Cyber Arms Intelligence Report for 12/13/10

The biggest story this week is still Wikileaks. Okay let’s start with the latest DDoS targets. After a flood of DDoS attacks, a 16 year old kid was arrested by Dutch police. So, unbelievably the Dutch police come under attack:

Dennis Janus, a spokesman for the National Police Service confirmed that both the police website, and that of the National Prosector’s Office had been offline for much of the day, with many theorising that the likely reason is a distributed denial-of-service (DDoS) attack similar to that which was launched against Mastercard, PayPal and other firms.

What has been crazy is the DDoS and counter DDoS attacks seem to have no end in sight. One hacking group “Anonymous” is offering its DDoS tool (LOIC) and asking for volunteers to jump in and help. Apparently the 16 year old that was arrested may have been using LOIC and wouldn’t you know; LOIC attacks are not anonymous. They can be tracked back to the attacker.

It does make one wonder though if the government is involved with any of these attacks. Not sure, but one site does claim that the CIA is hosting one of the Wikileaks mirror sites as a honeypot.

We have even seen a casualty of mistaken identity in this DDoS war as a company that was not even involved at all gets taken down. EasyDNS was mistakenly reported by media outlets as the company that knocked Wikileaks offline. When in reality it was a company called EveryDNS. I wonder if the hackers, after recognizing the mistake apologized?

Well, Wikileaks hasn’t come out of this mess unscathed. According to an article on CNN, it looks like there is mutiny in the ranks. A group has broken off of Wikileaks and created a new whistleblower site called “openleaks.org” and will launch today:

“It has weakened the organization,” one of those founders, Daniel Domscheit-Berg says in a documentary airing Sunday night on Swedish television network SVT. He said WikiLeaks has become “too much focused on one person, and one person is always much weaker than an organization.”

But it looks like they are not the only group breaking up with the Wikileaks fiasco. It appears the members of the hacking group “Anonymous” are starting to turn on each other too. A Sydney based Anonymous  member had some colorful comment about fellow members:

He said that, rather than being full-blown hackers, the Anonymous members were “script kiddies” who only knew how to download the LOIC program and run it.”They’re very unprofessional, illogical and irrational and very much their actions are based upon emotions,” he said.

So apparently, LOIC is just a simple DDoS tool and many members have very little technical experience. They are just running the program. Thank goodness they aren’t using the much more efficient layer 7 DDoS attacks(OWASP PDF file).

In other news, even though Iran says they are A-OK after Stuxnet attack, computer security experts beg to differ:

Eric Byres, a computer expert who has studied the worm, said his site was hit with a surge in traffic from Iran, meaning that efforts to get the two nuclear plants to function normally have failed. The web traffic, he says, shows Iran still hasn’t come to grips with the complexity of the malware that appears to be still infecting the systems at both Bashehr and Natanz.

Okay, they are still infected, what will it take to finally get rid of all traces of Stuxnet? German security expert Ralph Langner had this to say:

“Here is their problem. They should throw out every personal computer involved with the nuclear program and start over, but they can’t do that. Moreover, they are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can’t,“ he explained. “They will just continually re-infect themselves.”

“With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can’t do it,” he said.

Well, whoever was behind Stuxnet, it looks like they have done an amazing job of tying up and maybe even neutralizing the Iranian Nuclear plants. It also makes one wonder how prepared are other facilities to defend against threats like Stuxnet?

And lastly, a nasty new Botnet has been detected by ShadowServer. The Destination Darkness Outlaw System or “Darkness” is easy to purchase, easy to deploy, and is very effective and efficient in what it does. Darkness works against Windows 95- Windows 7 clients, runs as a Windows service and uses varying levels of bots to shut down target networks.

According to Shadowserver, 30 bots can overwhelm an average site, 300 bots a medium size site, 1000 bots a large site, 5000 a cluster even when using anti-ddos, and 15-20 thousand bots could theoretically bring down the Russian version of Facebook.

Other Top Security Stories from around the Web:

Cybersecurity Must Balance ‘Need to Know’ and ‘Need to Share’ – Robert J. Butler said sharing information within the military, with coalition partners and even with outside agencies will continue, but there will be more controls placed on the information.

