Posts Tagged ‘LOIC’

Drones used as Proxies to get around ISP blocking and law enforcement: Predators to add server payload?

Cross Posted from TheAviationist.

Almost at the same time as the breaking news that a judge in New Zealand’s High Court declared “null and void” the order used to seize Kim Dotcom’s assets, writing another page of the endless MegaUpload saga, The Pirate Bay, one of the world’s largest BitTorrent sites, made another clamorous announcement. Tired of countering the blocking attempts that forced it, last month, to switch its top-level domain, possibly to avoid seizure by U.S. authorities, and in October 2011 to set up a new domain to get around ISP blocking in Belgium, the infamous BitTorrent site is considering turning GPS-controlled aircraft drones into proxies, in order to avoid law enforcement controls (and censorship) and hence evade the authorities who are looking to shut the site down.

A Predator drone carries a few servers…as tin cans would trail a newly married couple’s car

The drones, controlled by GPS and equipped with cheap radio equipment and small computers (such as the Raspberry Pi), would act as proxies redirecting users’ traffic to a “secret location”. An unprecedented form of (literally) “Cloud Computing”, or better “Computing in the Clouds”, capable of transferring, thanks to modern radio transmitters, more than 100 Mbps over a distance of more than 50 kilometers, more than enough for a proxy system.

This is essentially what MrSpock, one of the site’s administrators, stated in a Sunday blog post (apparently unavailable at the moment). Curiously the drones are called “Low Orbit Server Stations”, a name not surprisingly very similar to the “Low Orbit Ion Cannon”, the DDoS weapon used by the Anonymous collective, and capable of evoking very familiar hacktivism echoes.

Actually this is not the first time that hackers have tried to use airborne communication to circumvent law enforcement controls. At the beginning of the year, a group of hackers unveiled their project to take the Internet beyond the reach of censors by putting their own communication satellites into orbit.

What raises some doubts (at first glance this announcement looks like an early April Fools’ joke) is not the use of Low Orbit Server Stations, but the assumption that moving into the airspace would be enough to prevent law enforcement controls (and reactions).

Drones are subject to specific rules and restrictions and can only fly along reserved corridors that deconflict them from civilian and military air traffic. And they have to land every now and then, unless someone thinks these pirate robots can be refueled in flight.

As a commenter on The Hacker News correctly pointed out, “there seems to be a lot of misunderstanding about who ‘owns’ the airspace of a given country”: a drone flying too high would definitely be classified as a threat and forcibly removed by an air force, a drone tethered to the ground would be subject to local zoning laws, while a drone broadcasting from an “intermediate” height would probably violate a number of existing laws and be forced to shut down.

In the end it is better to turn back to “Ground Computing” as opposed to “Cloud Drones”. As a matter of fact, “it’s probably a lot easier to find a friendly government and host a normal server in that country”.

If you want an idea of how fragile our data are in cyberspace, have a look at the timelines of the main cyber attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow the author of this article, @pausparrows, on Twitter for the latest updates.

The Italian Job

March 13, 2012

The Italian Anonymous did it again and today attacked, for the second time in a few days, the vatican.va website. This time their attack has apparently gone deeper, since the infamous collective also posted a small portion of a database claimed to have been leaked from radiovaticana.org, the website of the official Vatican Radio.

The inevitable statement on pastebin (so far only in Italian) quotes Imperva, the Israeli company focused on application security which claimed, a few days ago, to have prevented a summer attack against the Vatican in August, using the collected information to profile a typical Anonymous DDoS attack.

Of course the pastebin suggests that this attack has been a kind of retaliation against the information disclosed by the Israeli security company in its detailed report; nevertheless this has only been the latest DDoS attack in Italy in a troubled weekend that has seen several websites fall under the LOIC shots: on Saturday the Italian Railways were hit (three domains), and yesterday Equitalia, the company that holds the concession to collect taxes on behalf of the Government.

This (un)expected revival of DDoS activity in Italy comes roughly a couple of months after the LOIC attacks unchained by the MegaUpload shutdown, and nearly nine months after the waves of attacks which made the Italian summer a very hot season for information security.

Besides, so far the preferred targets of Anonymous in Italy have been government and politicians’ websites; by targeting the Vatican site, it looks like this time Anonymous crossed the line.

As a matter of fact I have decided to write down in a table all the hacktivism-led attacks carried out in Italy from 2011 onwards. I collected the information on the attacks while gathering the necessary material to prepare my timelines for 2011 and 2012. In reading the list, please consider that several DDoS attacks were only claimed by the attackers, so it is really difficult to discriminate whether they were successful or not; nevertheless I thought it appropriate to insert them all to provide a global view.

So far, you will notice that hacktivism in Italy has passed through three main phases: the summer phase, maybe interrupted by the wave of arrests in July; the winter phase, as quoted above, immediately after the Megaupload shutdown in the wake of the anti-SOPA/PIPA/ACTA movements; and the current phase (may we define it a spring phase?) triggered by the delicate internal sociopolitical situation…

Columns: date, target, attack type, sector.

March 2011

04/03/2011 finmeccanica.it DDoS Military Industry
04/03/2011 eni.it DDoS Energy
04/03/2011 unicredit.it DDoS Finance

June 2011

21/06/2011 ilpopolodellalibertà.it DDoS Political Parties
21/06/2011 governoberlusconi.it DDoS Political Parties
21/06/2011 pdl.it DDoS Political Parties
21/06/2011 governoberlusconi.it DDoS Political Parties
21/06/2011 silvioberlusconifansclub.org DDoS Political Parties
21/06/2011 forzasilvio.it DDoS Political Parties
22/06/2011 governo.it DDoS Government
22/06/2011 camera.it DDoS Government
22/06/2011 senato.it DDoS Government
22/06/2011 interno.it DDoS Government
22/06/2011 regione.campania.it DDoS Government
22/06/2011 pdl.it DDoS Political Parties
22/06/2011 renatobrunetta.it DDoS Political Parties
22/06/2011 innovazionepa.gov.it DDoS Government
23/06/2011 governo.it DDoS Government
23/06/2011 agcom.it DDoS Government
23/06/2011 leganord.org DDoS Political Parties
24/06/2011 governo.it DDoS Government
24/06/2011 giustizia.it DDoS Government
28/06/2011 agcom.it DDoS Government
29/06/2011 camera.it DDoS Government
29/06/2011 pdl.it DDoS Government
29/06/2011 mediaset.it DDoS Entertainment
30/06/2011 telecomitalia.it DDoS ISP
30/06/2011 poste.it DDoS Mail
30/06/2011 borsaitaliana.it DDoS Finance

July 2011

01/07/2011 leganord.org DDoS Political Parties
01/07/2011 agcom.it DDoS Government
02/07/2011 innovazionepa.gov.it DDoS Government
02/07/2011 governo.it DDoS Government
03/07/2011 agcom.it DDoS Government
04/07/2011 agcom.it DDoS Government
06/07/2011 19 Universities (unisi.it, unisa.it, uniroma1.it, antonianum.eu, econoca.it, uniba.it, unibocconi.it, unifg.it, unime.it, unimib.it, uniurb.it, unibo.it, unipv.it, unina2.it, unile.it, polimi.it, unito.it, unimo.it) SQLi? Education
31/07/2011 vitrociset.it Defacement Contractor

August 2011

03/08/2011 vitrociset.it Defacement Contractor
06/08/2011 sappe.it Defacement Law Enforcement Agencies

September 2011

02/09/2011 Undisclosed Bank ? Finance

November 2011

29/11/2011 fiocchigfl.it Defacement Military Industry

December 2011

06/12/2011 torino-lione.it Defacement Transportation
06/12/2011 ghiglia.it Defacement Political Parties
19/12/2011 fabriziocorona.it Defacement Entertainment
19/12/2011 costantinovitaliano.it Defacement Entertainment

January 2012

10/01/2012 leganord.org Defacement Political Parties
13/01/2012 italia.gov.it DDoS Political Parties
22/01/2012 siae.it DDoS Entertainment
22/01/2012 universalmusic.it DDoS Entertainment
22/01/2012 copyright.it DDoS Entertainment
22/01/2012 giannifava.org DDoS Political Parties
22/01/2012 leganord.org DDoS Political Parties
24/01/2012 giustizia.it DDoS Government
26/01/2012 italia.gov.it DDoS Government

February 2012

11/02/2012 circondarialetorino.it Defacement Law Enforcement Agencies
17/02/2012 rivagroup.com DDoS Military Industry
17/02/2012 enel.it DDoS Energy
18/02/2012 mauriziopaniz.it Defacement Political Parties
22/02/2012 binetti.it Defacement Political Parties
27/02/2012 polizia.it DDoS Law Enforcement Agencies
27/02/2012 carabinieri.it DDoS Law Enforcement Agencies

March 2012

07/03/2012 vatican.va DDoS Religion
10/03/2012 trenitalia.it DDoS Transportation
10/03/2012 RFI.it DDoS Transportation
10/03/2012 viaggaintreno.it DDoS Transportation
11/03/2012 equitalia.it DDoS Services
12/03/2012 vatican.va DDoS Religion
12/03/2012 radiovaticana.org Defacement Religion

School of Hacktivism

March 2, 2012

A like Anonymous

There are really few doubts: this is the most (in)famous hacking collective. No day passes without a new resounding action. They are Anonymous. They are Legion. They do not forgive. They do not forget. Expect Them.

B like Barrett Brown

Considered one of the early members, Barrett Brown is the alleged spokesperson of Anonymous.

C like Chanology (AKA Project Chanology, AKA Operation Chanology)

A protest movement by Anonymous against the practices of the Church of Scientology. The project (or Operation) was started in January 2008 in response to the Church of Scientology’s attempts to remove from the Internet material from a highly publicized interview with Scientologist Tom Cruise, and was followed by DDoS attacks and other actions such as black faxes and prank calls.

D like DDoS

Distributed Denial of Service (abbreviated DDoS) is the preferred weapon of hacktivists, since it does not need particular hacking skills and may also be centrally controlled (with a hive mind that defines the target). The preferred tool for perpetrating DDoS attacks is LOIC, although next-gen tools are under development.

E like Encyclopædia Dramatica

A satirical open wiki, launched on December 10, 2004 and defunct since April 14, 2011. It is considered one of the sources of inspiration for Anonymous.[1]

F like Fawkes Guy AKA Fawkes Guido

Guy Fawkes (13 April 1570 – 31 January 1606), also known as Guido Fawkes, belonged to a group of provincial English Catholics who planned the failed Gunpowder Plot, an assassination attempt against King James I of England. His stylised mask, designed by illustrator David Lloyd and used as a major plot element in the “V for Vendetta” comic book, is the symbol of Anonymous. The failure of the Gunpowder Plot has been commemorated in England since 5 November 1605.

Crime As A Self Service

February 3, 2012

One of the most visionary information security predictions for 2012 was the one issued by Fortinet, which defined the term Crime as a Service: “Crime as a Service (CaaS), [...] is just like Software as a Service (SaaS), but instead of offering legal and helpful services through the Internet, criminal syndicates are offering illegal and detrimental services, such as infecting large quantities of computers, sending spam and even launching direct denial of service (DDoS) attacks”. At first glance I marked this prediction as exaggerated, but then I could not imagine that I would witness a huge demonstration of it only a few days later. Of course I am referring to #OpMegaUpload when, immediately after the FBI takedown, Anonymous redirected users towards a website where they could DDoS a large group of targets with a simple web click and, most of all, without the need to install the infamous LOIC.

Even if this has been, so far, the most noticeable example, it is not the only one of a malicious tool used as a service for criminal (in this case one-shot) campaigns. More in general, using very familiar terms (borrowed and adapted from cloud terminology), I believe CaaS is taking three shapes:

  • Software As a (Crime) Service or Saa(C)S, in which the criminals offer malicious software (and the needed support) as a service. An example? The latest Zeus variant dubbed Citadel, recently spotted by Brian Krebs, which provides the purchaser with a help desk and even a dedicated social network;
  • Infrastructure As a (Crime) Service or Iaa(C)S, in which the criminals offer malicious services (or infrastructures) to attack specified targets; services may include complex “traditional” infrastructures such as botnets, but also “innovative” large-scale services such as DDoS, or sharper services such as password cracking. Try to surf the web and you will discover how easy it is to purchase such criminal services;
  • Platform As a (Crime) Service or Paa(C)S, in which the criminals offer malicious platforms that users may adapt to fit their needs. An example? The brand new HOIC (High Orbit Ion Cannon), the new DDoS tool, evolution of the infamous LOIC, that may be assimilated to a real malicious service platform that users may tailor to fit their needs thanks to the booster scripts. I believe we are not so far from criminal organizations selling customized booster scripts for every kind of need and, why not, offering support services as well.

Last but not least, these services are self-provisioned, and this is the reason why I used the term “Crime as a Self Service”: in every scenario, be the malicious service a Saa(C)S, Iaa(C)S or Paa(C)S, the user directly selects the target (or the victim), and that’s it!

May I Be Arrested For Using LOIC?

January 20, 2012

As you will probably know, as a consequence of the takedown of the famous storage site Megaupload and the consequent indictment and arrest of seven people (all accused of online piracy), Anonymous have launched #OpMegaUpload, a giant DDoS attack defined as “The biggest Internet attack ever”, targeting, among others, the White House, the FBI, Viacom and the DoJ (a complete list of the targets is at this link). As a consequence, last night the LOIC cannons fired once again, leading to a fluctuation of global Internet traffic of between 13 and 14 percent above normal.

Unfortunately it looks like many habitual Megaupload users turned themselves into extemporaneous wannabe hackers, giving their contribution to this questionable cause: equipped with the Low Orbit Ion Cannon they started to fire against the designated targets. By midnight on January 20th, @AnonOps declared the operation a success, with over 5,635 people using the Low Orbit Ion Cannon to bring down the targeted sites.

Curiously, on the night of January the 20th, my blog was flooded with an unusual number of requests coming from search engines looking for several strings with a common pattern. Scrolling down the list of search engine terms that directed to my blog (in rigorous ascending order), you may easily guess the common pattern:

using loic arrested
loic arrested
arrested for using loic
loic fbi
is using loic dangerous
can we be arrested for loic
risk of using loic
using loic
arrested loic
loic precautions
may i be arrested for using loic
arresting people for using loic
how to safely use loic
being arrested because of loic
can you be arrested for useing loic
anonymous loic safe
can i be arrested for using loic
loic not safe
danger of using loic
may i be arrested for using #loic
use loic

Yes, unfortunately it looks like too many people have decided to use the Megaupload shutdown as the trigger for an improvised career as hackers, considering LOIC as a kind of magic wand capable of turning anyone into a hacker in a few minutes. Maybe several of these “wannabe hackers” were not that stupid and wondered whether their action might have legal consequences. For those, the fundamental question and age-old dilemma is: “Is LOIC dangerous?”

Since I already dealt with this topic in a couple of posts during the hot summer of the Lulz Boat, their googling brought them to my blog. For sure this morning, before understanding what had happened during the night (in Italy), I was surprised by the unusual number of clicks on the two articles concerning LOIC, which you may read (No One has ever been arrested for using LOIC and Someone has been arrested for using LOIC) if you just need an answer (or maybe you do not need to, since the title of the latter is meaningful enough).

But please consider that the fundamental question is not whether using LOIC is dangerous or not, but rather “whether I should play at being a hacker or not”, and the answer is quite straightforward…

BTW, I gave my humble contribution to the #SOPAblackout but, whether or not I agree with the Megaupload shutdown, I absolutely do not agree with and do not support similar methods of protest.

The Secret Behind LOIC? Simple!

August 24, 2011

Everyone dealing with information security knows very well that SNMP (which stands for Simple Network Management Protocol and is the standard UDP-based protocol used to monitor servers and network elements) is considered insecure. In too many circumstances network administrators forget to change the community strings (the strings used to “softly” authenticate the manager and the agents) from their default values, which are typically “public” for read-only access and “private” for read-and-write access on the monitored device. This happens sometimes out of carelessness, or simply because network administrators do not consider changing the default community strings a security issue.

And even if SNMP version 3 is used (which grants encryption and mutual authentication between the manager and the agents, so at least attackers may not spoof the default community strings), in 12 years of honorable career I have so far never found the right combination of manager and agent versions: I mean, when you have a network manager supporting version 3, the agents only support version 1 or 2c, and vice versa, if the agents support version 3 you may be sure that the manager only supports version 1 or 2c.

Now there is one more reason to consider SNMP (and its default configurations) a hazard for information security. This reason is four letters long and is called LOIC, the infamous tool used by Anonymous to perpetrate the well-known DDoS attacks.

So far the infosec community has been divided into two opposite factions: on one side those who think that Anonymous-perpetrated DDoS attacks are successful even with a small number of “enrolled cannons”, since Anonymous itself owns a botnet which from time to time is unleashed against the target; on the other side those claiming that this kind of attack may be successful only if a huge number of volunteer participants is enrolled.

Today an article written by Alex Holden, Cyopsis Director of Enterprise Security, offers an alternative hypothesis. The attack method Holden describes is called a Reflected Denial of Service (RDoS) and simply uses SNMP, which is UDP-based, exploiting the weaknesses in the default configurations that populate many of the devices composing the Internet, with devastating consequences.

The SNMP paradigm, as the name suggests, is very simple: each device (server, network device or application) which must be monitored exposes some status variables to the external world. The variables may be queried by a special application called the network manager. The variables are organized in a tree of groups (the variables being its leaves), each identified by an OID (Object IDentifier). Querying the tree from the main OID (1.3.6.1) returns all the variables (this operation is called an snmpwalk).

If Holden’s assumption is correct, suppose you are able to spoof a manager with the same address as the target of the attack, and suppose you generate continuous SNMP queries with that address, querying the main OID from all the Internet devices known to have default community strings. The unaware target will be flooded by SNMP replies from those devices, with a lethal amplification effect, and consequently an apparently innocent misconfiguration (that is, the unchanged default community string) becomes a hazard for the Internet.

Of course this is mere speculation (I did not verify the source code), but it would explain why Anonymous claimed that LOIC traffic was hard to detect (but not always): the SNMP protocol is very popular and widespread on the Internet.
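As an added example (not code from the post or from Holden’s article) of how a defender could recognise the reflection pattern just described in flow data: a host that receives bulky replies from UDP port 161 of many distinct agents while having sent little or nothing to port 161 itself is the spoofed victim, and agents still answering to “public”/“private” are the reflectors. Flow field names, sample addresses and thresholds are assumptions.

```python
"""Spot an SNMP reflected denial of service (RDoS) in UDP flow records.

Added, constructed example; not code from the original post or from
Holden's article. It models the mechanism the post describes: agents with
default community strings answer snmpwalk requests carrying a spoofed source
address, so the victim receives bulky replies (UDP source port 161) it never
asked for. Flow field names, sample addresses and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SNMP_PORT = 161
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    octets: int


# Constructed sample flows (RFC 5737 documentation addresses).
# 10.0.0.5 is a legitimate manager polling one agent and getting one reply;
# 203.0.113.9 is the spoofed victim receiving replies from twelve agents
# although it never sent anything to port 161.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 40001, "10.0.0.20", SNMP_PORT, 80),    # real request
    Flow("10.0.0.20", SNMP_PORT, "10.0.0.5", 40001, 1200),  # its reply
] + [
    Flow(f"198.51.100.{i}", SNMP_PORT, "203.0.113.9", 40002, 8400)
    for i in range(1, 13)
]


def reflection_report(flows, min_sources=5, min_ratio=5.0):
    """Return {victim: (distinct_reflectors, reply_octets, amplification)}.

    A host is reported when replies from port 161 arrive from at least
    min_sources distinct agents and their volume is at least min_ratio times
    the SNMP request volume the host itself sent (infinite if it sent none).
    """
    reply_octets = defaultdict(int)
    reflectors = defaultdict(set)
    request_octets = defaultdict(int)
    for f in flows:
        if f.sport == SNMP_PORT:      # agent -> manager reply
            reply_octets[f.dst] += f.octets
            reflectors[f.dst].add(f.src)
        elif f.dport == SNMP_PORT:    # manager -> agent request
            request_octets[f.src] += f.octets
    report = {}
    for host, inbound in reply_octets.items():
        asked = request_octets.get(host, 0)
        ratio = inbound / asked if asked else float("inf")
        if len(reflectors[host]) >= min_sources and ratio >= min_ratio:
            report[host] = (len(reflectors[host]), inbound, ratio)
    return report


def default_community_findings(configs):
    """configs: {device: [community strings]} -> devices still using the
    defaults the post names, i.e. the agents usable as reflectors."""
    return {dev: sorted(set(strings) & DEFAULT_COMMUNITIES)
            for dev, strings in configs.items()
            if set(strings) & DEFAULT_COMMUNITIES}


if __name__ == "__main__":
    for victim, (n, octets, ratio) in reflection_report(SAMPLE_FLOWS).items():
        print(f"{victim}: {n} reflectors, {octets} bytes, x{ratio:g}")
    print(default_community_findings({"core-sw1": ["public", "n0tdefault"],
                                      "edge-rtr2": ["n0tdefault"]}))
```

The legitimate manager is not reported because its single reply comes from one agent, while the victim is reported with an infinite ratio since it sent no request at all.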

The arrests of LOIC users are also the reason why a new tool called #RefRef is in development. Developed in JavaScript, the tool is said to use the target site’s own processing power against itself, causing the target to succumb to resource exhaustion (it looks like a reflected attack against itself).

(Original link via Infosecisland).

Hacking In The Time of Twitter

August 5, 2011

So, after announcing an alleged hack of the Italian Prison Guards, the threatening tweets anticipating the latest hack have suddenly disappeared from @LulzSecITALY and been replaced by a tweet announcing a day of rest. Of course the doubt whether the announcement was a hoax or not remains… But in my opinion this is not the most relevant point of the story.

As a matter of fact this is only the latest occurrence of a strange phenomenon that is changing the rules of hacking. In the old world, attacks were performed silently, and disclosed (if discovered) only several months later, and never because they were directly announced by the alleged authors.

What is happening after the example of Anonymous and LulzSec is a kind of “Consumerization of Hacking”, not only because the public availability of tools such as LOIC or TOR has allowed the enrollment of many “would-be” hackers, but most of all because in these strange days advertising an attack, too often before performing it, has become even more important than the effect of the attack itself, that is the quality of the data leaked. In this scenario the social media act as a sounding board allowing a viral spreading of the information (which grants more importance to the action itself rather than to its content).

This trend has several consequences:

  • Sometimes attacks are advertised even if they are not particularly sophisticated (for instance the massive DDoS campaigns), or the quality of the data stolen is irrelevant;
  • Attacks are often anticipated or followed by many claims which make it hard to identify the real author. Before or after an attack appears, different alleged authors claim its paternity (consider for instance the case of the Italian Cyber Police hack), also because many attacks of the last days are poor in quality, so that the author does not need to prove his skills;
  • Also the quality of hacking is decreasing, as often happens when something becomes available to (too) many, most of all because the many lack the necessary skills.

This does not mean that information security professionals do not need to be worried, but only that the landscape is changing: more attacks, maybe less sophisticated, with an impact more quantitative than qualitative.

Have you ever tried to think of the Stuxnet developers announcing on a pastebin their intention to stop the Iranian nuclear program, or of a tweet announcing Shady RAT, or rather the Mother of All Breaches disclosed by the Pentagon?

One could say that these attacks were mostly driven by military reasons; nevertheless, honestly speaking, at this point I would not be surprised by cyberwar tweets announcing sensational operations in the fifth domain of war. Probably they are already among us, even if hidden: this explains the intention of the Department of Defense to invest millions in Twitter tracking.

Someone has been arrested for using LOIC

July 20, 2011

Probably LOIC is not so safe as it was supposed to be.

Yesterday FOX News (curiously the American province of the Murdoch Empire which had suffered a hacking attack by the Lulz Boat the day before) was the first to report three FBI raids at the New York homes of three suspected members of the notorious hacking group Anonymous early Tuesday morning. Later on the same day more details became clear, including the fact that the raids were part of a wider ongoing operation involving, to date, more than 35 search warrants issued by the FBI (for a total of 75 searches to date), after which sixteen suspected members of Anonymous were arrested in Florida, New Jersey and California (more details in the official FBI press release, including the names of the arrested individuals).

The arrested individuals were considered responsible for the DDoS attacks against Visa, MasterCard, PayPal and others, after the companies decided to suspend donations for WikiLeaks.

In the same hours, again according to Fox News, officers from the Metropolitan Police’s E-Crime Unit in London arrested a 16-year-old boy in South London on Tuesday afternoon, on suspicion of breaching the Computer Misuse Act. The suspected individual could be Tflow, a key member of the infamous hacker group LulzSec, and he has been charged with the hacking of InfraGard, an FBI affiliate, on June the 3rd, 2011.

This is not the first example of a raid against alleged Anonymous members, since similar police actions were performed a couple of weeks ago in Italy and Switzerland, leading to the arrest of 15 individuals, and in Spain last month, which saw another three suspects arrested.

If we exclude the arrest of the alleged LulzSec member, as I already suggested, probably in many cases the alleged Anonymous members are “would-be” hackers, recklessly involved in hacktivism campaigns on the wave of enthusiasm but without the necessary skills. This explains the low average age of the teens purportedly involved. As a confirmation I found this interesting post on Reddit in which a family man tells, triggering the predictable comments from taxpayers, of the FBI in his house with a search warrant (20 agents, guns drawn) because they seemed to believe his 13-year-old son was an integral part of the Anon DDoS attack on PayPal (I must confess that for a European who grew up with sci-fi U.S. movies like me, the image of 4 cars and a black van filled with FBI agents invading an ordinary house is priceless). It looks like this is not the only example.

No One has ever been arrested for using LOIC? Not anymore…

Dump Up The Kids

July 8, 2011

Not even a single day has passed since the raid of the Italian Police against some alleged Italian Anonymous members, and a new hacker group, whose name LulzStorm unequivocally recalls the Lulz Boat, has been the author of a clamorous hacking action against several Italian universities.

On July the 6th, the “Silence of the Tweets” following the Italian Police raids was broken by @LulzStorm (which had not taken part in #opitaly until then) with some tweets announcing the availability of the Italian University Dump.

That tweet broke the silence into which @anonitaly and @LulzSecITALY had apparently fallen and, as easily predictable, was immediately retweeted all over the web at incredible speed.

Besides the data, the torrent contains a real declaration of war:

Targets included:

unisi.it (Università Degli Studi di Siena)
unisa.it (Università Degli Studi di Salerno)
uniroma1.it (Università La Sapienza di Roma)
antonianum.eu (Pontificia Università Antonianum)
econoca.it (Università Degli Studi di Cagliari, Facoltà di Economia)
uniba.it (Università Degli Studi di Bari)
unibocconi.it (Università Commerciale Luigi Bocconi)
unifg.it (Università Degli Studi di Foggia)
unime.it (Università Degli Studi di Messina)
unimib.it (Università Degli Studi Milano Bicocca)
uniurb.it (Università Degli Studi di Urbino)
unibo.it (Università Degli Studi di Bologna)
unipv.it (Università Degli Studi di Pavia)
unina2.it (Seconda Università Degli Studi di Napoli)
unile.it (Università del Salento)
polimi.it (Politecnico di Milano)
unito.it (Università Degli Studi di Torino)
unimo.it (Università Degli Studi di Modena e Reggio Emilia)

It is not clear whether the attack was perpetrated as revenge for the campaign against the “Italian Chapter” of Anonymous, but, of course, it had ample space in the media, raising many questions and concerns even among non-professionals. The chancellors of the affected universities (among which La Sapienza di Roma and the Politecnico di Milano) immediately replied that the deployed countermeasures were able to stop the attack and that in many cases no sensitive data were stolen.

Even if the attack details have not been disclosed, it looks like this might be yet another occurrence of an SQL injection attack, which may be considered the real lethal weapon of this tremendous 2011 (if we do not consider DDoS attacks, which are not considered an elegant vector by “purists”). I do not know if, as Veracode claims, 10,000 bucks would have prevented the Sony breach, but for sure more secure coding and a more effective deployment of Web/DB firewalls are needed.

Another aspect concerns the Italian law 193/2006, which in theory obliges each institution managing sensitive data (such as passwords) to keep them encrypted. Regulations are useless if not properly audited: I must confess I had the opportunity to analyze the torrent and I may confirm that in several cases the leaked data include e-mails and passwords in the clear. As a consequence, the question among infosec professionals is legitimate: why were those data not stored in compliance with the above quoted law? Regardless of the method used, if the attackers meant to show security weaknesses (in technology and regulations) they were probably successful, up to the point that several lawyers with expert knowledge in privacy claim that students may in theory obtain compensation for damage caused by the poor security measures taken by universities.

In any case the declarations made by the Italian Anonymous suggest that this could only be the first occurrence. Are we ready for that?

No One has ever been arrested for using LOIC

July 6, 2011

Update 07 July 2011: Updated content with the Italian Anonymous Press Release in English.

Today the front pages of Italian newspapers dedicate ample space to raids carried out by the Italian police against the local cell of Anonymous.

The group started a campaign against AGCOM (the Italian Authority for Communications), which is discussing a draft regulation on new rules in defense of copyright against piracy; these provide, in case a violation of copyright is reported, for the removal of the indicted content through an administrative procedure and the eventual blocking of the site, bypassing the ordinary legal process.

The detractors consider these new regulations a potential form of censorship and, most of all, a way for the government to maintain control over the content of web sites, with the possibility to remove unwelcome information.

In the wake of the protests following the draft law, the Italian Anonymous group, under the labels #antisec (does it remind you of anything?), #opitaly, #freeweb and #nowebcensure, has performed in the last two weeks several DDoS attacks against different Italian sites, not only related to the government (for instance AGCOM itself or the Senate), but also belonging to other institutions such as telcos (Telecom Italia), utilities (energy firm ENI, defence firm Finmeccanica), and financial institutions (UniCredit).

Yesterday the Italian Police carried out 32 dawn raids across the Italian peninsula (and Switzerland), which led to the arrest of 15 people, including the alleged leader of the organization, a 26-year-old Italian living in Switzerland, who used to sign his actions with the nickname “Phre” (which sounds like his surname, Frey).

The raids follow similar police action in Spain last month, which saw another three suspects arrested; curiously, they happened on the same day on which Sabu, the leader of the LulzSec group, declared he had reached the point of no return.

If I look at the events from an information security perspective, I cannot help noticing that the actions performed by Anonymous and LulzSec on web sites all over the world have probably given rise to a kind of “desire to emulate”, which has led to the involvement (enrollment) in the cause of individuals who probably lack the skills needed to perform hacking activities. I would almost say, paraphrasing an overused term, that the desire to emulate the actions of LulzSec and Anonymous has led to a kind of “consumerization of hacking”, which is not only really dangerous but also risks trivializing a subject that requires skill and know-how far above average, and not merely the availability of off-the-shelf hacking tools.

As a matter of fact, from the early exploits onward, the group’s activities were widely publicized on social media, which was used to gather followers, hold virtual meetings in chat rooms, and share the results of the campaigns under the well known motto “Tango Down”, brought into the spotlight by the LulzSec group in its 50 days of fun (Lulz).

But even then, I think there was something wrong.

  • Regardless of any style considerations (DDoS is not really considered an elegant weapon for hacking), hackers (whether motivated by cybercrime or hacktivism) are not too willing to publicize their actions, especially during the execution phase. It is no coincidence that the excessive echo of their actions was probably one of the reasons that triggered the hunt for LulzSec by other hacker groups (a hacker called Warv0x even decided to hack PBS again, right after LulzSec, just to show that the latter were not “as good as they think they are”). Understatement has so far not been a trait of the Italian Anonymous, who immediately aimed to broaden their horizons (and follower base) by making wide use of social media.
  • There are mainly two groups leading the protests on Twitter: @anonitaly and @LulzSecITALY. The first, despite reappearing on Twitter on April 6th, began to tweet heavily only from June 21st, that is, during the “hot days” (and not because of the arrival of summer) of the Lulz Boat. The second tweeted officially for the first time on June 25th, on the trail of the LulzSec group, which at that time was sowing the seeds of havoc (real or alleged) and attracting the interest of the FBI and other hunters. Well, does June 25th ring a bell? Exactly: a few hours later LulzSec would announce its own dissolution, leaving the “Italian chapter” orphaned. The sequence of events certainly does not give the impression of tight coordination between the groups;
  • As of June 28, both groups have begun to tweet in unison, posting the same information, searching for new followers and sharing targets and tools. I do not question “the weapons” deployed for the campaign, but the impression given was that being a hacker and taking down a web site was a simple job (on June 24th @anonitaly also publicly provided the link to LOIC, the tool used to take down the targets). The impression that using LOIC and being a hacker was something apparently simple was further reinforced by an @Anon_central tweet on using LOIC, which stated, among other things:

[FYI] No One has ever been ‘arrested’ for using LOIC.

(maybe not in Italy, I would comment).

Anonymous has actually released the “OpNewBlood Super Secret Security Handbook” in an effort to recruit more would-be hacktivists to further its cause. This is a tutorial-style guide that aims to instruct users on multiple subjects, particularly how to set up secure Internet Relay Chat (IRC) access for participating in group discussions. Maybe, but this is mere speculation, given the short time taken to set up the groups of the Italian chapter, many individuals without the necessary skills were taken on board, ignoring the guidance contained in the handbook.

It is no coincidence that, immediately after the so-called “Secure Italy” operation, the Italian Police released a statement that apparently downplays Anonymous’ hacking skills:

Out of all of the current hacker groups, Anonymous is the largest, but is also populated by the least technical people. Some of its members carry out attacks using software downloaded from the Internet and do not carry out the most basic attempts to secure their IP address.

It is even more curious that I found it only in foreign reports, since this statement was not quoted in any newspaper I read.
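A defender's counterpart to that statement, as an added example that is not part of the original post: when flood participants do not mask their source address, the attack shows up in the web server's access log as a handful of addresses repeating requests far faster than any visitor. The script below parses Apache combined-format log lines and flags sources that exceed a request-rate threshold within a sliding window; the log lines are constructed, not real traffic, and the addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path, user_agent) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path"), m.group("ua")


def find_flood_sources(lines, window_seconds=10, threshold=50):
    """Return {ip: peak requests seen in any window} for sources above the threshold.

    A sliding window over each address's sorted timestamps means a burst that
    straddles a clock-second boundary is still counted as one burst.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_ip[parsed[0]].append(parsed[1])
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def make_sample_log():
    """Constructed sample: one unmasked flooding address (60 hits in 6 s) and two normal clients."""
    base = '{ip} - - [06/Jul/2011:09:00:{sec:02d} +0200] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [base.format(ip="203.0.113.45", sec=i // 10, path="/", ua="Mozilla/4.0") for i in range(60)]
    for sec in (0, 5, 9, 14):  # ordinary visitors, a few requests each
        lines.append(base.format(ip="198.51.100.7", sec=sec, path="/news.html", ua="Mozilla/5.0"))
        lines.append(base.format(ip="192.0.2.18", sec=sec, path="/about.html", ua="Mozilla/5.0"))
    return lines
```

Running `find_flood_sources(make_sample_log())` reports only the constructed flooding address; a real deployment would tune the window and threshold to the site's normal traffic before acting on the result.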

Is this really the end for @anonitaly? Yesterday, immediately after the raids, the group released a statement denying that the Italian Anonymous network had been dismantled (since there is no leader) and announcing “consequences” for the actions of the Italian Police.

The original press release is as follows (typos and misspellings included):

A few hours ago, the Italian police announced complaints, arrests and raids against a number of members of Italian anonymous.
The media has spread the news that the entire Italian network of anonymous has been dismantled and the “leader’s” of Italian anonymous was arrested.

Anonymous denies these media reports an reiterates that this is impossible: Anonymous is not been dismantled. Anonymous has no leaders, no structure. All anonymous members operate at the same level. Those arrested are not “dangerous hackers”as the media calls them, but people like you. They have been arrested while peacefully protesting for there and your rights. Our protest will continue louder than ever.

The Italian Anonymous have not fallen because of this cowardly attempt to dismantle them and announce consequences for there actions taken by the police, to demonstrate that anonymous is present and fights on, like it did in the past and will in the future, for the freedom of the internet. Italy anonymous calls all citizens of the internet and the international anonymous: We need you! Let them have it, stronger than ever.

We are Anonymous
We are Legion
We do Not forget
We do not Forgive
Expect Us

Today, after a silence of approximately 20 hours, both groups resumed tweeting and @LulzSecITALY has just released the Italian universities’ database dump…
