Drones used as Proxies to get around ISP blocking and law enforcement: Predator’s to add server payload?
Cross Posted from TheAviationist.
Nearly in contemporary with the breaking news that a judge in New Zealand’s High Court has declared that the order used to seize Kim Dotcom’s assets is “null and void”, writing another page inside the endless MegaUpload saga, The Pirate Bay, one of the world’s largest BitTorrent sites, made another clamorous announcement. Tired of countering the block attempts that forced, last month, to switch its top-level domain, possibly to avoid seizure by U.S. authorities, and in October 2011 to set up a new domain to get around ISP blocking in Belgium, the infamous BitTorrent site is considering the hypothesis to turn GPS-controlled aircraft drones into proxies, in order to avoid Law Enforcement controls (and censorship) and hence evade authorities who are looking to shut the site down.
The drones, controlled by GPS and equipped with cheap radio equipment and small computers (such as Raspberry Pi), would act as proxies redirecting users’ traffic to a “secret location”. An unprecedented form of (literally) “Cloud Computing”, or better to say “Computing in the Clouds”, capable to transfer, thanks to modern radio transmitters, more than 100Mbps at over 50 kilometers away, more than enough for a proxy system.
This is essentially what MrSpock, one of the site’s administrators, stated in a Sunday blog post (apparently unavailable at the moment). Curiously the drones are called “Low Orbit Server Stations”, a name not surprisingly much similar to the “Low Orbit Ion Cannon”, the DDoS weapon used by the Anonymous collective, capable of evoking very familiar hacktivism echoes.
Actually this is not the first time that hackers try to use air communication to circumvent Law Enforcement controls. At the beginning of the year, a group of hackers unveiled their project to take the internet beyond the reach of censors by putting their own communication satellites into orbit.
What raised some doubts (at first glance this announcement looks like an anticipated April Fools), is not the the use of a Low Orbit Server Stations, but the fact that moving into an airspace would be enough to prevent Law Enforcement Controls (and reactions).
Drones are subject to specific rules and restrictions and can only fly along reserved corridors to deconflict them from civilian and military air traffic. And they have to land every now and then, unless someone thinks these pirate robots can be air-to-air refueled.
As a commenter of The Hacker News correctly pointed out: “There seems to be a lot of misunderstanding about who “owns” the airspace of a given country“: definitely a drone flying too high would be classified as a threat and forcibly removed by an air force, a drone tethered to ground would be subjected to local zoning laws, while a drone broadcasting from an “intermediate” height would probably violate a number of existing laws and forced to shut down.
At the end it is better to turn back to “Ground Computing” as opposed to “Cloud Drones”. As a matter of fact “it’s probably a lot easier to find a friendly government and host a normal server in that country“.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow the author of this article @pausparrows on Twitter for the latest updates.
The Italian Anonymous did it again and today have attacked for the second time in few days the vatican.va website. Actually this time their attack has apparently been deeper since the infamous collective also posted a small portion of a database claimed to have been leaked from radiovaticana.org, the website of the official Vatican Radio.
The inevitable statement on pastebin (so far only in Italian) quotes Imperva, the Israeli Company Focused on Application Security which claimed, few days ago, to have prevented, in August, a summer attack against the Vatican, using the collected information to profile a typical Anonymous DDoS attack.
Of course the pastebin suggests that this attack has been a kind of retaliation against the information disclosed by Israeli Security Company in their detailed report, nevertheless this has been only the last DDoS attack in Italy in this troubled weekend that has seen several websites falling under the LOIC shots: Saturday the Italian Railways have been hit (three domains), and yesterday Equitalia, the company owning the concession, on behalf of the Government, to collect taxes.
This (un)expected revamp of DDoS activity in Italy comes approximately nearly a couple of months after the LOIC attacks unchained by the MegaUpload shutdown, and nearly nine months after the waves of attacks which made the Italian Summer a very hot season for Information Security.
Besides, so far the preferred targets of The Anonymous in Italy have been Government and Politician Websites, targeting the Vatican Site, looks like this time the Anonymous crossed the line.
