I did a news story in Infosecurity Magazine yesterday: Meetup Fighting Prolonged DDoS Attack. The gist is that the social network site, meetup — which promotes the idea of both dispersed and local ‘groups’ and group activities — had been under intermittent DDoS attack since last Thursday.
CEO Scott Heiferman has blogged about the attack. It started with an email warning that said the attacker had been commissioned by a competitor to attack him — but that he would abandon the attack on payment of $300. Heiferman thinks the $300 was just to test the water; to see if meetup would be susceptible to further extortion in the future.
That’s possible; but given the commoditization of DDoS as a service, it is equally likely to be the actual cost of the attack; and the attacker was seeing if he could get his fee without the effort of the attack.
But in all of this there is one question unanswered. Heiferman stresses that throughout the attack his engineers have been toiling to keep the site up and running, and actually says that he spends millions of dollars every year on security. What is clear is that he has spent little or nothing on DDoS mitigation — and is possibly still spending nothing on third-party mitigation (else his problem would probably have long been solved).
I spoke to Ashley Stephenson, CEO of Corero Network Security (a DDoS mitigation firm) to try to understand what’s going on. While we don’t yet know who is behind the attack, what if any competitor was involved, nor the type of DDoS attack used, what is clear, Stephenson told me, is that “it appears the meetup site had no proactive defence in place. Similarly their primary ISP or Hosting Provider was not able to successfully defend their customer against the volume or sophistication of the threat.”
But it would have started much earlier. “Long before the demand for cash was made, attackers were likely probing the meetup service, searching for vulnerabilities and preparing to launch an attack that would do the most harm.”
This is one reason why companies need to be proactive and mitigate DDoS before it starts rather than be reactive and attempt to contain an attack when in full sway. “A technology solution with the capabilities to detect, analyze and ultimately mitigate DDoS attacks, could provide an early alert on such suspicious activity, and help to protect against the malicious activity as soon as it escalates.”
Most companies’ preparation for a DDoS attack is simply to ask themselves, ‘would I pay or would I fight?’; but then they fail to ask themselves: ‘OK, how would I fight this?’
“The lesson to be learned here, unfortunately at the expense of meetup,” said Stephenson, “is that businesses need to think proactively and prepare for cyber attack scenarios, before they hit.”
It makes sense. Most companies buy an anti-malware system not because they have a malware infection, but because of the possibility that they might get one. The same mentality needs to be developed about DDoS attacks and DDoS mitigation — it’s best to get the defence in before the attack, because that attack is becoming increasingly more likely, and increasingly more dangerous.
Either we believe that the Snowden leaks are the biggest con in the history of the universe, or we accept that they are true. I know of no-one who has suggested the former – so they should be taken at face value.
The latest leak, published by NBC, is a presentation that discusses GCHQ’s DDoS attack against the anonops IRC channel, and its infiltration of the Anonymous chat rooms by GCHQ agents.
Nobody who has ever spoken to anyone in Anonymous will be surprised by this. Firstly, the group automatically assumes that every second person in the chat rooms is a ‘Fed’; and secondly they have been faced with DDoS attacks (either directly or via government supporters such as Jester) for many years.
So the reality is: no surprise here.
For me, the most worrying element is the response from GCHQ. It said, according to the NBC report:
All of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensure[s] that our activities are authorized, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All of our operational processes rigorously support this position.
War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show
Think about this. Firstly, GCHQ is saying that its use of DDoS is legal. I doubt if many Brits understand that the law (probably the Terrorism Act and/or RIPA) allows the spy agency to engage in broadbrush DDoS attacks against innocent citizens (not everyone who uses IRC is a criminal!).
Secondly, GCHQ is saying that everything it does is subject to the oversight of the Secretary of State. That the Secretary of State did not stop this DDoS attack means that the Secretary of State sanctioned it.
So what we have is a government and legislation that specifically allows GCHQ to engage in practices against innocent people of unknown nationality with impunity, when members of Anonymous doing similar would be, and are, locked up. The only alternative is that GCHQ is lying – in which case Sir Iain Lobban should be locked up. Either way, it is an unacceptable situation.
My peers may remember playing Saxons and Normans on the beach as small children (it was before black and white television and the rise of cowboys and indians and cops and robbers). The alternative was Saxons and Vikings; but suffered because apart from Harold we only knew two Saxons: Alfred and Aethelred. Aethelred was the short straw, because he was never ready – or more accurately, he was ill-advised and accepted bad or no counsel.
