<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CounterMeasures -  A Security Blog » Denial of Service</title>
	<atom:link href="http://countermeasures.trendmicro.eu/tag/denial-of-service/feed/" rel="self" type="application/rss+xml" />
	<link>http://countermeasures.trendmicro.eu</link>
	<description>Trend Micro&#8217;s Rik Ferguson blogs about current security issues.</description>
	<lastBuildDate>Tue, 07 Feb 2012 17:51:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Polish Government under DDoS, Anonymous ACTA up again.</title>
		<link>http://countermeasures.trendmicro.eu/polish-government-under-ddos-anonymous-acta-up-again/</link>
		<comments>http://countermeasures.trendmicro.eu/polish-government-under-ddos-anonymous-acta-up-again/#comments</comments>
		<pubDate>Sun, 22 Jan 2012 22:54:55 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3253</guid>
		<description><![CDATA[Anonymous are again making headlines, as the majority of Polish government related web sites are taken offline in DDoS attacks over the weekend as a protest about an international agreement perceived as being cooked up in years of secret talks between governments and industry. &#160; As the dust settles and the mutual back-slapping begins over [...]]]></description>
			<content:encoded><![CDATA[<p>Anonymous are again making headlines, as the <a href="http://pastebin.com/GpEd0ssP" target="_blank">majority of Polish government related web sites</a> are taken offline in DDoS attacks over the weekend as a protest about an international agreement perceived as being cooked up in years of secret talks between governments and industry.<br />
&nbsp;<br />
As the dust settles and the mutual back-slapping begins over the withdrawal of the SOPA bill in the US, an older and potentially uglier beast has once again reared its head in Europe. This particular beast is called ACTA (<a href="http://www.ustr.gov/acta" target="_blank">Anti-Counterfeiting Trade Agreement</a>) and you can certainly be forgiven if you haven&#8217;t heard of it before, even though it predates both SOPA and PIPA.<br />
&nbsp;<br />
ACTA is what is known as a &#8220;plurilateral agreement&#8221; aimed at establishing international (not just US) standards on intellectual property rights enforcement. SOPA would have negligible effects outside of the US, but ACTA is a global agreement. It aims to create its own governing body outside of the existing World Trade Organisation, the World Intellectual Property Organisation and the United Nations. Preliminary talks began as far back as 2006 including Canada, the United States, Japan, the EU and Switzerland. Official negotiations began in 2008 with the addition of Australia, Mexico, Morocco, New Zealand, South Korea and Singapore. Alongside these national government representatives, an advisory body of large US-based corporations was involved, including the RIAA, the MPAA, International Intellectual Property Alliance and Pharmaceutical Research &#038; Manufacturers of America.<br />
&nbsp;<br />
The negotiations were classified as &#8220;Secret&#8221; in the US on the grounds that there was a risk of damage to national security. The process by which negotiations took place, without public scrutiny or judicial oversight, and the way in which the details of ACTA only emerged as a series of leaks until a draft was eventually published in 2010, after the 8th round of negotiations, have attracted widespread criticism from academics and groups <a href="http://www.google.com/url?sa=t&#038;rct=j&#038;q=acta&#038;source=web&#038;cd=7&#038;ved=0CGEQFjAG&#038;url=http%3A%2F%2Fwww.eff.org%2Fissues%2Facta&#038;ei=PZEcT6eFF46r-Qan5bzOCg&#038;usg=AFQjCNESIKDpG18lKPwpUsfNsQ-BEb1aDQ" target="_blank">such as the EFF</a>.<br />
&nbsp;<br />
The major concerns regarding the actual content of the draft centre around a couple of important issues: perceived infringement on communications privacy for Internet users, as ISPs are obliged to filter content in more depth as a result of their liability for the actions of their subscribers, and an increase in liability for websites that link to copyrighted material (sound familiar?). There has also been concern that the section dealing with border controls would authorise invasive searches of personal laptops or MP3 players in the search for copyright infringing material. It should be noted that EU legislation exempts travellers from checks if the offending goods are not a part of &#8220;large-scale&#8221; traffic and US legislation amply demonstrates that unilateral implementation of invasive border searches is entirely to be expected.<br />
&nbsp;<br />
So why Poland, and why today? Well, the government of Donald Tusk made a <a href="http://mac.gov.pl/wp-content/uploads/2012/01/Uchwa%C5%82a-Rady-Ministr%C3%B3w-ws.-zgody-na-podpisanie-ACTA1.pdf" target="_blank">surprise</a> <a href="http://www.mkidn.gov.pl/media/docs/20120118-wniosek_ACTA.pdf" target="_blank">announcement</a> (two PDFs in Polish) on the 19th January that they would be signing ACTA one week later on the 26th, taking them down the road to ratification. Many Poles feel that this has been done without inclusion or open debate and without a mandate from the people. The strength of feeling is immediately visible on Twitter, with thousands of Poles making tweets of thanks to Anonymous for this initial and ongoing action. Even those not actively participating in the DDoS have contributed to the failures of multiple websites by attempting to access them in their browser to see if the site had been taken offline.<br />
&nbsp;<br />
