I did a news story in Infosecurity Magazine yesterday: Meetup Fighting Prolonged DDoS Attack. The gist is that the social network site, meetup — which promotes the idea of both dispersed and local ‘groups’ and group activities — had been under intermittent DDoS attack since last Thursday.
CEO Scott Heiferman has blogged about the attack. It started with an email warning that said the attacker had been commissioned by a competitor to attack him — but that he would abandon the attack on payment of $300. Heiferman thinks the $300 was just to test the water; to see if meetup would be susceptible to further extortion in the future.
That’s possible; but given the commoditization of DDoS as a service, it is equally likely to be the actual cost of the attack; and the attacker was seeing if he could get his fee without the effort of the attack.
But in all of this there is one question unanswered. Heiferman stresses that throughout the attack his engineers have been toiling to keep the site up and running, and actually says that he spends millions of dollars every year on security. What is clear is that he has spent little or nothing on DDoS mitigation — and is possibly still spending nothing on third-party mitigation (else his problem would probably have long been solved).
I spoke to Ashley Stephenson, CEO of Corero Network Security (a DDoS mitigation firm) to try to understand what’s going on. While we don’t yet know who is behind the attack, what if any competitor was involved, nor the type of DDoS attack used, what is clear, Stephenson told me, is that “it appears the meetup site had no proactive defence in place. Similarly their primary ISP or Hosting Provider was not able to successfully defend their customer against the volume or sophistication of the threat.”
But it would have started much earlier. “Long before the demand for cash was made, attackers were likely probing the meetup service, searching for vulnerabilities and preparing to launch an attack that would do the most harm.”
This is one reason why companies need to be proactive and mitigate DDoS before it starts rather than be reactive and attempt to contain an attack when in full sway. “A technology solution with the capabilities to detect, analyze and ultimately mitigate DDoS attacks, could provide an early alert on such suspicious activity, and help to protect against the malicious activity as soon as it escalates.”
Most companies’ preparation for a DDoS attack is simply to ask themselves, ‘would I pay or would I fight?'; but then they fail to ask themselves: ‘OK, how would I fight this?’
“The lesson to be learned here, unfortunately at the expense of meetup,” said Stephenson, “is that businesses need to think proactively and prepare for cyber attack scenarios, before they hit.”
It makes sense. Most companies buy an anti-malware system not because they have a malware infection, but because of the possibility that they might get one. The same mentality needs to be developed about DDoS attacks and DDoS mitigation — it’s best to get the defence in before the attack, because that attack is becoming increasingly more likely, and increasingly more dangerous.
Either we believe that the Snowden leaks are the biggest con in the history of the universe, or we accept that they are true. I know of no-one who has suggested the former – so they should be taken at face value.
The latest leak, published by NBC, is a presentation that discusses GCHQ’s DDoS attack against the anonops IRC channel, and its infiltration of the Anonymous chat rooms by GCHQ agents.
Nobody who has ever spoken to anyone in Anonymous will be surprised by this. Firstly, the group automatically assumes that every second person in the chat rooms is a ‘Fed'; and secondly they have been faced with DDoS attacks (either directly or via government supporters such as Jester) for many years.
So the reality is: no surprise here.
For me, the most worrying element is the response from GCHQ. It said, according to the NBC report:
All of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensure[s] that our activities are authorized, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All of our operational processes rigorously support this position.
War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show
Think about this. Firstly, GCHQ is saying that its use of DDoS is legal. I doubt if many Brits understand that the law (probably the Terrorism Act and/or RIPA) allows the spy agency to engage in broadbrush DDoS attacks against innocent citizens (not everyone who uses IRC is a criminal!).
Secondly, GCHQ is saying that everything it does is subject to the oversight of the Secretary of State. That the Secretary of State did not stop this DDoS attack means that the Secretary of State sanctioned it.
So what we have is a government and legislation that specifically allows GCHQ to engage in practices against innocent people of unknown nationality with impunity, when members of Anonymous doing similar would be, and are, locked up. The only alternative is that GCHQ is lying – in which case Sir Iain Lobban should be locked up. Either way, it is an unacceptable situation.