Well Aethelred and the Vikings are making a comeback. Aethelred is business and the Vikings are hackers; and it doesn’t seem to matter what good advice is given, Aethelred ignores it and the hackers come back – again, and to gain and again.
Good counsel: encrypt, but Aethelred does not. Use and enforce strong passwords, but he doesn’t. Undertake staff awareness training on a continuous basis, but he doesn’t bother. The list goes on and on.
But the absolute perfect proof that the spirit of Aethelred yet lives and breathes can be seen in a comment from Ashley Stephenson, CEO of Corero Network Security. He was talking about the DDoS attack on Battlefield 3, “yet another in a long line of attacks aimed at disrupting gamers.”
Sometimes such attacks come from the competition; other times its just for the lulz. But, he adds, “Another motive our clients in gaming and across other sectors continue to experience is cyber extortion. Malicious users specifically threaten gaming and other sites, demanding to be paid a ransom or be the victim of a Distributed Denial of Service attack. More often than not these blackmail threats go unreported as some companies opt to pay the ransom rather than go public with the attack in the hope that this will satisfy the hackers, though this is rarely the case and may lead to the site continually being targeted.”
Aethelred, a long-standing Anglo-Saxon tradition that believes we can yet get peace in our time, lives on. Looks like the Vikings are winning again.
Strange little article in ZDNet today: Senator warns banks of cyberattack risk, Chase Bank targeted within minutes.
It’s strange on several counts. Firstly, it seems that General Keith Alexander, head of the U.S. military’s Cyber Command, has been promoted (or demoted) to Senator – for it seems to be he who issued the warning.
Then he was gifted with prescient superpowers. He warns of further attacks on the banks.
As if in silent agreement, hackers — potentially with a morbid sense of humor — decided to attack Chase Bank’s website within minutes of the speech, and this was later confirmed by the bank to CNBC. It is unknown whether the cyberattack was connected, but either way, the timing was ironic.
The attack itself was, predictably, a denial-of-service (DoS) attack, although it is unclear whether any financial or account data has been compromised or stolen.
Senator warns banks of cyberattack risk, Chase Bank targeted within minutes
Hmm. How clever of the general to foresee this attack. Who else – certainly not ZDNet apparently – would have had the intelligence to translate the al-Qassam Cyber Fighters’ public statement last week that phase 3 of their operation against US banks had started; and that, as before “a number of american banks will be hit by denial of service attacks three days a week, on Tuesday, Wednesday and Thursday during working hours” into an actual attack on an actual US bank on an actual Tuesday.
I’d like to predict, based on my superhuman knowledge of the current threatscape, that a US bank will be hit on Thursday – and if not on Thursday, then next Tuesday or Wednesday or next Thursday. The motivation, however, is not a morbid sense of humour, but simple, plain, good old indignation.
TechWeekEurope published an article yesterday about a panel discussion on Anonymous at RSA 2012. Although the discussion seems to have included some very rational comments from a number of panelists, the article unsurprisingly headlined on some of the more extreme views voiced by Josh Corman – suggesting for example that within the collective “the common attribute is angst.”
Anonymous was not amused. They give me an ‘official’ (if anything within Anonymous can be official) response, which I used in an article in Infosecurity Magazine here. One thing I left out was the last two sentences: “Anonymous is forever mutating, like a virus responding to its host’s new defences. Today’s mutation will be based on finding out about Josh Corman and the real motivation behind his article, was it just to raise PR for his firm, is it linked to a gov contract etc.”
There is a threat here that I didn’t want to include in a news story.
Anonymous subsequently published the full source of its statement here; so the threat was revealed anyway. It seems that it is being taken seriously. An online chat between Tom Brewster of TechWeekEurope and ATeamAnon went thus:
[The log has been withdrawn at the request of one of the participants. It showed a conversation between the author of the TechWeekEurope article and Anonymous. The journalist was attempting to stop any issue between Anonymous and Josh Corman from escalating. Anonymous indicated that feelings were strong and growing. Updated 08:40, 12 October 2012]
What we don’t know is whether this angst/rage will focus into a coordinated action against Akamai, or whether it will evolve into disjointed small-scale anger from individual groups. That’s why I didn’t report it. But time will tell.
It was bank holiday Monday yesterday, so I didn’t spend all day in front of the computer. But I got a file from the Ministry of Lulz – it was the TangoDown http://www.justice.gov.uk graphic.
When and why, I asked; and was pointed at Saturday’s Anonymous message of support for Julian Assange.
I also received a copy of legal counsel concerning the Information Commissioner – so I started work on an article.