Whatever the rights and wrongs of the proposed agreement, it is certainly true to say that democracy is never served in secret, where the interests of only one side of the debate are represented. The Polish Minister for Administration and Digitalisation, Michal Boni has asked Prime Minister Donald Tusk to reconsider the decision before signing and a further meeting has been scheduled for the 24th Jan.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/polish-government-under-ddos-anonymous-acta-up-again/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>You can&#8217;t fight the power, but the power has shifted.</title>
		<link>http://countermeasures.trendmicro.eu/you-cant-fight-the-power-but-the-power-has-shifted/</link>
		<comments>http://countermeasures.trendmicro.eu/you-cant-fight-the-power-but-the-power-has-shifted/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 11:04:35 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3248</guid>
		<description><![CDATA[One of the largest file sharing services on the Internet was shut down yesterday in US legal action. The site is charged with violation of copyright laws. The indictment (now available on scribd) charges seven individuals with online piracy, four of whom have already been arrested in New Zealand. This 72 page document also details the [...]]]></description>
			<content:encoded><![CDATA[<p>One of the largest file sharing services on the Internet was shut down yesterday in US legal action. The site is charged with violation of copyright laws. The indictment (<a title="Mega Indictment" href="http://www.scribd.com/doc/78786408/Mega-Indictment" target="_blank">now available on scribd</a>) charges seven individuals with online piracy, four of whom have already been arrested in New Zealand. This 72 page document also details the estimated cost to copyright holders at more than $500 million USD, while the accused themselves allegedly earned $175 million in advertising revenue. The maximum penalty for the offenders could total 50 years of jail time.<br />
&nbsp;<br />
Search warrants were executed in nine countries and 18 domain names, including mega-upload.com, were seized along with associated servers.<br />
&nbsp;<br />
This indictment, unsealed right in the middle of impassioned debate over SOPA and PIPA, quickly aroused the wrath of the Internet community, particularly Anonymous, who have been exhorting their supporters to participate in Distributed Denial of Service attacks against US government web sites including the Dept of Justice, the FBI, the Copyright Office and the RIAA and MPAA, who were successfully taken offline as a result.<br />
&nbsp;<br />
Anonymous supporters have been using the Low Orbit Ion Cannon (<a title="Freedom Exists in a Schoolbook" href="http://countermeasures.trendmicro.eu/freedom-exists-in-a-school-book/" target="_blank">previously detailed here</a>) as well as a new technique of embedded JavaScript. Several web pages have been loaded with JavaScript and the simple act of rendering that page in a web browser will in most cases recruit the browsing computer to the DDoS attack. The attacks have attracted a high level of participation and public sympathy and quickly became a trending topic on Twitter under the #OpMegaupload hashtag.<br />
&nbsp;<br />
<a title="Akamai Real-time Web Monitor" href="http://www.akamai.com/html/technology/dataviz1.html" target="_blank">Akamai&#8217;s Real-time Web Monitor</a> is currently showing attack traffic online at more than 24% above normal, giving some idea of the scope and geographic spread of public sympathy.<br />
&nbsp;<br />
Whatever your views on online file sharing, there is no denying that this is an issue urgently in need of a solution. Consumers, artists and corporations seem to have devised workable methods in the music industry. A return to the generation of income through live performance has reinvigorated the music scene in many countries and cities. Artists have harnessed the power of the Internet for a direct sales model that bypasses the increasingly archaic music industry, and online music stores have evolved to facilitate this, with the participation of the corporations, providing music at reasonable cost. It could even be argued that the new iTunes Match service represents the capitulation of the music industry to the new reality of illegal downloads. This model is beginning to be repeated in the printed world too.<br />
&nbsp;<br />
In the early 1900s music publishers <a href="http://www.forbes.com/sites/danielfisher/2012/01/18/sopa-meet-the-player-piano-copyright-threat/" target="_blank">decried the arrival of the &#8220;player piano&#8221;</a> as a threat to their way of life; when I was a kid, every record bore the legend &#8220;<em>Home taping is killing music</em>&#8221;; Hollywood was scared to death at the advent of the VCR&#8230;<br />
&nbsp;<br />
The simple truth is, technology ever advances and with it come new opportunities. Many consumers are taking advantage of those opportunities to access copyrighted material quickly, easily and cheaply (or for free). It is only by facilitating that behaviour backed by a forward-looking business model that the traditional industry can hope to survive into the future.<br />
&nbsp;<br />
It&#8217;s true that you can&#8217;t fight the power, but the power has shifted.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/you-cant-fight-the-power-but-the-power-has-shifted/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The best form of defence?</title>
		<link>http://countermeasures.trendmicro.eu/the-best-form-of-defence/</link>
		<comments>http://countermeasures.trendmicro.eu/the-best-form-of-defence/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 16:19:41 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[countermeasures]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3223</guid>