As a matter of fact I have decided to write down in a table all the hacktivism-led attacks carried on Italy from the 2011 onwards. I have collected the information on the attacks during the gathering of the necessary material to prepare my timelines for 2011 and 2012. In reading the list, please consider that several DDoS attacks were only claimed by the attackers, so it is really difficult discriminate if they were succesful or not, nevertheless I thought it appropriate to insert them all to provide a global view.
So far, you will notice that the Hackvism in Italy has passed three main phases: the summer phase, maybe interrupted by the wave of arrests in July; the winter phase, as quoted above, immediately after the Megaupload shutdown on the wake of the anti-SOPA/PIPA/ACTA movements; and the current phase (may we define it a spring phase?) triggered by the delicate internal sociopolitical situation….
|06/07/2011||19 Universities: unisi.it
|06/08/2011||sappe.it||Defacement||Law Enforcement Agencies|
|11/02/2012||circondarialetorino.it||Defacement||Law Enforcement Agencies|
|27/02/2012||polizia.it||DDoS||Law Enforcement Agencies|
|27/02/2012||carabinieri.it||DDoS||Law Enforcement Agencies|
There are really few doubts, this is the most (in)famous hacking collective. There is no new day without a new resounding action. They are Anonymous. They are Legion. They do not forgive. They do not forget. Expect Them.
B like Barrett Brown
Considered one of the early members, Barrett Brown is the alleged spokesperson of Anonymous.
C like Chanology (AKA Project Chanology, AKA Operation Chanology)
A protest movement against the practices of the Church of Scientology by Anonymous. The project (or Operation) was started in response to the Church of Scientology’s attempts to remove material from a highly publicized interview with Scientologist Tom Cruise from the Internet in January 2008 and was followed by DDoS attacks and other actions such as black faxes and prunk calls.
D like DDoS
Distributed Denial of Service (abbreviated DDoS) is the preferred weapon by Hackitivsts, since it does not need particular hacking skills and may also be centrally controlled (with a hive mind who define the target). The preferred tool for perpetrating DDoS attacks is LOIC, although next-gen tools are under development.
E like Encyclopædia Dramatica
A satirical open wiki, launched on December 10, 2004 and defunct on April 14 2011. It is considered one of the sources of inspiration for The Anonymous.
F like Fawkes Guy AKA Fawkes Guido
Guy Fawkes (13 April 1570 – 31 January 1606), also known as Guido Fawkes, belonged to a group of provincial English Catholics who planned the failed Gunpowder Plot, a failed assassination attempt against King James I of England. His stylised mask designed by illustrator David Lloyd and used as a major plot element in the “V for Vendetta“ Comic Book, is the symbol for the Anonymous. The failure of the Gunpowder plot has been commemorated in England since 5 November 1605.
One of the most visionary information security predictions for 2012, was the one issued by Fortinet which defined the term Crime As A Service: “Crime as a Service (CaaS), […] is just like Software as a Service (SaaS), but instead of offering legal and helpful services though the Internet, criminal syndicates are offering illegal and detrimental services, such as infecting large quantities of computers, sending spam and even launching direct denial of service (DDoS) attacks“. At first glance I marked this prediction as exaggerated but then I could not imagine that I should have witnessed a huge demonstration only few days after. Of course I am referring to the #OpMegaUpload when, immediately after the FBI takedown, the Anonymous redirected users towards a website when they could DDoS a large group of targets with a simple web click and most of all, without the need to install the Infamous LOIC.
Even if this has been, so far, the most noticeable example, is not the only one of a malicious tool used as a service for criminal (in this case one shot) campaigns. More in general, using very familiar terms (borrowed and adapted from Cloud Terminology) I believe the CaaS is assuming three shapes:
- Software As a (Crime) Service or Saa(C)S, in which the criminals offer malicious software (and the needed support) as a service. An example? The latest Zeus Variant dubbed Citadel, recently spotted by Brian Kerbs, which provides the purchaser with help desk and even a dedicated Social Network;
- Infrastructure As (Crime) Service or Iaa(C)S, in which the criminals offer malicious services (or infrastructures) to attack specified targets, services may include complex “traditional” infrastructures such as botnets, but also “innovative” large scale fashioned services such as DDoS or also sharper services such as password cracking. Try to surf the web and you will discover how easy it is to purchase such a criminal kind of services.
