Patriot Hacker “The Jester” to be Unveiled?

Interesting news from our good friends over at InfosecIsland. Apparently the well-known Patriot hacker “The Jester” (th3j35t3r) has gone underground or “gone dark” after someone going by the name Smedley Manning (aka “CubeSpherical”) threatened to release his identity.

Screenshots from a link on Cubespherical’s Twitter account seem to show a conversation between him and The Jester. In the shots, Cubespherical claims he knew Jester from the military and is going to “Dox” him, or reveal his identity.

Of course he will only do it, he claims, once a donation of 20 thousand Bitcoins has been made to Wikileaks, as can be seen in the Twitter screen grab above.

The Jester’s blog seemed to be wiped of information, and his Twitter account deleted. Cubespherical also announced on his Twitter page that another ex-military, anti-Anonymous figure named @Narganon had also deleted his account, with the question, “Same Guy?”

Hard to tell what is really going on. Why would The Jester delete his Twitter account and just the posts from his WordPress site?

Was The Jester’s site and Twitter hacked? InfosecIsland points to a cryptic Pastebin post that has a message supposedly from The Jester and a copy of all the missing blog posts.

Time will tell – Will the former military hacker be revealed by a fellow military person? Will Cubespherical raise the 20K Bitcoins? Will the Jester get his revenge?

Jeepers, all this excitement and it is only a Monday!

Distributed Denial of Service (DDoS) Attacks Explained

Cross posted: this is a copy of an article I did for iElmira’s tech forum.
You may have heard about the DDoS attacks that have shut down many websites during the Wikileaks kerfuffle. But what is a DDoS attack anyway?

Well, simply put, in a denial of service attack the attacker sends repeated messages to a target website with such frequency that the website cannot keep up and slows to a crawl, in effect taking it offline.

Well, this works great against small websites, but larger websites are hosted on several computers and use round-robin DNS resolution, so that multiple machines appear as one site. These can handle a lot more traffic, so a different tactic is needed.

Attackers will usually use zombie machines that they have infected with a virus (also called ‘bots’) to work together to attack a single site. Sometimes hundreds and even thousands of systems are used in this manner. (Keep your system and anti-virus updated! 🙂 ) The website is hit with so many requests that it bogs down to the point where it can no longer respond. This is called a Distributed Denial of Service attack.

Most of the “hacktivists” involved with the Wikileaks DDoS attacks are using these DDoS attacks to shut down each other’s websites. The hacktivists are receiving a lot of flak from the computer security “experts” for using these old-style attacks (which kinda doesn’t make sense, because they do seem to be working).

For you see, there is a newer, much more efficient method of denial of service attack called “Layer 7 DoS”. In this level of attack, instead of flooding a server with thousands of message packets, the actual web server application itself is attacked. Partial requests are opened with the server but never finished. This leaves the server in a waiting state. It only takes a very few of these requests to bog down a server and take it offline.

In a Layer 7 denial of service attack, a single attacker could take almost any single website down at will. These tools literally act like an on/off switch. The Jester used such a program he created, called “Xerxes”, to take Wikileaks offline on the first day of the latest release. I have seen a different Layer 7 DoS program run and it is brutally effective.

The scary part is that these attacks have existed for quite a while now, and because they attack a function of web servers, neither Apache nor Microsoft have moved to fix them. That is the official word, though; truly fixing the issue would probably require major rewrites, and they are not willing to do that at this point. You will probably see these issues addressed in the next releases of Apache and IIS.
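To make the “waiting state” mechanism concrete from the defender’s side, here is an added worker-pool model that is not part of the original article and not code from any of the tools named in it. It assumes a server with a fixed number of worker slots, a handful of constructed connections that never finish sending their request headers, and a stream of normal one-tick requests; the pool size, arrival rate and timeout values are made-up parameters, not measurements of any real server. Running it shows why a few held-open connections are enough to refuse all normal traffic, and why a bounded header read timeout (the control Apache exposes through mod_reqtimeout’s RequestReadTimeout directive) lets the pool recover.

```python
"""Worker-pool model of a 'Layer 7' slow-request denial of service.

Added illustration, not code from the original post or from any named
tool. A web server has a fixed pool of worker slots. A slow client opens
a connection and never finishes sending the request headers, so the slot
it occupies stays busy in a waiting state. Once enough slow connections
are held open, legitimate requests find no free slot and are refused.

A header read timeout (Apache: mod_reqtimeout / RequestReadTimeout)
releases the slot after a bounded wait, so the pool recovers.
"""


def simulate(workers, slow_conns, legit_per_tick, ticks, header_timeout=None):
    """Run a discrete-time simulation and return service counts.

    workers        : size of the server's worker pool
    slow_conns     : connections opened at tick 0 that never complete
    legit_per_tick : well-formed requests arriving each tick (1 tick each)
    ticks          : how many ticks to simulate
    header_timeout : ticks after which an incomplete request is dropped,
                     or None for a server with no read timeout
    All values are constructed parameters for illustration only.
    """
    # Each busy slot is (free_at, is_slow). free_at is the tick at which the
    # slot becomes free again; None means held forever (slow client, no timeout).
    busy = []
    served = refused = 0

    # Tick 0: the slow clients grab slots first. Any beyond the pool size are
    # simply refused, so at most `workers` slots are held by them.
    for _ in range(min(slow_conns, workers)):
        busy.append((None if header_timeout is None else header_timeout, True))

    for t in range(ticks):
        # Release slots whose request finished or whose read timeout expired.
        busy = [(fa, slow) for fa, slow in busy if fa is None or fa > t]
        for _ in range(legit_per_tick):
            if len(busy) < workers:
                busy.append((t + 1, False))  # a normal request completes in one tick
                served += 1
            else:
                refused += 1

    return {
        "served": served,
        "refused": refused,
        "slow_slots_held": sum(1 for _, slow in busy if slow),
    }


if __name__ == "__main__":
    # Ten workers, ten slow connections, three normal requests per tick.
    print("no read timeout :", simulate(10, 10, 3, 20))
    print("5-tick timeout  :", simulate(10, 10, 3, 20, header_timeout=5))
    # Fewer slow connections than workers: the site stays up.
    print("3 slow, no timeout:", simulate(10, 3, 3, 20))
```

The key observation is in the first two runs: with no read timeout, ten held-open connections refuse every one of the sixty normal requests, while a five-tick header timeout frees the slots and the server then serves everything that arrives. The third run shows that the attack only bites once the number of held connections reaches the pool size, which is why raising worker limits alone is a weak answer compared with bounding how long a slot may wait for headers.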

Cyber Arms Intelligence Report for 12/13/10

The biggest story this week is still Wikileaks. Okay, let’s start with the latest DDoS targets. After a flood of DDoS attacks, a 16-year-old kid was arrested by Dutch police. So, unbelievably, the Dutch police come under attack:

Dennis Janus, a spokesman for the National Police Service, confirmed that both the police website and that of the National Prosecutor’s Office had been offline for much of the day, with many theorising that the likely reason is a distributed denial-of-service (DDoS) attack similar to that which was launched against Mastercard, PayPal and other firms.

What has been crazy is that the DDoS and counter-DDoS attacks seem to have no end in sight. One hacking group, “Anonymous”, is offering its DDoS tool (LOIC) and asking for volunteers to jump in and help. Apparently the 16-year-old that was arrested may have been using LOIC and, wouldn’t you know, LOIC attacks are not anonymous. They can be tracked back to the attacker.

It does make one wonder though if the government is involved with any of these attacks. Not sure, but one site does claim that the CIA is hosting one of the Wikileaks mirror sites as a honeypot.

We have even seen a casualty of mistaken identity in this DDoS war, as a company that was not involved at all gets taken down. EasyDNS was mistakenly reported by media outlets as the company that knocked Wikileaks offline, when in reality it was a company called EveryDNS. I wonder if the hackers, after recognizing the mistake, apologized?

Well, Wikileaks hasn’t come out of this mess unscathed. According to an article on CNN, it looks like there is mutiny in the ranks. A group has broken off of Wikileaks and created a new whistleblower site called “” and will launch today:

“It has weakened the organization,” one of those founders, Daniel Domscheit-Berg says in a documentary airing Sunday night on Swedish television network SVT. He said WikiLeaks has become “too much focused on one person, and one person is always much weaker than an organization.”

But it looks like they are not the only group breaking up over the Wikileaks fiasco. It appears the members of the hacking group “Anonymous” are starting to turn on each other too. A Sydney-based Anonymous member had some colorful comments about fellow members:

He said that, rather than being full-blown hackers, the Anonymous members were “script kiddies” who only knew how to download the LOIC program and run it. “They’re very unprofessional, illogical and irrational and very much their actions are based upon emotions,” he said.

So apparently LOIC is just a simple DDoS tool, and many members have very little technical experience. They are just running the program. Thank goodness they aren’t using the much more efficient Layer 7 DDoS attacks (OWASP PDF file).

In other news, even though Iran says they are A-OK after the Stuxnet attack, computer security experts beg to differ:

Eric Byres, a computer expert who has studied the worm, said his site was hit with a surge in traffic from Iran, meaning that efforts to get the two nuclear plants to function normally have failed. The web traffic, he says, shows Iran still hasn’t come to grips with the complexity of the malware that appears to be still infecting the systems at both Bushehr and Natanz.

Okay, they are still infected, what will it take to finally get rid of all traces of Stuxnet? German security expert Ralph Langner had this to say:

“Here is their problem. They should throw out every personal computer involved with the nuclear program and start over, but they can’t do that. Moreover, they are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can’t,” he explained. “They will just continually re-infect themselves.”

“With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can’t do it,” he said.

Well, whoever was behind Stuxnet, it looks like they have done an amazing job of tying up and maybe even neutralizing the Iranian nuclear plants. It also makes one wonder how prepared other facilities are to defend against threats like Stuxnet.

And lastly, a nasty new botnet has been detected by ShadowServer. The Destination Darkness Outlaw System, or “Darkness”, is easy to purchase, easy to deploy, and is very effective and efficient in what it does. Darkness works against Windows 95 through Windows 7 clients, runs as a Windows service and uses varying numbers of bots to shut down target networks.

According to Shadowserver, 30 bots can overwhelm an average site, 300 bots a medium-sized site, 1000 bots a large site, 5000 a cluster even when using anti-DDoS protection, and 15-20 thousand bots could theoretically bring down the Russian version of Facebook.

Other Top Security Stories from around the Web:

Cybersecurity Must Balance ‘Need to Know’ and ‘Need to Share’ – Robert J. Butler said sharing information within the military, with coalition partners and even with outside agencies will continue, but there will be more controls placed on the information.

NATO Works to Set Right Cyber Balance – “I could envision within the NATO alliance an operational command that focuses on cyber,” he said. “At the moment, that work is embedded in several of the NATO agencies. But I think we are seeing this as an operational task, so I will be advocating putting more of this on the operational side.”

Army’s plan to modernize intell rides on the cloud – The Army’s efforts to enlist cloud computing to modernize its intelligence capabilities are in step with similar efforts across the military services.

NASA sold computers without properly scrubbing them, IG says – A NASA inspector general’s audit found that the agency had released to the public 10 computers that had not had their memories wiped. Nine of them might have contained highly sensitive data.

NIST Announces SHA-3 Hash Function Finalists – The SHA-3 finalists include Skein, developed by a group including Bruce Schneier and Jon Callas.

Wikileaks Out, The Jester Speaks Out, Anonops Freaks Out

The insanity that is Wikileaks continues. As you may know if you have been following this soap opera, PayPal, MasterCard and Visa all suffered attacks after cutting off funding to the Wikileaks site.

According to one website, a hacktivist group called Anonymous (“Anonops” – see video above) that attacked the financial companies is offering its hacker toolkit (LOIC – Low Orbit Ion Cannon) free to anyone who wants to join in on the offensive. There are currently about 500 computers in the LOIC botnet hive. Wow, what were they thinking there?

It looks like a full war of hacktivists has started, as Anonops itself suffered a denial of service attack. PandaLabs has an exceptional timeline with charts of the ongoing DDoS war.

And lastly, The Jester breaks the silence and releases a statement, basically saying that there is a Jester imposter and that vengeance is his.

Craziness, and I was hoping this Wikileaks nonsense would stop this week. Now it seems that it has created a DDoS storm of pro and anti-Wikileaks followers.

What is next? Tune in next week for the next exciting episode of “Why isn’t Assange in Federal Prison yet?” or “Obama shuts down the internet to stop DDoS attacks”.