Hacktivists Targeting DNS Servers & an Effective DNS Offensive Counter-Measure

Denial of Service (DoS) attacks used to be the main tool in the hacktivist's toolbox. For the most part they are not very high-tech, and anyone can run the software to attack websites in aid of their preferred "cause". But as the recent hacktivism attacks in Israel (and now Pakistan) have shown, DNS server attacks are now all the rage.

DNS SERVERS TARGETED

Why deface one website when you can hack the server that holds the DNS records for the victim's site (or sites)? Changing the DNS records for a domain lets you point a name like google.pk at ANY server you want. So if you can break into the registry or registrar that holds the records for an entire country's top-level domain, you can repoint any domain under it to any website you like.

Luckily, the pranksters behind these attacks have just been redirecting the hijacked domains to a bragging page: "This site hacked by …". They seem to be in it to bring attention to their group, or a political cause, rather than to do serious damage.

Hacking into the registrar's servers is the hard part; creating a website that looks like any one of the hijacked sites is trivial. It takes only a few seconds to clone a website so that it looks and acts like the real one but serves malware or performs other malicious functions. So far these hackers seem more interested in just getting a message across.

Just in it for the “Lulz”.

But given the apparent ease with which this is happening, you can see the danger if the hacktivists were a more malicious group, say nation-state hackers who want to infect systems across a target nation, or harvest credentials from users who think they are on a legitimate website rather than a spoofed one reached via DNS manipulation.

As you can see, locking down these important DNS systems (registrar accounts, the registry itself and the authoritative name servers) needs to be a top priority of EVERY nation.
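One practical check that follows from the above: keep a known-good copy of your zone's critical records and compare live answers against it, alerting on any difference. The script below is an added example (not code from the original post or from any group it mentions). The resolver is injected as a function so the check runs offline here against constructed answers; the domain names and addresses are documentation placeholders, and the `hijacked_resolver` simulates what a registrar-level delegation change plus a redirected web host would look like.

```python
"""Baseline check for DNS hijacking: compare live answers to known-good records.

Added example, not from the original post. In practice, pass a resolver that
queries the zone's authoritative servers and the parent's delegation
(for example with dnspython); here the resolvers are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# (owner name, record type) -> list of answers, e.g. ("www.example.org.", "A") -> ["203.0.113.10"]
Resolver = Callable[[str, str], List[str]]

# Known-good records captured when the zone was last verified (constructed for this example).
# Watch NS (delegation) as well as A/MX: a registrar or registry compromise changes the
# delegation, after which the attacker controls every record in the zone.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "example.org.": {"NS": {"ns1.example.org.", "ns2.example.org."}},
    "www.example.org.": {"A": {"203.0.113.10"}},
    "mail.example.org.": {"MX": {"10 mx.example.org."}},
}


@dataclass(frozen=True)
class Finding:
    name: str
    rrtype: str
    expected: frozenset
    observed: frozenset

    def describe(self) -> str:
        return (f"{self.name} {self.rrtype}: expected {sorted(self.expected)}, "
                f"observed {sorted(self.observed)}")


def check_zone(baseline: Dict[str, Dict[str, Set[str]]], resolve: Resolver) -> List[Finding]:
    """Return one Finding per (name, type) whose live answer set differs from the baseline.

    Set comparison ignores answer order but catches added, removed or replaced records.
    """
    findings: List[Finding] = []
    for name, records in baseline.items():
        for rrtype, expected in records.items():
            observed = frozenset(resolve(name, rrtype))
            if observed != frozenset(expected):
                findings.append(Finding(name, rrtype, frozenset(expected), observed))
    return findings


# Constructed resolvers standing in for live lookups.
def clean_resolver(name: str, rrtype: str) -> List[str]:
    """Answers exactly match the baseline: nothing to report."""
    return sorted(BASELINE[name][rrtype])


def hijacked_resolver(name: str, rrtype: str) -> List[str]:
    """Simulates a delegation change at the registrar plus a redirected web host.

    The attacker names and addresses are documentation placeholders, not real hosts.
    """
    hijacked = {
        ("example.org.", "NS"): ["ns1.attacker.example.", "ns2.attacker.example."],
        ("www.example.org.", "A"): ["198.51.100.7"],
    }
    return hijacked.get((name, rrtype), clean_resolver(name, rrtype))


if __name__ == "__main__":
    for finding in check_zone(BASELINE, hijacked_resolver):
        print("ALERT", finding.describe())
```

Run this from a host outside your own network on a schedule, and query the authoritative servers directly rather than a caching resolver, so that a hijack is seen as soon as the delegation changes rather than when your local cache expires. A registrar lock and DNSSEC reduce the chance of the change happening in the first place; the monitor tells you when they failed.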

OFFENSIVE COUNTER MEASURE

As mentioned earlier, Denial of Service attacks have not gone away and are still used en masse to tie up websites and make them unavailable. Often a Denial of Service attack is nothing more than normal communication with a website, multiplied many times over from many users, until the server cannot keep up.

But can anything be done to stop this flood of traffic aimed at a site by thousands, if not tens of thousands, of attacking machines? According to the popular patriot hacker The Jester, there is: just reflect the traffic back at the attackers!

During the latest Israel/Gaza conflict, the hacker group Anonymous jumped in on Hamas' side and attacked many Israeli websites. The Jester responded by shutting down three Hamas sites and their TV channel. In response, according to The Jester's website, Anonymous targeted his website.

So The Jester simply changed the DNS record for his domain to point at one of their servers, effectively forcing them to DoS their own server!

His website is protected by CloudFlare, a popular proxy service that shields sites from many attacks. When he saw the incoming attack, he simply told CloudFlare to point his website name "jesterscourt.mil.nf" at one supported by Anonymous:

“So I simply redirected my domain name to the Occupy ‘movement’s main website. Known as ‘occupytogether.org’. Remember #Anonhamas are big supporters of the Occupy Movement and many of their ‘members’ are also members of the Occupy Movement. Fair game.”

Denial of Service attacks can last for days or longer. Note that a DNS change only diverts attackers whose tools resolve the hostname again after the old record's TTL expires; a flood aimed straight at the server's IP address is unaffected. Did the technique work?

Apparently, it did.

The Jester also talks about automating this process, so that when a DoS attack is detected, the flood of traffic is automatically forwarded to a list of Anonymous-supported sites.
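Whatever the response, the first step of any automation is the detection itself: deciding from the server's own logs that a flood is in progress and whether it comes from one host or is distributed across many. The script below is an added example of that detection step, not The Jester's code or anything from the original post. It parses combined-log-format access lines, buckets requests into fixed windows and flags windows whose request count exceeds a threshold; the log lines are constructed inline (documentation IP ranges) and the thresholds are illustrative, not recommended values.

```python
"""Rate-based flood detection over web-server access logs.

Added example, not from the original post or any tool it mentions. The log
lines are constructed below; thresholds and window size are illustrative.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Combined/common log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

Alert = Tuple[int, int, str, List[Tuple[str, int]]]


def parse_line(line: str) -> Optional[Tuple[str, datetime]]:
    """Return (client_ip, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines: Iterable[str], window_seconds: int = 5,
                  total_threshold: int = 100, per_ip_threshold: int = 50) -> List[Alert]:
    """Flag every window whose request count reaches total_threshold.

    Each alert is (window_start_epoch, total_requests, kind, top_sources). kind is
    'single-source' when one client alone reaches per_ip_threshold and 'distributed'
    otherwise: many clients that each look harmless but add up to a flood, which is
    why a per-IP rate limit alone misses the second case.
    """
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than abort the whole pass
        ip, ts = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start][ip] += 1

    alerts: List[Alert] = []
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        if total < total_threshold:
            continue
        top = counts.most_common(3)
        kind = "single-source" if top[0][1] >= per_ip_threshold else "distributed"
        alerts.append((start, total, kind, top))
    return alerts


def build_sample_log(distributed: bool = True) -> List[str]:
    """Constructed traffic, not real data: 5 s of normal browsing from three clients,
    then 5 s of flood, either 40 hosts at 1 req/s each or one host at 40 req/s."""
    t0 = datetime(2012, 11, 20, 12, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []

    def emit(ip: str, ts: datetime, path: str = "/") -> None:
        lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512')

    for sec in range(5):
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            for _ in range(2):
                emit(ip, t0 + timedelta(seconds=sec))
    for sec in range(5, 10):
        for host in range(40):
            ip = f"198.51.100.{host + 1}" if distributed else "198.51.100.1"
            emit(ip, t0 + timedelta(seconds=sec), "/index.html")
    return lines


if __name__ == "__main__":
    for flavour in (True, False):
        for start, total, kind, top in detect_floods(build_sample_log(flavour)):
            print(f"window {start}: {total} requests, {kind}, top sources {top}")
```

The normal window holds 30 requests and stays silent; the flood window holds 200. In the distributed case no single address exceeds 5 requests, so blocking by source would need 40 rules and still only catch the hosts seen so far, which is exactly the situation where operators reach for an upstream proxy or a DNS change rather than a firewall.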

It has been an interesting week: new DNS attacks and, apparently, new and effective offensive countermeasures. Will the average corporate website defend itself with The Jester's techniques?

Probably not, but I could foresee some country’s government sites just might.

Well, maybe off the record…  🙂

Cyber Cold War and the need for an Offensive Cyber Special Forces Group

I was speaking to a veteran the other day that has about 20 years of service and has been in more countries than I can remember. As we talked about the war in Afghanistan, possible future war with Iran and other current military affairs, he told me, “Things are changing. They are after military websites, online accounts and even Facebook pages of active duty troops. It is a Cyber Cold War now.”

International websites are under siege by everyone from political hacktivists to cyber-crime organizations, to Nation State backed hackers. But what is the real threat?

  • Political Hacktivists – The recent Anonymous leak of the intercepted FBI call concerning Anonymous told me everything I needed to know about how seriously political hacktivism is taken as a threat. During the call, FBI agents and British agents joke around and laugh up to the point where a senior agent joins the conference call. Then it is all business. Denial of service threats and the release of credit card information are a nuisance, but not really a threat, especially compared to the other serious crime the FBI is used to dealing with.
  • Cyber Crime – This is a lot more serious than political hacktivism. International cyber-crime is booming, and recently more money was stolen through cyber-crime than was made in the illicit drug trade. But this really is an extension of organized crime, not cyber war.
  • Nation State Hackers – This is where the real threat lies: counterfeit network equipment that could be backdoored, industrial sabotage and military espionage. This is where our military-level cyber forces should be focused.

In essence we are in a Cyber Cold War. Nation-state hackers are very active in attacking and compromising military, government and defense contractor sites. Terrorists are using social media sites to recruit, train and spread their poison. It closely mirrors the espionage, politics and spread of communism of the Cold War.

Is our current military cyber force capable of dealing with this threat? I think that when our Cyber Command was created, it had these threats in mind and intended to be both offensive and defensive: blocking threats and counter-attacking in the cyber realm. But before Cyber Command even got off the ground, it was hamstrung by the legal and political ramifications of offensive operations.

What then is needed?

We need a Cyber Special Forces group.

After the failed Bay of Pigs invasion, President John F. Kennedy realized that the US was facing a new battle with the spread of communism. He made it a priority to get Special Forces groups created and active to face this threat.

Troops were selected that were intelligent, capable and willing to learn. They were put through intense training that allowed them to move undetected in enemy territory and engage the enemy on their own terms.

As Special Forces groups evolved, their peacetime missions became two fold. They were sent into countries to train allied or somewhat friendly forces, but at the same time to gather intelligence about countries that at some point in the future may not be allied with US intentions.

Right now, our Cyber Command seems defensively oriented. Instead of just monitoring and detecting threats, a capable offensive unit is needed: one that can counter-hack, assess potential targets, train friendly nations and stop electronic threats, but that can also put boots on the ground to physically shut down terror cells and any other physical threats revealed by the intelligence gained.

Hacker Group Anonymous Intercepts Recorded FBI Phone Call

The hacktivist group Anonymous has released an intercepted FBI conference call between the FBI and numerous police agencies. Along with the audio clip, the group also released on Pastebin an internal FBI e-mail about the conference call.

The e-mail, titled "Anon-Lulz International Coordination Call", appears to have been sent to numerous international police agencies. The Pastebin post states that the call was to be held on Tuesday, January 17, 2012 to "discuss the on-going investigations related to Anonymous, Lulzsec, Antisec, and other associated splinter groups."

According to the BBC, the FBI has confirmed the call was legitimate, and that they are hunting down those involved:

"The information was intended for law enforcement officers only and was illegally obtained. A criminal investigation is under way to identify and hold accountable those responsible."

The BBC also mentions that the phone call was most likely not intercepted live, but was taken from an audio file:

"It was unclear how Anonymous had managed to obtain the recording but a lawyer for one of the suspects discussed told the BBC it appeared to have been taken as an audio file from an intercepted email, rather than having been eavesdropped on."

It is very concerning that Anonymous obtained this e-mail and audio file. It does not mean, though, that Anonymous has gained access to internal FBI systems; they could have compromised any of the international police organizations listed in the e-mail and pilfered the data from there.

Time will tell.