InfoSec Daily Podcast Episode 423 for July 7, 2011. Tonight's podcast is hosted by Rick Hayes, Adrian Crenshaw, Karthik Rangarajan, and Varun Sharma.
Announcements:
2nd Annual AIDE conference
When: July 11th – 15th, 2011
Where: Marshall University Forensic Science Center, Huntington, WV
http://aide.marshall.edu/
OISF July Anniversary Event
When: July 16th, 2011
Where: Dayton, Ohio
http://ohioinfosec.org
Adrian will be there
My Hard Drive Died
5-Day Bootcamp Data Recovery
Where: Chicago, Illinois
When: July 18-22, 2011
SANS Security 464 – Hacker Detection for Systems Administrators with Continuing Education Program – Russell Eubanks
Where: Atlanta, GA
When: Tue, Aug 09 to Wed, Aug 10
https://www.sans.org/mentor/details.php?nid=25573
Discount Code: Mentor10 (10% discount)
#BruCon
When: Sept 19-22, 2011
Where: Brussels, Belgium
http://blog.brucon.org/2011/02/confirmation-of-brucon-dates.html
@DerbyCon
When: September 30th – October 2, 2011
Where: Louisville, KY
http://www.derbycon.com/
SANS Mentoring: Forensics 408 – Computer Forensic Essentials
When: Wednesday, October 12, 2011 – Wednesday, December 14, 2011
Where: Atlanta, GA
Discount Code: ISDPod15 (15% discount)
http://www.sans.org/mentor/details.php?nid=25504
2011 Fall Information Security Conference
When: November 8 – 9, 2011
Where: Atlanta, GA (Loudermilk Conference Center)
http://www.gaissa.org
Stories
It was early May when LulzSec's profile skyrocketed after a hack on the giant Sony corporation. LulzSec's name comes from Lulz, a corruption of LOL, often denoting laughter at the victim of a prank. For 50 days until it disbanded, the group's unique blend of humour, taunting and unapologetic data theft made it notorious. But knowing whether LulzSec was all about the "lulz" or if it owed more to its roots as part of Anonymous – the umbrella group of internet subculture and digital activism – was pure speculation. Until now.
Who is "Sabu"?
I'm a man who believes in human rights and exposing abuse and corruption. I generally care about people and their situations. I'm into politics and I try my best to stay on top of current events.
We've seen you cast as everything from the greatest of heroes to the most evil of villains. How would you characterise yourself?
It is hard for me to see myself as either. I am not trying to be a martyr. I'm not some cape-wearing hero, nor am I some supervillain trying to bring down the good guys. I'm just doing what I know how to do, and that is counter abuse.
What was your first experience with "hacktivism"?
I got involved about 11 years ago when the US navy was using Vieques Island in Puerto Rico as a bombing range for exercises. There were lots of protests going on and I got involved in supporting the Puerto Rican government by disrupting communications. This whole situation was the first of its kind for the island and the people didn't expect things to go that route. Eventually, the US navy left Vieques.
How did you get involved with Anonymous?
When I found out about what happened to Julian Assange, his arrest in the UK and so on, I found it absolutely absurd. So I got involved with Anonymous at that point.
What operation really inspired you and why?
Earlier this year, we got wind of the Tunisians' plight. Their government was blocking access to any website that reported anti-Tunisian information, including Tunileaks, the Tunisian version of Wikileaks, and any news sites discussing them.
Tunisians came to us telling us about their desire to resist. "Disrupt the government of Tunisia," they said, and we did. We infiltrated the prime minister's site and defaced it externally. When Tunisia filtered off its internet from the world, it was the Tunisians who came online using dial-up and literally allowed us to use their connections to tunnel through to re-deface the prime minister's websites. It was the most impressive thing I've seen: a revolution coinciding both physically and online. It was the first time I had proof that what Anonymous was doing was real and it was working.
What would you like to say to people who say that you and other Antisec/Anonymous/LulzSec members are just troublemakers who have caused untold damage and loss to people for no apparent reason?
Would you rather your millions of emails, passwords, dox [personal information] and credit cards be exposed to the wild to be used by nefarious dealers of private information? Or would you rather have someone expose the hole and tell you your data was exploitable and that it's time to change your passwords? I'm sure we are seen as evil for exposing Sony and others, but at the end of the day, we motivated a giant to upgrade its security.
But what about hacks that were done "for lulz"?
Yes, some hacks under LulzSec were done for the lulz, but there are lessons learned from them all. In 50 days, you saw how big and small companies were handling their user data incorrectly. You saw the US federal government vulnerable to security issues that could have just as easily been exploited by foreign governments. You saw affiliates of the US government handling sensitive emails and they themselves ignored the FBI's better practice manuals about password re-use.
