Posts tagged “Hacktivism”

Iran DDOS 2



I just read a great post by Jose Nazario suggesting that there hasn’t been much evidence of the use of botnets. But the most interesting point he makes is where he points out that the site under attack could take offensive action against the people participating in these “refresh” style attacks:

The attackers who participate by loading these pages and going off to dinner, sleep, or on with their days open themselves up to attacks back through drive-by attacks. Imagine a simple scenario: the victims modify their sites to include some code like LuckySploit that commits a simple set of attacks. The attacker’s machine reloads the page (this is, after all, part of the attack). Hit a browser or accessory bug and bam, the attacker has been attacked. Now you’ve got a foothold on the attacker’s machine and, if you’re a sophisticated cyberwar player, you can use this to further understand your adversary. This is a dangerous strategy. If you’re going to employ this kind of attack you need to remember you may be putting your “army” at risk.

That’s interesting because it has happened before. A similar type of campaign back in 1998 by EDT was focused on the Pentagon and the site under attack retaliated:

In September 1998, the Electronic Disturbance Theater, a group of activists that practices politically driven cyber civil-disobedience, launched an attack aimed at disabling a Pentagon Web site by flooding it with requests. The Pentagon responded by redirecting the requests to a Java applet programmed to issue a counteroffensive. The applet flooded the browsers used to launch the attack with graphics and messages, causing them to crash.

(Also, the defacers are getting into it: A gov.ir site was defaced too (http://www.marivan.gov.ir/Election.htm))

Iran DDOS



There have been a variety of good reports (zdnet, sans, fp) on the DDOS campaigns targeting Iranian sites after the election. However, one of the things I’ve noticed is the tendency to characterize this as something relatively new. But this has been happening for at least a decade! See: http://www.fraw.org.uk/download/ehippies/archive/op-01.html, http://www.fraw.org.uk/download/ehippies/archive/op-01a.html, http://www.thing.net/~rdom/ecd/archives.html

I think that one of the issues that’s being overlooked is the mobilization and participation component. To just DDOS a site it’s easier to use/buy/rent/etc… a botnet. That involves few people, it is easy, and it is effective. To get a bunch of people to basically refresh a site (even if they are using some rudimentary automated tools) requires participation. I have doubts about whether the downtime of the targeted sites is due to this type of attack. I suspect that there are likely other attacks involved that do the heavy lifting.

“But to think that it takes a lot of people to execute an act of civil disobedience on the Internet is naive. Programs make a difference, not people.” — Oxblood Ruffin, cDc

Anyway, I’m finding that these sites are unavailable:

16/06/09 12:18 http://ahmadinejad.ir/ 217.218.155.110 503
16/06/09 12:18 http://www.justice.ir/ 62.193.12.10 503
16/06/09 12:18 http://www.iranjudiciary.org/ 62.18.21.156 (51, ‘Network is unreachable’)
16/06/09 12:18 http://rajanews.com/ 10.7.222.162 (51, ‘Network is unreachable’)
16/06/09 12:18 http://www.farsnews.com/ 77.104.73.15 (61, ‘Connection refused’)
16/06/09 12:18 http://www.leader.ir/ 62.220.121.130 (61, ‘Connection refused’)
16/06/09 12:18 http://www.president.ir/ 80.191.69.11 timed out
16/06/09 12:18 http://www1.farsnews.com 77.104.73.16 timed out
16/06/09 12:18 http://www.irna.ir/ 81.12.51.146 timed out
16/06/09 12:18 http://www.police.ir/ 81.28.32.52 timed out
16/06/09 12:18 http://www.mfa.gov.ir/ 217.172.99.41 timed out
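The list above is the raw output of an availability check: a timestamp, the URL, the resolved address, and either an HTTP status code, a socket error tuple, or “timed out”. The following script is an added example (not part of the original post) that parses that format and sorts each line into a reachability category, which is how I would triage such output before deciding whether a site is overloaded (503), blackholed upstream (network unreachable), firewalled or down (connection refused), or saturated (timeout). The sample lines it embeds are constructed with documentation addresses, not the ones in the post.

```python
"""Parse availability-check output of the form: date time url ip result.

Added example, not part of the original post. The sample lines are constructed;
the result column mirrors the three shapes seen in the post: an HTTP status code,
a socket error tuple such as (51, 'Network is unreachable'), or 'timed out'.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}) (?P<url>\S+) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<result>.+)$"
)
# Accept both straight quotes and the curly quotes that blog software substitutes.
ERRNO_RE = re.compile(r"^\((?P<errno>\d+), ['\u2018](?P<msg>[^'\u2019]+)['\u2019]\)$")


def classify(result):
    """Map the free-text result column to a coarse reachability category.

    http_error  - the server answered, but with 4xx/5xx (e.g. 503: up but overloaded)
    http_ok     - the server answered normally
    unreachable - no route to the host (often an upstream null-route or outage)
    refused     - host reachable, but nothing listening (service down or firewalled)
    timeout     - packets go unanswered (saturated link or silently dropped)
    """
    if result.isdigit():
        return "http_error" if int(result) >= 400 else "http_ok"
    m = ERRNO_RE.match(result)
    if m:
        msg = m.group("msg").lower()
        if "unreachable" in msg:
            return "unreachable"
        if "refused" in msg:
            return "refused"
        return "socket_error"
    if "timed out" in result:
        return "timeout"
    return "unknown"


def parse_line(line):
    """Return a dict for one output line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = classify(rec["result"])
    return rec


def summarize(lines):
    """Parse all lines; return (records, Counter of categories)."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    return records, Counter(r["category"] for r in records)


# Constructed sample output (192.0.2.0/24 is a documentation range).
SAMPLE_OUTPUT = """\
16/06/09 12:18 http://example-a.test/ 192.0.2.10 503
16/06/09 12:18 http://example-b.test/ 192.0.2.11 (51, 'Network is unreachable')
16/06/09 12:18 http://example-c.test/ 192.0.2.12 (61, 'Connection refused')
16/06/09 12:18 http://example-d.test/ 192.0.2.13 timed out
16/06/09 12:19 http://example-e.test/ 192.0.2.14 200
"""

if __name__ == "__main__":
    records, counts = summarize(SAMPLE_OUTPUT.splitlines())
    for r in records:
        print(f"{r['url']:<28} {r['category']:<12} {r['result']}")
    print(dict(counts))
```

The distinction matters for the "is this a refresh flood?" question raised in the post: a 503 means the web server is alive and shedding load, which is consistent with application-layer request floods, whereas "network unreachable" for a whole prefix points at something happening upstream of the site.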

The defacers seem to be out too:

http://zone-h.org/mirror/id/9003285

Defacement Flare-Up & Truce



On November 17, 2008 the web site of the Oil and Gas Regulatory Authority of Pakistan (OGRA), www.ogra.org.pk, was defaced by an Indian defacement group called Hindu Militant Group (HMG). By November 24, 2008 a Pakistani defacement group called Pakistan Cyber Army (PCA) formed and responded to the defacement by defacing the web site of India’s Oil and Natural Gas Corporation Ltd. (ONGC), www.ongcindia.com.

One thing that grabbed my attention was an email reportedly sent by the PCA that refers to the specificity and intentionality of the attack unlike standard defacement “wars” that prey on websites vulnerable to publicly known exploits:

“HMG hacked our oil and gas website.. that was a random act… Our attack was planned, and dedicated to their OIL AND GAS website which makes sense plus it shows we Pakistanis can do it.”

Rather than deface some random .pk site (although they did deface several other sites too) they retaliated by defacing the .in equivalent of the site the HMG defaced. To me this indicates skill above the scriptkiddie level.

Moreover, they claim:

“These defacements were not dedicated for the fame of our group name PCA. Pakistan Cyber Army this group name was created right 5 minutes before we defaced these websites. This means we don’t have any intention to spread our names nor we need to show our skill levels.”

They are self-proclaimed “whitehats” whose motivation appears to be revenge and nationalism. For me, it is a case that stands out from the typical defacement-wars that periodically erupt. However, I’ve now found that www.ongcindia.com was defaced by WFD in 2002. It looks like the site has a history of poor security. It could be less a case of the skillfulness of the attackers than one of timing.

One of the things I’ve noticed in the coverage of these defacements is that the defacements by two separate Pakistani groups, the PCA and ZombiE_KsA, are being merged together. In addition, some of the defaced sites were re-defacements and others were re-defaced by Indian hackers with messages to the administrators of those sites indicating a history of indifference to basic security practices.

For example, www.ctram.indianrail.gov.in was defaced in March (2008/03/26) and it appears that the most recent defacement exploited the same vulnerability (the scrolling text in “external.asp”). aponline.gov.in was another re-defacement; this site was also defaced on 2006/03/21.

The sites that were re-defaced by HMG contained text asking the administrators of those sites to patch the vulnerabilities:

My dear Site owner pls fix ur flaws…ur site was hacked by pakistani hackers, now ur site is in our Indian Hackers control…pls fix ur voluns immediately contact us andhrahackers@gmail.com

Here is a list of the sites:

http://www.ongcindia.com/ – PCA
http://www.jslinc.com/ – PCA
http://www.syscontech.in/ – PCA, Re-Defaced
http://www.kvrtm.org.in/ – PCA, Re-Defaced
http://www.iirs.gov.in/ – PCA, Re-Defaced
http://www.ctram.indianrail.gov.in/ – PCA

http://www.aponline.gov.in/ – ZombiE_KsA
http://www.cidap.gov.in/ – ZombiE_KsA
http://www.bankofbaroda.com/ – ZombiE_KsA
http://zeetvusa.com/ – ZombiE_KsA
http://www.andhrahackers.com/ – ZombiE_KsA
http://gad.ap.gov.in/ – ZombiE_KsA

I framed these defacements as a “flare-up” because there have been ongoing defacements. For example, ZombiE_KsA defaced the Indian sites loyola.edu.in on 2008/10/02 and zeetvusa.com on 2008/10/14. Some of these attacks preceded HMG’s November 17, 2008 defacement of www.ogra.org.pk and contained inflammatory language such as “India Sucks buhuahahahahaha” and insults directed toward Gandhi.

From zone-h:

2008/11/28 ZombiE_KsA zeesports.us
2008/11/25 ZombiE_KsA aponline.gov.in
2008/11/25 ZombiE_KsA cidap.gov.in
2008/11/24 ZombiE_KsA gad.ap.gov.in
2008/11/21 ZombiE_KsA bankofbaroda.com
2008/11/07 ZombiE_KsA lawyersclubindia.com
2008/10/14 ZombiE_KsA zeetvusa.com

zone-h has 203 archived defacements of gov.pk sites and 319 archived defacements of gov.in sites. Many appear to be unrelated to politics or an India-Pakistan rivalry but they do indicate that it is not uncommon for government sites to be defaced — even by scriptkiddies.

In the end, cooler heads prevailed and the groups involved in the latest flare-up negotiated a truce:

PCA (Pakistan Cyber Army) and Zombie_ksa (pakbugs crew) comes into friendly terms with ICW (Indian Cyber Warriors, HMG). After a meeting, all of the three groups agreed not to deface each other’s websites. It all happened when people from these groups realized that there is no use of such defacement and they should be instead involved in constructive work.

In the past Indian and Pakistani groups also negotiated a truce:

Previously, both countries remained in a state of cyber war from 1997 to 2002. From Pakistan’s side the war was fought by Dr. Nuker, the founder of PHC “Pakistan Hackers Club” and MFRD, founder of G-force. These two groups were responsible for defacing hundreds of Indian websites, and broke all previous records of cyber war history. Both of the Pakistani Groups then settled issues with NEO, an Indian hacker, to conclude that 5-year-running cyber war.

While an interesting case from the perspective of flare-ups in defacement “wars”, it also once again highlights the inattention to security on the web servers of high profile sites. And it shows that with the right timing groups can exert greater influence than their resources and capabilities would normally allow. While the defacements appear to be completely unrelated to the recent terrorist attacks in Mumbai, the timing is certainly intriguing.

Canada imposters crash APEC



An Australian comedy group impersonated the Canadian delegation to APEC and managed to drive their motorcade into a restricted area before they were arrested:

Eleven of the pretend Canadians — all cast or crew from the satirical Australian television show The Chaser’s War on Everything, including one comic in an Osama bin Laden get-up — were eventually stopped and arrested under special security laws adopted in advance of the week-long Asia-Pacific summit.

Agents Provocateurs



Faced with video uploaded to YouTube the Sûreté du Québec have been forced to admit that they infiltrated the protest at the summit in Montebello. Armed with rocks the fake protesters pushed their way to the police line and were confronted and uncovered by peaceful protesters. The SPP have now promised, after initial resistance, to conduct a review of its practices.

X Marks the Spot



After the French Government tried to get GreenPeace to remove a GoogleMap from their site that showed the location of secret genetically modified maize, GP marked the spot with a crop circle.

The map has apparently been removed from the GreenPeace France website.

Detecting & Evading Filtering



At the Internet & Democracy 2005 conference in London we had a session on “Detecting and Evading Filtering”. The goal was to explain some techniques used to better determine filtering and give an overview of the ONI methodology.

In the second half of the presentation we focused on censorship circumvention. I like to talk about circumvention from two perspectives: push & pull. The “push” strategy is from the perspective of content producers, and I hoped to use the discussion to start developing a sort of “best practices” document for content producers who expect their content to be blocked.

The final part of the presentation focused on pull strategies, basically proxies/anonymizers etc… — technology that enables users to select filtered content to view. Most of the strategies from this perspective are detailed in “Choosing Circumvention”. We also demo’d psiphon :)

The slides from the presentation are available here:
http://www.nartv.org/ppt/uk-prz.ppt.

Fifth HOPE Audio Files Available



The audio files from 2600’s Fifth Hope are now available. I spoke on the Cult of the Dead Cow’s Hacktivism Panel. The audio files in mp3 format are available:

Part 1: cdc-hacktivism-1.mp3
Part 2: cdc-hacktivism-2.mp3

An earlier blog entry with my ppt slides is available here.

Lycos, Spammers & Electronic Civil Disobedience



Lycos has just launched a new screensaver that attempts to disrupt, but not disable, websites used by spammers to sell products. The goal is to slow down access to these sites by implementing a bandwidth attack – a client-side denial of service attack (DoS). Client-side DoS attacks differ from server-side DoS attacks because in order to be successful client-side DoS attacks require the participation of many thousands of individuals whereas server-side attacks usually involve a few individuals who break into computers and use them as zombies in order to conduct DoS attacks. Basically, each user that installs the screensaver receives a list from a central database of spam sites then issues a connection to each of the spam sites. If a large number of users begin making requests to the selected sites, the servers will become overloaded. Lycos argues that since these spam sites have to pay for their bandwidth “more requests means higher bills” for the spammers. Lycos has implemented a “health check” to ensure that no server is completely shutdown.

This is precisely the same technique used in past Electronic Civil Disobedience (ECD) campaigns. Though not as slick as the Flash GUI that Lycos has, the tools used in ECD campaigns (Disturbance Developer Kit, e-hippie virtual sit-in tools) operate much the same way. Client-side DoS has been criticized by Oxblood Ruffin (of cDc/Hacktivismo) who describes it as “being pecked to death by a duck”.
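The distinguishing feature of the client-side DoS described above, and of the “refresh” style campaigns against the Iranian sites, is its shape in the web server’s logs: a high aggregate request rate to one page spread over many client addresses, each sending only a handful of requests, rather than one or a few addresses hammering the server. The following is an added example (my code, not Lycos’s, the EDT’s or the e-hippies’) of how a site operator could detect that shape from standard Common Log Format access logs; the log lines it uses are constructed, with documentation addresses, and the thresholds are assumptions to be tuned against a site’s normal traffic.

```python
"""Detect a crowd-sourced 'refresh' flood in web access logs.

Added example, not from the post. Parses Common Log Format lines, buckets them
into fixed time windows per request path, and flags windows where one path
receives an unusually high aggregate rate spread across many client addresses,
each at a modest rate: the signature of a participatory DoS as opposed to a
single-source flood (which per-client rate limiting already handles).
"""
import re
from collections import defaultdict
from datetime import datetime

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Return {ip, ts, path, status} for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def detect_refresh_flood(lines, window_s=60, min_requests=50,
                         min_clients=20, max_per_client=10):
    """Return one alert dict per (window, path) whose traffic looks crowd-sourced.

    Thresholds are assumptions for illustration: at least min_requests to one path
    in a window, from at least min_clients distinct addresses, with no single
    address exceeding max_per_client (so a lone aggressive client is not flagged here).
    """
    buckets = defaultdict(lambda: defaultdict(int))  # (window, path) -> ip -> count
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        window = int(rec["ts"].timestamp()) // window_s * window_s
        buckets[(window, rec["path"])][rec["ip"]] += 1

    alerts = []
    for (window, path), per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        clients = len(per_ip)
        peak = max(per_ip.values())
        if total >= min_requests and clients >= min_clients and peak <= max_per_client:
            alerts.append({"window": window, "path": path, "requests": total,
                           "clients": clients, "peak_per_client": peak})
    return alerts


def build_sample_log():
    """Constructed sample: 30 addresses each reloading '/' three times in one minute,
    plus a little ordinary background traffic."""
    lines = []
    for i in range(30):
        for k in range(3):
            lines.append(f'192.0.2.{i + 1} - - [16/Jun/2009:12:18:{k * 15:02d} +0000] '
                         f'"GET / HTTP/1.1" 200 512')
    lines.append('198.51.100.5 - - [16/Jun/2009:12:18:05 +0000] "GET /news HTTP/1.1" 200 2048')
    lines.append('198.51.100.6 - - [16/Jun/2009:12:19:30 +0000] "GET / HTTP/1.1" 200 512')
    return lines


def build_single_source_log():
    """Constructed control case: one address sending 90 requests in a minute."""
    return [f'203.0.113.9 - - [16/Jun/2009:12:18:{k % 60:02d} +0000] "GET / HTTP/1.1" 200 512'
            for k in range(90)]


if __name__ == "__main__":
    for alert in detect_refresh_flood(build_sample_log()):
        print(alert)
    print("single-source alerts:", detect_refresh_flood(build_single_source_log()))
```

The control case matters: a per-IP rate limiter would catch the single-source flood but never see the crowd-sourced one, which is why the alert looks at the client count for a path rather than any one client. The usual mitigation for the flagged pattern is to serve the hot path from a cache or static copy so that each reload costs the origin almost nothing, which also achieves what Lycos’s “health check” was meant to preserve from the other side.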

Political Viruses & Worms



Viruses and Worms that appear to be politically motivated are not new, but Stian recently informed me about (more here) a worm circulating in China that apparently links to or contains references to “A Survey of Chinese Peasants”.

A Survey of Chinese Peasants is an exposé on the inequality and injustice forced upon the Chinese peasantry, who number about 900 million. The book describes what the authors term a guaiquan, or vicious circle, where unjust taxes and the arbitrariness of authorities, sometimes resulting in extreme violence against the peasants, are the norm.

The worm modifies the hosts file so that some 937 domains point to 222.89.98.219. The server at that IP is no longer accessible.
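Rewriting the hosts file so that hundreds of domains resolve to one address is a simple, persistent form of redirection, and it leaves an easy artifact to check for. The script below is an added example (not from the post) of a hosts-file audit that an incident responder could run against a copy of a suspect machine’s hosts file: it parses the file’s syntax, reports any non-local address that has been given an unusually large number of hostnames, and reports watchlisted hostnames that have been pinned to a non-local address. The sample content is constructed and uses the documentation address 192.0.2.1 rather than the worm’s actual target; the “5 names per IP” threshold is an assumption.

```python
"""Audit a hosts file for mass-redirection entries.

Added example, not from the post. Handles hosts-file syntax (comments, blank
lines, one address followed by one or more hostnames per line) and flags:
  * non-local addresses that 'own' more than max_names_per_ip hostnames, and
  * watchlisted hostnames pinned to a non-local address.
"""
import ipaddress
from collections import defaultdict

# Loopback and the 0.0.0.0 sinkhole are normal in hosts files (ad blocking etc.).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/32")]


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; tolerates comments and multiple names per line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address with no names
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; skip rather than guess
        for name in parts[1:]:
            yield ip, name.lower()


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def audit_hosts(text, watchlist=(), max_names_per_ip=5):
    """Return {'pinned_watchlist': [(name, ip)], 'mass_redirects': [(ip, name_count)]}."""
    watch = {w.lower() for w in watchlist}
    by_ip = defaultdict(set)
    pinned = []
    for ip, name in parse_hosts(text):
        by_ip[ip].add(name)
        if name in watch and not is_local(ip):
            pinned.append((name, str(ip)))
    mass = [(str(ip), len(names)) for ip, names in by_ip.items()
            if not is_local(ip) and len(names) > max_names_per_ip]
    return {"pinned_watchlist": sorted(pinned), "mass_redirects": sorted(mass)}


# Constructed sample hosts file (192.0.2.1 is a documentation address).
SAMPLE_HOSTS = """\
# constructed sample: two normal entries, then seven names forced to one address
127.0.0.1 localhost
::1 localhost
192.0.2.1 www.example-news.test mail.example-news.test search.example.test  # injected
192.0.2.1 a.example.test b.example.test c.example.test d.example.test
"""

if __name__ == "__main__":
    findings = audit_hosts(SAMPLE_HOSTS, watchlist=["www.example-news.test"])
    for ip, count in findings["mass_redirects"]:
        print(f"{ip} is the target for {count} hostnames")
    for name, ip in findings["pinned_watchlist"]:
        print(f"watchlisted {name} pinned to {ip}")
```

On a real system the file is /etc/hosts on Unix-like hosts and %SystemRoot%\System32\drivers\etc\hosts on Windows; comparing its hash or line count against a known-good baseline is the cheaper check, with this audit used to explain what changed once a difference is seen.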

The Hacker Grow-Op



Wired covered the Hacktivism panel at 2600’s HOPE in New York City and spoke with Oxblood Ruffin of the cDc as well as Prof. Ron Deibert from the Citizen Lab. Apart from reaffirming that “Hacktivism isn’t found in the graffiti on defaced Web pages, in e-mail viruses bearing political screeds or in smug take-downs of government or organizational networks” but is “the development and use of technology to foster human rights and the open exchange of information”, the article talks about some of the work we do at the Citizen Lab, which Deibert described as a “hacker grow-op.” Deibert explained:

The combination of hacking in the traditional sense of the term — not accepting technologies at face value, opening them up, understanding how they work beneath the surface, and exploring the limits and constraints they impose on human communications — and social and political activism is a potent combination and precisely the recipe I advocate to students and use to guide my own research activities

Hacktivism and How It Got Here
Wired – July 14, 2004

Hacktivism @ HOPE



I was invited to represent the Citizen Lab at HOPE in New York City by the CULT OF THE DEAD COW (cDc). HOPE is a convention hosted by 2600. The cDc organized a panel on hacktivism that included Sharon Hom from HRIC, Jagdish Parikh from HRW and Eric Grimm from the law firm CyberBrief. The panel was hosted by Oxblood Ruffin and Count Zero from the cDc.

Sharon spoke powerfully about the Internet and human rights abuses in China and was followed by Eric who spoke about the HESSLA (local mirror) license he helped Hacktivismo create and how he worked with the United States Department of Commerce to get the distribution of 6/4 approved. Jagdish spoke about Internet censorship and repression going on worldwide. I spoke about the Citizen Lab as a hacktivist lab and outlined some of the projects that we are working on. My presentation can be downloaded here (ppt, pdf).