But it was bank holiday Monday; so I didn’t rush – and got overtaken by events. In the early evening I got another message from the Ministry of Lulz: ‘justice.gov.uk is down for last 2 hours’.
So in some senses my draft story became irrelevant – but I’m pasting it below anyway. Now, however, it is an explanation for downing the Ministry of Justice – and perhaps a warning for the Information Commissioner. Here it is…
The voice behind The Ministry of Lulz is Winston Smith (named after the hero of Orwell’s 1984). The problem with this association is that the fictional Winston Smith was lured into joining a secret organization determined to bring down the Big Brother government. That secret organization clearly translates to Anonymous. But the fictional recruiter (O’Brien in the novel) turns out to be a government agent (Fed) – and Smith is betrayed. In real life, Smith was ‘recruited’ into Anonymous by ‘XX’. Smith must hope that life doesn’t mirror fiction too closely.
The Ministry of Lulz would appear to have two immediate targets in the UK: the Ministry of Justice and the Information Commissioner. Smith sent me a ‘TangoDown’ graphic. It names ‘www.justice.gov.uk’. Asked why, he pointed to the Anonymous video that was posted to YouTube on Saturday. It’s a message of solidarity with Julian Assange following the failure of his High Court plea to prevent extradition to Sweden – from where, suggests Anonymous, there is little doubt that he will rapidly be extradited to the USA.
This second extradition would seem particularly likely following the recent publication of Parmy Olson’s new book, ‘We are Anonymous’. A small section of this book is reproduced on John Young’s Cryptome site (it seems to be the subject of a takedown notice from the DtecNet Anti-Piracy Team but was still available at the time of writing this). In this book, Olson (the London bureau chief for Forbes) states very clearly that “Assange and q appeared to want LulzSec to try to grab the e-mail service of government sites, then look for evidence of corruption or at least evidence that the government was targeting WikiLeaks.” While proof of nothing, especially since FBI-informant Sabu was involved, the suggestion of involvement in a conspiracy to attack government sites merely makes the probability of extradition from Sweden to the USA more likely.
With the tango down graphic I also received copy of a legal opinion on the ICO. The UK’s Information Commissioner’s Office is likely to be targeted for what the Ministry of Lulz considers to be corruption. The legal opinion related to a case where personal medical records were passed to the subject’s (now ex) wife’s solicitors without his permission. The subject also claimed they were incorrect. He complained to the GMC, who ruled that his GP’s action had ‘fallen below the standards expected from a medical practitioner in processing and disclosing information.’ He then complained to the Information Commissioner who rejected his complaint, ruling amongst other things that the accuracy of personal information is not an issue if he (the IC) considers it to be lawfully disclosed. Consider that for a moment: if disclosure is allowed, you can spread lies without hinderance from the ICO.
The subject then took legal counsel (which is what was sent to me). Counsel concludes that “there is a 60-65% prospect of success in an application for permission to apply for judicial review against the IC…” It goes on to say that “the IC is interpreting the justification provisions in the [DPA] 1998 very widely and in a way which is not compatible with guidance and codes from professional organisations such as the GMC and also not in tune with comments from the courts,” and that “issues of wider public interest are raised by the case, namely the correct scope of the justifications in s35 DPA 1998 and the schedules to the Act, especially when seen in the light of the right to respect for private life in Art 8 ECHR.”
That, perhaps, is what you get when you put a marketing man rather than a legal man in charge of the ICO. But given the experience of the Ministry of Justice yesterday, he should look to his defences for the future.
TheWikiBoat’s OpNewSon, which commenced at midnight on Friday 25th May, falls somewhere between a fail and an abject fail.
It was announced on 11 April. “On the day of the operation, we plan to hit and attack several high corporate entities,” said TheWikiBoat. “Those targets are none other then the ones who ultimately rule: the high revenue making companies of the world.” The attack would be multi-phased: first a DDoS followed by a hack resulting in the leak of “highly classified data from the targets”.
Somehow, this description grew into an attack on 46 major global companies, including Bank Of America, Apple, Wal-Mart, Tesco and others. I can find no source for this, so it could either be journalistic licence or a passing comment on an IRC channel. I did a preview of OpNewSon on Infosecurity Magazine: TheWikiBoat’s OpNewSon fires today.
But OpNewSon never matched its claims. In the event, it seems that only one site, BethBlog, was attacked with debatable success. BethBlog is the online home of Bethesda Software, a game developer and publisher and not of “the ones who ultimately rule”. In security terms it would be classified a soft target.
So what do we make of TheWikiBoat now? Is it a group of wannabees looking for the notoriety of LulzSec and the fame of Anonymous, but with more chutzpah than skill? That is bound to be the first reaction, and it may well be right. It may also be wrong.
