanced security is applied in the cloud, where resources are scalable and elastic.

Purpose-built, global Firewall as a Service (FWaaS) is another option. FWaaS providers, such as Cato Networks, create a global network of Points of Presence (PoPs), providing a full network security stack specifically built for cloud scalability.

While the PoPs are distributed, they act "together" as a single logical firewall instance. The PoPs are highly redundant and resilient, and in case of outages, processing capacity seamlessly shifts inside or across PoPs, so firewall services are always available.

The PoPs are capable of processing very large volumes of WAN and Internet traffic. Because adding processing capacity either within PoPs or by adding new PoPs is transparent to customers, you don’t have to adjust policies or reconfigure your environment to accommodate changes in load or traffic mix.