- Platform As a (Crime) Service or Paa(C)S: in which the criminals offer malicious platforms that users may adapt to fit their needs. An example? The brand new HOIC (High Orbit Ion Cannon) the new DDoS tool, evoluti0n of the infamous LOIC, that may be assimilated to a real malicious service platform that users may tailor to fits their needs thanks to the booster scripts. I believe we are not so far from criminal organizations selling customized booster scripts for every kind of need and, why not, offering support services as well.
Last but not least this services are self provisioned, and this is the reason why I used the term “Crime as a Self Service”: in every scenario, be the malicious service a Saa(C)S, Iaa(C)S or Paa(C)S, the user selects directly the target (or the victim), and that’s it!
As you will probably know, as a consequence of the takedown of the famous storage site Megaupload and the consequent indictment and arrest of seven people (all accused of online piracy), the Anonymous have launched #OpMegaUpload, a giant DDoS attack defined “The biggest Internet attack ever” targeting, among the others: The White House, the FBI, Viacom and DoJ, (at this link a complete list of the targets). As a consequence, last night the LOIC cannons have shot once again, leading to a global fluctuation of the global Internet traffic is between 13 percent and 14 percent above normal.
Unfortunately it looks like that many habitual Megaupload users turned themselves into extemporaneous wannabe hackers, giving their contribution to this questionable cause: equipped with the Low Orbit Ion Cannon they started to fire against the designated targets. By midnight on January 20th, @AnonOps declared the operation a success with over 5,635 people using the Low Orbit Ion Cannon to bring down the targeted sites:
Curiously the night of January the 20th, my blog was flooded with an unusual number of requests coming from search engines looking for several strings with a common pattern. Scrolling down the Search engine terms list directed to my blog (ordered in rigorous ascending order), you may easily guess the common pattern:
using loic arrested
arrested for using loic
is using loic dangerous
can we be arrested for loic
risk of using loic
may i be arrested for using loic
arresting people for using loic
how to safely use loic
being arrested because of loic
can you be arrested for useing loic
anonymous loic safe
can i be arrested for using loic
loic not safe
danger of using loic
may i be arrested for using #loic
Yes, unfortunately it looks like that too many people have decided to use the Megaupload shutdown as the trigger for an improvised career of hackers, considering LOIC as a kind of magic wand capable of turning anyone into a hacker in few minutes. Maybe Several of these “wannabe hackers” were not that stupid and wondered if their action might have legal consequences. For those, the fundamental question and age-old dilemma is: “Is LOIC dangerous?”
Since I already dealt with this topic in a couple of posts during the hot summer of the Lulz Boat, their googling brought them to my blog. For sure this morning, before understanding what had happened during the night (in Italy) I was surprised by the unusual number of clicks for the two articles concerning LOIC, which you may read (No One has ever been arrested for using LOIC and Someone has been arrested for using LOIC), if you just need an answer (or maybe you do not need since the title of the latter is meaningful enough).
But please consider the fact that the fundamental question is not if using LOIC is dangerous or not, but rather “if I should play to be a hacker or not”, and the answer is quite straightforward…
BTW, I gave my humble contribution to the #SOPAblackout but, whether or not I agree with the Megaupload shutdown, I absolutely do not agree and do not support similar methods of protest.
- Anonymous Launches Largest Attack Ever Following Megaupload Closure (techfleece.com)
Everyone dealing with Information Security knows very well that SNMP (which stands for Simple Network Management Protocol and corresponds to the standard UDP protocol used to monitor servers and network elements) is considered insecure. In too many circumstances network administrators forget to change the default community strings (the strings used to “softly” authenticate the manager and the agents) from their default values which are typically “public” for read-only access and “private” for read-and-write access on the monitored device. This happens sometimes for thoughtlessness, or simply because network administrators do not consider changing the default security strings a security issues.
And even if SNMP version 3 is used (which grants encryption and mutual authentication between the manager and the agents -at least the attackers may not spoof the default community strings-) in 12 years of honorable career I never found so far the right combination between manager and agent versions: I mean when you have a network manager supporting version 3, the agents only support version 1 or 2c and vice versa if the agents support version 3 you may be sure that the manager only supports version 1 or 2c.