NATO Works to Set Right Cyber Balance – “I could envision within the NATO alliance an operational command that focuses on cyber,” he said. “At the moment, that work is imbedded in several of the NATO agencies. But I think we are seeing this as an operational task, so I will be advocating putting more of this on the operational side.”

Army’s plan to modernize intell rides on the cloud – The Army’s efforts to enlist cloud computing to modernize its intelligence capabilities is in step with similar efforts across the military services.

NASA sold computers without properly scrubbing them, IG says – A NASA inspector general’s audit found that the agency had released to the public 10 computers that had not had their memories wiped. Nine of them might have contained highly sensitive data.

NIST Announces SHA-3 Hash Function Finalists – The SHA-3 finalists include Skein, developed by a group including Bruce Schneier and Jon Callas.

Wikileaks Out, The Jester Speaks Out, Anonops Freaks Out

The insanity that is Wikileaks continues. As you may know if you have been following this soap opera, PayPal, MasterCard and Visa all suffered attacks after cutting off funding to the Wikileaks site.

According to one website, a Hacktivist groups called Anonymous (“Anonops” – See video above) that attacked the financial companies is offering its hacker toolkit (LOIC – Low Orbit Ion Cannon) free to any one who wants to join in on the offensive. There are currently about 500 computers in the LOIC Botnet Hive. Wow, what were they thinking there?

It looks like a full war of Hacktivists has started as Anonops itself suffered a Denial of Service Attack. Pandalabs has an exceptional timeline with charts of the ongoing DDoS war.

And lastly, The Jester breaks the silence and releases a statement. Basically saying that there is a Jester imposter, and vengeance is mine.  

Craziness, and I was hoping this Wikileaks nonsense would stop this week. Now it seems that it has created a DDoS storm of pro and anti-Wikileaks followers.

What is next? Tune in next week for the next exciting episode of “Why isn’t Assange in Federal Prison yet”? Or “Obama shuts down internet to stop DDoS attacks”.

Jester an Imposter? Wikileaks without Home & White House Warning

The Wikileaks saga continued today. After Wikileaks attacker “The Jester” stated that an imposter had claimed that his home was raided by police, reports have come out saying that “The Jester” may in fact be pretending to be the imposter.

It seems that Wikileaks is currently looking for a new home. After being under constant DoS attacks, Wikileaks moved their site back to the Amazon cloud. Amazon summarily canceled their site claiming that it violated the terms of use policy.  Wikileaks then released a statement denying Amazon’s claim of breach of terms and posted this on Twitter:

“Amazon’s press release does not accord with the facts on public record. It is one thing to be cowardly. Another to lie about it”

Next Wikileaks moved to the Swiss hosted domain “Wikileaks.ch”. This domain is hosted by both French and Swiss servers. But, on Friday France moved to ban Wikileaks from its servers due to the political backlash of the document release:

Industry Minister Eric Besson says it’s “unacceptable” for French servers to host the site, which “violates the secret of diplomatic relations and puts people protected by diplomatic secret in danger.“”

It also looks like Sweden may be turning on Wikileaks also as it finally finalized an arrest warrant for founder Julian Assange:

“Swedish officials issued a Europe-wide arrest warrant for Assange earlier in the week, only to have to refile it when British officials got in touch to say that it did not meet their standards. Swedish authorities said they have now passed on all supplementary information asked for by British police, meaning that an arrest could be imminent.”

It looks like time may be running out for Assange.

In the meantime, the White House released a memo to government employees warning them not to read the classified memos on the Wikileaks site. Apparently, even though they are on a public site, it does –

“…not alter the documents’ classified status or automatically result in declassification of the documents. To the contrary, classified information, whether or not already posted on public websites or disclosed to the media remains classified, and must be treated as such by federal employees and contractors, until it is declassified by an appropriate U.S. Government authority”

But could a government employee be fired for reading classified documents on the Wikileaks site? Possibly, says White House Office of Management and Budget spokesperson Moira Mack:

Any breaches of protocols governing access to classified material are subject to applicable sanctions under long-standing and existing law.”

Well, it seems that the entire world can read the documents on the Wikileaks site, but you better stay clear if you are a government employee…

Wikileaks needs to be shutdown. Assange needs to be prosecuted and the sources need to be court martialed as traitors.

Hopefully this madness will end soon.