		<description><![CDATA[&#160; A report in the Daily Yomiuri suggests that the Japanese government have commissioned Fujitsu Ltd to create a &#8220;defensive virus&#8221; and that after 3 years of work and a budget of $2.3 million, the project is nearing completion. &#160; Technical details in the article are necessarily thin on the ground but it appears that the [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_3225" class="wp-caption alignleft" style="width: 510px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2012/01/782926958_d73f5c1300.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2012/01/782926958_d73f5c1300.jpg" alt="" title="Mutation by woodleywonderworks" width="500" height="333" class="size-full wp-image-3225" /></a><p class="wp-caption-text">Mutation by woodleywonderworks</p></div><br />
&nbsp;<br />
A <a href="http://www.yomiuri.co.jp/dy/national/T120102002799.htm" title="Govt working on defensive cyberweapon / Virus can trace, disable sources of cyber-attacks" target="_blank">report in the Daily Yomiuri</a> suggests that the Japanese government have commissioned Fujitsu Ltd to create a &#8220;defensive virus&#8221; and that after 3 years of work and a budget of $2.3 million, the project is nearing completion.<br />
&nbsp;<br />
Technical details in the article are necessarily thin on the ground but it appears that the &#8220;cyberweapon&#8221; is designed to &#8220;springboard&#8221; from one compromised computer to another, tracing back to the original source of the attack and shutting down malicious processes en route.<br />
&nbsp;<br />
Whilst I can see the attractiveness of the principle and have some sympathy for the thinly veiled claims in the article that &#8220;everyone else is doing it&#8221;, the concept of the &#8220;good&#8221; computer virus has been the subject of debate for many years and it has never gained widespread support.<br />
&nbsp;<br />
Even a &#8220;good&#8221; virus or worm must execute on a machine without the permission of the owner of that machine. If that &#8220;good&#8221; virus has the objective of terminating malicious processes and/or patching security holes then, by definition, it must modify or delete critical processes, memory content or files. If its design is to spread autonomously then system owners will have no opportunity to test whether its supposedly altruistic activities will have any negative impact on a running system. It will also consume bandwidth, disk space, memory and processor cycles, all adding to the load just as a malicious worm does, effectively creating a Denial of Service condition.<br />
&nbsp;<br />
The &#8220;good&#8221; virus may also be hindered by effective security software; many of the actions it will be carrying out, such as modifying system components and terminating processes, will be precisely those which are designed to be recognised and stopped by security programs.<br />
&nbsp;<br />
Finally it really wouldn&#8217;t take much effort for criminal groups to take these white-hat tools and modify them for more malicious use, blurring the line even more between the &#8220;good&#8221; and the bad and putting professional grade carrier mechanisms in the hands of criminals.<br />
&nbsp;<br />
The Japanese government seem less than coordinated right now on the actual use such a technology would be put to; the article reports them as saying that they are &#8220;<em>not considering outside applications for the program as it was developed for more defensive uses, such as identifying which terminal within the Self-Defense Forces was initially targeted in a cyber-attack</em>&#8221;. This is hardly surprising, as the creation of malware is currently a violation of Japan&#8217;s criminal code.<br />
&nbsp;<br />
You have to wonder though, even in that limited scenario, wouldn&#8217;t such an automated &#8220;sprinkler system&#8221; pose a huge risk of destroying valuable forensic evidence in the case of a breach? Wouldn&#8217;t effective real-time monitoring of computers and networks, reporting to a centralised SIEM console provide as much intelligence in a less inherently risky way?<br />
&nbsp;<br />
<strong>Post Script:</strong><br />
&nbsp;<br />
In 2004 Cyrus Peikari made a seemingly good case for <a title="Fighting Fire with Fire: Designing a &quot;Good&quot; Computer Virus" href="http://www.informit.com/articles/printerfriendly.aspx?p=337309" target="_blank">Fighting Fire with Fire</a>, but I feel that the medical analogy breaks down completely under close examination. In the digital case we are talking about releasing a self-replicating virus into the wild, whereas in the medical case we talk about manual and controlled introduction of an attenuated virus on an individual (and voluntary) basis.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/the-best-form-of-defence/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>What the Hack is going on?</title>
		<link>http://countermeasures.trendmicro.eu/what-the-hack-is-going-on/</link>
		<comments>http://countermeasures.trendmicro.eu/what-the-hack-is-going-on/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 14:51:28 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2858</guid>