With the Public Broadcasting Service site, you saw the media vulnerable to fake articles. And yes, our Frontline hit [the group attacked the PBS's Frontline television programme website after perceived unfair treatment of Wikileaks] was political, but we also showed what could happen if an organisation were to hack 50 of the biggest media publications right now, online, and distribute a mass news article designed to blend in on each outlet's site. That kind of thing would cause some serious havoc. I mean, we're talking about the potential of crashing stocks or spreading damaging rumours. Everything we did had a duality: a lesson and some LOLs at the same time.
When did you realise you had hit the point of no return?
I was at the point of no return when I realised that I could make a change. Operation Tunisia was it for me. Then HBGary [a security firm attacked by LulzSec]. Now Antisec is the biggest movement in years, unifying all hackers and free thinkers across Anonymous and other groups. There's no going back.
How do you describe what Antisec is about?
Expose corruption. Expose censorship. Expose abuses. Assist our brothers and sisters during their operations in their own countries like the one we have going in Brazil now, Operation Brazil, which is about internet/information censorship. Expose these big multinational companies that have their hands in too much, that have too much power, and don't even take the time to secure your passwords and credit cards. And finally, discussion and education. We are not sitting idly by and letting our rights get thrashed. It's time to rise up now.
So what would an Antisec "win" look like?
There is no win. There's just change and education.
The popularity of LulzSec and Anonymous has inspired many to follow in your footsteps. What words of wisdom do you have for them?
Those who are with me in the fight do not have to be hackers. They can be reporters, artists, public speakers. This movement is about all of us uniting against corruption. But I don't ask anyone to take my risks. I don't want anyone to follow me down my path.
Are you afraid of being caught?
There is no fear in my heart. I've passed the point of no return. I only hope that if I am stopped, the movement continues on the right path without me.
Researchers at McAfee have released a report which examines in detail the March attacks against targets in South Korea, and concludes that the attacks were most likely a cyberwar exercise, possibly conducted by North Korea.
The report, titled "Ten Days of Rain", suggests that the distributed denial of service attacks were aimed at measuring South Korean mitigation efforts and response time in an effort to better hone future attacks.
"While the attack itself seems fairly generic at first glance, there are several things that make this particular combination of targets, malware, and botnet activity different from many we’ve analyzed, warranting our investigation," the report states.
Given the blatant lack of stealth employed in the attack, McAfee researchers believe the operation was not geared towards espionage activities in an effort to steal sensitive data from the government and military systems that were targeted.
"This wasn’t a surgical strike; it was more like a sledgehammer, as most DDoS attacks are. As such, it was noisy, making it easier to detect than a stealthy attack that might be used to steal sensitive data."
McAfee also points out that the operation was designed to last only for a predetermined period before self-destructing – features typically not employed by criminal networks.
"Several steps were taken to ensure that the mission was executed without interruption, within the predefined attack window—and following, ensuring that all vehicles of attack would be destroyed, thus limiting forensic analysis."
Researchers also point out that the complicated nature of the attack, the extensive use of encryption, and the botnet's built-in resiliency do not make sense in light of the pre-programmed ten-day attack period.
"The level of technical sophistication behind Ten Days of Rain, being used for the relatively simplistic act of a DDoS attack, doesn’t track. Why was so much cryptographic work utilized? Why was a multitier architecture, designed to be so resilient to takedowns, used if the operational life of the bots was only 10 days? Why not keep control of the compromised hosts; why not utilize those systems for future tasks instead of self-destructing?"
Since the evidence indicates that the operation was not designed in a similar fashion as the typical botnet employed by criminal syndicates, McAfee concludes that the attacks must have been structured purely as a cyberwarfare exercise to collect intelligence on South Korea's cyberdefense posture and preparedness.
"This may have been a test of South Korea’s preparedness to mitigate cyberattacks, possibly by North Korea or their sympathizers… the attack itself was very limited and may have been utilized to test and observe how quickly the attack would be discovered, reverse engineered, and mitigated."
McAfee researchers go on to suggest that the data gleaned from the operation could be crucial for fine-tuning future attacks, and that those attacks could be employed in conjunction with traditional military offensive actions.
"Armed with this knowledge, the aggressor could launch cyberattacks, possibly in conjunction with kinetic attacks, with a greater understanding of South Korea’s incident response capabilities. As such, the attackers could better understand their own requirements for a successful campaign."
The researchers conclude that the overwhelming weight of the evidence points to a test of South Korean cyberdefenses that most likely were conducted under the direction of a state sponsor.
