Tag Archives: hacktivism

DDoS ain’t all it’s cracked up to be

photo by simonminter on Flickr under Creative Commons


 
Serious Organised Crime Agency hit by DDoS attack; UK police manage to bravely soldier on.
 
With the news that SOCA in the UK have had their web site knocked offline (again) as a result of a DDoS attack of unconfirmed origin, I wanted to publish the full text of my comments to the BBC as regards this nonsensical and pointless form of attack.
 
Ultimately DDoS is defeated by bandwidth: you need more of it than your attacker, and that can be achieved in a number of ways. You can buy bigger pipes and build bigger server farms locally, and you can try to block incoming requests by geography where appropriate, but this is not always cost effective or scalable. Preferable is to use the power of the cloud, which can help in a number of ways: either through the services of a content delivery network such as Akamai as your front end, relying on their infrastructure to absorb much of the attack volume, or by taking advantage of cloud-based hosting with one of the bigger providers (Google, Amazon, IBM, Rackspace etc.), again hiding behind someone else’s big bandwidth. Of course there is an associated cost to this as well.
 
In reality, it all comes down to risk management. It may simply not be cost effective for you to spend on combating DDoS, if the impact on your business or your customers (or the public in the case of government websites) does not justify the expense of the solution. You must understand your business and your customers, evaluate the financial impact of such an event and plan your security budget accordingly.
 
In the case of SOCA, their website being unavailable for a period of time has no impact on their ability to do business and very little impact on the public at large. Is it worth the expense of large-scale DDoS mitigation technologies? Probably not. Does it harm the SOCA brand to be seen to do nothing, or very little, to stop these attacks from happening? Again, probably not; SOCA are treating the attacks with the contempt they deserve.
 
The sensible person doesn’t walk around in a bee-keeper’s outfit to keep the wasps away from their ice-cream in summer. The sensible person accepts that wasps are attracted to ice-cream and that wasps will always outnumber ice-creams. Unless there is an overriding need to protect yourself from wasp stings, if the wasps impact your ability to breathe for example, you simply ignore them (or run around screaming). Both options are open, but treating them as the minor annoyance that they really are is probably the wisest.
 

Anonymous isn’t Sabu and Sabu certainly wasn’t anonymous

Isn't it ironic? Don't you think?


 
The news broke today via Fox that the LulzSec/Anonymous figurehead Hector Xavier Monsegur a.k.a. AnonymouSabu was under arrest and being charged with 12 counts of computer hacking conspiracy and other crimes. The case was initially opened last summer and the charges were filed via a criminal information, making it appear likely that Monsegur has since been cooperating with law enforcement in their investigations into other online criminal activities and individuals. In fact Monsegur had already been identified as the real person behind Sabu in other unrelated online investigations, but this was understandably downplayed.
 
The release from the FBI also details charges against Ryan Ackroyd (a.k.a. kayla), Jake Davis (a.k.a. Topiary), Darren Martyn (a.k.a. pwnsauce) and Donncha O’Cearrbhail (a.k.a. palladium) for hacks on Fox, PBS, Fine Gael, HBGary and Sony Entertainment (among others), and Jeremy Hammond (a.k.a. anarchaos) for the Stratfor hack. O’Cearrbhail is also individually cited as the individual responsible for the recording and release of the infamous FBI conference call.
 
The same FBI release also makes it very clear that these allegations are based in part on information given at Monsegur’s guilty plea.
 
This news certainly looks like the endgame for the splinter group known as LulzSec and possibly AntiSec too. It should certainly be expected that law enforcement have gathered all evidence they feel is necessary to proceed effectively against those individuals they are currently charging. Sabu was certainly not their only source of intelligence, but undoubtedly their most important.
 
It’s worth remembering that LulzSec and Anonymous were never one and the same. In several cases, most notably the Stratfor hack, an Anonymous release was posted which passionately denied any involvement in hacking a “media organisation”.
 
Anonymous is a very different organisation to LulzSec and other more closely linked groups. Anyone can and does act in the name of Anonymous, and their activities do not require individual hacker publicity or disclosure of personally identifiable details. The very fact that Sabu became the “celebrity” he was illustrates the real difference between LulzSec and Anonymous. LulzSec may be finished, but it would be premature to say the same about Anonymous.
 