		<description><![CDATA[&#160; With all the recent news stories of successful hacking attacks of some very prominent organisations, this seems like an entirely reasonable question. The litany of victims is impressive including such luminaries as Google, RSA, Visa, MasterCard, Citibank, Epsilon, the US Senate, the UK National Health Service, Fox, Sony (of course) and just last night [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2863" class="wp-caption alignleft" style="width: 410px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/06/4781607809_13d04ce5da.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/06/4781607809_13d04ce5da-400x300.jpg" alt="" title="4781607809_13d04ce5da" width="400" height="300" class="size-large wp-image-2863" /></a><p class="wp-caption-text">Used under creative commons from brittgow Flickr</p></div><br />
&nbsp;<br />
With all the recent news stories of successful hacking attacks of some very prominent organisations, this seems like an entirely reasonable question. The litany of victims is impressive, including such luminaries as Google, RSA, Visa, MasterCard, Citibank, Epsilon, the US Senate, the UK National Health Service, Fox, Sony (of course) and just last night the CIA website was targeted with a Distributed Denial of Service attack. The amount of prime time coverage these various activities are getting is prompting several questions. Is this hacking group stuff something new? Is this cyber-espionage or even cyber warfare? What impact will this have on me and the future of the internet?<br />
&nbsp;<br />
The idea of a hacking group is certainly not a new phenomenon; in fact they began to flourish in the early eighties, the early days of home computing, acting as a forum for members to share information, learn and compare skills. Early groups bore names such as Legion of Doom, Cult of the Dead Cow or Masters of Deception and specialised not only in the nascent internet hacking scene (and are responsible for the birth of hacktivism), but also in the perhaps dying art of <a href="http://en.wikipedia.org/wiki/Phreaking">phreaking</a> (abuse of public telecommunications networks). The nineties saw the rise of a different kind of hacking group, L0pht Heavy Industries, who operated more as a research organisation, providing software tools for penetration and security testing and issuing advisories. This group also famously testified to the US Congress that they could take down the entire internet in under 30 minutes back in 1998. L0pht later merged with @stake, who were eventually acquired by Symantec.<br />
&nbsp;<br />
Now in the noughties we have witnessed the rise of Anonymous, and more recently LulzSec. Anonymous as a collective is something that began on message boards like the infamous 4chan, for the purposes of attacking the Church of Scientology, and has with generous media coverage evolved into a bigger deal. Instead of being a relatively closed group, Anonymous actively sought the participation of the general public when they began their actions in support of Wikileaks. Tens of thousands of volunteers are downloading tools which enable them to participate in the global assault on businesses with whom they feel personally aggrieved. The latest versions of this tool include functionality which means the user can hand off control of their weaponised computer to a central authority (Anonymous) to better direct and control the attacks. LulzSec on the other hand maintain the tradition of the closed group, and according to their own web site have no motivation but anarchy:<br />
&nbsp;</p>
<blockquote><p>&#8220;<em>We&#8217;re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calendar year</em>&#8221;.</p></blockquote>
<p>&nbsp;<br />
Of course similar groups have emerged around the world in places as far flung as Pakistan and India, where there is fierce competition between the groups. In Romania groups such as <a href="http://countermeasures.trendmicro.eu/an-interview-with-hackersblog/">HackersBlog</a> have hit various companies. In China and Russia, many hackers are believed to act as proxies for their governments.<br />
&nbsp;<br />
It&#8217;s not all about the hacking for fun and kudos gangs; organised criminal groups have been with us for many years now, and the last 12 months or so has seen a marked increase in the frequency of attacks on online aggregations of information, such as Sony, Epsilon or Citibank, for the purposes of theft of information for financial reward. One single attack, if successful, can yield such a vast amount of saleable or otherwise abusable personal data that I&#8217;m only surprised the attacks took so long to gather pace.<br />
&nbsp;<br />
Another phenomenon that has risen to prominence recently is purported nation-state activity. Again, despite recent press coverage this is also nothing new, the <a href="http://en.wikipedia.org/wiki/Titan_Rain">Titan Rain</a> attacks for example date back to 2003 where the finger was firmly pointed at China for the theft of large amounts of information from military and governmental targets, <a href="http://en.wikipedia.org/wiki/Ghostnet">gh0stnet </a>in 2007 was similarly blamed on China, as were the <a href="http://en.wikipedia.org/wiki/Operation_Aurora">Aurora </a>attacks the following year. This year has already seen similarly motivated attacks on <a href="http://www.computerweekly.com/Articles/2011/03/18/245974/RSA-hit-by-advanced-persistent-threat-attacks.htm">RSA</a>, the <a href="http://countermeasures.trendmicro.eu/serious-cyber-attack-on-eu/">European Council</a>, the <a href="http://www.bbc.co.uk/news/business-12662596">French Finance Ministry</a>, the <a href="http://www.pcworld.com/businesscenter/article/219906/china_denies_role_in_reported_government_of_canada_hack.html">Canadian government</a>, <a href="http://www.informationweek.com/news/government/security/229700151">Lockheed Martin</a> and of course <a href="http://en.wikipedia.org/wiki/Stuxnet">Stuxnet</a>.<br />
&nbsp;<br />
