Archive for December, 2010

Anonymous IRC Logs: A Moment in Time

Thursday, December 16th, 2010

The DDoS attacks against VISA and Mastercard (among others) were mostly symbolic and were executed by a group called Anonymous. The group is made up of anyone who wants to join; such loose membership requirements attract a huge assortment of people. These attacks were the first cyber protests I have seen executed largely by non-techies. The average person was unaware of this, only hearing about the results of the attacks via pundits on the news. Typically, during a protest, photojournalists are able to capture the moment, showing the huge crowd in front of the White House or angry mobs of people with signs in Greek protesting against government austerity. In this case (unless you know how to use IRC) it was quiet and invisible: a few web sites simply stopped working.

However, it was not quiet or invisible. There were some 10,000 angry people online with digital voices working towards the same goal. I logged (as many people did) their IRC servers and their public channels. I took those logs and put them into a browser format that anyone can read. What you see in these logs is a captured moment in time; it’s a captured moment of that protest. It is really the only visual representation of the passion of these thousands of Cyber Protestors.

The log represents about 30 hours of irc.anonops.net and is by no means complete. It’s a view into the protests of the future, which won’t have lines drawn across tangible borders.

To directly access the full page log, you can visit http://blyon.com/Irc

Gawker and Your Password

Tuesday, December 14th, 2010
The other day, a popular site, Gawker Media, was brutally compromised, exposing its entire user database of 1.3 million users. Each user ID and its associated hashed password were compiled into a huge file that is accessible to the entire Internet, and hashes in a file like that can be cracked offline at leisure. On the surface, who really cares if a basic site like Gawker was hacked? Digging a little deeper, you’ll see a cascading ramification that could be dangerous to many of Gawker’s users: they probably use the same usernames and passwords on a lot of other sites.

Yesterday, I received what appeared to be a four-page email from a friend of mine via LinkedIn. The email was rather grotesque and went on and on about her love for pedophiles. It was pretty obvious that someone had logged into her account and emailed that message to all of her connections on LinkedIn. When asked if she thought her account had been compromised via Gawker, she was not sure; however, the timing was rather suspect.

Today, I woke up to an email from LinkedIn stating that, for security purposes, my account had been locked until I change my password. They’re proactively locking accounts that appear on the Gawker list; unfortunately, other sites are not doing the same.
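Here is what that kind of cross-check looks like in practice, as an added example that is not LinkedIn’s or Gawker’s code. It assumes the dump arrives as email:secret lines (the secret being either a plaintext that crackers have already recovered or an unreadable hash) and that the site stores salted PBKDF2 hashes; the user records and the dump are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed leaked dump in "email:secret" form. alice's plaintext has been
# recovered by crackers; bob's entry is still only a hash; carol is not our user.
LEAKED_DUMP = """\
Alice@Example.com:cats&d0gs!
bob@example.com:$1$deadbeef$unreadablehashvalue
carol@other.net:hunter2
"""

ITERATIONS = 100_000  # assumed site setting


def hash_password(password: str, salt: bytes) -> bytes:
    """Site-side password hashing (PBKDF2-HMAC-SHA256, assumed here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table: alice reused her leaked password here, bob did not,
# dave never had a Gawker account.
SITE_USERS = [
    make_user("alice@example.com", "cats&d0gs!"),
    make_user("bob@example.com", "completely-different"),
    make_user("dave@example.com", "unrelated"),
]


def normalize(email: str) -> str:
    return email.strip().lower()


def parse_dump(text: str) -> dict:
    """Map normalized email -> leaked secret, skipping malformed lines."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, secret = line.split(":", 1)
        creds[normalize(email)] = secret
    return creds


def looks_like_hash(secret: str) -> bool:
    """Crude: crypt(3)-style '$id$salt$hash' or a long hex digest."""
    hexchars = set("0123456789abcdef")
    return secret.startswith("$") or (len(secret) >= 32 and set(secret.lower()) <= hexchars)


def triage(users: list, dump_text: str) -> dict:
    """Return {email: action} for every site user present in the dump.

    'reset_now'          -> the leaked plaintext is this user's current password
    'lock_until_changed' -> the user is on the list but reuse cannot be confirmed
    """
    leaked = parse_dump(dump_text)
    actions = {}
    for user in users:
        email = normalize(user["email"])
        if email not in leaked:
            continue
        secret = leaked[email]
        reused = (not looks_like_hash(secret)
                  and hmac.compare_digest(hash_password(secret, user["salt"]), user["hash"]))
        actions[email] = "reset_now" if reused else "lock_until_changed"
    return actions


if __name__ == "__main__":
    for email, action in sorted(triage(SITE_USERS, LEAKED_DUMP).items()):
        print(f"{email}: {action}")
```

Match on the normalized email, since the casing and whitespace in a dump cannot be trusted, and verify a recovered plaintext against your own hash with a constant-time compare. At the scale of a 1.3 million-row dump you would bulk-load the emails into a set and batch the verifications, but the decision logic is the same.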

Aside from this specific event, how can the average person do a better job of securing their passwords online? How can they keep a fun site like Gawker from causing social or financial calamity? I’ve assembled some of the tricks I use, which may help the average Internet user have a little less exposure to something like the Gawker compromise:

Create Four Layers of Passwords:

    Some sites are more important than others, so rather than using a single password on a lot of sites, create a “junk” or throwaway password that you use on sites that have no bearing on your personal finances or privacy. For example, Gawker requires a login to comment on its posts, and chances are you have accounts on a number of similar sites, so use your junk password for those.

    For low-security sites such as Gawker, you may also want to consider using OpenID or Facebook Connect rather than creating an account with the site itself. You’ll see those options presented when you’re about to sign up. Using a single identity such as OpenID does put all of your eggs in one basket, so that account deserves one of your strongest passwords, but if it is ever exposed there is only one password to change.

    Social media sites should have their own password as well, so that a Gawker hack is isolated to junk sites and does not reach LinkedIn or Facebook. Shopping sites matter more because they may store personal information such as your credit card and shipping addresses; use a different password for those. Last, make a complex password that nobody knows, which you use only for online banking.

Use Phrases and Acronyms:

    When creating a password, think of a phrase that is easy to remember and turn it into an acronym or something fun to type. For example, for years I used the password “cats&d0gs!” (cats and dogs). It’s easy to remember and you don’t have to write it down. A phrase such as “I love running in the summer to stay happy!” becomes “Ilrits2sh!”, which is easy to remember and hard to guess. Find phrases and word replacements that help you remember a password and keep each one unique; a longer phrase buys more protection than a cleverer substitution.

Replace Characters and Use Capitals:

    Replace common characters with look-alikes: the letter ‘o’ can be written as the number ‘0’, the letter ‘e’ as the number ‘3’, and an ‘I’ as an ‘l’. Toss in the occasional upper-ASCII character or a symbol such as ‘@’ or ‘#’. I cannot stress enough the importance of using symbols in your passwords; they enlarge the set of characters an attacker has to try and make cracking a bit more difficult. Be aware, though, that the common swaps (0 for o, 3 for e, @ for a) are built into the rule sets of password-cracking tools, so they help far less than adding a few more characters of length.

Use a Password Schema:

    For example, you may use the password Il2sM0n3Y (I love to spend money) on your VISA and American Express logins. You could reduce the impact of a compromised password by adding a character that is specific to that site: on American Express vary the password from Il2sM0n3Y to AIl2sM0n3Y (A for American Express), and do the same for the VISA account (VIl2sM0n3Y). It’s essentially the same password, but it’s different enough to stop someone with a list of leaked passwords from walking straight into each and every one of your high-profile accounts. Understand the limit of this trick: it defeats automated replay of the exact leaked string, but anyone who looks at AIl2sM0n3Y and knows which other sites you use can guess the pattern, so it is a mitigation, not a substitute for genuinely different passwords on the sites that matter most.
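To see where that leaves you, here is an added example (not from the original post) of the two ways an attacker uses a leaked password. The American Express variant AIl2sM0n3Y is assumed to have leaked, the VISA password is assumed to follow the scheme above, and the login check is a stand-in for the real site.

```python
TARGET_SITE = "visa"


def target_login(password: str) -> bool:
    """Stand-in for the VISA login; the real password follows the post's scheme."""
    return password == "VIl2sM0n3Y"


def credential_stuffing(leaked_passwords: list):
    """Bulk, untargeted attacker: replay each leaked password verbatim."""
    for pw in leaked_passwords:
        if target_login(pw):
            return pw
    return None


def site_markers(site: str) -> set:
    """Plausible per-site tags: first letter, first two letters, whole name."""
    return {site[0].upper(), site[0].lower(), site[:2].upper(),
            site[:2].capitalize(), site.capitalize(), site.upper(), site.lower()}


def schema_candidates(leaked_pw: str, site: str) -> list:
    """Targeted attacker: assume up to two characters at either end of the leaked
    password were a site tag, strip them, and re-tag for the target site."""
    bases = {leaked_pw, leaked_pw[1:], leaked_pw[:-1], leaked_pw[2:], leaked_pw[:-2]}
    cands = set()
    for base in bases:
        for tag in site_markers(site):
            cands.add(tag + base)
            cands.add(base + tag)
    return sorted(cands)


def targeted_attack(leaked_pw: str, site: str) -> tuple:
    """Return (password or None, number of guesses spent)."""
    cands = schema_candidates(leaked_pw, site)
    for i, cand in enumerate(cands, start=1):
        if target_login(cand):
            return cand, i
    return None, len(cands)


if __name__ == "__main__":
    leaked = "AIl2sM0n3Y"  # constructed: the American Express variant has leaked
    print("verbatim replay:", credential_stuffing([leaked]))
    print("schema-aware:", targeted_attack(leaked, TARGET_SITE))
```

The verbatim replay fails, which is the protection the schema buys; the schema-aware attacker needs at most a few dozen guesses. Against a site with account lockout those guesses may not be available online, but against a second leaked hash they are free, which is why the high-value accounts should not share a base at all.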

I hope this helps out a bit. Keep safe out there folks!

Wikileaks: Who’s Really at Fault?

Thursday, December 9th, 2010
Someone in the US Government (supposedly a US soldier) downloaded over 250,000 diplomatic cables and somehow NOBODY noticed. Imagine someone walking into Fort Knox and walking out with a bunch of gold, and the theft not really being noticed until the gold was given away on Craigslist. Who do you blame in that situation? Craigslist? In the Wikileaks debacle, doesn’t some of the blame fall on the shoulders of the US Government and its outdated information technology framework? After all, they were asleep at the wheel. It appears that there was a lack of auditing, no encryption, and no digital rights management on the documents. There were even compromises of physical security. Think of how much other information may have walked out the door and gone unnoticed. Think about who else could have had access to these cables before Wikileaks. Julian Assange, the figurehead of Wikileaks, cannot be fully blamed for this mess. I disagree with some of the actions Wikileaks has taken, but I also disagree with the mob mentality hell-bent on taking them down; there were other people to blame as well, namely the operators of SIPRnet.

If the diplomatic cables were not exposed on Wikileaks, nobody would have ever known that they were walking around in the wild.

Now, granted, the US Government is trying to be open and share documents between its different agencies, and this is a good thing. However, they’re doing it like morons. They should look to Netflix or the adult video industry to see how to share content securely. I’m willing to bet that the videos hosted on Netflix are better protected than the compartmentalized classified documents shared on SIPRnet. Why? Because the video industry uses DRM (encryption plus access control) to let people view videos (information) when they need to, and the provider controls how and when someone can view a video. They can make videos expire; they can make them self-destruct. The same technology should be used for confidential documents within the Government’s SIPRnet (which has millions of people attached to it).

Some streaming companies even have high-end watermarking technology that embed the viewer’s information such as the date and time the content was accessed, the user’s ip address, and user account information into the video itself. Why isn’t the US Government doing this?

If the diplomatic cables had been under DRM and watermarked, the documents themselves would no longer have functioned by the time they were sent to Wikileaks. Reading and usage patterns could have been tracked, and if there were anomalies (one account pulling a quarter of a million cables, say), the documents could have been locked. If they had been transcribed, they would still carry watermarks pointing directly back to the person who took the information, exactly when they did so, and from where (provided the mark is carried in the content itself and not just in the file format).
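Here is what a per-reader watermark with a forgery check can look like, as an added example that is not a government, Netflix or streaming-industry system. It hides the reader’s identity, timestamp and address in zero-width characters (U+200B and U+200C), authenticated with an HMAC under a server-side key; the key, the reader and the document text are constructed for the example.

```python
import hashlib
import hmac
import json

ZW0, ZW1 = "\u200b", "\u200c"   # zero-width space (bit 0), zero-width non-joiner (bit 1)
KEY = b"server-side watermark key (constructed)"
TAG_LEN = 8


def encode_bits(data: bytes) -> str:
    return "".join(ZW1 if (byte >> (7 - i)) & 1 else ZW0
                   for byte in data for i in range(8))


def decode_bits(marks: str) -> bytes:
    bits = [1 if ch == ZW1 else 0 for ch in marks]
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def watermark(text: str, reader: str, when: str, ip: str) -> str:
    """Return `text` with an authenticated, invisible per-reader mark spread
    one byte per word (any remainder appended after the last word)."""
    payload = json.dumps({"u": reader, "t": when, "ip": ip}, separators=(",", ":")).encode()
    tag = hmac.new(KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
    blob = bytes([len(payload)]) + payload + tag     # length-prefixed; payload < 256 bytes
    words = text.split(" ")
    out = [word + encode_bits(blob[i:i + 1]) for i, word in enumerate(words)]
    out[-1] += encode_bits(blob[len(words):])
    return " ".join(out)


def strip_marks(marked: str) -> str:
    """What a copy-and-retype (or a careless editor) does to the document."""
    return "".join(ch for ch in marked if ch not in (ZW0, ZW1))


def extract(marked: str):
    """Recover {'u','t','ip'}, or None if the mark is missing, damaged or forged."""
    marks = "".join(ch for ch in marked if ch in (ZW0, ZW1))
    blob = decode_bits(marks)
    if not blob:
        return None
    n = blob[0]
    payload, tag = blob[1:1 + n], blob[1 + n:1 + n + TAG_LEN]
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
    if len(tag) != TAG_LEN or not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


if __name__ == "__main__":
    cable = "Constructed cable text: nothing classified about anything at all."
    copy = watermark(cable, "reader42", "2010-12-09T10:00Z", "10.0.0.5")
    print(extract(copy))               # who pulled this copy, when, from where
    print(extract(strip_marks(copy)))  # None: retyping destroys this kind of mark
```

The HMAC is what makes the mark evidence rather than decoration: without the server key a leaker cannot rewrite it to point at a colleague. The zero-width carrier is the simplest one and also the most fragile, so a mark that has to survive transcription must live in the wording itself (per-copy variations in phrasing, spacing or punctuation) with enough redundancy to survive partial copying.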

Now, I am not suggesting that the US Government should use the same weak encryption as Netflix; I would expect something a little more beefy. I am suggesting that by using existing models for sharing and revoking access to content, the government could have prevented the leaks and kept an environment of information sharing intact.

In a world where everyone’s focused on how awful Wikileaks is, no one has taken a moment to look back and think, “how was this allowed to happen in the first place? Who else and what else is floating around out there?”

The Story Behind the Mastercard and VISA DDoS Attacks

Wednesday, December 8th, 2010
Right now, as you read this, a loose group of about 5,000 people is talking and plotting how to exact revenge on various corporations that have been less than helpful to the operations of WikiLeaks. They call this “OperationPayback”, and it has been broken down into specific attacks on corporations such as MasterCard, Visa, Amazon, PayPal, Swiss Postal Finance, and more. The group itself is called Anonymous, but it operates on an online infrastructure called “anonops” (short for anonymous operations).

So, what is Anonymous? Well, it could be you. The general concept is simple, there are people that want to send a message that the Internet is a sovereign territory and they are grouping together on a specific cluster of Internet Relay Chat (IRC) servers. The active server right now is irc.anonops.net. When you join the server it suggests several channels for you to join (channels are like chat rooms): #vhost, #target, #WikiLeaks, #propaganda, #recruit, #setup, #lounge, and #anonops

So what you do is join #setup, and it tells you to go to a specific URL to get the DDoS attack software. There’s a really nice, helpful FAQ and help page that shows you what to do.

Their DDoS tool is called LOIC, or “Low Orbit Ion Cannon”, which was originally an open-sourced web site load-testing utility. These guys hacked in a new feature called HIVEMIND, which lets you start LOIC and have it connect back to an anonops IRC channel for instructions (the current target is posted in the channel, as in the message below). Once your computer joins their botnet, it joins the attack, at your will.

“<snape:#Setup> TARGET: www.mastercard.com IP: 216.119.208.50 – 0 REQUESTS MEANS TARGET DOWN!”


Support page/FAQ on how to attack Anonymous targets

What is amazing is that these people are having success: they are operating a full PR campaign that has created logos, Wikipedia pages, web sites, operations infrastructure, and attack software. Now they are getting angry people all over the world to join their cause and attack whatever they choose. It’s hacktivism at its best.

Their botnet is also rather unusual. Unlike botnets of the past (which exploit holes in operating systems to install the bot software), this botnet is made up of volunteers. It’s opt-in, and if you follow their instructions, once it is up and running you are to “Sit back and watch the show”.
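As an added example of what that kind of opt-in flood looks like from the receiving end (not from the original post or from Anonymous), here is a triage over constructed web-server log lines: one normal visitor plus two volunteer hosts hammering a single path in lock-step. The addresses, the threshold and the log format (Apache common log format) are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Common Log Format line: ip ident user [time] "method path proto" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S"


def log_line(ip: str, ts: datetime, path: str, status: int) -> str:
    return f'{ip} - - [{ts.strftime(TIME_FMT)} -0800] "GET {path} HTTP/1.1" {status} 512'


def make_log() -> str:
    """Constructed log: one normal visitor, two volunteer hosts flooding '/'."""
    t0 = datetime(2010, 12, 8, 14, 0, 0)
    lines = [log_line("203.0.113.7", t0 + timedelta(seconds=10 * i), "/about", 200)
             for i in range(6)]
    for ip in ("198.51.100.20", "198.51.100.21"):
        lines += [log_line(ip, t0 + timedelta(milliseconds=180 * i), "/", 200)
                  for i in range(300)]
    return "\n".join(lines)


def detect_flood(log_text: str, per_minute_threshold: int = 120) -> dict:
    """Flag sources exceeding the per-minute request threshold and report how
    much of the traffic they account for and which path they concentrate on."""
    per_minute = defaultdict(Counter)   # minute -> Counter(ip)
    per_ip_total = Counter()
    path_hits = Counter()               # (ip, path) -> requests
    total = 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                    # not CLF; skip rather than crash the triage
        ip, stamp, _method, path, _status = m.groups()
        ts = datetime.strptime(stamp.split(" ")[0], TIME_FMT)
        per_minute[ts.replace(second=0)][ip] += 1
        per_ip_total[ip] += 1
        path_hits[(ip, path)] += 1
        total += 1
    offenders = {}                      # ip -> peak requests in any one minute
    for counter in per_minute.values():
        for ip, n in counter.items():
            if n > per_minute_threshold:
                offenders[ip] = max(offenders.get(ip, 0), n)
    flagged = sum(per_ip_total[ip] for ip in offenders)
    target_paths = Counter()
    for (ip, path), n in path_hits.items():
        if ip in offenders:
            target_paths[path] += n
    return {
        "offenders": offenders,
        "share": flagged / total if total else 0.0,     # fraction of all requests
        "target_path": target_paths.most_common(1)[0][0] if target_paths else None,
    }


if __name__ == "__main__":
    print(detect_flood(make_log()))
```

A per-source threshold is only the first cut; it will misfire on a large NAT or proxy. The stronger signal for a hivemind-style flood is that many otherwise unrelated sources start hitting the same path within the same few seconds, so correlate the path and the onset time across the flagged addresses. And with thousands of volunteer hosts, dropping them one at a time at the web server is a stopgap; the filtering has to move upstream.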

Right now they are a bit disorganized and don’t have much polish. For example, their IRC servers are not tuned for high numbers of users and often crash (which is when Mastercard’s web site comes back online). They are also heavily dependent on the domains anonops.net and anonops.info, so if those go down it will take some work to get reorganized. Yet, over time, this could really become something resembling Fight Club, where the group creates better attack software and processes, heightens its security, vets its membership, and eventually builds its own governmental structure.

Despite all of their rough edges, they do currently have a streaming radio station (which is quite good) at radio.anonops.net, and they did take down Mastercard and VISA.

Welcome to the age of the Digital Native