My peers may remember playing Saxons and Normans on the beach as small children (it was before black and white television and the rise of cowboys and indians and cops and robbers). The alternative was Saxons and Vikings; but suffered because apart from Harold we only knew two Saxons: Alfred and Aethelred. Aethelred was the short straw, because he was never ready – or more accurately, he was ill-advised and accepted bad or no counsel.
Well Aethelred and the Vikings are making a comeback. Aethelred is business and the Vikings are hackers; and it doesn’t seem to matter what good advice is given, Aethelred ignores it and the hackers come back – again, and to gain and again.
Good counsel: encrypt, but Aethelred does not. Use and enforce strong passwords, but he doesn’t. Undertake staff awareness training on a continuous basis, but he doesn’t bother. The list goes on and on.
But the absolute perfect proof that the spirit of Aethelred yet lives and breathes can be seen in a comment from Ashley Stephenson, CEO of Corero Network Security. He was talking about the DDoS attack on Battlefield 3, “yet another in a long line of attacks aimed at disrupting gamers.”
Sometimes such attacks come from the competition; other times its just for the lulz. But, he adds, “Another motive our clients in gaming and across other sectors continue to experience is cyber extortion. Malicious users specifically threaten gaming and other sites, demanding to be paid a ransom or be the victim of a Distributed Denial of Service attack. More often than not these blackmail threats go unreported as some companies opt to pay the ransom rather than go public with the attack in the hope that this will satisfy the hackers, though this is rarely the case and may lead to the site continually being targeted.”
Aethelred, a long-standing Anglo-Saxon tradition that believes we can yet get peace in our time, lives on. Looks like the Vikings are winning again.
Strange little article in ZDNet today: Senator warns banks of cyberattack risk, Chase Bank targeted within minutes.
It’s strange on several counts. Firstly, it seems that General Keith Alexander, head of the U.S. military’s Cyber Command, has been promoted (or demoted) to Senator – for it seems to be he who issued the warning.
Then he was gifted with prescient superpowers. He warns of further attacks on the banks.
As if in silent agreement, hackers — potentially with a morbid sense of humor — decided to attack Chase Bank’s website within minutes of the speech, and this was later confirmed by the bank to CNBC. It is unknown whether the cyberattack was connected, but either way, the timing was ironic.
The attack itself was, predictably, a denial-of-service (DoS) attack, although it is unclear whether any financial or account data has been compromised or stolen.
Senator warns banks of cyberattack risk, Chase Bank targeted within minutes
Hmm. How clever of the general to foresee this attack. Who else – certainly not ZDNet apparently – would have had the intelligence to translate the al-Qassam Cyber Fighters’ public statement last week that phase 3 of their operation against US banks had started; and that, as before “a number of american banks will be hit by denial of service attacks three days a week, on Tuesday, Wednesday and Thursday during working hours” into an actual attack on an actual US bank on an actual Tuesday.
I’d like to predict, based on my superhuman knowledge of the current threatscape, that a US bank will be hit on Thursday – and if not on Thursday, then next Tuesday or Wednesday or next Thursday. The motivation, however, is not a morbid sense of humour, but simple, plain, good old indignation.
TechWeekEurope published an article yesterday about a panel discussion on Anonymous at RSA 2012. Although the discussion seems to have included some very rational comments from a number of panelists, the article unsurprisingly headlined on some of the more extreme views voiced by Josh Corman – suggesting for example that within the collective “the common attribute is angst.”
Anonymous was not amused. They give me an ‘official’ (if anything within Anonymous can be official) response, which I used in an article in Infosecurity Magazine here. One thing I left out was the last two sentences: “Anonymous is forever mutating, like a virus responding to its host’s new defences. Today’s mutation will be based on finding out about Josh Corman and the real motivation behind his article, was it just to raise PR for his firm, is it linked to a gov contract etc.”
There is a threat here that I didn’t want to include in a news story.
Anonymous subsequently published the full source of its statement here; so the threat was revealed anyway. It seems that it is being taken seriously. An online chat between Tom Brewster of TechWeekEurope and ATeamAnon went thus:
[The log has been withdrawn at the request of one of the participants. It showed a conversation between the author of the TechWeekEurope article and Anonymous. The journalist was attempting to stop any issue between Anonymous and Josh Corman from escalating. Anonymous indicated that feelings were strong and growing. Updated 08:40, 12 October 2012]
What we don’t know is whether this angst/rage will focus into a coordinated action against Akamai, or whether it will evolve into disjointed small-scale anger from individual groups. That’s why I didn’t report it. But time will tell.