So many technological and cryptographic advances have their roots in the centuries-old art of espionage that we should really not be surprised to see national foreign intelligence services making use of cutting edge tools and techniques to further their national or economic interests.<br />
&nbsp;<br />
None of this represents a global online meltdown, or the end of the internet economy or national security as we know it. Like everything else in this world we can trace a simple process of evolution at work here. Security companies, individuals and enterprises must evolve to keep pace and just maybe learn some of the lessons that some of these guys have been teaching us for years now. Encrypt your data, develop securely, configure correctly, test your defences effectively, use complex passwords, shield your vulnerabilities and build your systems under the assumption that a breach *<strong>will</strong>* happen.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/what-the-hack-is-going-on/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Sony, Anonymous and the PSN.</title>
		<link>http://countermeasures.trendmicro.eu/sony-anonymous-and-the-psn/</link>
		<comments>http://countermeasures.trendmicro.eu/sony-anonymous-and-the-psn/#comments</comments>
		<pubDate>Tue, 26 Apr 2011 11:31:37 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[anonymous]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2776</guid>
		<description><![CDATA[As the Sony Playstation gaming network PSN enters its fifth day of disruption, details from the parent company remain few on the exact cause and nature of the outage. &#160; The most recent blog post from Patrick Seybold, Sony’s Senior Director of Corporate Communication &#38; Social Media on the 25th April states simply “I know [...]]]></description>
			<content:encoded><![CDATA[<p>As the Sony Playstation gaming network PSN enters its fifth day of disruption, details from the parent company remain few on the exact cause and nature of the outage.<br />
&nbsp;<br />
The <a title="PSN Update" href="http://blog.us.playstation.com/2011/04/25/psn-update/">most recent blog post</a> from Patrick Seybold, Sony’s Senior Director of Corporate Communication &amp; Social Media on the 25th April states simply “<em>I know you are waiting for additional information on when PlayStation Network and Qriocity services will be online. Unfortunately, I don’t have an update or timeframe to share at this point in time.</em>”<br />
&nbsp;<br />
Speculation over the mechanics and motivation for the “external intrusion” has been rife, with many pointing the finger at Anonymous. The “loose online collective” (how much do I hate using that term) launched OpSony on the 3rd of April as a response to Sony’s legal action against the hackers GeoHot and Graf_Chokolo, who have both been releasing tools to jailbreak the popular gaming console and to add or replace functionality. It is Anonymous&#8217; position that the information that was being shared by these hackers is being suppressed by Sony for reasons of “<em>corporate greed and complete control of the users</em>”. Sony have brought legal action against these two individuals as well as <a title="OpSony" href="http://anonops.blogspot.com/2011/04/opsony.html">reportedly</a> requesting that social media sites such as YouTube surrender details of the IP addresses of all visitors to geohot’s postings. Anonymous also state that legal permission has been given to surrender the IP address of all visitors to geohot.com.<br />
&nbsp;<br />
In the ongoing comments on the OpSony page, an initial network diagram of Sony’s internet presence was made available on the 6th of April, along with an appeal for further information, and on the same day PSN users were already complaining in the same thread about disruption caused to their access to online gaming.<br />
News reports across the internet still state that it is unclear who is behind the attack on Sony; however, an <a title="Everything Anonymous" href="http://www.anonnews.org/?p=press&amp;a=item&amp;i=797">undated news update</a> from Anonymous does appear to, at least implicitly, claim responsibility.<br />
&nbsp;<br />
The attack methodology has not currently been revealed by Sony and at present they have taken the PSN offline in order to “<em>strengthen our network infrastructure</em>”.<br />
&nbsp;<br />
Whatever your moral position on the rights or wrongs of violating end user license agreements and copyright law, it is undeniable that the action taken, which has led to this protracted period of downtime, has resulted in an outpouring of very strong negative feeling towards Anonymous, with one poster commenting:<br />
&nbsp;</p>
<blockquote><p>“<em>The Day Anonymous became no better than the people they claim to stand against</em>”</p></blockquote>
<p>&nbsp;<br />
The irony of denying millions of people access to services and information in the name of defending freedom of information is certainly not inconsiderable.<br />
&nbsp;<br />
This post comes to you on <a href="http://en.wikipedia.org/wiki/World_Intellectual_Property_Day">World Intellectual Property Day</a>. Would you like some irony with your irony, sir?</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/sony-anonymous-and-the-psn/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Libya goes dark</title>
		<link>http://countermeasures.trendmicro.eu/libya-goes-dark/</link>
		<comments>http://countermeasures.trendmicro.eu/libya-goes-dark/#comments</comments>
		<pubDate>Fri, 04 Mar 2011 16:50:37 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[libya]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2671</guid>