Now there is a reason more to consider SNMP (and its default configurations) an hazard for Information Security. This reason is four letters long and is called LOIC, the infamous tool used by Anonymous to perpetrate the well known DDoS attacks.
So far the infosec community has been divided into two opposite factions: on one side those who think that Anonymous-perpetrated DDoS attacks are successful even with a small number of “enrolled cannons” since the same Anononymous owns a Botnet which from time to time is unleashed against the target. On the other side those claiming that this kind of attacks may be successful only if a huge number of participants volunteer accomplices is enrolled.
Today an article written by Alex Holden, Cyopsis Director of Enterprise Security, offers an alternative hypothesis. The attack method Holden describes is called a Reflected Denial of Service (RDoS) and just utilizes SNMP, which is UDP-based, exploiting the weaknesses in default configurations which populate many devices composing the Internet, with devastating consequences.
The SNMP paradigm, as the name suggests, is very simple: each device (server, network device or application) which must be monitored provides some status variables to the external world. The variables may be queried by a special application called network manager. The variables are organized in different groups (or leaves), and identified by OIDs (or Obiect IDentifiers). Querying the main OID (188.8.131.52) returns all the variables (this is an operation called snmpwalk).
If the assumption of Holden is correct, suppose you are able to spoof a manager with the same address than the target of the attack, and suppose to generate continuous SNMP queries with that address, querying the main OID from all the Internet devices which are known to have standard community strings. The unaware target will be flooded by SNMP replies from those devices with a lethal amplification effect and consequently an apparently innocent misconfiguration (that is the unchanged default community string) becomes an hazard for the Internet.
Of course this is a mere speculation (I did not verify source code), but this would explain why the Anonymous claimed that LOIC traffic
is was hard to detect (but not always): the SNMP protocol is very popular and widespread on the Internet.
(Original link via Infosecisland).
So, after announcing an alleged hack to Italian Prison Guards, the threatening tweets anticipating the latest hack, have suddenly disappeared from @LulzSecITALY and replaced by a tweet announcing a day of relax. Of course the doubt if the announcement was a hoax or not remains… But in my opinion this is not the most relevant point of the story.
As a matter of fact this is only the last occurrence of a strange phenomenon that is changing the rules of hacking. In the old world, the attacks were performed silently, and disclosed (if discovered) only several months later and never because they were directly announced by the alleged authors.
What is happening after the example of Anonymous and LulzSec is a kind of “Consumerization of Hacking”, not only because the public availability of tools such as LOIC or TOR has allowed to enroll many “would-be” hackers, but most of all because in these strange days, advertising an attack, too often before performing it, has become even more important than the effect of the attack itself, that is the quality of the data leaked. In this scenario the social media play as a sounding board allowing a viral spreading of the information (which grants more importance to the action itself rather than to its content)
This trend has several consequences:
- Sometimes the attack are advertised even if they are not particularly sophisticated (for instance the massive DD0S campaigns), or the quality of the data stolen is irrelevant;
- Attacks are often anticipated or followed by many claims which make hard to identify the real author. Before or after an attack appears, different alleged authors claim the paternity (consider for instance the case of Italian Cyber Police Hack), also because many attacks of the last days are poor in quality, so that the author does not need to prove its skills.
- Also the quality of hacking is decreasing, as it often happens when something become available for (too) many, most of all because the many lack the necessary skills.
This dos not mean that information security professionals do not need to be worried, but only that the landscape is changing: more attacks, maybe less sophisticated, with an impact more quantitative than qualitative.
Have you ever tried to think to Stuxnet developers announcing with a pastebin their intention to stop the Iranian Nuclear Program, or a tweet announcing the Shady RAT, rather than the Mother of All Breaches disclosed by The Pentagon?
One could say that this attacks were mostly driven by military reasons, nevertheless honestly speaking, at this point I would not be surprised from Cyberwar Tweets announcing sensational operations in the fifth domain of war. Probably they are already between us even if hidden between us: this explains the intention for Department of Defense to invest millions in Twitter Tracking.