Tag Archives: year’s

OnePlus Site’s Payment System Reportedly Hacked to Steal Credit Card Details


This year’s first bad news for OnePlus users—a large number of OnePlus customers are reporting of fraudulent credit card transactions after buying products from the Chinese smartphone manufacturer’s official online store.

The claim initially surfaced on the OnePlus support forum over the weekend, from a customer who said that two of his credit cards used on the company’s official website were suspected of fraudulent activity.

“The only place that both of those credit cards had been used in the last 6 months was on the Oneplus website,” the customer wrote.

A good number of users later posted similar complaints on the OnePlus forums, Twitter and Reddit, saying they had also become victims of credit card fraud.

Many of the customers claimed that their credit cards had been compromised after they bought a new phone or some accessories directly from the OnePlus official website, indicating that the leak might have been through the company itself.

Cybersecurity firm Fidus also published a blog post detailing the alleged issue with the OnePlus website’s on-site payment system. The firm suspected that the servers of the OnePlus website might have been compromised.


According to Fidus, OnePlus is currently conducting the transactions itself on-site, which means that all billing information along with all credit card details entered by its customers flow through the OnePlus official website and can be intercepted by attackers.

“Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus wrote.

Fidus went on to clarify that their findings did not in any way confirm that the OnePlus website was breached; instead, they suggested the attacks might have come from the Magento eCommerce platform—which is used by OnePlus and is “a common platform in which credit card hacking takes place.”
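The “window” Fidus describes is code on the checkout page itself: a script that runs before the card data is handed to the third-party processor. One defender-side control is to keep a baseline of every script the checkout page is allowed to carry and to diff live copies of the page against it. The following is an added example, not code from the article, OnePlus or Fidus; the HTML, the processor URL and the baseline are constructed samples.

```python
# Added example: a defender-side integrity check for a checkout page. It is
# not code from the article, OnePlus or Fidus. Every <script> on the page is
# reduced to a fingerprint (the SHA-256 of an inline script body, or the src
# URL of an external one) and compared with a baseline recorded when the page
# was known to be clean; anything not in the baseline is reported. The HTML
# and the baseline below are constructed samples.
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects ("src", url) for external scripts and ("inline", body) for inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf)))


def fingerprint(kind, value):
    """External scripts are identified by URL, inline ones by a content hash."""
    if kind == "src":
        return "src:" + value
    return "sha256:" + hashlib.sha256(value.strip().encode("utf-8")).hexdigest()


def page_fingerprints(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {fingerprint(kind, value) for kind, value in parser.scripts}


def unexpected_scripts(html, baseline):
    """Fingerprints present on the page but absent from the baseline, sorted."""
    return sorted(page_fingerprints(html) - set(baseline))


# Constructed clean checkout page: the payment form, the processor's script
# and one inline initialiser (all names and URLs are hypothetical).
CLEAN_CHECKOUT = """<html><body>
<form id="payment"><input name="card_number"></form>
<script src="https://pay.processor.example/checkout.js"></script>
<script>initCheckout("payment");</script>
</body></html>"""

# Baseline captured from the clean copy.
BASELINE = page_fingerprints(CLEAN_CHECKOUT)

# Constructed later copy of the page carrying one inline script that was never approved.
TAMPERED_CHECKOUT = CLEAN_CHECKOUT.replace(
    "</form>", '</form><script>window.__extra = 1;</script>')


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_CHECKOUT), ("tampered", TAMPERED_CHECKOUT)):
        print(name, "->", unexpected_scripts(page, BASELINE) or "no unexpected scripts")
```

The check is deliberately blind to what an unexpected script does: on a payment page any script that is not in the approved set is worth an alert, and hashing inline bodies means a one-character change to an approved script also shows up. External scripts are keyed by URL only, so pairing this with Subresource Integrity on those tags covers the case where the file behind an approved URL changes.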

OnePlus has quickly responded to the issue on its forum, confirming that it does not store any credit card information on its website and all payment transactions are carried out through its PCI-DSS-compliant payment processing partner.

Only credit card-related information of users who have enabled the “save this card for future transactions” feature is stored on OnePlus’ official servers, but even they are secured with a token mechanism.

“Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit,” a company staffer using the name ‘Mingyu’ wrote.

The Chinese smartphone maker also confirms that purchases involving third-party services like PayPal are not affected.


OnePlus does not reveal much information on the incident but confirms that its official website is not affected by any Magento vulnerability.

The company confirms that oneplus.net was indeed built on the Magento eCommerce, but said since 2014, it has entirely been re-built using custom code, adding that “credit card payments were never implemented in Magento’s payment module at all.”

There are almost 100 claims of fraudulent credit card transactions on the OnePlus support forums. OnePlus announces a formal investigation into the matter, and advises affected users to contact their bank to reverse the payment.

Fourth Fappening Hacker Admits to Stealing Celebrity Pics From iCloud Accounts


Almost three years after the massive leak of high-profile celebrities’ nude photos, well known as “The Fappening” or “Celebgate” scandal, a fourth hacker has been charged with hacking into over 250 Apple iCloud accounts belonging to Hollywood celebrities.

George Garofano, 26, of North Branford, who had been arrested by the FBI, has been charged in federal court with violating the Computer Fraud and Abuse Act.

Garofano has admitted to illegally obtaining credentials for his victims’ iCloud accounts using a phishing scheme, which eventually allowed him to steal personal information on his victims, including sensitive and private photographs and videos.

Among the celebrities whose nude photographs were posted online back in 2014 are Jennifer Lawrence, Kim Kardashian, Kirsten Dunst, and Kate Upton. Other victims include American Olympic gold medallist Misty May Treanor and actors Alexandra Chando, Kelli Garner and Lauren O’Neil.

Between April 2013 and October 2014, Garofano sent phishing emails that pretended to be from Apple’s security team to several celebrities, tricking them into providing their iCloud account credentials, which he then used to access their accounts illegally.

“Garofano admitted that he sent emails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them,” the Justice Department said.

Besides stealing victims’ personal information, including sensitive and private photographs and videos, from their iCloud accounts using stolen credentials, Garofano, in some instances, also traded the stolen credentials, along with the materials he stole from the victims’ accounts, with other individuals.

In a plea agreement signed Thursday in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorised access to a protected computer to obtain information, facing up to 5 years in prison.

Garofano is the fourth hacker charged in connection with the Celebgate incident. Emilio Herrera, 32, Edward Majerczyk, 28, and Ryan Collins, 36, pleaded guilty last year to being involved in the celebrity photo hack.

While Herrera is waiting for sentencing next month, Majerczyk was sentenced to nine months in prison and Collins was sentenced to 18 months last year.

The investigation into the Celebgate scandal is being conducted by the U.S. Federal Bureau of Investigation.

Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day


If you think the CPU updates addressing this year’s major security flaws, Meltdown and Spectre, are the only ones you are advised to grab immediately, think again: there are a handful of other major security flaws you should pay attention to.

Microsoft has issued its first Patch Tuesday of 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office that has been actively exploited by several threat groups in the wild.

Sixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework.

The zero-day vulnerability (CVE-2018-0802), described by Microsoft as a memory corruption flaw in Office, has been targeted in the wild by several threat actor groups over the past few months.

The vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security’s 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad.

According to the company, this security flaw is related to CVE-2017-11882—a 17-year-old vulnerability in the Equation Editor functionality (EQNEDT32.EXE), which Microsoft addressed in November.

When researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a blog post published by Check Point.

Besides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office.

A spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for Mac, which has been listed as publicly disclosed (the Mailsploit attack), has also been addressed by the company. The vulnerability prevents some versions of Outlook for Mac from handling the encoding and display of email addresses properly, causing antivirus or anti-spam scanning not to work as intended.

Microsoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to show their invalid certificates as valid.

“An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose,” describes Microsoft. “This action disregards the Enhanced Key Usage taggings.”

The company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer.

All these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially-crafted webpage that triggers a memory corruption error, though none of these has been exploited in the wild yet.

Meanwhile, Adobe has patched a single out-of-bounds read flaw (CVE-2018-4871) this month that could allow for information disclosure, though no active exploits have been seen in the wild.

Users are strongly advised to apply the October security patches as soon as possible to prevent hackers and cybercriminals from taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

15-Year-Old Apple macOS 0-Day Kernel Flaw Disclosed, Allows Root Access


A security researcher on New Year’s eve made public the details of an unpatched security vulnerability in Apple’s macOS operating system that can be exploited to take complete control of a system.

On the first day of 2018, a researcher using the online moniker Siguza released the details of the unpatched zero-day macOS vulnerability, which he suggests is at least 15 years old, and proof-of-concept (PoC) exploit code on GitHub.

The bug is a serious local privilege escalation (LPE) vulnerability that could enable an unprivileged user (attacker) to gain root access on the targeted system and execute malicious code. Malware designed to exploit this flaw could fully install itself deep within the system.

From looking at the source, Siguza believes this vulnerability has been around since at least 2002, but some clues suggest the flaw could actually be ten years older than that. “One tiny, ugly bug. Fifteen years. Full system compromise,” he wrote.

This local privilege escalation flaw resides in IOHIDFamily, an extension of the macOS kernel which has been designed for human interface devices (HID), like a touchscreen or buttons, allowing an attacker to install a root shell or execute arbitrary code on the system.

“IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately lead to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements,” the researcher explains.

“I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability.”

The exploit created by Siguza, which he dubbed IOHIDeous, affects all versions of macOS and gives an attacker an arbitrary read/write primitive in the kernel.

Besides this, IOHIDeous also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features that offer protection against malware.

The PoC code made available by Siguza has for some reason stopped working on macOS High Sierra 10.13.2 and works on macOS High Sierra 10.13.1 and earlier, but he believes the exploit code can be tweaked to work on the latest version as well.

However, the researcher pointed out that for his exploit to work, it needs to force a log out of the logged-in user, though this can be concealed by having the exploit run when the targeted machine is manually shut down or rebooted.

Since the vulnerability only affects macOS and is not remotely exploitable, the researcher decided to dump his findings online instead of reporting it to Apple. For those unaware, Apple’s bug bounty program does not cover macOS bugs.

For in-depth technical details about the vulnerability, you can head on to the researcher’s write-up on GitHub.

Imgur—Popular Image Sharing Site Was Hacked In 2014; Passwords Compromised


Only a few days after Uber admitted last year’s data breach of 57 million customers, the popular image sharing site Imgur disclosed that it had suffered a major data breach in 2014 that compromised the email addresses and passwords of 1.7 million user accounts.

In a blog post published on Friday, Imgur claimed that the company had been notified of a three-year-old data breach on November 23 when a security researcher emailed the company after being sent the stolen data.

Imgur’s Chief Operating Officer (COO) then alerted the company’s founder and the Vice President of Engineering to the issue before they began working to validate that the data belonged to Imgur users.

After completing the data validation, the company confirmed Friday morning that the 2014 data breach impacted approximately 1.7 million Imgur user accounts (a small fraction of its 150 million user base) and that the compromised information included only email addresses and passwords.

Since Imgur has never asked for people’s real names, phone numbers, addresses, or any other personally-identifying information (PII), no other personal information was allegedly exposed in the data breach.

The company also said that the stolen passwords were scrambled with the older SHA-256 hashing algorithm, which can be easily cracked using brute force attacks.

However, Imgur’s COO Roy Sehgal said the website had already moved from SHA-256 to the much stronger bcrypt password scrambler last year.

“We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time,” the image sharing service said. “We updated our algorithm to the new bcrypt algorithm last year.”
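Why a plain SHA-256 hash is “easily cracked” and what the move to a slow, salted hash buys is easiest to see in code. The following is an added example, not Imgur’s code: it keeps the legacy record format verifiable, re-hashes a user’s password under the stronger scheme the first time they log in successfully (so no mass reset is needed), and shows a wordlist check against both. bcrypt is not in Python’s standard library, so hashlib.scrypt stands in for it here; that substitution, the record format and the sample passwords are all assumptions of this example.

```python
# Added example, not Imgur's code. Records carry an algorithm tag so the
# verifier can accept a legacy SHA-256 hash once and immediately re-hash the
# password under a slow, salted KDF. The article names bcrypt; bcrypt is not
# in Python's standard library, so hashlib.scrypt is used here (assumption)
# to show the same two properties: a per-user salt and a tunable cost.
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1     # cost parameters, tunable


def legacy_sha256(password):
    """The kind of record the article describes: one fast, unsalted hash."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def scrypt_hash(password, salt=None):
    """Salted, memory-hard hash; a fresh random salt when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify(record, password):
    """Check a password against either record format, in constant time."""
    algo, _, rest = record.partition("$")
    if algo == "sha256":
        return hmac.compare_digest(record, legacy_sha256(password))
    if algo == "scrypt":
        salt_hex, _, _ = rest.partition("$")
        return hmac.compare_digest(record, scrypt_hash(password, bytes.fromhex(salt_hex)))
    raise ValueError("unknown hash algorithm: " + algo)


def verify_and_upgrade(record, password):
    """Returns (ok, record_to_store). The stored record changes only when the
    password verified against a legacy hash and has been re-hashed."""
    if not verify(record, password):
        return False, record
    if record.startswith("sha256$"):
        return True, scrypt_hash(password)
    return True, record


def recover_from_wordlist(record, candidates):
    """Offline check of a record against candidate passwords: instant for the
    legacy format, one full scrypt computation per candidate for the new one."""
    for candidate in candidates:
        if verify(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample user and a constructed wordlist.
    old = legacy_sha256("hunter2")
    ok, new = verify_and_upgrade(old, "hunter2")
    print("login ok:", ok, "| upgraded:", new.startswith("scrypt$"))
    print("legacy record recovered:", recover_from_wordlist(old, ["letmein", "hunter2"]))
```

The point of the tag prefix is that old and new records coexist in one column during the migration; once every active user has logged in, the remaining sha256$ rows belong to dormant accounts and can be force-reset, which is the step Imgur is now taking for the whole affected set.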

The company has begun notifying affected users along with enforcing a password change.

Moreover, those using the same email address and password combination across multiple sites and applications are advised to change those details as well.

It’s still not known how this incident occurred and went unnoticed for roughly three years. Imgur is still actively investigating the intrusion and will be sharing details as soon as they become available.

Security expert Troy Hunt, who notified Imgur of the incident, praised the company for its swift response to the breach notification and its disclosure of the data breach.

“I want to recognise @imgur’s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilising people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!” Hunt tweeted. 

“This is really where we’re at now: people recognise that data breaches are the new normal and they’re judging organizations not on the fact that they’ve had one, but on how they’ve handled it when it happened.”

Imgur is yet another company in a series of security breaches that took place years ago but have only come to light in 2017. Other companies that revealed major breaches years after they occurred include Yahoo, Uber, LinkedIn, Disqus, and MySpace.

After Getting Hacked, Uber Paid Hackers $100,000 to Keep Data Breach Secret


Uber is in headlines once again—this time for concealing last year’s data breach that exposed personal data of 57 million customers and drivers.

On Tuesday, Uber announced that the company suffered a massive data breach in October 2016 that exposed names, e-mail addresses and phone numbers of 57 million Uber riders and drivers along with driver license numbers of around 600,000 drivers.

However, instead of disclosing the breach, the company paid $100,000 in ransom to the two hackers who had access to the data in exchange for keeping the incident secret and deleting the information, according to a report published by Bloomberg.

Uber said none of its own systems were breached; rather, two individuals outside the company inappropriately accessed and downloaded 57 million Uber riders’ and drivers’ data that was stored on a third-party cloud-based service.

The cyberattack exposed the names and driver license numbers of some 600,000 drivers in the United States, and the names, emails, and mobile phone numbers of around 57 million Uber users worldwide, which included drivers as well.

However, the company said other personal details, such as trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth, were not accessed in the attack.


Uber Hid 57 Million User Data Breach For Over a Year

According to the Bloomberg report, former Uber CEO Travis Kalanick learned of the cyber attack in November 2016, when the company was negotiating with the Federal Trade Commission (FTC) on a privacy settlement.

So, the company chose to pay the two hackers $100,000 to delete the stolen information and keep quiet about the incident and finally agreed to the FTC settlement three months ago, without admitting any wrongdoing.

Uber Technologies Inc. only told the FTC about the October 2016 data incident on Tuesday, when the breach was made public by Bloomberg.

However, this secret payment eventually cost Uber security executives their jobs for their handling of the incident.

Now Uber CEO Dara Khosrowshahi has reportedly asked for the resignation of Uber Chief Security Officer Joe Sullivan, and one of his deputies, Craig Clark, who worked to keep the attack quiet.

“None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.

“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Uber is notifying regulatory authorities and offering affected drivers free credit monitoring and identity theft protection.

The company also says that it is monitoring the affected accounts for fraudulent activity and that riders do not need to take any action regarding this incident. It’s likely that Uber will force its customers to reset their passwords for its app.

2-Year-Old Linux Kernel Issue Resurfaces As High-Risk Flaw


A bug in the Linux kernel that was discovered two years ago, but was not considered a security threat at that time, has now been recognised as a potential local privilege escalation flaw.

Identified as CVE-2017-1000253, the bug was initially discovered by Google researcher Michael Davidson in April 2015.

Since it was not recognised as a serious bug at that time, the patch for this kernel flaw was not backported to long-term Linux distributions in kernel 3.10.77.

However, researchers at Qualys Research Labs have now found that this vulnerability could be exploited to escalate privileges, and that it affects all major Linux distributions, including Red Hat, Debian, and CentOS.

The vulnerability means that “all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable,” Qualys said in an advisory published yesterday.

The vulnerability, which has been given a CVSS3 Base Score of 7.8 out of 10, resides in the way Linux kernel loads ELF executables, which potentially results in memory corruption.

Researchers found that an unprivileged local user with access to a SUID (or otherwise privileged) Position Independent Executable (PIE) binary could use this vulnerability to escalate their privileges on the affected system.

In order to mitigate this issue, users can switch to the legacy mmap layout by setting vm.legacy_va_layout to 1, which will effectively disable the exploitation of this security flaw.

Since the mmap allocations start much lower in the process address space and follow the bottom-up allocation model, “the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.”

Qualys says this flaw is not limited to the PIEs whose read-write segment is larger than 128MB, which is the minimum distance between the mmap_base and the highest address of the stack, not the lowest address of the stack.

So, when passing 1.5GB of argument strings to execve(), any PIE can be mapped directly below the stack and trigger the vulnerability.
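Two things an administrator can check on a host before the distribution update lands follow from the text above: whether the vm.legacy_va_layout mitigation is actually in force, and which privileged binaries meet the attack’s precondition (setuid and position independent, i.e. ELF type ET_DYN). The script below is an added example, not from the article, Qualys or any distribution; the ELF headers it writes into a temporary directory are constructed samples, and on a real host you would point find_setuid_pies at /usr and read the real /proc file.

```python
# Added example, not from the article, Qualys or any distribution: two checks
# a defender can run against the conditions the article describes. The sysctl
# vm.legacy_va_layout=1 is the mitigation the article names; the ELF scan
# finds the prerequisite of the attack, a setuid (or otherwise privileged)
# binary that is position independent (ELF type ET_DYN). The sample files in
# demo_in_tempdir() are constructed ELF headers, not real binaries.
import os
import stat
import tempfile

ET_EXEC, ET_DYN = 2, 3          # e_type values from the ELF specification
ELF_MAGIC = b"\x7fELF"


def legacy_va_layout_enabled(path="/proc/sys/vm/legacy_va_layout"):
    """True when the legacy (bottom-up) mmap layout is in force."""
    with open(path) as f:
        return f.read().strip() == "1"


def is_pie_elf(header):
    """True if the first bytes of a file form an ELF header of type ET_DYN."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return False
    byteorder = "little" if header[5] == 1 else "big"    # EI_DATA
    e_type = int.from_bytes(header[16:18], byteorder)
    return e_type == ET_DYN


def find_setuid_pies(root):
    """Walk root and list regular files with the setuid bit whose ELF type is ET_DYN."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                with open(path, "rb") as f:
                    header = f.read(64)
            except OSError:
                continue            # unreadable files are skipped, not fatal
            if is_pie_elf(header):
                hits.append(path)
    return hits


def make_elf_header(e_type, little_endian=True):
    """Constructed 64-byte ELF64 header carrying only the fields the scan reads."""
    hdr = bytearray(64)
    hdr[0:4] = ELF_MAGIC
    hdr[4] = 2                                  # EI_CLASS: ELFCLASS64
    hdr[5] = 1 if little_endian else 2          # EI_DATA
    hdr[6] = 1                                  # EI_VERSION
    hdr[16:18] = e_type.to_bytes(2, "little" if little_endian else "big")
    return bytes(hdr)


def demo_in_tempdir():
    """Constructed tree: a setuid PIE, a setuid non-PIE and a non-setuid PIE."""
    root = tempfile.mkdtemp()
    samples = {"suid_pie": (ET_DYN, 0o4755),
               "suid_exec": (ET_EXEC, 0o4755),
               "plain_pie": (ET_DYN, 0o755)}
    for name, (e_type, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(make_elf_header(e_type))
        os.chmod(path, mode)
    sysctl_file = os.path.join(root, "legacy_va_layout")   # stands in for /proc
    with open(sysctl_file, "w") as f:
        f.write("1\n")
    return {"setuid_pies": sorted(os.path.basename(p) for p in find_setuid_pies(root)),
            "legacy_on": legacy_va_layout_enabled(sysctl_file)}


if __name__ == "__main__":
    print(demo_in_tempdir())
    # On a real host: find_setuid_pies("/usr") and legacy_va_layout_enabled()
```

Only the setuid PIE is reported; the setuid ET_EXEC binary and the unprivileged PIE are not the combination the article describes. Note that setting vm.legacy_va_layout changes where every new process’s mmap region starts, so it is a stop-gap to apply with the kernel update scheduled, not a permanent setting.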

Linux distributions, including Red Hat, Debian, and CentOS, have released security updates to address the vulnerability.

The Qualys team has promised to publish a proof-of-concept exploit soon that works on CentOS-7 kernel versions “3.10.0-514.21.2.el7.x86_64” and “3.10.0-514.26.1.el7.x86_64,” once the maximum number of users have had time to patch their systems against the flaw.

Stay Tuned!


Here’s How Hackers Can Hijack Your Online Bitcoin Wallets


Researchers have been warning for years about critical issues with the Signaling System 7 (SS7) that could allow hackers to listen in private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.

Despite fixes being available for years, the global cellular networks have consistently been ignoring this serious issue, saying that the exploitation of the SS7 weaknesses requires significant technical and financial investment, so is a very low risk for people.

However, earlier this year we saw real-world attacks in which hackers utilised this design flaw in SS7 to drain victims’ bank accounts, intercepting the two-factor authentication code (one-time passcode, or OTP) sent by banks to their customers and redirecting it to themselves.

If that incident wasn’t enough for the global telecoms networks to consider fixing the flaws, white hat hackers from Positive Technologies have now demonstrated how cybercriminals could exploit the SS7 flaw to take control of online bitcoin wallets and steal all your funds.

Created in the 1980s, SS7 is a telephony signalling protocol that powers over 800 telecom operators across the world, including AT&T and Verizon, to interconnect and exchange data, like routing calls and texts with one another, enabling roaming and other services.

Here’s How Hackers Hacked into a Bitcoin Wallet and Stole Funds

While demonstrating the attack, the Positive researchers first obtained the Gmail address and phone number of the target, and then initiated a password reset request for the account, which involved a one-time authorization token being sent to the target’s phone number.

Just like in previous SS7 hacks, the Positive researchers were able to intercept the SMS messages containing the 2FA code by exploiting known design flaws in SS7 and gain access to the Gmail inbox.

From there, the researchers went straight to the Coinbase account that was registered with the compromised Gmail account and initiated another password reset, this time, for the victim’s Coinbase wallet. They then logged into the wallet and emptied it of crypto-cash.

Fortunately, this attack was carried out by security researchers rather than cybercriminals, so there wasn’t any actual fraud of bitcoin cryptocurrencies.

This issue looks like a vulnerability in Coinbase, but it’s not. The real weakness resides in the cellular system itself.

Positive Technologies has also posted a proof-of-concept video, demonstrating how easy it is to hack into a bitcoin wallet just by intercepting text messages in transit.

Different SS7 Attack Scenarios

This attack is not limited to cryptocurrency wallets. Any service, be it Facebook or Gmail, that relies on SMS-based two-step verification is vulnerable to the attack.

The design flaws in SS7 have been known since 2014, when a team of researchers at German Security Research Labs alerted the world to them.

The flaws could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.

Last year, the researchers from Positive Technologies also gave demonstrations of WhatsApp, Telegram, and Facebook hacks using the same design flaws in SS7 to bypass the two-factor authentication used by those services.

On the TV program 60 Minutes, Karsten Nohl of German Security Research Labs last year demonstrated the SS7 attack on US Congressman Ted Lieu’s phone number (with his permission), successfully intercepting his iPhone’s communications, recording a call, and tracking his precise location in real time just by using his cell phone number and access to an SS7 network.

Since the network operators are unable to patch the issues anytime soon, there’s little a smartphone user can do about the protocol itself, but one precaution helps:

Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.


Linux Subsystem on Windows 10 Allows Malware to Become Fully Undetectable


Microsoft has been expressing its love for Linux for almost three years now, and this love costs Microsoft an arm and a leg.

Last year, Microsoft surprised everyone by announcing the arrival of Windows Subsystem for Linux (WSL) in Windows 10, which brings the Linux command-line shell to Windows, allowing users to run native Linux applications on Windows system without virtualization.

However, security researchers from security firm Check Point Software Technologies have discovered a potential security issue with the WSL feature that could allow malware families designed for Linux to target Windows computers, undetected by all current security software.

The researchers devised a new attack technique, dubbed Bashware, that takes advantage of Windows’ built-in WSL feature, which is now out of beta and is set to arrive in the Windows 10 Fall Creators Update in October 2017.

Bashware Attack Undetectable by All Anti-Virus & Security Solutions

According to Check Point researchers, the Bashware attack technique could be abused even by a known Linux malware family, because security solutions for Windows are not designed to detect such threats.

This new attack could allow an attacker to hide any Linux malware from even the most common security solutions, including next generation anti-virus software, malware inspection tools, anti-ransomware solution and other tools.

But why so? Researchers argue that existing security software packages for Windows systems have not yet been modified to monitor processes of Linux executables running on the Windows operating system.

“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time,” Check Point researchers say. 

“This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”

Who is the Culprit? Microsoft or Security Vendors?

In order to run the target Linux application in an isolated environment, Microsoft introduced “Pico processes”: containers that allow ELF binaries to run on the Windows operating system.

During their tests, the Check Point researchers were able to test the Bashware attack on “most of the leading antivirus and security products on the market,” and successfully bypass all of them.

This is because no security product monitors Pico processes, even though Microsoft already provides the Pico API, a special application programming interface that security companies can use to monitor such processes.

“Bashware does not leverage any logic or implementation flaws in WSL’s design. In fact, WSL seems to be well designed,” the researchers concluded. 

“What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system.”

Bashware Attack Requires Admin Rights—Is that Hard on a Windows PC?

Yes, Bashware requires administrator access on the target computers, but gaining admin privileges on Windows PCs via phishing attacks and/or stolen admin credentials is not a difficult task for a motivated attacker.

However, these additional attacks could also alert antivirus and security products, subverting the attack before the actual Bashware attack can be executed to hide malware.

Since WSL is not turned on by default, and users are required to manually activate “development mode” on their computer systems in order to use it and reboot the system, the risks posed by the feature are mitigated to some extent.

However, the Check Point researchers say it is a little-known fact that the developer mode can be enabled by modifying a few registry keys, which can be done silently in the background by the attackers with the right privileges.

The Bashware attack technique automates the required procedures by silently loading the WSL components, enabling developer mode, even downloading and extracting the Linux file system from Microsoft’s servers, and running malware.

No Need to Write Separate Malware Programs

What’s interesting about Bashware? Hackers using Bashware are not required to write malware programs for Linux to run them through WSL on Windows computers.

This extra effort is saved by the Bashware technique which installs a program called Wine inside the downloaded Ubuntu user-space environment, and then launches known Windows malware through it.

The malware then runs on Windows as Pico processes, which hides it from security software.

400 Million Computers Potentially Exposed to Bashware

The newly discovered attack technique does not leverage any vulnerability in WSL’s implementation, but is due to the lack of interest and awareness among various security vendors towards WSL.

Since the Linux shell is now available to Windows users, researchers believe that Bashware can potentially affect any of the 400 million PCs currently running Windows 10 across the world.

Check Point researchers said their company had already upgraded its security solutions to combat such attacks and are urging other security vendors to modify and update their next-generation anti-virus and security solutions accordingly.


Incapsula Updated Review — New Security Options, Improved Delivery and Reliability


It’s been close to five years since we last looked at Incapsula, a security-focused CDN service known for its DDoS mitigation and web application security features.

As one would expect, during these five years the company has expanded and improved, introducing lots of new features and even several new products.

Most recently, Incapsula underwent an extensive network expansion that includes new PoPs in Asia including two new data centers in New Delhi and Mumbai.

This seems like an excellent opportunity to revisit the service and see how it has evolved.

Acquisition, Award and Growth

Before we jump into Incapsula’s service upgrades, we want to mention the changes in the company itself briefly.

The most notable of those is Incapsula’s 2014 acquisition by Imperva—an authority in web application security and a four-time Gartner Magic Quadrant leader for web application firewalls.

The acquisition boosted Incapsula’s security capabilities, resulting in its own cloud-based WAF also being recognised by Gartner analysts. Similarly, Incapsula’s DDoS mitigation solutions were awarded a leadership position in a Forrester Wave for DDoS Service Providers report.

Even more impressive is the company’s growth.

When we first reviewed Incapsula, its services had a few thousand users. It is now the platform of choice for numerous prominent organisations, including some of the largest bitcoin exchanges (BTC China, Bitstamp & Unocoin), online retailers (KickUSA) and popular SaaS companies (Moz).

Today, Incapsula services are being used by over 160,000 organisations worldwide.

Incapsula Service Review

Leveraging its newfound success and resources, Incapsula spent the last five years investing heavily in its technology, both to boost its legacy business and to venture into new directions, such as addressing its customers’ non-security needs.

New DDoS Protection Options


Incapsula was always known for its DDoS mitigation. Playing to its strengths, many of its newest features expand its DDoS mitigation capabilities.

When we first reviewed Incapsula, it was already mitigating layer 3-4 and layer 7 DDoS attacks.

Today, Incapsula has evolved to protect against direct-to-DNS attacks. It now also offers a BGP-enabled DDoS mitigation service to complement its previous CDN-based offering. This BGP-based solution allows Incapsula to protect any type of online service (email servers, FTP, you name it) in addition to websites and web applications.

To address the increase in attack sizes and demand from new customers, Incapsula improved network protection by upgrading its scrubbing capacity to over 3.5 Tbps.

One of its most interesting solutions is DDoS protection for individual IPs.

Usually, this kind of protection is only available to companies that have an entire Class C subnet. Incapsula, however, has found a smart way around that requirement, which makes it an excellent choice for small and medium businesses that don’t own a subnet but still find themselves bombarded by DDoS assaults.

[Image: Incapsula recently mitigated a massive 650 Gbps DDoS flood]

Using its array of new technologies, Incapsula has mitigated some of the largest and highest-profile attacks in recent memory, including a record-setting 650 Gbps DDoS flood and a recent 54-hour assault against a prominent US college.

These are just a few prominent examples. To give you some idea of the entire scope of Incapsula activity, in the first quarter of 2017 the company mitigated an average of 266 network layer attacks and 1,099 application layer assaults every week. This adds up to just over 17,500 attacks in a quarter.

Performance and Reliability


In addition to its new anti-DDoS solutions, and the benefits that Imperva brought to its cloud-based WAF, Incapsula also expanded its offering to include several reliability and performance features.

In our opinion, the most interesting of these is a cloud-based load balancer that offers one centralised option for both in-data center and cross-data center load management.

The service does not rely on DNS TTLs, which enables near-instant rerouting. What’s more, the traffic distribution techniques it uses are more accurate than those of most appliance counterparts. Specifically, it can distribute load based on the actual number of requests being processed on each backend server, and it can perform failover in a matter of seconds.

These benefits, and the fact that the service is offered on a subscription basis, make it great value for money, especially for organisations that operate several data centers and would otherwise need to purchase multiple services and appliances.

On the performance front, Incapsula’s CDN offering was boosted by a host of additional control and optimisation features. These offer granular control over caching policies based on resource type and file location, as well as the ability to purge the cache in real time, which remains a common problem for many CDN platforms.

Other new control features include an Incapsula application rule engine that governs application delivery through custom policies. These offer a virtually limitless range of custom optimisation options that are most likely to benefit larger and more complex sites.

A Security-First Application Delivery Platform

Five years ago we mostly viewed Incapsula as a CDN-based WAF with some DDoS mitigation solutions. The service has since outgrown that description.

Incapsula’s new availability and application delivery services, as well as many new security features, make Incapsula what it always claimed to be: a full-fledged application delivery platform that marries security, performance and availability in one cost-effective service package.

That said, Incapsula is still a security-first, enterprise-grade service, so it isn’t a good alternative to the free CDNs on the market.

However, for commercial organisations looking for more than an underlying CDN and checkbox security, we recommend checking out Incapsula. You can start by signing up for a free enterprise plan trial to see if it’s a good fit.