TheWikiBoat seems to be blaming VoxAnon for pulling the IRC channel and effectively leaving the wiki boat without a rudder. Given the global nature of its members and the many different time zones involved, it became impossible to focus the fire power. Could be. Or it could be the group just didn’t get the LOIC critical mass; it could be they didn’t have the fire power to focus.
Either way, you cannot imagine either Anonymous or LulzSec making such a mess of such a well publicised plan. Personally, I hope TheWikiBoat disbands. If they have skills, then they should use their skills for good. Lulz for lulz sake is just childish. And if they are wannabees, they should simply grow up. There is already too much wrong in this world to add to it.
News stories for Thursday 3 May and Friday 4 May 2012:
OpBayBack announced by Anonymous look-alike: TheWikiBoat
It was only a matter of time before one hacktivist group or another would react to the UK court-ordered ISP block on The Pirate Bay.
04 May 2012
The UK Protection of Freedoms Bill this week; telecommunications surveillance next week?
A major plank of both the Conservative and LibDem election campaigns was to ‘roll back the database state’ and curtail invasive bureaucratic surveillance. But has the Coalition achieved this? And what about the proposed communications monitoring bill?
04 May 2012
Website infection hits Israeli Institute for National Security Studies
Israeli websites frequently come under cyber attack. Now Websense reports that the Israeli Institute for National Security Studies (INSS) has been infected with malicious code ultimately leading to a Poison Ivy variant.
04 May 2012
LOIC DDoS tool – is it ‘safe’ for the user?
The DDoS weapon of choice for Anonymous activists, the Low Orbit Ion Canon (LOIC), was downloaded from the internet 381,961 times during 2011. That number has already been exceeded in 2012, with daily downloads averaging more than 3400.
04 May 2012
SOCA knocked off the web by DDoS – again
The UK’s Serious Organised Crime Agency has today confirmed that a DDoS attack forced it take its website off-line at 22:00 Wednesday. As of writing, 14:30 Thursday, it is still down.
03 May 2012
UK wi-fi connectivity is inadequate
As the UK economy headed into another recession, a UKFast round table of business and technology experts, slated to discuss the digital wallet, inevitably discussed the economy and what government should do about it.
03 May 2012
The evolving role of the CISO – new study by IBM
A study by IBM’s Center for Applied Insights concludes that there are now three ‘types’ of CISO: influencers, protectors and responders. Evolution towards the ‘influencer’ role is necessary, and happening.
03 May 2012
Hackers levy an ‘idiot tax’ on Belgian bank
“While this could be called ‘blackmail,’ we prefer to think of it as an ‘idiot tax’ for leaving confidential data unprotected on a Web server,” announces an unidentified hacker group in a news statement on Pastebin.
03 May 2012
My news stories on Infosecurity Magazine from Tuesday 10 April until Friday 13 April, and Monday 16 April until Wednesday 18 April
NHS needs a security czar to prevent continuous data walkabout
While the South London Healthcare NHS Trust signs a Data Protection Undertaking, the security industry wonders why we have learnt nothing in the last two years – and calls for a new NHS data protection czar.
18 April 2012
PwC 2012 Information Security Breaches Survey: Preliminary findings report continued mobile insecurity
New statistics show that while many companies appear to understand the business threat from BYOD, many others are taking no precautions whatsoever.
18 April 2012
(ISC)² launches its new EMEA advisory board
In a move designed to offer genuine hands-on security experience to EMEA’s different security initiatives, professional body (ISC)² has launched a new Advisory Board for Europe, the Middle East and Africa (EAB).
18 April 2012
Google co-founder worries about the future of the internet
In an interview with the Guardian, the co-founder of Google lists the threats facing the future vitality of the internet.
17 April 2012
Shadowserver uncovers campaign against Vietnam in Hardcore Charlie’s file dump
An analysis of the hacked files dumped by hacker Hardcore Charlie fails to prove Chinese culpability, but finds evidence of ‘yet another cyber espionage campaign against Vietnam.’
17 April 2012
Iranian software manager hacks and dumps card details of 3m Iranians
Khosrow Zarefarid found and reported a flaw in the Iranian POS system. He reported it, but was ignored – so he used it and hacked 3 million Iranian debit card details.
17 April 2012
Dutch Pirate Party forced to take its Pirate Bay proxy off-line
In a move that will be monitored by the UK’s music industry association (BPI), its Dutch equivalent BREIN (translates as ‘Brain’) has obtained a court injunction forcing the political party, the Pirate Party, to take down the proxy site that was allowing users to continue using the blocked Pirate Bay (TPB).
