
Hack Attacks
Dr. Mohit Bansal
Published: 26-10-2017
2 Hacking

With the rise in importance of the Internet in our lives came the opportunity for some to exploit this for their own gain. Hacking rose to prominence as the resources hackers targeted became more valued. Hackers sought opportunities to control sites and make a statement by attacking governments, businesses and organisations that they disagreed with. Other hackers did it for financial gain and rewards. And yet another group hacked on behalf of government and defense to attack their enemies or learn their secrets. The rise of Anonymous as a collective involving itself in “causes” redefined the coordination of people with common interests on the Internet. Their high-profile operations have spurred a growth in interest in hackers generally, but also in the experts whose job it is to secure government, business and organisations against hackers. The collected articles in this chapter explore both sides of this ongoing and escalating battle.

2.1 Hacking, Cracking and the Wild, Wild Web

(Image: Is it time to get tougher on hackers, whatever their motivations? Source: pixabay CC0 [1])

PRIVACY—Who are hackers and what do they want from you? Pop culture would have us believe they live in dank basements, wear black leather from head to toe and have pseudonyms such as Warlock or Neo.

Hacking and film have long gone hand in hand. Pre-internet we had the appropriately-named Gene Hackman in The Conversation, a 1974 movie focusing on the violation of people’s privacy. Post-internet, the names trip easily off the tongue: The Matrix; The Score; Swordfish; GoldenEye; Tron; Hackers—each one revisits the theme of hacking, reworks it, reinforces the same key imagery.

Perhaps the film that most inspired the modern hacker genre was WarGames, the 1983 film in which a teenage hacker, played by a dew-faced Matthew Broderick, inadvertently leads the world to the brink of nuclear war.

A real-life echo of this comes in the shape of Gary McKinnon, the Scottish systems administrator who faces charges of hacking into 97 US military and NASA computers over a 13-month period between 2001 and 2002 [2]. And then of course there’s Julian Assange, the WikiLeaks founder, who has graduated from one-time teenage hacker to (notorious) world celebrity.

2.1.1 Who’s Hacking Who?

Governments, private companies and criminal organisations are all involved in hacking to some extent and for different reasons. Certain newspapers, as we’ve learned recently, are not immune to the charms of listening in to the private affairs of others [3].

2.1.2 The Wild, Wild Web

In terms of corruptibility, the digital network we now take for granted is like the American Wild West of the 1860s. It was designed to facilitate information flow over digital links, and the idea that these links could be used for illicit activities may not even have crossed the minds of the engineers who built it. In some ways, the current system is extremely hacker-friendly, and there would need to be a major infrastructure rebuild before hacking could be stamped out.

2.1.3 Colour-Coded Hacking

Broadly speaking, hackers fall into three camps:

1) White hackers. A so-called “white hat” will inform an organisation if a security weakness is found in that organisation’s systems. Organisations such as the Australian Computer Emergency Response Team (AusCERT) [4] fill a white-hat role in the hacker world. In one sense, they perform a defensive role: they are the good guys of the hacking world.

2) Grey hackers. These are less clear-cut than the above (hence the fact they occupy something of a “grey” area in the hacking world). Often, they act on the spur of the moment. Depending on the situation, they might exploit or warn an organisation if a weakness is found in its system. Are they our friends or enemies? That just depends.

3) Black hackers. These will act to exploit any weakness in a network or an organisation’s systems for gain. This could mean collecting and selling intellectual property or personal information. It could also mean infecting an organisation’s systems with a malicious virus. Black hackers may be individuals, organisations or governments.

And then there’s something quite different, known as:

2.1.4 Crackers

For many, hacking is about learning new skills to gain a better understanding of how the digital network operates. Hacking, to crackers, is a hobby, a chance to be part of a group activity. Will they graduate one day to black leather pants and dank basements? It’s perfectly possible.

Sadly, for every “good” hacker there are countless others who act from less than noble motives, and follow well-worn paths to reach their goals.

2.1.5 Hack Attacks

The most common types of these are:

1) Distributed Denial of Service, or DDoS. Simply put, this involves hackers overloading a site’s server with too many requests. There’s nothing particularly sophisticated about this type of attack, but it’s one of the most effective if executed on a large scale.

2) Website hacking. This involves hackers bypassing the security parameters of a website, gaining access to its administrator panel, then adding or removing information (e.g. adding a page that carries a personal message from the hacker, or adding sexually explicit images on a site’s landing pages).

Viruses are, in their own way, a form of hacking.

2.1.6 Stuxnet

A particularly frightening example of these types of attacks was last year’s “Stuxnet” attacks [5]. This highly sophisticated computer worm infection infiltrated systems in Iranian nuclear plants, halting scheduled operations between June and September.

Which, in some way, brings us back to WarGames and, in my mind at least, the Wild West.

In the Wild West, destruction caused by outlaws, over many years, led to the introduction of new laws, and the end of a free-for-all mentality to shared and relied-upon resources. Has the time now arrived to impose tougher laws on hacking?

Read more on this topic: Location, location: who’s watching you (and why)? [6]

[1] Man despair problem null one binary code, pixabay, http://pixabay.com/en/man-despair-problem-null-one-65049/, accessed 21 December 2012.
[2] Fresh evidence made public to help Enfield hacker Gary McKinnon’s fight against extradition, http://www.enfieldindependent.co.uk/news/localnews/8923549.Lords_to_debate_fate_of_Enfield_hacker_Gary_McKinnon/, accessed 14 April 2011.
[3] News of the World phone hacking: John Whittingdale seeks public enquiry, http://www.guardian.co.uk/media/2011/apr/13/news-of-the-world-phone-hacking, accessed 14 April 2011.
[4] AusCERT, http://www.auscert.org.au/, accessed 14 April 2011.
[5] A Declaration of Cyber-War, http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104, accessed 14 April 2011.
[6] Location, location: who’s watching you (and why)?, http://theconversation.edu.au/location-location-whos-watching-you-and-why-691, accessed 14 April 2011.

2.2 Anonymous, Child Porn and the Wild, Wild Web

28 October 2011

(Image: Is it right for hackers, regardless of public support, to take the law into their own hands? Source: AnonymousMXPT CC0 [7])

High-profile hacktivist group Anonymous [8] has turned its attention to fighting child pornography. As a sign of what it pledges will become more widespread, the group this month launched an attack on a server by the name of Freedom Hosting [9]. In doing so, the group claimed to have temporarily disabled more than 40 child pornography sites on a hidden network while publishing a list of more than 1,500 of those sites’ usernames online.

Similar denial-of-service (DDoS) attacks [10], we can assume, will follow in what Anonymous is calling Operation Darknet, or OpDarknet. The move on Freedom Hosting forced the company to switch to back-up systems, although this was not effective—Anonymous attacked again and forced Freedom Hosting offline.

In a statement posted online [11], Anonymous claims to have evidence of Freedom Hosting’s guilt: “For this,” the statement reads, “Freedom Hosting has been declared OpDarknet Enemy Number One”.

The group claims: “The owners and operators at Freedom Hosting are openly supporting child pornography and enabling pedophiles (sic) to view innocent children, fuelling their issues and putting children at risk of abduction, molestation, rape, and death.”

Anonymous claims its investigation into the “darknet”, including websites that permit the operators and users to hide their identities, led to the discovery that many of the child pornography links led to Freedom Hosting systems.

At a time when police and governments around the world are struggling to combat cyber crime, it’s interesting to see the continuing development of vigilante activism. The Wild West has been re-born on the internet.

Anonymous [12] is well-known for hacking into corporate and government websites. The ever-evolving group has been associated with civil disobedience and hacktivism—targeting attacks on organisations across a spectrum of entertainment, religious organisations and businesses.

(Video: “To catch a Predator”, Anonymous YouTube video [13])

Of course, as is apparent in the name, one of the key goals of Anonymous is for its members to remain hidden from sight.

Society may applaud Anonymous in the first instance for attacking child pornographers, but concern must surely be raised that Freedom Hosting has been attacked in this manner without charge, trial and conviction.

In the YouTube video above, an eerie blend of voices representing Anonymous state: “Many of us have lingering traumatic images of the material that these pedophiles (sic) were hiding on the darknet.

“Anonymous took a pledge to defend the defenseless (sic) and fight for the fallen … The darknet is a vast sea of many providers. However, we fully intend to make it uninhabitable for these disgusting degenerates to exist.”

The group’s online statement regarding the DDoS attack reads: “By taking down Freedom Hosting, we are eliminating 40+ child pornography websites, among these is Lolita City, one of the largest child pornography websites to date containing more than 100 GB of child pornography.”

Clearly the guns are out of their holsters. Anonymous has vowed to continue to act, possibly because its members believe government is not doing enough to halt the transmission of child pornography over the internet.

And yet if the group had actual evidence of a criminal offence being committed by organisations utilising Freedom Hosting, most people might expect them to hand this information to the police and be prepared to support the investigation.

This matter should be followed closely to see what response there is from Freedom Hosting—not least by the authorities, who should investigate whether the Anonymous claims are correct.

[7] AnonymousMXPT, Flickr, http://www.flickr.com/photos/anonymousmxpt/8261353788/sizes/l/in/photostream/, accessed 21 December 2012.
[8] Anonymous (group), Wikipedia, http://en.wikipedia.org/wiki/Anonymous_(group, accessed 28 October 2011.
[9] Hacker group Anonymous’ new target: Child pornography websites, TheWeek, http://theweek.com/article/index/220708/hacker-group-anonymousnew-target-child-pornography-websites, accessed 28 October 2011.
[10] Zombie computers, cyber security, phishing … what you need to know, http://theconversation.edu.au/zombie-computers-cyber-security-phishing-what-you-need-to-know-1671, accessed 28 October 2011.
[11] OpDarknet Major Release and Timeline, http://pastebin.com/T1LHnzEW, accessed 28 October 2011.
[12] Anonymous, http://theconversation.edu.au/pages/anonymous, accessed 28 October 2011.
[13] “To catch a Predator” Anonymous: The fight against child pornography Operation Darknet (OpDarknet), http://www.youtube.com/watch?v=TcNimk1SJvA, accessed 28 October 2011.

2.3 Fear and Loathing in Las Vegas: Tipping a Black Hat to the DefCon Hackers

8 August 2011

Las Vegas has a long association with people on the fringe of society, but even Hunter S. Thompson’s characters Raoul Duke and his drug-soaked Samoan lawyer [14] would have found visitors to the DefCon hacker conference [15] at the extreme edge of these fringes.

As the late, great Gonzo journalist would have put it: “There was madness in any direction, at any hour. You could strike sparks anywhere.”

This year’s DefCon, named after the US military’s “defense readiness condition” [16], was held from August 4 to August 7. It followed on from the Black Hat 2011 conference, also held in Las Vegas (from July 30 to August 4), which brought together academics, professional security experts and hackers alike.

Of the two conferences, Black Hat is probably the more serious (and tamer). This year, Black Hat was in the news thanks to demonstrations of how to electronically and remotely unlock and start a Subaru Outback [17].

The hack [18] involved a man-in-the-middle attack [19], with the hackers setting up their own GSM network [20] to intercept messages sent to the car’s management systems and reading the contents before passing them on. Access codes gathered in this way could then be used to control the car, opening the doors and starting the engine. Known as “war-texting” [21], the technique can be used with a wide variety of equipment including security cameras and power- and water-supply sensors.

Another development that attracted some coverage was the (theoretical) ability to hack a person’s insulin pump and get it to administer a fatal dose [22].

Also at Black Hat, researchers from Carnegie Mellon University demonstrated [23] how they could use facial recognition software [24, 25] on Facebook profile photos (and photos from other sites) to identify people and gather a considerable amount of information about those identified.

Less well-publicised were talks on how to set up and defend a crisis map [26], which are increasingly being used [27] to collate information from social media to establish an accurate picture of what is happening during crises such as the Egyptian uprising. Governments would have a huge interest in disrupting these services if they thought they were being used for the benefit of those involved in the revolution.

2.3.1 DefCon

Where Black Hat is a more serious and security-oriented conference, DefCon is more of a social event, with a greater emphasis on hacking than traditional security applications.

The conference was founded in 1993 by “Dark Tangent” (Jeff Moss) [28] as a party for hackers. Since then it has grown to more than 15,000 attendees.

Journalists attending DefCon were warned [29] to leave credit cards at home, not to use their telephones and not to connect to any wireless network unless it was using a secure connection.

Within hours of the conference opening, hackers had interfered with the software controlling the lifts and, allegedly, ATM machines, poker machines, the public address system and lighting at the venue.

While conferences such as DefCon are primarily male-dominated affairs—around 90% of attendees at this year’s event [30]—a 10-year-old girl known as CyFi, founder of DefCon Kids [31], caused a bit of a stir after revealing a security exploit she had found.

She found the zero-day exploit [32] in games on iPhones and Android devices. The exploit allowed CyFi to “speed up” time in farm-style games where rewards and achievements only occur after a certain period of time.

2.3.2 Government Hackers

This year’s DefCon also saw an appearance by representatives from the US National Security Agency (NSA) [33] and other secret service organisations, groups that were actively recruiting “cyber warriors” [34] from conference attendees and speakers.

As cyber security [35] increasingly becomes a major area of concern for nations around the world, recruitment in this area has risen accordingly. Such attention has not necessarily been welcomed by the hacker community. An open letter was published last week [36], calling for hackers not to “sell out” to the NSA.

And of course no article on hacking would be complete without a mention of LulzSec and Anonymous [37], the current hacktivists du jour. Obligingly, DefCon hosted a discussion panel [38] featuring an at-times heated discussion about the groups’ activities.

There was some suggestion that the hacktivists should focus their efforts on unearthing corruption or child exploitation web sites [39], rather than hacking for fun or other, less noble, reasons. It was suggested there were members of LulzSec and Anonymous both in the audience and generally attending the conference.

In many ways, these conferences highlight that it is possibly not the widely-publicised hacks—such as those carried out by LulzSec and Anonymous—that we should be concerned about. With computers increasingly interfacing with every part of our lives, it is the undetected and subtle ways in which hackers can take control of these interfaces that is of most concern.

And as recent global events have highlighted [40], it is possibly not just the teenage hackers we should be worried about but the governments who are employing them.

As Thompson might have put it: “When the going gets weird, the weird turn pro.”

[14] Fear and Loathing in Las Vegas, http://en.wikipedia.org/wiki/Fear_and_Loathing_in_Las_Vegas, accessed 8 August 2011.
[15] DEF CON Hacking Conference, http://www.defcon.org/, accessed 8 August 2011.
[16] DEFCON, http://en.wikipedia.org/wiki/DEFCON, accessed 8 August 2011.
[17] Hackers break into Subaru Outback via text message, http://www.engadget.com/2011/08/04/hackers-break-into-subaru-outback-via-text-message/, accessed 8 August 2011.
[18] Hacking, cracking and the wild, wild web, http://theconversation.edu.au/hacking-cracking-and-the-wild-wild-web-738, accessed 8 August 2011.
[19] Man-in-the-middle attack, http://en.wikipedia.org/wiki/Man-in-the-middle_attack, accessed 8 August 2011.
[20] GSM, http://en.wikipedia.org/wiki/GSM, accessed 8 August 2011.
[21] Link no longer goes to specified page, https://www.isecpartners.com/storage/docs/presentations/iSEC_BH2011_War_Texting.pdf, accessed 8 August 2011.
[22] Black Hat: Insulin pumps can be hacked, http://www.scmagazine.com/black-hat-insulin-pumps-can-be-hacked/article/209106/, accessed 8 August 2011.
[23] Face-matching with Facebook profiles: How it was done, http://news.cnet.com/8301-31921_3-20088456-281/face-matching-with-facebook-profiles-how-it-was-done/, accessed 8 August 2011.
[24] Facial recognition technology, http://theconversation.edu.au/pages/facial-recognition-technology, accessed 8 August 2011.
[25] Facebook and facial recognition – you’ve been tagged, http://theconversation.edu.au/facebook-and-facial-recognition-youve-been-tagged-1776, accessed 8 August 2011.
[26] Link no longer goes to specified page, http://www.blackhat.com/docs/webcast/usa11preview_chamales.pdf, accessed 8 August 2011.
[27] Crisis management: using Twitter and Facebook for the greater good, http://theconversation.edu.au/crisis-management-using-twitter-and-facebook-for-the-greater-good-2439, accessed 8 August 2011.
[28] Jeff Moss (hacker), http://en.wikipedia.org/wiki/Jeff_Moss_%28hacker%29, accessed 8 August 2011.
[29] DEF CON: The event that scares hackers, http://edition.cnn.com/2011/TECH/web/08/05/def.con.hackers/index.html?npt=NP1&on.cnn=1, accessed 8 August 2011.
[30] 10 year old girl hacker CyFi reveal her first zero-day in Game at DefCon 19, http://thehackernews.com/2011/08/10-year-old-girl-hacker-cyfi-reveal-her.html, accessed 8 August 2011.
[31] DEFCON Kids, http://www.defconkids.org/, accessed 8 August 2011.
[32] Zero Day Exploits - Holy Grail Of The Malicious Hacker, http://netsecurity.about.com/od/newsandeditorial1/a/aazeroday.htm, accessed 8 August 2011.
[33] Welcome to the National Security Agency, http://www.nsa.gov/, accessed 1 July 2013.
[34] Zakaria, Tabassum, Defcon Hacker Convention: Government Cybersecurity Experts Looking To Recruit Top Hacking Brass In Las Vegas, http://www.huffingtonpost.com/2011/08/02/defcon-hacker-convention-government-cybersecurity_n_915853.html, accessed 1 July 2013.
[35] Cyber security, http://theconversation.com/topics/cyber-security, accessed 1 July 2013.
[36] DJ Pangburn, An Open Letter to Defcon Hackers: Don’t Sell Out to the NSA, http://www.deathandtaxesmag.com/127506/an-open-letter-to-defcon-hackers-dont-sell-out-to-the-nsa/, accessed 1 July 2013.
[37] Wright, Craig S, Are Anonymous and LulzSec about to hack PayPal for WikiLeaks?, http://theconversation.com/are-anonymous-and-lulzsec-about-to-hack-paypal-for-wikileaks-2582, accessed 1 July 2013.
[38] Takahashi, Dean, Defcon panel: Anonymous is here. LulzSec is here. They’re everywhere, http://venturebeat.com/2011/08/06/defcon-panel-anonymous-is-here-lulzsec-is-here-theyre-everywhere/, accessed 1 July 2013.
[39] Branch, Philip, LulzSec takes down CIA website in the name of fun, fun, fun, accessed 1 July 2013.
[40] Wright, Craig S, World’s biggest-ever cyber attacks uncovered – and it’s only the beginning, http://theconversation.com/worlds-biggest-ever-cyber-attacks-uncovered-and-its-only-the-beginning-2677, accessed 1 July 2013.

2.4 Are Anonymous Hackers Really on Trial, or Is FBI Payback Misdirected?

5 September 2011

It’s a scene reminiscent of a thousand police dramas: the FBI arrived at the door of 20-year-old journalism student Mercedes Haefer [41, 42], guns drawn, at 6 a.m. one morning last July. She was still in her pyjamas, getting ready for work.

Haefer is one of 14 individuals who last week pleaded not guilty in San Jose to waging cyber-attacks against e-commerce giant PayPal [43].

The warrant for Haefer stated federal officers were looking for anything associated with hacking, infiltrating or Distributed Denial of Service (DDoS) attacks [44].

Oh, and they were looking for a Guy Fawkes mask—evidence that would link Mercedes with the hacker group Anonymous (who have claimed such masks as their own) and, specifically, Operation Payback [45].

2.4.1 Payback

Operation Payback saw DDoS attacks on a number of companies, in particular PayPal. Anonymous claimed the attacks were retribution for decisions by executives at these companies to withdraw payment facilities from WikiLeaks [46].

The FBI knew Haefer was associated with Anonymous because of her involvement on the group’s IRC channels [47], where she was known as “NO”. But she denied having taken part directly in any of the DDoS attacks on PayPal [48].

Haefer was indicted [49] along with 13 others on two charges of causing damage against PayPal’s computers. They carry a maximum penalty of 15 years in jail and a fine of $500,000. Two other people were charged separately.

Haefer is enrolled in a journalism and media pre-major course at the University of Nevada, Las Vegas [50].

Commenting on the charges against Haefer, the director of the Hank Greenspun School of Journalism and Media, Professor Daniel Stout [51], said, “We don’t condone unethical behavior that results in the harm of the audience.”

He also said that if Haefer had continued her studies she would have taken courses that ultimately produce journalists with a strong sense of ethics (Haefer is still enrolled at UNLV and Professor Stout has since moderated his comments [52]).

Despite a superficial understanding of what a DDoS attack comprises (and despite the fact Haefer had not been tried when he made his statement), he was ready to brand both the act and Haefer as criminal and unethical.

In an examination of the ethics of DDoS attacks [53], Gabriella Coleman [54], a socio-cultural anthropologist at New York University, makes a distinction between criminal acts such as hacking and non-violent political acts such as sit-ins. In doing so, she raises the possibility of regarding DDoS as the digital equivalent of an occupation.

That said, in the case of a sit-in, the aim may include being arrested to draw more attention to a cause—and it’s not clear that any of the alleged members of Anonymous were anticipating being arrested. The indictment used for the so-called Anonymous 16 includes the charge of intentional damage to a computer.

2.4.2 DDoS

A DDoS works by sending repeated requests to a website very quickly, exhausting resources and blocking access to regular users. In the grand scheme of hacks, DDoS is a nuisance but not a major threat to a company, unlike, say, losing the details of user accounts and passwords.

This was a view shared by Deputy Assistant FBI Director Steven Chabinsky [55]. “There has not been a large-scale trend toward using hacking to actually destroy websites, but that could be appealing to both criminals or terrorists,” Chabinsky told radio station NPR in July [56]. “That’s where the ‘hacktivism,’ even if currently viewed by some as a nuisance, shows the potential to be destabilizing.”

Ethics

Leaving aside considerations as to whether DDoS attacks are themselves ethical, the charge that the Anons lack a sense of ethics, as suggested by Professor Stout and others, seems even less certain. If anything, it’s the Anons’ sense of righting the wrongs of corporations and governments that underpins most of their activities.

Haefer said she became interested in the activities of Anonymous in part because of a sense of injustice at the inappropriate punishment for a woman accused of distributing 24 songs. She was referring to the US$2 million fine imposed on Jammie Thomas-Rasset for sharing music, a fine which was later reduced to US$54,000.

Haefer’s case can be contrasted with that of a 16-year-old woman from France who claimed the hack of San Francisco’s Bay Area Rapid Transit Police Officers Association last month. The young hacker had released the personal details of 100 officers.

Going by the handle “Lamaline_5mg”, she claimed this was her first hack, that she had little experience and that she had picked up enough information to hack the site in less than 4 hours.

Whereas Haefer claimed no previous technical knowledge, Lamaline was technically savvy enough to use techniques to cover her tracks, making her protestations of technical naivety slightly suspect. Interestingly, Lamaline had not associated herself with Anonymous—in fact, some people on an Anonymous chat room condemned the attack as irresponsible.

2.4.3 Kicking an Open Door

One confounding factor in the actions of Anons is the relatively low barrier to entry for participation. A simple search online will provide links to downloadable software to enable participation in a DDoS. Software such as the LOIC is simple to use and requires no technical expertise. There are readily accessible videos that demonstrate its use. Anyone can go on to the Anonymous IRC channel and listen in. You can follow the activities of Anonymous and others on Twitter.

Accompanying this ease of access is the separation of actions and consequence—a separation encapsulated by using DDoS software. Unsophisticated users would potentially struggle to understand how traceable their actions are. The fact the FBI had little trouble in rounding up the 14 suspects being tried together in the DDoS attacks is more a testament to the ease of tracing individuals than a reflection of the technical abilities of the FBI.

The single unifying feature of those arrested in connection with Operation Payback [57] is their young age, given most of those charged are in their twenties. The reaction against Anonymous from the general public, lawmakers and security specialists comes across almost as a generational conflict.

This is epitomised by Haefer having to leave her father’s home because he supposedly viewed his daughter (in Haefer’s words) as “a terrorist” [58].

And Haefer? She still believes in the positive things Anonymous is doing and is looking forward to making that known, without a mask, at her day in court.

[41] An Interview With a Target of the FBI’s Anonymous Probe, http://gawker.com/5757995/an-interview-with-a-target-of-the-fbis-anonymous-probe, accessed 5 September 2011.
[42] FBI Exposes The Terrifying Face Of “Anonymous”, http://www.thesmokinggun.com/documents/internet/fbi-exposes-terrifying-face-anonymous-748293, accessed 5 September 2011.
[43] PayPal, https://www.paypal.com/au/webapps/mpp/home, accessed 5 September 2011.
[44] Zombie computers, cyber security, phishing … what you need to know, http://theconversation.edu.au/zombie-computers-cyber-security-phishing-what-you-need-to-know-1671, accessed 5 September 2011.
[45] Operation Payback: WikiLeaks Avenged by Hacktivists, http://www.pcworld.com/article/212701/operation_payback_wikileaks_avenged_by_hactivists.html, accessed 5 September 2011.
[46] WikiLeaks Supporter ‘Operation Payback’ Targets PayPal, Amazon, http://www.pcmag.com/article2/0,2817,2374090,00.asp, accessed 5 September 2011.
[47] Internet Relay Chat, http://en.wikipedia.org/wiki/Internet_Relay_Chat, accessed 5 September 2011.
[48] An Interview With a Target of the FBI’s Anonymous Probe, http://gawker.com/5757995/an-interview-with-a-target-of-the-fbis-anonymous-probe, accessed 5 September 2011.
[49] Consumer credit cashing, http://freemercedes.org/, accessed 5 September 2011.
[50] UNLV student arrested by FBI for hacking in support of Wikileaks, http://www.unlvrebelyell.com/2011/07/25/unlv-student-arrested-by-fbi-for-hacking-in-support-of-wikileaks/, accessed 5 September 2011.
[51] Jessica Zimmerman JMS’s Outstanding Graduate Student for November, http://journalism.unlv.edu/, accessed 5 September 2011.
[52] Haefer asserts innocence, http://www.unlvrebelyell.com/2011/08/08/haefer-asserts-innocence/, accessed 5 September 2011.
[53] The ethics of digital direct action, http://www.aljazeera.com/indepth/opinion/2011/08/20118308455825769.html, accessed 5 September 2011.
[54] Gabriella Coleman, http://steinhardt.nyu.edu/faculty_bios/view/Gabriella_Coleman, accessed 5 September 2011.
[55] FBI Tries To Send Message With Hacker Arrests, http://www.npr.org/2011/07/20/138555799/fbi-arrests-alleged-anonymous-hackers, accessed 5 September 2011.
[56] FBI Tries To Send Message With Hacker Arrests, http://www.npr.org/2011/07/20/138555799/fbi-arrests-alleged-anonymous-hackers, accessed 5 September 2011.
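The DDoS mechanism described in 2.4.2 (many requests, very quickly, from each participant) and the point above that participants are easy to trace can be seen from the target's side in its own access logs. The following Go program is an added example, not part of the original article: it parses constructed Common Log Format lines and flags any source address that exceeds a request limit inside a sliding time window. The addresses, paths and timestamps are all made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// request is one parsed access-log entry; only the fields a rate check needs.
type request struct {
	ip string
	at time.Time
}

// parseLine reads a Common Log Format line, for example
//   198.51.100.23 - - [20/Jul/2011:06:00:01 +0000] "GET /checkout HTTP/1.1" 200 512
// and returns the client address and request time.
func parseLine(line string) (request, error) {
	f := strings.Fields(line)
	if len(f) < 5 || !strings.HasPrefix(f[3], "[") || !strings.HasSuffix(f[4], "]") {
		return request{}, fmt.Errorf("malformed log line: %q", line)
	}
	stamp := f[3][1:] + " " + strings.TrimSuffix(f[4], "]")
	at, err := time.Parse("02/Jan/2006:15:04:05 -0700", stamp)
	if err != nil {
		return request{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return request{ip: f[0], at: at}, nil
}

// floodSources returns, sorted, every source address that issued more than
// limit requests inside any span of length window. Per address the timestamps
// are sorted and a two-pointer sliding window finds the densest burst in
// linear time, so the check scales to large logs.
func floodSources(accessLog string, window time.Duration, limit int) ([]string, error) {
	byIP := map[string][]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(accessLog))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		r, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		byIP[r.ip] = append(byIP[r.ip], r.at)
	}
	var flagged []string
	for ip, times := range byIP {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			// advance start until requests start..end all fall within one window
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 > limit {
				flagged = append(flagged, ip)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged, nil
}

// sampleLog is constructed for this example: one address bursting ten requests
// in three seconds, and two addresses browsing at a normal pace.
const sampleLog = `
198.51.100.23 - - [20/Jul/2011:06:00:01 +0000] "GET /checkout HTTP/1.1" 200 512
198.51.100.23 - - [20/Jul/2011:06:00:01 +0000] "GET /checkout HTTP/1.1" 200 512
198.51.100.23 - - [20/Jul/2011:06:00:01 +0000] "GET /checkout HTTP/1.1" 200 512
198.51.100.23 - - [20/Jul/2011:06:00:01 +0000] "GET /checkout HTTP/1.1" 200 512
198.51.100.23 - - [20/Jul/2011:06:00:02 +0000] "GET /checkout HTTP/1.1" 200 512
198.51.100.23 - - [20/Jul/2011:06:00:02 +0000] "GET /checkout HTTP/1.1" 200 512
198.51.100.23 - - [20/Jul/2011:06:00:02 +0000] "GET /checkout HTTP/1.1" 503 0
198.51.100.23 - - [20/Jul/2011:06:00:03 +0000] "GET /checkout HTTP/1.1" 503 0
198.51.100.23 - - [20/Jul/2011:06:00:03 +0000] "GET /checkout HTTP/1.1" 503 0
198.51.100.23 - - [20/Jul/2011:06:00:03 +0000] "GET /checkout HTTP/1.1" 503 0
203.0.113.7 - - [20/Jul/2011:05:59:58 +0000] "GET / HTTP/1.1" 200 1280
203.0.113.7 - - [20/Jul/2011:06:00:04 +0000] "GET /login HTTP/1.1" 200 860
203.0.113.7 - - [20/Jul/2011:06:00:12 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.9 - - [20/Jul/2011:06:00:05 +0000] "GET / HTTP/1.1" 200 1280
192.0.2.9 - - [20/Jul/2011:06:00:40 +0000] "GET /help HTTP/1.1" 200 640
`

func main() {
	flagged, err := floodSources(sampleLog, 10*time.Second, 8)
	if err != nil {
		panic(err)
	}
	fmt.Println("flood sources:", flagged) // [198.51.100.23]
}
```

A real flood is spread over many participating machines, so in practice the same per-source count is kept alongside an aggregate rate, but each participant's own address still appears in the log exactly as shown here.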
57. FBI Exposes The Terrifying Face Of “Anonymous”, http://www.thesmokinggun.com/file/paypal-service-attack?page=0, Accessed on 5 September 2011.
58. Haefer asserts innocence, http://www.unlvrebelyell.com/2011/08/08/haefer-asserts-innocence/, Accessed on 5 September 2011.

2.5 Comodo Hacker, TurkGuvenligi…Out for Lulz or Breaking the Internet?

12 September 2011

Two recent hacking incidents have highlighted the increasing fragility of the internet’s core infrastructure. They serve as a stark reminder that online security is somewhat illusory. The weaknesses have been known for some time but the move to implement solutions has lacked momentum. But events in the past few months may have pushed internet providers to a tipping point.

2.5.1 Comodo Hacker Breaks SSL

The more serious of the two incidents was carried out by a hacker called the Comodo Hacker,[59] or Ich Sun as his Twitter account was known.[60] In March, he hacked[61] a company called Comodo,[62] which is responsible for issuing certificates[63] that underpin the secure internet protocol SSL,[64] or Secure Sockets Layer—a cryptographic protocol that provides communication security.

These certificates are highly visible: you can see them when the padlock icon appears on a browser URL when you are connected to a secure site—for example, your bank. Essentially, the hacker was able to use Comodo to create fake certificates for sites such as google.com and long.yahoo.com.[65] This hack was detected and disclosed early and its consequences were limited.

At the time, the hacker was identified as a 21-year-old Iranian national from information that he released.[66]

The hacker wanted to impress the world with his skill, and sought to justify the hack as retaliation against what he perceived as actions by the US and Israel, in particular, in their role in the Stuxnet virus attack against an Iranian nuclear facility.[67] He insisted he was working alone and not, as allegations had claimed, that the attack was organised by the Iranian Government.[68]

2.5.2 Comodo Hacker Reprised

The Comodo hacker promised more to come, and was true to his word. Last month, the Dutch security company Fox-IT[69] was asked to investigate the appearance of a rogue certificate for google.com online. Although the certificate had been identified and revoked (effectively cancelled) on August 29, the hacker had compromised DigiNotar,[70] the company responsible for issuing the certificate, during the period from June 27 to July 22.

59. Hacker claims he can exploit Windows Update, http://www.computerworld.com/s/article/9219876/Hacker_claims_he_can_exploit_Windows_Update?taxonomyId=89, Accessed on 12 September 2011.
60. Ich Sun Rising – The Story Of How SSL Certificate Authorities Died, http://diceylee.blogspot.com.au/2011/09/ich-sun-rising-story-of-how-ssl.html, Accessed on 12 September 2011.
61. Google, Yahoo, Skype targeted in attack linked to Iran, http://news.cnet.com/8301-31921_3-20046340-281.html?tag=mncol;txt, Accessed on 12 September 2011.
62. Comodo, http://www.comodo.com/, Accessed on 12 September 2011.
63. What is SSL and what are Certificates? http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html, Accessed on 12 September 2011.
64. Transport Layer Security, http://en.wikipedia.org/wiki/Secure_Sockets_Layer, Accessed on 12 September 2011.
65. Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get? https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https, Accessed on 12 September 2011.
66. ComodoHacker’s Pastebin, http://pastebin.com/u/ComodoHacker, Accessed on 12 September 2011.
There is evidence the google.com certificate had been used in Iran to fool users into thinking they were connecting securely to Google sites when, in fact, they were probably logging into sites controlled by the Iranian Government.[71] All communication, emails, usernames and passwords would have been available in unencrypted form.

The fact the certificates were being used to spy on the Iranian people was bad enough, but the problems didn’t stop there. It turned out that DigiNotar, based in the Netherlands, was also responsible for issuing certificates for the Netherlands Government,[72] among many other companies and organisations. The hacker had issued 531 certificates from DigiNotar. This caused the browser manufacturers, Google, Mozilla (Firefox), Microsoft and eventually Apple to remove DigiNotar from their list of trusted Certificate Authorities (CAs)[73] and issue patches[74] to their software.

67. A Declaration of Cyber-War, http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104, Accessed on 12 September 2011.
68. Comodo Report of Incident - Comodo detected and thwarted an intrusion on 26-MAR-2011, https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html, Accessed on 12 September 2011.
69. Fox-IT, http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf, Accessed on 12 September 2011.
70. Link no longer goes to specified page, http://www.diginotar.com/, Accessed on 12 September 2011.
71. Google users in Iran targeted in certificate scam, http://www.google.com/hostednews/afp/article/ALeqM5g4RgXPBowpoyZnscQ8o7-L4AlOpQ?docId=CNG.9e34c99182f5659a398b65217766ca17.21, Accessed on 12 September 2011.
72. Dutch Government Struggles to Deal With DigiNotar Hack, http://www.pcworld.com/article/239639/dutch_government_struggles_to_deal_with_diginotar_hack.html, Accessed on 12 September 2011.
The Dutch Government and other DigiNotar customers will need to replace all of their DigiNotar certificates with certificates from another CA.

2.5.3 TurkGuvenligi Breaks DNS

Another hacker (group) was, in the meantime, subverting a different piece of the internet. This hack was by someone calling himself TurkGuvenligi (The Legend)[75] and basically involved a technique of DNS Hijacking.[76]

The Domain Name System (DNS) is the way names such as http://www.google.com are translated into numbers, allowing programs to communicate with each other over the internet. DNS Hijacking involves substituting the real address for another one. So in the case of the TurkGuvenligi hack, sites such as Vodafone, The Register, The Telegraph and National Geographic were pointed to a website with the TurkGuvenligi name and a statement celebrating “World Hackers Day”.

The importance of the TurkGuvenligi hack is that, combined with fake SSL certificates, it means a person would have no idea they were not at the real site. In the past, security professionals have claimed a spoofed DNS would not matter so much because, if you used a secure SSL connection, the browser would alert you to the fact that the certificate wasn’t correct.[77] By combining the Comodo Hacker’s exploit with that of TurkGuvenligi’s DNS attack you have a situation whereby literally anyone could fool a very large number of people into thinking there was nothing wrong.

2.5.4 The Internet Is Broken

Society has increasingly come to rely on the internet for almost every aspect of life, from commerce through to health, personal expression and political dissent.

73. Certificate authority, http://en.wikipedia.org/wiki/Certificate_authority, Accessed on 12 September 2011.
74. What is a software patch? http://www.oss-watch.ac.uk/resources/softwarepatch, Accessed on 12 September 2011.
75. Theregister.co.uk, Vodafone, Telegraph, Acer, National Geographic got hacked by Turkguvenligi, http://thehackernews.com/2011/09/theregistercouk-biggest-news-site-got.html_, Accessed on 12 September 2011.
76. DNS hijacking, http://en.wikipedia.org/wiki/DNS_hijacking, Accessed on 12 September 2011.
77. How to protect from man-in-the-middle attacks, http://www.net-security.org/secworld.php?id=7087, Accessed on 12 September 2011.

A great deal of this activity relies on being able to operate securely when needed. When you are using your bank account, buying something online or organising a demonstration against a policy you don’t agree with, you need a secure connection to a legitimate site. The events of the past few months have highlighted that we cannot rely on the current infrastructure to provide any sort of guarantee of a secure environment.

2.5.5 Solutions to Fix the Internet?

So, are there any alternatives to the current infrastructure that would be better? On the SSL side, the Perspectives Project[78] from Carnegie Mellon University has released a solution called “Convergence”. In this scheme, instead of having a list of Certificate Authorities dictated by the browser, you can nominate people you trust (such as your local university) to validate a site that you are visiting. The benefit of this is that you can change the list and have as many or as few “notaries” validate the site for you.

Another alternative to DNS that also helps with the SSL problem, but does not completely solve it, is DNSSEC,[79] or Domain Name System Security Extensions, a suite of specifications for securing certain kinds of information provided by DNS. This provides security extensions to DNS and attempts to resolve the underlying problems with DNS hijacking.[80] Unlike Convergence, DNSSEC requires governments and internet providers to implement the fix.[81] Coordination is only beginning to happen.
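The two ways of deciding whether to trust a certificate that this section and section 2.5.3 describe, the browser's fixed CA list and a user-chosen set of notaries, can be put side by side in a small model. This is an added illustration written for this edition, not code from the article or from the Perspectives or Convergence projects. Certificates are stand-in records with a SHA-256 fingerprint rather than parsed X.509; the CA named GenuineCA and the notary names are invented; DigiNotar appears as the distrusted issuer because the article names it. The script shows why a rogue certificate for a real name passed the ordinary CA check until the browser vendors removed DigiNotar, and why a quorum of notaries at independent network vantage points still rejects it even when one notary's own lookup was steered to the impostor, which is the DNS-plus-certificate combination the article warns about.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 leaf certificate (constructed, not parsed)."""
    subject: str   # hostname the certificate claims to be for
    issuer: str    # name of the CA that signed it
    serial: int    # constructed serial so two certs for one name hash differently

    @property
    def fingerprint(self) -> str:
        # Browsers fingerprint the DER encoding; this model hashes the fields instead.
        raw = f"{self.subject}|{self.issuer}|{self.serial}".encode()
        return hashlib.sha256(raw).hexdigest()


def ca_check(cert: Cert, hostname: str, trusted_cas: set[str]) -> tuple[bool, str]:
    """Conventional browser decision: name matches and issuer is on the CA list."""
    if cert.subject != hostname:
        return False, "hostname does not match certificate subject"
    if cert.issuer not in trusted_cas:
        return False, f"issuer {cert.issuer} is not a trusted CA"
    return True, "chain accepted"


def notary_check(cert: Cert, hostname: str,
                 notary_views: dict[str, dict[str, str]], quorum: int) -> tuple[bool, str]:
    """Convergence-style decision: at least `quorum` of the user's chosen notaries
    must have observed this same fingerprint for the hostname from their own
    vantage points on the network."""
    fp = cert.fingerprint
    agreeing = [name for name, seen in notary_views.items() if seen.get(hostname) == fp]
    if len(agreeing) >= quorum:
        return True, f"{len(agreeing)} notaries confirm the fingerprint"
    return False, f"only {len(agreeing)} of {len(notary_views)} notaries saw this fingerprint"


def decide(cert: Cert, hostname: str, trusted_cas: set[str],
           notary_views: dict[str, dict[str, str]], quorum: int = 2) -> dict:
    """Run both checks and accept only if both pass."""
    ca_ok, ca_why = ca_check(cert, hostname, trusted_cas)
    notary_ok, notary_why = notary_check(cert, hostname, notary_views, quorum)
    return {"ca": ca_ok, "ca_reason": ca_why,
            "notary": notary_ok, "notary_reason": notary_why,
            "accept": ca_ok and notary_ok}


# Constructed scenario. "DigiNotar" is the CA named in the article; every other
# name here is invented for the illustration.
GENUINE = Cert("google.com", "GenuineCA", serial=1)
ROGUE = Cert("google.com", "DigiNotar", serial=2)   # rogue cert for a real name

CAS_BEFORE = {"GenuineCA", "DigiNotar"}   # browser trust list before the removal
CAS_AFTER = {"GenuineCA"}                 # after vendors dropped DigiNotar

# What each notary has recorded for google.com. notary_c's own lookup was
# steered to the impostor host (a hijacked DNS answer), so it saw the rogue cert.
NOTARIES = {
    "notary_a": {"google.com": GENUINE.fingerprint},
    "notary_b": {"google.com": GENUINE.fingerprint},
    "notary_c": {"google.com": ROGUE.fingerprint},
}


def run_scenarios() -> dict[str, dict]:
    return {
        "genuine": decide(GENUINE, "google.com", CAS_BEFORE, NOTARIES),
        "rogue_before_removal": decide(ROGUE, "google.com", CAS_BEFORE, NOTARIES),
        "rogue_after_removal": decide(ROGUE, "google.com", CAS_AFTER, NOTARIES),
    }


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:22s} accept={r['accept']!s:5s} "
              f"ca: {r['ca_reason']}; notary: {r['notary_reason']}")
```

The quorum is the knob the article describes as "as many or as few notaries": with a quorum of one, the single steered notary would be enough to accept the rogue certificate, so the choice of notaries and the threshold is where the user's trust actually lives in this scheme.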
Whatever the full extent of the motives of these hackers, a clear outcome is that the internet is vulnerable to exploitation by governments, terrorists, criminals, activists and lulz-seekers. Staying safe online can certainly be helped by awareness and good security practice, but greater truths are emerging. Your internet security increasingly comes down to the fact you weren’t in the wrong place at the wrong time.

78. What is Perspectives? http://perspectives-project.org/, Accessed on 12 September 2011.
79. Domain Name System Security Extensions, http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions, Accessed on 12 September 2011.
80. DigiNotar SSL Breach, http://isc.sans.edu/diary/DigiNotar+SSL+Breach/11479, Accessed on 12 September 2011.
81. DNSSEC Takes Off in Wake of Root Zone Signing, http://www.circleid.com/posts/20110830_dnssec_takes_off_in_wake_of_root_zone_signing/, Accessed on 12 September 2011.

2.6 Betrayed? LulzSec Arrest Over Sony Hack Reveals Trust Issues

5 October 2011

On September 22, 23-year-old college student Cody Kretsinger was arrested by the FBI[82] for his part in the hack of Sony Pictures Entertainment by the high-profile hacking group LulzSec.[83] The hack resulted in the exposed information of more than 37,500 people who had registered for online promotions.[84] The hack itself and the reasons behind it have become secondary,[85] but it was part of a campaign against Sony by the hacking groups Anonymous and LulzSec[86] after the company pursued Sony PlayStation 3 games hackers and in particular George Hotz, or “GeoHot”.

2.6.1 Betrayal

What made this arrest notable is that the FBI tracked Kretsinger, or “recursion” as he was also known, by obtaining logs of his activity from a proxy service provider called Hide My Ass (HMA).[87] HMA was aware LulzSec members had been using their services from chat logs publicised by The Guardian newspaper[88] but had chosen not to do anything about it.
This changed when they were allegedly served with a court order in the UK.[89] There is now some expectation that a second LulzSec hacker, “Neuron”, who had also admitted to using the HMA service,[90] might be tracked down.

82. Member of Hacking Group LulzSec Arrested for June 2011 Intrusion of Sony Pictures Computer Systems, http://www.fbi.gov/losangeles/press-releases/2011/member-of-hacking-group-lulzsec-arrested-for-June-2011-intrusion-of-sony-pictures-computer-systems, Accessed on 5 October 2011.
83. LulzSec takes down CIA website in the name of fun, fun, fun, http://theconversation.edu.au/lulzsec-takes-down-cia-website-in-the-name-of-fun-fun-fun-1858, Accessed on 5 October 2011.
84. Cody Kretsinger, Arizona College Student, Charged In Sony Hacking Case, http://www.huffingtonpost.com/2011/09/23/cody-kretsinger-arizona-c_n_977490.html, Accessed on 5 October 2011.
85. Operation Payback brings you OpSony, http://www.anonnews.org/?p=press&a=item&i=787, Accessed on 5 October 2011.
86. Are Anonymous hackers really on trial, or is FBI payback misdirected? http://theconversation.edu.au/are-anonymous-hackers-really-on-trial-or-is-fbi-payback-misdirected-3205, Accessed on 5 October 2011.
87. Hide My Ass Free Proxy and Privacy Tools, http://hidemyass.com/, Accessed on 5 October 2011.
88. LulzSec IRC leak: the full record, http://www.guardian.co.uk/technology/2011/jun/24/lulzsec-irc-leak-the-full-record, Accessed on 5 October 2011.
89. Lulzsec fiasco, http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/, Accessed on 5 October 2011.
90. Second LulzSec hacker ‘Neuron’ could be tracked down via UK VPN, http://www.guardian.co.uk/technology/2011/sep/26/lulzsec-second-hacker?INTCMP=ILCNETTXT3487, Accessed on 5 October 2011.

2.6.2 Just Business, Right?

The actions of HMA in handing over logs to the FBI have been a rude awakening for many and have sparked condemnation from commentators on Twitter.[91]
It illustrates that many in the hacker community have strong principles that they expect others of like mind to hold—it’s just who happens to be in the group of “like minds” at any one time that’s the issue. HMA is a commercial company that markets its services by exploiting the idea it’s supportive of the hacker’s cause[92]—even somewhat cynically exploiting its role in aiding Egyptian protesters in circumventing government censorship to access Twitter.

To many in the West, including in government and security circles, there’s nothing wrong with helping an Egyptian resident to break a law in a country whose government had effectively lost support. The issue is not a moral one, but simply a practical one, given it’s less likely the Egyptian Government would be able to obtain a UK court order to persuade a service such as HMA to hand over logs.

Representatives of other virtual private network (VPN)[93] service providers such as AirVPN[94] (which allow users to appear as if they are on a different network) have come out to condemn HMA’s actions and question statements issued by the company that “all VPN providers keep logs”. AirVPN does not keep logs and accepts anonymous payment by online currency provider Bitcoin.[95] Privacy International[96] has also questioned the actions of a provider that sells itself on the ability to keep your online activity anonymous and untraceable.

2.6.3 Staying Hidden on the Internet

In the chatroom logs of several LulzSec hackers[97] there’s some discussion about how to stay secure and, in particular, how to use VPN technology to remain unidentified.

91. Get instant updates on hidemyass, https://twitter.com/search/realtime/%23hidemyass, Accessed on 5 October 2011.
92. Lulzsec fiasco, http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/, Accessed on 5 October 2011.
93. Virtual private network, http://en.wikipedia.org/wiki/Virtual_Private_Network, Accessed on 5 October 2011.
94. Important notice about security, https://airvpn.org/index.php?option=com_kunena&func=view&catid=2&id=891&Itemid=142891, Accessed on 5 October 2011.
95. Bitcoin: a pirate’s booty or the new global currency? http://theconversation.edu.au/bitcoin-a-pirates-booty-or-the-new-global-currency-3130, Accessed on 5 October 2011.
96. Enjoy internet freedom and anonymity, https://www.privacyinternational.org/blog/enjoy-internet-freedom-and-anonymity-terms-and-conditions-apply, Accessed on 5 October 2011.
97. LulzSec private log, http://pastebin.com/QZXBCBYt, Accessed on 5 October 2011.

VPN service providers establish servers in multiple countries and allow users to connect to these. The most common use for this would be to appear as if you are a user in the US, for example, to bypass any restrictions imposed by your local internet service provider or government. The uses of this technology range from Chinese residents wanting to access blocked sites such as Facebook to residents outside the US wanting to watch streaming video that is only available to US residents.

The issue with VPN services is that, as the HMA/LulzSec episode has highlighted, HMA has no obligation to keep private the details of the communication through their services. Although HMA representatives claimed in this case they were served a court order, there’s no evidence the company received anything other than a request from the FBI. As the company is UK-based, it seems unlikely the FBI would have been able to obtain a UK court order for an activity that occurred in the US. Rather, people at HMA may have been concerned their business would have been affected and servers in the US shut down.

There is also another possibility: services such as HMA are sometimes (whether rightly or wrongly) referred to as “Honeypots”—sites set up by authorities to masquerade as independent commercial operations.

2.6.4 Tor: A Better Path to Anonymity?
Given HMA is a commercial organisation, it was curious that the LulzSec hackers would have used it and others like it. An alternative to the commercial services is a service called Tor.[98]

Tor was originally developed as a project of the US Naval Research Laboratory[99] and received further support from the Electronic Frontier Foundation (EFF)[100] and other donors. It works by encrypting traffic from a user’s computer and sending it through a number of Tor Servers that are run by volunteers. The message is encrypted and re-encrypted: each time it passes through a server, a layer of encryption is removed. Eventually, the message exits but, when combined with secure communication, it’s not possible for an external observer to tell which path the communication took and where it originated.

98. Tor Project: Anonymity Online, https://www.torproject.org/, Accessed on 5 October 2011.
99. U.S. Naval Research Laboratory, http://www.nrl.navy.mil/, Accessed on 5 October 2011.
100. Electronic Frontier Foundation - Defending your rights in the digital world, https://www.eff.org/, Accessed on 5 October 2011.
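The layered encryption described in section 2.6.4, as an added example that is not part of the original article or of the Tor Project's code. It wraps a message in one layer per relay so that each relay, on removing its own layer, learns only the next hop and nothing about the layers beneath. The cipher is a toy keystream (HMAC-SHA256 in counter mode) and the per-relay keys are random values handed to the relays directly; real Tor uses AES in counter mode with keys negotiated with each relay and fixed-size cells, none of which is modelled here. The relay names guard, middle and exit, the client label and destination.example are all constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (nonce || counter). Tor's real cells use
    AES in counter mode with negotiated keys; this is only an illustration."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one encryption layer: fresh nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(8)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body


def unseal(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; XOR with the same keystream is its own inverse."""
    nonce, body = blob[:8], blob[8:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class Relay:
    """A volunteer-run server holding the one key it shares with the client."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key = name, key
        self.seen: list[tuple[str, str]] = []   # (previous hop, next hop) pairs observed

    def peel(self, blob: bytes, came_from: str):
        """Strip this relay's layer; the relay learns only where the cell goes next."""
        try:
            layer = json.loads(unseal(self.key, blob).decode())
            nxt, payload = layer["next"], bytes.fromhex(layer["payload"])
        except (ValueError, KeyError, TypeError):
            return None   # wrong key or corrupted cell: the relay learns nothing
        self.seen.append((came_from, nxt))
        return nxt, payload


def make_circuit(names=("guard", "middle", "exit")) -> list[Relay]:
    """Constructed three-hop circuit; random keys stand in for negotiated ones."""
    return [Relay(n, os.urandom(32)) for n in names]


def build_onion(circuit: list[Relay], message: str, destination: str) -> bytes:
    """Client side: wrap the message innermost-first, one layer per relay.
    Each layer names only the hop after the relay that can open it."""
    next_hops = [r.name for r in circuit[1:]] + [destination]
    blob = message.encode()
    for relay, nxt in zip(reversed(circuit), reversed(next_hops)):
        layer = json.dumps({"next": nxt, "payload": blob.hex()}).encode()
        blob = seal(relay.key, layer)
    return blob


def route(circuit: list[Relay], onion: bytes, client: str = "client"):
    """Pass the cell hop by hop; returns (destination, message) or None on failure."""
    by_name = {r.name: r for r in circuit}
    prev, hop, blob = client, circuit[0].name, onion
    while hop in by_name:
        result = by_name[hop].peel(blob, prev)
        if result is None:
            return None
        prev, (hop, blob) = hop, result
    return hop, blob.decode()


if __name__ == "__main__":
    circuit = make_circuit()
    onion = build_onion(circuit, "hello from the client", "destination.example")
    print("delivered:", route(circuit, onion))
    for r in circuit:
        print(f"{r.name} saw: {r.seen}")
```

After a run, the guard's `seen` list holds only (client, middle) and the exit's only (middle, destination.example): no single relay sees both ends, which is the property the article describes. The exit does see the plaintext, which is why the article adds "when combined with secure communication"; and a relay given the wrong key (or a tampered cell) gets nothing usable, because the layer beneath does not parse.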