		<description><![CDATA[After a week of flaky Internet connectivity, traffic to and from Libya has come to a halt. The country is effectively offline; as is shown very clearly by this Google Transparency report. &#160; &#160; Details of how this shutdown was achieved are few right now. It seems that routes to the country are still being [...]]]></description>
			<content:encoded><![CDATA[<p>After a week of flaky Internet connectivity, traffic to and from Libya has come to a halt. The country is effectively offline, as is shown very clearly by this Google Transparency report.<br />
&nbsp;<br />
<div id="attachment_2673" class="wp-caption alignleft" style="width: 310px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/03/googletransparency1.png"><img class="size-medium wp-image-2673" title="googletransparency" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/03/googletransparency1-300x126.png" alt="" width="300" height="126" /></a><p class="wp-caption-text">Image courtesy of Google</p></div><br />
&nbsp;</p>
<div class="mceTemp">Details of how this shutdown was achieved are few right now. It seems that routes to the country are still being advertised, but there is simply no response from any destination inside the country; the traffic is almost certainly being &#8220;<a href="http://en.wikipedia.org/wiki/Black_hole_(networking)">blackholed</a>&#8221;. This will also mean that Internet users inside Libya are disconnected from the outside world as they will not receive any response to their Internet requests.</div>
<p>&nbsp;</p>
<div class="mceTemp">Every Libyan website (by this I mean sites hosted in Libya, www.bit.ly for example is still live) that I tested was unreachable, with traffic simply failing to get a response after the last hop on the Internet backbone outside the Libyan address space. By blackholing traffic rather than using the blunt instrument of BGP as Egypt did, it is still possible to selectively allow individual computers or networks to access the internet.</div>
<p>&nbsp;</p>
<div class="mceTemp">
<div id="attachment_2674" class="wp-caption alignleft" style="width: 310px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/03/traceroute.png"><img class="size-medium wp-image-2674" title="traceroute" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/03/traceroute-300x101.png" alt="" width="300" height="101" /></a><p class="wp-caption-text">Traceroute to LTT Libya web site</p></div>
</div>
<p>&nbsp;</p>
<div class="mceTemp">The best analogy I can think of is that, although the figurative canal system is still in place to get traffic to the right destination, Libya simply pulled the plug and drained the water.</div>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/libya-goes-dark/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Egypt: The Plague of Darkness</title>
		<link>http://countermeasures.trendmicro.eu/egypt-the-plague-of-darkness/</link>
		<comments>http://countermeasures.trendmicro.eu/egypt-the-plague-of-darkness/#comments</comments>
		<pubDate>Fri, 28 Jan 2011 09:16:54 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2585</guid>
		<description><![CDATA[&#8220;Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.&#8221; &#8211; Universal Declaration of Human Rights 1948 &#8211; Article 19 &#160; &#160; At approximately 10:30 UTC last night, the internet [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>&#8220;<em><strong>Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.</strong></em>&#8221; &#8211; Universal Declaration of Human Rights 1948 &#8211; Article 19</p></blockquote>
<p>&nbsp;</p>
<p><div id="attachment_2586" class="wp-caption alignleft" style="width: 310px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/01/5394246995_11ac170497_b.jpg"><img class="size-medium wp-image-2586" title="Egyptian Traffic" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/01/5394246995_11ac170497_b-300x148.jpg" alt="" width="300" height="148" /></a><p class="wp-caption-text">Credit: Arbor Networks</p></div><br />
&nbsp;<br />
At approximately 10:30 UTC last night, the internet in Egypt began to go dark. Many of the major ISPs have disappeared completely from the internet including LINKdotNET, Raya Telecom, Internet Egypt, Vodafone Egypt and IDSC. Most of the remaining service providers also have significantly less connectivity than at this time yesterday. The only ISP who currently appears unaffected is <a href="http://www.noor.net">Noor Data Networks</a> who remain resolutely 100% available. This is the provider used by the Egyptian Stock Exchange. The availability of this network and normal connectivity to the rest of the geographic region demonstrates that this is not a cut cable or other physical outage.<br />
&nbsp;<br />
Even <a href="http://www.tra.gov.eg/english/main.asp">the National Telecoms Regulatory Agency</a> is currently unreachable, as are most major news outlets, schools, businesses and official and unofficial information sources. <a href="http://isc.sans.edu/diary.html?storyid=10324&#038;rss">SANS are reporting</a> that no address in the .eg domain can be resolved from outside. From my own tests, the top-level domain server at the Egyptian Universities Network cannot be resolved over DNS and does not respond to communications over TCP/IP, illustrating the effectiveness of this total shutdown using both <a href="http://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System</a> (DNS) and <a href="http://en.wikipedia.org/wiki/Border_Gateway_Protocol">Border Gateway Protocol</a> (BGP) approaches. DNS is the protocol used to translate human-readable web addresses into numeric IP addresses and BGP is the protocol that Internet Service Providers use to advertise the IP addresses for which they are responsible.<br />