"The combination of technical sophistication juxtaposed with relatively limited execution and myopic outcome is analogous to bringing a Lamborghini to a go-cart race. As such, the motivations appear to outweigh the attack, making this truly seem like an exercise to test and observe response capabilities."
The full McAfee report can be found here: https://secure.mcafee.com/us/resources/white-papers/wp-10-days-of-rain.pdf
Source: http://www.wired.com/threatlevel/2011/07/disrupting-internet-access
The nation’s major internet service providers, at the urging of Hollywood and the major record labels, have agreed to disrupt internet access for online copyright scofflaws.
The deal, almost three years in the making, was announced early Thursday, and includes participation by AT&T, Cablevision Systems, Comcast, Time Warner and Verizon. After four copyright offenses, the historic plan calls for these companies to initiate so-called “mitigation measures” that might include reducing internet speeds and redirecting a subscriber’s service to a landing page about infringement. The internet companies may eliminate service altogether for repeat offenders, although the plan does not directly call for such drastic action.
The agreement, backed by the Recording Industry Association of America and the Motion Picture Association of America, also does not require internet service providers to filter copyrighted material sailing through peer-to-peer protocols. U.S. internet service providers and the content industry have openly embraced filtering, and the Federal Communications Commission has all but invited the ISPs to practice it.
“This is a sensible approach to the problem of online content theft,” said Randal Milch, Verizon’s general counsel. Cary Sherman, the RIAA’s president, said the deal was “groundbreaking” and “ushers in a new day and a fresh approach to addressing the digital theft of copyrighted works.”
The RIAA, which includes Universal Music Group Recordings, Warner Music Group, Sony Music Entertainment and EMI Music North America, kicked off the marathon negotiations in December 2008, when it abruptly stopped a litigation campaign that included some 30,000 lawsuits targeting individual file sharers. Key leverage in the marathon negotiations included the Digital Millennium Copyright Act, which demands that ISPs have a termination policy in place for repeat infringers, and New York Governor Andrew Cuomo, who brought the parties together when he was that state’s attorney general.
The plan, however, provides no immunity from internet subscribers facing legal action, and leaves it up to the rights holders to detect infringement.
“As provided under current law, copyright owners may also seek remedies directly against the owner of an internet account based on evidence they may collect,” according to the deal.
The Copyright Act allows damages of up to $150,000 per infringement. Peer-to-peer file sharing of copyrighted works is easily detectable, as IP addresses of internet customers usually reveal themselves during the transfer of files.
On the first offense, internet subscribers will receive an e-mail “alert” from their ISP saying the account “may have been” misused for online content theft. On the second offense, the alert might contain an “educational message” about the legalities of online file sharing.
On the third and fourth infractions, the subscriber will likely receive a pop-up notice “asking the subscriber to acknowledge receipt of the alert.”
After four alerts, according to the program, “mitigation measures” may commence. They include “temporary reductions of internet speeds, redirection to a landing page until the subscriber contacts the ISP to discuss the matter or reviews and responds to some educational information about copyright, or other measures (as specified in published policies) that the ISP may deem necessary to help resolve the matter.”
Adrian’s Note: So, what is in it for the ISPs? Why do they care to take the burden of policing?
Source: http://www.cyberwarnews.info/2011/07/07/four-random-databases-dumped-by-p0keu/
Twitter has been a busy place for dumping information. Within the last 20 hours or so there has been a fairly large series of random dumps, starting with the BPM dump we posted yesterday.
The latest dumps of information contain usernames/passwords and database information from various websites.
Kulturdirekt.se (two databases)
http://www.washingtonco.k12.nc.us
http://www.tamilcanadian.com
The leaks come via Twitter from @p0keu, who has a funky avatar:
Kulturdirekt.se
The first website, Kulturdirekt.se, describes itself as: Culture Direct collects Stockholm’s independent culture on the Web and the Culture House
Twitter – @p0keu- @Kulturdirekt feelin' a li … http://pastebin.com/B4T4V6hL
They were then leaked again via another section of the site, exposing different data.
Twitter – @p0keu- And oh.. Another one- Well http://pastebin.com/Vt9mwVyZ
washingtonco.k12.nc.us
The second website, washingtonco.k12.nc.us, is the Washington County Schools Internet Network.
Now this next one comes as a bit of a surprise: 10 passwords that are exactly the same. This is just plain insecure and stupid.
Twitter – @p0keu- I'd like to point out the … http://pastebin.com/NhKYkdRu
TamilCanadian.com
The third website, TamilCanadian.com, was designed to provide information about the culture and history of the Tamil people.
TamilCanadian.com leak http://pastebin.com/P6CU7yfH