It was bank holiday Monday yesterday, so I didn’t spend all day in front of the computer. But I got a file from the Ministry of Lulz – it was the TangoDown http://www.justice.gov.uk graphic.
When and why, I asked; and was pointed at Saturday’s Anonymous message of support for Julian Assange.
I also received a copy of legal counsel concerning the Information Commissioner – so I started work on an article.
But it was bank holiday Monday; so I didn’t rush – and got overtaken by events. In the early evening I got another message from the Ministry of Lulz: ‘justice.gov.uk is down for last 2 hours’.
So in some senses my draft story became irrelevant – but I’m pasting it below anyway. Now, however, it is an explanation for downing the Ministry of Justice – and perhaps a warning for the Information Commissioner. Here it is…
The voice behind The Ministry of Lulz is Winston Smith (named after the hero of Orwell’s 1984). The problem with this association is that the fictional Winston Smith was lured into joining a secret organization determined to bring down the Big Brother government. That secret organization clearly translates to Anonymous. But the fictional recruiter (O’Brien in the novel) turns out to be a government agent (Fed) – and Smith is betrayed. In real life, Smith was ‘recruited’ into Anonymous by ‘XX’. Smith must hope that life doesn’t mirror fiction too closely.
The Ministry of Lulz would appear to have two immediate targets in the UK: the Ministry of Justice and the Information Commissioner. Smith sent me a ‘TangoDown’ graphic. It names ‘www.justice.gov.uk’. Asked why, he pointed to the Anonymous video that was posted to YouTube on Saturday. It’s a message of solidarity with Julian Assange following the failure of his High Court plea to prevent extradition to Sweden – from where, suggests Anonymous, there is little doubt that he will rapidly be extradited to the USA.
This second extradition would seem particularly likely following the recent publication of Parmy Olson’s new book, ‘We are Anonymous’. A small section of this book is reproduced on John Young’s Cryptome site (it seems to be the subject of a takedown notice from the DtecNet Anti-Piracy Team but was still available at the time of writing this). In this book, Olson (the London bureau chief for Forbes) states very clearly that “Assange and q appeared to want LulzSec to try to grab the e-mail service of government sites, then look for evidence of corruption or at least evidence that the government was targeting WikiLeaks.” While proof of nothing, especially since FBI-informant Sabu was involved, the suggestion of involvement in a conspiracy to attack government sites merely makes the probability of extradition from Sweden to the USA more likely.
With the tango down graphic I also received copy of a legal opinion on the ICO. The UK’s Information Commissioner’s Office is likely to be targeted for what the Ministry of Lulz considers to be corruption. The legal opinion related to a case where personal medical records were passed to the subject’s (now ex) wife’s solicitors without his permission. The subject also claimed they were incorrect. He complained to the GMC, who ruled that his GP’s action had ‘fallen below the standards expected from a medical practitioner in processing and disclosing information.’ He then complained to the Information Commissioner who rejected his complaint, ruling amongst other things that the accuracy of personal information is not an issue if he (the IC) considers it to be lawfully disclosed. Consider that for a moment: if disclosure is allowed, you can spread lies without hinderance from the ICO.
The subject then took legal counsel (which is what was sent to me). Counsel concludes that “there is a 60-65% prospect of success in an application for permission to apply for judicial review against the IC…” It goes on to say that “the IC is interpreting the justification provisions in the [DPA] 1998 very widely and in a way which is not compatible with guidance and codes from professional organisations such as the GMC and also not in tune with comments from the courts,” and that “issues of wider public interest are raised by the case, namely the correct scope of the justifications in s35 DPA 1998 and the schedules to the Act, especially when seen in the light of the right to respect for private life in Art 8 ECHR.”
That, perhaps, is what you get when you put a marketing man rather than a legal man in charge of the ICO. But given the experience of the Ministry of Justice yesterday, he should look to his defences for the future.