&nbsp;<br />
This sudden severing of internet connectivity appears to have all occurred at a similar time and the assumption must be that it is a part of officially sanctioned tactics to attempt to contain the growing political unrest in the country. The crackdown first started with the censoring of social networks in the country but, as Iran learned, determined people quickly find ways around this with help from the outside world.<br />
&nbsp;<br />
If indeed this action is officially directed then it would seem that the regime in Egypt has learned lessons from the Iranian attempts to censor communications there last year and taken even more drastic measures. This action is unprecedented in internet history.<br />
&nbsp;<br />
Currently Egypt is effectively isolated from the internet and anecdotal reports are that similar action has been taken against mobile phone networks disrupting telephone and text communications.<br />
&nbsp;<br />
<a title="Pastebin" href="http://pastebin.com/fHHBqZ7Q" target="_blank">Appeals are being made</a> for amateur radio enthusiasts to lend their support in giving a means of communication with the outside world back to the Egyptian population.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/egypt-the-plague-of-darkness/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Freedom exists in a school book.</title>
		<link>http://countermeasures.trendmicro.eu/freedom-exists-in-a-school-book/</link>
		<comments>http://countermeasures.trendmicro.eu/freedom-exists-in-a-school-book/#comments</comments>
		<pubDate>Thu, 09 Dec 2010 10:00:14 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2500</guid>
		<description><![CDATA[The continuing DDoS attacks on major commercial websites in support of Operation Avenge Assange raise some interesting questions about internet freedom. &#160; &#160; The online collective dubbed &#8220;Anonymous&#8221;, a group of individuals from various message boards and online fora have established their own &#8220;voluntary botnet&#8221;. This is being used to target sites which have suspended [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2512" class="wp-caption alignleft" style="width: 310px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/12/35996919_4dec10fd79.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/12/35996919_4dec10fd79-300x199.jpg" alt="" title="The Declaration of Arbroath" width="300" height="199" class="size-medium wp-image-2512" /></a><p class="wp-caption-text">Declaration of Arbroath by Martin Burns</p></div><strong>The continuing <a href="http://en.wikipedia.org/wiki/Denial-of-service_attack">DDoS</a> attacks on major commercial websites in support of Operation Avenge Assange raise some interesting questions about internet freedom.</strong><br />
&nbsp;</p>
<p>&nbsp;<br />
The online collective dubbed &#8220;Anonymous&#8221;, a group of individuals from various message boards and online fora, have established their own &#8220;voluntary botnet&#8221;. This is being used to target sites which have suspended or terminated their services with Wikileaks in the wake of the latest publication of formerly confidential material. Sites targeted so far have included Visa, Mastercard, Paypal, EveryDNS, Sarah Palin &amp; the Swedish Prosecution Authority among others. The DDoS attacks against these sites have been made by computers using a modified version of <a href="http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon" target="_blank">Low Orbit Ion Cannon (LOIC)</a> which Anonymous supporters choose freely to install. This voluntary DDoS bot is controlled via IRC, giving coordinators the ability to act quickly and decisively against discrete targets.<br />
&nbsp;<br />
These recent attacks (as well as previous attacks relating to online file-sharing prosecution activity) have been, and are being carried out in the name of internet freedom by volunteer supporters of the cause.<br />
&nbsp;<br />
What is internet freedom? Is it freedom for a company to choose the individuals with whom they wish to do business as long as the choice is made under a published code of conduct and within the law? Is it freedom to express a political or emotional opinion according to the dictates of your conscience? Is it freedom to publish information relating to activity which you believe to be wrong or reproachful in order to expose and highlight the activity? Is it freedom to be able to divulge other people&#8217;s secrets simply because words spoken in private are often ridiculous, outrageous or amusing when repeated in public? Is it freedom that in making your statement you deny millions of other people access to their own freedoms or in many cases their own livelihoods?<br />
&nbsp;<br />
The truth is, freedoms collide. For every bit of freedom one person asserts, whether internet or otherwise, someone else will lose some of their own. When a relatively small, loose collective of individuals come together with the power and the will to remove content they disagree with from the internet, almost at will, at what point does that stop being freedom? When do we stop burning bras and find we started burning books?<br />
&nbsp;<br />
Freedom and censorship may very well be two sides of the same coin. Heads, or tails?</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/freedom-exists-in-a-school-book/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Cybercriminal Call Centres?</title>
		<link>http://countermeasures.trendmicro.eu/cybercriminal-call-centres/</link>
		<comments>http://countermeasures.trendmicro.eu/cybercriminal-call-centres/#comments</comments>
