In an era of always-on connectivity, protesters can make a strong statement against an organisation by bringing down its information infrastructure. It is something that can make front-page news, and it becomes the equivalent of protesting from afar, with very little chance of being traced.
So, as a protest against St. Louis County Police’s involvement in the killing of unarmed teenager Michael Brown in Ferguson, Mo, there was a DDoS (Distributed Denial of Service) attack on the police Web site, which brought the site down for several days. Overall it made a strong statement, and one the authorities could do little about. Along with this, the group responsible, who declared links to Anonymous, stated that they had hacked into the St. Louis County Police network and gained access to dispatch tapes related to the day of the shooting, which they then uploaded to YouTube.
Why is DDoS so successful?
This year (2014) has seen more DDoS attacks than ever before, with a doubling of the high-end attacks over the year, and with over 100 attacks peaking at more than 100Gbps. The current highest attack was against a Spanish site, where NTP (Network Time Protocol) was used to bombard the Web infrastructure. In this attack the intruder sends requests for the current time from compromised hosts to an NTP server, but puts the target’s address in the request as the return (source) address, so the replies go to the target rather than to the host that asked. Overall the protocols used on the Internet were not designed with security in mind, so it is possible to use a source address different from the one that actually made the request, and because the NTP reply is larger than the request, the traffic is amplified on its way to the target. This specific attack peaked at 154.69Gbps, which is more than enough to bring any network down. The key aim is to exhaust networked resources, such as the interconnected devices, the bandwidth of the connections to the Internet, and the CPU of the servers.
The reason that DDoS is often successful is three-fold:
- Difficult to differentiate between good and bad traffic. Overall the Internet has been built on some extremely simple protocols, which were not designed with security in mind, so it is extremely difficult to tell good traffic from bad. Normally organisations throttle back when they are under attack, by not accepting new connections and waiting until the existing connections have closed.
- Tracks are obfuscated. With a reflection attack, the traffic that reaches the target comes from an intermediate device (the reflector), so it is difficult to trace the actual source of the attack. With networks such as Tor, the intruder can further hide their tracks.
- Zombie nodes used in the attack. There are many compromised hosts on the Internet, including those compromised by the Zeus botnet. Each of these can be controlled and used to attack the target.
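As an added defensive example (not from the original article), here is the detection logic a network team could run over flow records to spot the NTP reflection traffic described above, and to see why only the reflectors, not the true source, are ever visible to the target. The Flow record layout, the thresholds and the sample addresses are assumptions constructed for this example:

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    """One NetFlow-style record (constructed format, assumed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int

NTP_PORT = 123
NTP_REQUEST_BYTES = 76  # 48-byte NTP payload plus UDP and IP headers

def find_ntp_reflection(flows, min_reflectors=5, min_bytes_per_pkt=200):
    """Return {victim: summary} for hosts receiving amplified, unsolicited NTP replies.
    Two signals together mark a reflection target: replies arrive from many NTP
    servers the host never queried (its address was spoofed in the requests), and
    the replies are far larger than a normal 76-byte time answer."""
    inbound = defaultdict(list)   # dst -> UDP flows with source port 123
    asked = defaultdict(set)      # src -> NTP servers this host actually queried
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == NTP_PORT:
            inbound[f.dst].append(f)
        elif f.dport == NTP_PORT:
            asked[f.src].add(f.dst)
    report = {}
    for victim, replies in inbound.items():
        unsolicited = {f.src for f in replies} - asked[victim]
        pkts = sum(f.packets for f in replies)
        total = sum(f.bytes for f in replies)
        avg = total / pkts
        if len(unsolicited) >= min_reflectors and avg >= min_bytes_per_pkt:
            report[victim] = {
                "reflectors": len(unsolicited),  # all the victim can see; not the real source
                "bytes": total,
                "amplification": round(avg / NTP_REQUEST_BYTES, 1),
            }
    return report

# Constructed sample: one legitimate NTP exchange, then six open NTP servers each
# sending 100 x 482-byte replies to a host that never asked them for the time.
SAMPLE_FLOWS = [
    Flow("203.0.113.20", 51000, "198.51.100.5", 123, "udp", 1, 76),
    Flow("198.51.100.5", 123, "203.0.113.20", 51000, "udp", 1, 76),
] + [Flow("192.0.2.%d" % i, 123, "203.0.113.10", 80, "udp", 100, 48200) for i in range(1, 7)]
```

The legitimate client is not flagged because its request flow is on record; the victim is flagged with a 6.3x amplification ratio and a list of reflectors that says nothing about who sent the spoofed requests.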
The Rise of Hacktivism
As we have seen in Russia’s suspected cyber attack on Web sites in Estonia, and in the Arab Spring uprising, the Internet is playing an increasing part in conflicts around the world. Thus, as we move into an Information Age, the battlefield of the future is likely to be in cyberspace, and it will also be the place where nation states struggle to control news outlets.
A cause or a fight?
Organisations need to understand that there are new risks within the Information Age, and there are new ways to distribute messages, especially for those who are skilful enough to disrupt traditional forms of dissemination. Thus Hacktivism can become a threat to any nation state and organisation (Figure 1).
The important thing to note about Hacktivism is that the viewpoint on the Hacktivist will often reflect the political landscape of the time, and that time itself can change this viewpoint. While Adolf Hitler and Benito Mussolini are still rightly seen as agents of terror, Martin Luther King and Mahatma Gandhi are now seen as freedom fighters. Thus viewpoints often change, and for some the Hacktivist can have the image of a freedom fighter.
Big v Little
The Internet supports a voice for all, and there are many cases of organisations and nation states upsetting groups around the world, which have then successfully rebelled against them. In 2012, Tunisian Government web sites were attacked because of WikiLeaks censorship, and in 2011 the Sony PlayStation Network was hacked after Sony said they would name and shame the person responsible for jailbreaking their consoles (Figure 3). Just because you are small on the Internet doesn’t mean you cannot have a massive impact. Sony ended up losing billions on their share price, and lost a great deal of customer confidence.
The HBGary Federal example is the best one in terms of how organisations need to understand their threat landscape. Here Aaron Barr, the CEO of HBGary, announced that they would unmask some of the key people involved in Anonymous, and contacted a host of agencies, including the NSA and Interpol. Anonymous bounced a message back saying that they shouldn’t do this, as they would go after them. As HBGary were a leading security organisation, they thought they could cope with this and went ahead with their threat.
Anonymous then searched around on the HBGary CMS system, and found that a simple PHP request of:
gave them access to the complete database of usernames and hashed passwords for their site. As the passwords were not salted, it was an easy task to recover the original passwords from the hashes. Their targets, though, were Aaron Barr and Ted Vera (COO), each of whom used a weak password of six characters and two numbers, which is easily broken.
Now that they had their login details, Anonymous moved on to other targets. Surely they wouldn’t have used the same password for their other accounts? But when they tried, they could get access to a whole range of accounts using the same password (including Twitter and Gmail). This allowed Anonymous access to GBs of R&D information. They then noticed that the system administrator for the Gmail email account was Aaron, and managed to gain access to the complete email system, which included the email system for the Dutch Police.
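An added example, not the article’s or HBGary’s code, showing why the two weaknesses above compound: an unsalted table reveals shared passwords without any cracking, the keyspace of a six-letter-plus-two-digit password is small, and password reuse turns one recovered credential into many. The salted, slow alternative is shown alongside; the user names, passwords and iteration count are constructed for the illustration:

```python
import hashlib
import hmac
import os
from collections import defaultdict

def md5_unsalted(password):
    """Storage of the kind the article describes: the same password always
    yields the same digest, for every user and on every site that stores it this way."""
    return hashlib.md5(password.encode()).hexdigest()

def shared_password_groups(records):
    """Audit an unsalted table: users with identical digests share a password.
    No cracking is needed to see this, and one recovered password then opens
    every account in the group, the reuse that let one login unlock many services."""
    groups = defaultdict(list)
    for user, digest in records:
        groups[digest].append(user)
    return [users for users in groups.values() if len(users) > 1]

def keyspace_six_letters_two_digits():
    """Candidates for a lowercase six-letter plus two-digit password: about 3.1e10,
    which a single GPU can exhaust against unsalted MD5 in seconds to minutes."""
    return 26 ** 6 * 10 ** 2

def pbkdf2_hash(password, salt=None, rounds=200_000):
    """Salted, slow hash: a fresh 16-byte salt per user means equal passwords no
    longer produce equal digests, so precomputed tables and cross-user matching fail."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def verify(password, salt, digest):
    """Constant-time comparison of a recomputed digest against the stored one."""
    return hmac.compare_digest(pbkdf2_hash(password, salt)[1], digest)

# Constructed sample table: four users, two of whom picked the same weak password.
SAMPLE_RECORDS = [
    ("exec1", md5_unsalted("summer19")),
    ("exec2", md5_unsalted("winter42")),
    ("eng1", md5_unsalted("summer19")),
    ("eng2", md5_unsalted("correct horse battery staple")),
]
```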
Finally they went after their top security expert: Greg Hoglund, who owned HBGary. For this they sent him an email from within the Gmail account, appearing to come from a system administrator and asking for confirmation of a key system password, which Greg duly replied with. Anonymous then went on to compromise his accounts, which is a lesson for many organisations. While HBGary Federal has since been closed down, due to the adverse publicity around the hack, the partner company (HBGary) has gone from strength to strength, with Greg making visionary presentations on computer security around the world.
Figure 5: Greg’s compromise.
A key factor in these types of attacks is that, when not prepared, the complete infrastructure can fall like a house of cards. In Ferguson, the email system also went off-line for a while, and to protect themselves from data leakage they took down all personal information from their site.
The protection of IT infrastructures against DDoS is extremely difficult, and organisations need to understand how they will cope with these types of attacks. Along with this, many organisations are even more proactive, and actively listen to the “buzz” around hacking events on the Internet, in order to put mitigation methods in place. Often it’s a matter of coping with the attack, and enabling new network routes and virtualised devices to absorb the load while it happens.
Overall it is a difficult debate, and one person’s cause is another’s fight, but the technological challenge remains: it is one of the most difficult faced by IT architectures, and is often costly to deal with.