Thursday, October 27, 2011

Week 9 Post: German hacking group releases new web attack tool

The German hacking group known as “Hackers Choice” has released a program that it says will allow a Web server to be taken down by a single computer using a secure connection.

The program, named THC-SSL-DOS (The Hackers Choice Secure Sockets Layer Denial of Service tool), was released to the public on Monday. The tool exploits a weakness in the Secure Sockets Layer (SSL) renegotiation protocol by barraging a system with requests for secure connections until it is overwhelmed. SSL renegotiation makes it possible for Web sites to create new security keys over an SSL connection that has already been established.

Hackers Choice says it released the exploit to draw attention to flaws in SSL, the protocol that is supposed to let sensitive traffic flow between Web sites and an individual user’s computer without being captured.

According to a blog posting by an anonymous member of the group: “We are hoping that the fishy security in SSL does not go unnoticed.” The member continued: “The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”

The group has also stated that the exploit also works on servers that do not have SSL renegotiation enabled, but that this requires some configuration and more attacking computers. The group states that the exploit would allow a single IBM laptop to take down an average Web server over a standard DSL connection.

Establishing an SSL connection is about 15 times more taxing on the server’s processing power than on the client’s. The program exploits this lopsided property to overload the server and knock it off the Internet. The problem affects all SSL implementations in use today; vendors have been aware of it since 2003, and the topic has been discussed widely.

Both UNIX and Windows versions of the program are freely available to the public via the following site: http://thehackernews.com/2011/10/hackers-choice-releases-ssl-ddos-tool.html. The thehackernews.com article also gives the following information:

Tips & Tricks for whitehats

1. The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
3. Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, ... or the secure database port).

Countermeasures:
No real solution exists. The following steps can mitigate (but not solve) the problem:
1. Disable SSL-Renegotiation
2. Invest in an SSL Accelerator
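The flood described above shows up on the server as one client opening or renegotiating SSL sessions far faster than a browser ever would, which is something a defender can watch for even where renegotiation cannot be turned off. The detector below is an added example (not THC's code or anything from the articles cited); it assumes a constructed log format of `<epoch seconds> <client_ip> HANDSHAKE|RENEG` and assumed per-client thresholds, and flags clients that exceed them within a sliding window.

```python
"""Flag clients that open or renegotiate SSL/TLS sessions far faster than a
legitimate browser would.  Added example, not code from THC or the blog;
the log format and the thresholds are constructed assumptions."""
from collections import defaultdict, deque
import re

# Constructed log format (assumption): "<epoch_seconds> <client_ip> <event>"
# where event is HANDSHAKE (new session) or RENEG (renegotiation on an
# existing session).  Real servers log these differently; adapt the regex.
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+(HANDSHAKE|RENEG)$")

# Per-client thresholds over a sliding window.  The page's figure of roughly
# 300 handshakes/second is the whole server's budget; a single client taking
# a meaningful fraction of it is suspicious.  Thresholds are assumed values.
WINDOW_SECONDS = 10.0
MAX_HANDSHAKES = 50      # per client per window
MAX_RENEGS = 5           # per client per window


def detect_abusive_clients(lines, window=WINDOW_SECONDS,
                           max_handshakes=MAX_HANDSHAKES,
                           max_renegs=MAX_RENEGS):
    """Return {client_ip: reason} for clients exceeding either threshold."""
    events = defaultdict(lambda: {"HANDSHAKE": deque(), "RENEG": deque()})
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore unrelated or malformed lines
        ts, ip, kind = float(m.group(1)), m.group(2), m.group(3)
        q = events[ip][kind]
        q.append(ts)
        # drop events that have fallen outside the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        limit = max_handshakes if kind == "HANDSHAKE" else max_renegs
        if len(q) > limit and ip not in flagged:
            flagged[ip] = f"{len(q)} {kind} events in {window:g}s"
    return flagged


# Constructed sample: one normal client, one client hammering renegotiation.
SAMPLE_LOG = (
    ["%d 203.0.113.10 HANDSHAKE" % (1000 + i * 3) for i in range(4)]
    + ["1000 198.51.100.7 HANDSHAKE"]
    + ["%d 198.51.100.7 RENEG" % (1000 + i) for i in range(8)]
)

if __name__ == "__main__":
    for ip, reason in detect_abusive_clients(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```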

I find it curious when groups like Hackers Choice release such powerful tools to the general public. I understand the argument that it forces vendors to seriously address the issues, but on the flipside of the coin, until a fix is provided we could see issues across the Internet because anyone with a computer now has the power to attack and potentially temporarily cripple Web sites. I think a better approach would be to announce that they have found an exploit and work with the vendors to correct the holes that they have found rather than arm the masses with a tool like this.

References:

New attack tool targets web servers using secure connections. Retrieved 26 October, 2011 from Web site: http://news.cnet.com/8301-1009_3-20125058-83/new-attack-tool-targets-web-servers-using-secure-connections/?tag=txt;title

Hackers Choice releases SSL-DDOS-Tool. Retrieved 26 October, 2011 from Web site: http://thehackernews.com/2011/10/hackers-choice-releases-ssl-ddos-tool.html

Saturday, October 22, 2011

Week 8 Post: Cyberwarfare, the future of war

According to The New York Times, White House officials said they had considered attacks on Libya’s government computer network to block the country’s early-warning data gathering and missile launches against NATO war planes during the American-led strikes last spring, but decided against it.
Though the cyber attacks would have lowered the risks to pilots, the plan was ultimately called off because officials feared opening that door and the precedent a cyber offensive would set. There was also concern that there would not be enough time to find all of the holes in Libya’s networks and exploit them before the strikes, and there were questions about whether Congress would need to be notified prior to the attacks.
Weeks later, military strategists discussed smaller attacks to keep Pakistani radar from noticing the helicopters that carried the SEAL commandos who would go on to kill Osama bin Laden in May. Instead, the operation used Black Hawk helicopters and a surveillance drone equipped with radar-evading technology.
One could speculate that there may be another reason, given that the Pentagon is inching toward declaring cyber attacks launched by foreign nations an act of war that merits a military response.
There is also speculation that the U.S. may have played a role in creating or spreading Stuxnet, which, according to researchers who analyzed the code, appeared to be designed to sabotage Iran’s nuclear program.
It’s easy to see articles like this in many different lights. One prone to conspiracies could assume that the statements given by Obama’s administration are flat-out lies, that our government is in fact engaging in cyber warfare and, just like every other country on the planet, flatly denies it. But this only makes sense: if our government (or ANY government, for that matter) were to disclose that it was in fact involved in offensive cyber attacks, it would open Pandora’s Box. With all the reports of China performing offensive cyber attacks and data collection while playing ignorant in the news, is it any wonder that the US would do the same? People who can get past the conspiracies may see the logic in the government not using Libya or Pakistan as a test bed for cyber attacks. I mean, let’s be honest, are these countries deploying countermeasures adequate enough to repel our airborne and cloaking technologies? I highly doubt it, and in this age of WikiLeaks, would America really want to risk being under the spotlight on the world stage for matter-of-factly employing cyber offensives? I think not.
That being said, it is almost certain that cyber warfare will be part of the future of war. Strictly from an IT security standpoint, it will be interesting to see how this new arm of warfare shapes the future face of war.

References:

Mills, E. (2011). U.S. rejected cyberattack on Libya, report says. Retrieved 20 October, 2011 from CNET Web site: http://news.cnet.com/8301-1009_3-20121681-83/u.s-rejected-cyberattack-on-libya-report-says/

Friday, October 14, 2011

Week 7 Post: German officials accused of hacking… by hackers.

A group of German hackers known as the ‘Chaos Computer Club’ (CCC) alleges that it has uncovered a Trojan program designed for spying on Skype communications. The allegations are leveled at German law enforcement officials, who the group says used the Trojan for surveillance.
After reverse-engineering and analyzing the ‘lawful interception’ malware used by German police forces, the group found that the Trojan has flaws that put the infected computer at risk of serious attacks by others.
The CCC wrote in a post on their Web site: "The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the Internet."
The group uncovered the Trojan while doing consulting work for German lawyer Patrick Schladt, who is defending a client facing charges of illegally exporting pharmaceuticals. Schladt had given his client’s laptop to the CCC for forensic examination. Using forensic software, the CCC restored the Trojan files, which had earlier been deleted to cover the program’s tracks.
Mr. Schladt alleges the Trojan was installed on his client’s laptop by customs officials at the request of Bavarian state police when the client was returning to Germany from a trip in 2009. After his client was charged, prosecutors submitted as evidence screenshots taken of the client’s Web browser. It was then that Schladt contacted the CCC.

Snooping on suspected criminals is within the legal guidelines for German authorities, but they need court permission to do so, and any spyware used by authorities to monitor Voice over IP (VoIP) calls may neither alter code on a suspect’s computer nor have additional functionality added to it.
Mr. Schladt argues that the screenshots presented demonstrate that the software used to spy on his client’s laptop went “way too far for German logging” laws.  He brought his argument to a higher court and the judge agreed.  Mr. Schladt said: "The most important thing is that every screenshot that was made and every file out of that Trojan will not be in the case."

The malware in question, known as the “State Trojan” or “R2D2”, can monitor not only Skype but also MSN Messenger and Yahoo Messenger communications. Additionally, it can capture keystrokes in Internet Explorer, Firefox and other browsers, and it can take screenshots.

The malware violates German law because it can receive program uploads from the Internet and execute them remotely. According to the CCC: “This means, an 'upgrade path' from lawful spyware to the full State Trojan's functionality is built-in right from the start. Activation of the computer's hardware like microphone or camera can be used for room surveillance, the government malware can, unchecked by a judge, load extensions by remote control, to use the Trojan for other functions, including but not limited to eavesdropping."

The State Trojan could theoretically be used to plant evidence on the infected machine.  It could also delete files, hence completely obstructing justice.  It also has serious security holes that would open the infected computer up to attacks made by others aside from the law enforcement agency that is controlling the software.

"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the Trojan are even completely unencrypted," the CCC post says. "Neither the commands to the Trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel."
The CCC says that it has contacted the German Ministry of the Interior about what it has uncovered, and that the Ministry has had enough time to activate the trojan’s existing self-destruct function.
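The CCC's core finding above is that neither the commands sent to the trojan nor its replies are authenticated or integrity-protected, so any third party who can reach the channel can issue commands or upload fake data. The following is an added example, not code from the CCC analysis or from the trojan itself, with a constructed message format: a parser that accepts any well-formed command sits beside one that verifies an HMAC over the message first. Authentication alone does not give confidentiality; the encryption weakness the CCC also describes is a separate fix.

```python
"""Unauthenticated versus HMAC-authenticated control messages.  Added
example; the wire format, command names and key are constructed."""
import hashlib
import hmac

# Constructed wire format: "<command>|<argument>" in the weak design,
# "<hex hmac>|<command>|<argument>" in the authenticated design.
ALLOWED = {"SCREENSHOT", "LIST_FILES"}


def parse_unauthenticated(msg: bytes):
    """Weak design (as the page describes): any well-formed command is
    acted on, so a forged message is indistinguishable from a real one."""
    cmd, _, arg = msg.decode().partition("|")
    if cmd not in ALLOWED:
        raise ValueError("unknown command")
    return cmd, arg


def seal(key: bytes, cmd: str, arg: str) -> bytes:
    """Controller side of the hardened design: tag the body with an HMAC."""
    body = f"{cmd}|{arg}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return tag.encode() + b"|" + body


def parse_authenticated(key: bytes, msg: bytes):
    """Hardened design: verify the HMAC over the body before acting on it.
    Raises PermissionError on a missing, forged or tampered tag."""
    tag, _, body = msg.partition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise PermissionError("bad or missing authentication tag")
    cmd, _, arg = body.decode().partition("|")
    if cmd not in ALLOWED:
        raise ValueError("unknown command")
    return cmd, arg


def forged_command_outcome(key: bytes):
    """Feed the same unsigned message to both parsers: the weak one returns
    the parsed command, the hardened one rejects it."""
    forged = b"SCREENSHOT|full"           # constructed third-party message
    weak = parse_unauthenticated(forged)
    try:
        parse_authenticated(key, forged)
        strong = "accepted"
    except PermissionError:
        strong = "rejected"
    return weak, strong


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print(forged_command_outcome(key))
    print(parse_authenticated(key, seal(key, "LIST_FILES", "/tmp")))
```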

At a news conference on the 10th of October, German federal government spokesman Steffen Seibert said that officials are looking into the matter: “We are taking the allegations very seriously; we will need to check all systems thoroughly.”

WikiLeaks had released a confidential memo in 2008 that showed communications between German state law enforcement and the German software company DigiTask, which makes software capable of monitoring Skype communication.

Seibert said that the software in question was 3 years old and had not been used by federal officials.
DigiTask lawyer Winfried Seibert said that the company had developed programs for authorities in Germany.
Regarding the use of the trojan, if it’s within German laws to spy on people’s computers in this fashion, then there’s nothing wrong with them using such methods.  The problem lies in the idea that they are creating security holes in the victim’s machines.    

References:
Mills, E. (2011).  Hackers say German officials used backdoor.  Retrieved 12 October, 2011 from Cnet Web site: http://news.cnet.com/8301-1009_3-20118194-83/hackers-say-german-officials-used-backdoor/

Friday, October 7, 2011

Week 6 Post: Homeless Hacker Accused of Hacking County Computers

Christopher Doyon, 47, a homeless man in Santa Cruz, is facing federal charges for allegedly hacking County computers last December. He was released from custody last week. Mr. Doyon was in Santa Cruz on Saturday to profess his innocence and voice his concerns about what he believes to be oppression of the homeless.

Doyon was indicted last month by a federal grand jury in what seems to be part of a nationwide crackdown on the hacking community. The indictment alleges that Doyon is a computer hacker known by the alias Commander X, who is a member of a Massachusetts-based group known as the People’s Liberation Front (PLF). The PLF describes itself as an organization of cyber-warriors who work on behalf of the downtrodden. The indictment also claims that he is a member of Anonymous, the international outfit that has been responsible for hacking attacks worldwide.

Doyon professed the following last Saturday outside of the Santa Cruz County Courthouse: “I am Commander X, Yes, I am immensely proud and humbled to my core to be a part of the movement known as Anonymous.”  He also stated that he’s a founding member of the PLF.  

Doyon was arrested by federal agents on 22 September on a street corner in Mountain View.  
He continued by saying: “Both my co-defendant, Josh Covelli, and I are categorically innocent of the charges against us and our legal team will provide irrefutable evidence of this.”

The federal document claims that Doyon and Covelli (who is from Fairborn, Ohio) executed “Operation Peace Camp 2010” on behalf of the PLF. The operation included carrying out a Distributed Denial of Service (DDoS) attack on county computers, making them temporarily inaccessible. The document also claims that the actions were a response to the events of “Peace Camp 2010” in August of that year, when more than 50 people slept outside the County Courthouse for 60 days in protest of the city’s laws against sleeping outside.

According to a post last month by “Peace Camp 2010” organizer Becky Johnson on the group’s blog: "The city of Santa Cruz does not regulate camping. It forbids it completely, and this is in a city with over 1,000 houseless people and shelter for less than 10 percent on our best days."
Johnson, along with other organizers of the protest, has said that they had nothing to do with the hacking and neither planned nor approved of it.
Doyon said that he chose to speak in front of the County Courthouse because it was the site of the 2010 protest, which he'd attended.  He is one of five people who were charged with illegal camping.  Others arrested were Gary Johnson and Ed Frey (a homeless activist and attorney). Both of those men were sentenced to six months in jail last June and they are currently attempting to appeal the decision.
Doyon went on to say: "The protest was about standing up to the rich and powerful few in Santa Cruz and to demonstrate a better way of building community, and it was those powerful few who, fearing the effect that peaceful protest might have on upcoming elections, ordered Peace Camp 2010 to be ended by force, arresting dozens."
Doyon, released from federal custody last Thursday, has been prohibited from accessing social networking sites such as Twitter and Facebook, as well as Internet Relay Chat. He said: “They’ve taken away my freedom of speech.” He strongly believes that U.S. citizens have a “moral imperative” to protest what he believes to be unjust actions by our governments and law enforcement, such as punishing citizens for sleeping outside.
According to Doyon: "All you need to be a world-class hacker is a computer and a cool pair of sunglasses and the computer is optional."
I applaud Doyon for speaking out and protesting for what he believes in, but feel that he went too far with the DDOS attacks.      

Reference:
http://www.santacruzsentinel.com/localnews/ci_19020319

Saturday, October 1, 2011

Week 5 Post: Hacking Wall Street

The latest cyber attack on Wall Street targets the chief executive of J.P. Morgan Chase, James "Jamie" Dimon. It's interesting to see the growing trend of physical and cyber events blending. This latest attack works in unison with the real world 'Occupy Wall Street' protests that recently took place.

The attack against Jamie Dimon included the release of a document on Pastebin.com. The document contained private information about the CEO, including details on his addresses, family members, political contributions, business connections and legal matters. The document was released by "CabinCr3w."

The hackers have also posted personal data about Goldman Sachs CEO Lloyd Blankfein.

In related attacks, the hackers also released information on New York Police Deputy Inspector Anthony Bologna in retaliation for videos that show Bologna pepper-spraying peaceful demonstrators in the face last weekend. Bologna is also accused of additional unprovoked pepper-spray attacks on other peaceful demonstrators during the protests, and is currently under investigation for his actions.

The Wall Street protests began about two weeks ago and have attracted participants numbering in the thousands. The movement has found support from public figures such as Noam Chomsky, Michael Moore and Susan Sarandon, as well as organized labor groups and students. The demonstrators are protesting a U.S. financial system that they feel favors the rich at the expense of everyone else.

Anonymous and Adbusters activists are the main groups behind the protests.

I’m personally torn on these events. I respect the rights of those who have calmly gathered to peacefully protest what they see as being wrong with America. In the videos I have seen, the police officer pepper-spraying protesters seems to be abusing his power; he’s not fending off a rioting mob but assaulting peacefully gathered protesters. There may have been some provocation by the crowd that was not caught on film (or was edited out to mask the facts), but the evidence doesn’t seem to show a need for pepper-spraying. The cyber attacks, on the other hand, I absolutely disagree with. Leaking personal information such as addresses and family members could lead to serious harm to those involved.

Reference:

Mills, E. (2011). Hackers post data on JP Morgan Chase CEO. Retrieved 30 September, 2011 from CNET Web site: http://news.cnet.com/8301-1009_3-20113943-83/hackers-post-data-on-jp-morgan-chase-ceo/?tag=mncol;title