		<pubDate>Mon, 23 Mar 2009 20:57:35 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[DoS]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[telephone]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=284</guid>
		<description><![CDATA[As the cybercrime economy matures so does the range of services being offered. We are familiar with seeing cybercriminals offering the resources at their disposal to carry out Distributed Denial of Service attacks (DDoS) against IP addresses. Imagine though, how much more effective an attack against your fiercest competitor could be if you could take [...]]]></description>
			<content:encoded><![CDATA[<p>As the cybercrime economy matures so does the range of services being offered.</p>
<p>&nbsp;</p>
<p>We are familiar with seeing cybercriminals offering the resources at their disposal to carry out Distributed Denial of Service attacks (DDoS) against IP addresses. Imagine though, how much more effective an attack against your fiercest competitor could be if you could take out their telephone connection to the outside world at the same time as their web site&#8230;</p>
<p>&nbsp;</p>
<p>Well those services are available in the underground community, the vendor below, for the price of just 340WMZ (1WMZ WebMoney is equal to about 0.65 Euros), offers to flood a phone number of your choice with calls for 10 days straight!</p>
<p><img class="alignleft size-full wp-image-285" title="foneflood" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/03/foneflood.png" alt="foneflood" width="540" height="188" /></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>Of course if you need your calls to be made with a purpose in mind, perhaps some outbound social engineering or maybe to take inbound calls to support your latest Spear Phishing or Whaling campaign? Then you need &#8220;Perfect Call Service&#8221;</p>
<p><img class="alignleft size-full wp-image-286" title="19-03-2009-21-02-20" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/03/19-03-2009-21-02-20.png" alt="19-03-2009-21-02-20" width="562" height="325" /></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p class="MsoNormal">Translated, they are offering</p>
<blockquote>
<p class="MsoNormal">&#8220;We call all contracts, drops, Banking, Shopping, eBay, Documents, UPS, anything you can think of. These calls can be received at our or your numbers</p>
<p class="MsoNormal">
<p class="MsoNormal">We do everything rapidly, with high quality and most importantly you will be amazed by our prices. The following discount system applies.</p>
<p class="MsoNormal">
<p class="MsoNormal"><span style="color: #800000;">Cost of call in English only $10</span>.</p>
<p class="MsoNormal">
<p class="MsoNormal">If you order more than two calls in the course of day,.beginning from the third call cost falls to <span style="color: #800000;">$7</span>.</p>
<p class="MsoNormal">
<p class="MsoNormal">The cost of calls in the remaining languages and time of the call are discussed separately in the ace with each!</p>
<p class="MsoNormal">
<p class="MsoNormal">Thus, languages are accessible in the service</p>
<p class="MsoNormal"><span style="color: #800000;">ENGLISH (3 male voices, 3 female</span> + possibility to arrange the timing of the call)</p>
<p class="MsoNormal"><span style="color: #800000;">GERMAN (2 male voices, 2 female</span> + possibility to arrange the timing of the call)</p>
<p class="MsoNormal"><span style="color: #800000;">SPANISH (1 male voice, 2 female</span> + possibility to arrange the timing of the call)</p>
<p class="MsoNormal"><span style="color: #800000;">ITALIAN (1 male voice, 1 female</span> + possibility to arrange the timing of the call)</p>
<p class="MsoNormal"><span style="color: #800000;">FRENCH (1 male voice, 2 female</span> + possibility to arrange the timing of the call)</p>
<p class="MsoNormal"><span style="color: #800000;">DUTCH (1 female</span> + possibility to arrange the timing of the call)</p>
<p class="MsoNormal">
<p class="MsoNormal">THE FOLLOWING LANGUAGES ARE UNDER TEST:</p>
<p class="MsoNormal"><span style="color: #800000;">CZECH (1 female voice)</span></p>
<p class="MsoNormal"><span style="color: #800000;">POLISH (1 female voice)</span></p>
<p class="MsoNormal">
<p class="MsoNormal">Are ready to carry out the transfers of different languages. In the arsenal always there are translators of European, eastern and many other languages. Also there are carriers for checking your texts. All translators are the degreed specialists and have large work experience. We can show linguistic support to your drop projects, help with the correspondence on dating, localize site on the necessary language and so on. We also allow the services of copywriting, SEO of written copy, naming, writing of content in different languages, the compositions of spam, letters, advertising articles and so on.</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">On the whole, we can ensure the complete linguistic support of your projects. Prices completely acceptable and will pleasantly you astonish Be turned, we will be glad!&#8221;</p>
<p class="MsoNormal">&nbsp;</p>
</blockquote>
<p class="MsoNormal">Never call the telephone numbers provided to you in email messages, even to verify whether or not the mail you are reading is real or a scam. Always use the telephone number printed on your bank statements or credit cards. Otherwise, you could be greeted by an interactive menu system designed to have you enter your credit card number over the phone, or even more worryingly you could be connected to a representative from &#8220;Perfect Call Service&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/cybercriminal-call-centres/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