16 April 2012
Is ACTA dead in the water, or is it resurfacing via the G8?
David Martin, European Parliament’s rapporteur on the ACTA treaty, is expected to recommend that parliament should reject ACTA. Does this mean the end for the Anti-Counterfeiting Trade Agreement?
16 April 2012
Commotion Wireless: an open source censorship buster
The great contradiction in modern techno-politics is the need for democracies to promulgate free speech in other countries while controlling it in their own.
16 April 2012
Boston police release unredacted Facebook data of ‘Craigslist killer’
The complete Facebook account of Philip Markoff, in hard copy and including friend IDs, was given by the Boston Police to the Boston Phoenix newspaper.
13 April 2012
EC asks how we would want the internet of things to be controlled
The European Commission (EC) has issued an online ‘consultation’ document: How would you envisage ‘governance’ of the ‘Internet of Things’?
13 April 2012
City trader fined £450,000 by the FSA
“For the reasons given in this Notice…”, says an FSA Decision Notice, “…the FSA has decided to impose on Mr Ian Charles Hannam a financial penalty of £450,000.”
13 April 2012
MPAA’s attempted takedown of Hotfile gets more and more difficult
Don’t throw the baby out with the bathwater says Google; and there’s more baby than bathwater suggests Prof. James Boyle.
12 April 2012
UK private members bill designed to censor pornography on the internet
Baroness Howe of Ildicote has introduced the Online Safety Act 2012, designed to force ISPs to install and operate pornography filters.
12 April 2012
Financial services the target in massive DDoS increase
A new analysis from Prolexic shows a huge increase in DDoS attacks, largely sourced in Asia and primarily attacking financial institutions.
12 April 2012
Smartphones are still firmly ‘enterprise-unready’
Research from by Altimeter Group, Bloor Research and Trend Micro shows that the ‘consumer marketing’ legacy of many smartphones makes them ill-equipped to meet enterprise security demands.
11 April 2012
EU trade committee’s draft opinion on ACTA: Don’t ratify
The European Parliament’s Industry, Research and Energy committee for the Committee on International Trade has published its draft opinion on ACTA. Don’t ratify, it tells parliament.
11 April 2012
DHS gets California company to hack game consoles
In a project that started from law enforcement agencies’ request to the US Department of Homeland Security (DHS), which was then farmed out to the US Navy, Obscure Technologies of California has been awarded a contract to find ways of hacking game consoles.
11 April 2012
Real-time data mining comes to Twitter
Twitter is usually described as a micro-blogging social network. To many who monitor its ‘trending topics’ it is also an early warning news service, frequently pointing users to breaking news before the traditional news media reports it.
10 April 2012
Iran bids farewell to the internet; welcomes its own halal intranet
Iran’s answer to ‘criminality’ on the internet is not to fight criminality, but to block the internet. In the future, Iranians will have access to only the official national intranet and a whitelist of acceptable foreign sites.
10 April 2012
What an Englishman does in bed
Companies that monitor the end point behavior of their remote workers will have to start monitoring their (internet) behavior in bed. That at least is the inference to be drawn from a new street survey conducted by Infosecurity Europe.
10 April 2012
It appears that the Anonymous protest against UK/US extradition was fairly successful. The BBC reports that the Home Office website was “inaccessible for several hours on Saturday night.” Although the BBC goes on to say that “It is not clear whether the protest was against email surveillance or extradition, but it could be both,” this was AnonOpUK’s #OpTrialAtHome (see my report on Infosecurity Magazine for details). The call was for a denial of service attack in protest against the extradition of McKinnon, O’Dwyer and Tappin, and that is exactly what happened.
It will not, of course, have any effect on the UK Government, a government that continually shows itself to be impervious to public opinion and in thrall to the US (McKinnon) and the entertainment industry (O’Dwyer). At the moment, McKinnon’s imminent extradition seems increasingly likely – although Home Secretary Theresa May has been given a little wriggle room. The psychiatrist Declan Murphy has now said he is not a serious suicide threat (having earlier said he was), but added, “The risk of actual self-harm could be ameliorated by regular contact with mental health professionals and with supportive counselling and listening services of the type that are available within UK prisons.”
Not being a threat could see him on a plane to the US – but he’s only not a threat if treated in a UK prison…
Talking of extradition – or more specifically rendition – I notice that the US courts have said that the UK has no right to ask the US what the UK knew about it. We have to ask them what we knew, and they won’t tell us? And these people are in charge of running the country?