Does this undermine “trust” in Anonymous? If anything would make that community laugh, that proposition certainly would! The hackers we really need to worry about are those that trusted no one and sought no glory in the first place and the best place to look to thwart them is in better securing our own networks and assets.
 
I am reminded of one of my all-time favourite films, Angels with Dirty Faces. Maybe if Sabu has been informing on his erstwhile associates, that is the most good that can come of this. Just like Rocky Sullivan eventually “turned yeller”, much to the disillusionment of the street kids, maybe Sabu’s dramatic fall from hacker glory will also serve as an object lesson.
 

KPN: The stolen data that wasn’t and the 8 year-old that was to blame.

On Wednesday February 8th, KPN, the giant Dutch ISP, announced that their network had been breached. KPN first became aware of the breach around January 27th of this year and since that date have worked with the National Cyber Security Centre, the regulator OPTA, the Data Protection Agency, the Ministry of Economic Affairs, Agriculture & Innovation, the Ministry of Justice and Safety and the Public Prosecutor in an effort to contain and trace the intruder(s).
 
A conscious decision was made in January not to make a public announcement regarding the intrusion. This decision was apparently made for two reasons: to increase the chances of success of the investigation, and to mitigate the possibility that the hacker would do some kind of damage if they knew they had been discovered.
 
In the initial announcement, KPN recognised that some customer data may have been affected but stated that servers containing credit card data or passwords were not compromised.
 
One day after this announcement, a list of 537 KPN user accounts (name, address, email address and password in clear text) was posted on pastebin. No direct context was given for the data or where it came from; the title of the post was simply “KPN HACK PROOF, KPN houdt vol: geen klantgegevens gestolen”, which translates as “KPN insists: no customer data stolen”, so the insinuation was clearly that the two events were linked.
 
As a result of this data leakage KPN immediately shut down access to all of its 2 million consumer email accounts (as a precautionary measure). It took fully 25 hours before KPN were able to restore outbound email service to their customers on Friday night, and it wasn’t until Saturday that inbound email services were restored in a phased approach. At the same time KPN invested in extra bandwidth and services to enable all their customers to go through an online password reset procedure. Business services remained unaffected, although business users were also strongly advised to change their passwords. By midday Sunday, more than 100,000 customers had already done so.
 
In an article published this weekend, it became clear that the 537 user accounts were in fact not associated with this attack at all. Instead, they were a subset of a much larger list stolen earlier in the year from the online store babydump.nl. The published information is at least a year out of date, although several of the victims on the list were unaware that their information had been stolen or leaked at all.
 
According to KPN’s ongoing analysis, which agrees with the information given by the self-confessed attacker, the underlying reason for the successful intrusion was the use of outdated software. According to the hacker, the first system breached was running SunOS 5.8 with patch 108528-29, a version dating back to 2004; SunOS 5.8 is due to reach end of support next month. In addition, the hacker claims to have downloaded at least 16GB of data, which has subsequently been destroyed, and to have breached the systems to the point of being able to individually control a customer’s Internet access.
 
KPN appear in large part to agree with the hacker’s assertions. Their statement from today says: “Several experts in their analysis around the digital break-in suggested that KPN were using seriously outdated systems, and that they also failed to regularly update them.” Joost Farwerck, Director of KPN Netherlands, said: “Granted, developments in our sector are of course very fast. That said, by research in recent weeks we have seen that the maintenance of Internet IT systems has not always been optimal. We are drawing lessons from this to make the service for our customers better and safer.”
 
As if the Sony debacle were not enough, here is yet another salutary lesson that vulnerable and outdated systems should not be Internet-facing unless they are adequately protected. It is a relatively simple matter to discover the versions of operating systems and applications running on a given server, and an even simpler task to look up their disclosed vulnerabilities.
 
While it may be unrealistic to expect an enterprise to install each and every patch as it becomes available, attaching an inadequately protected system with an eight-year-out-of-date operating system and application stack to the Internet is inexcusable. Even in an internal environment, enterprises should shield known vulnerabilities with effective host intrusion protection software until patches are deployed, and the patches themselves should be deployed in as timely a manner as possible. Don’t be the next KPN.
 
If you believe that your account may have been affected by this intrusion, the password reset service is here, although it appears to be suffering under heavy load right now and I could not get a response. You would also be well advised to check out the password advice I posted earlier and to avoid reusing one password across multiple web sites.