DailyTech – Welcome to 2011, Year of the Hacker

In the 1990s hackers ran rampant, breaking into and compromising some of the most sensitive business and government systems worldwide. Their incredible success led to major industry adjustments. Corporate and government IT departments adjusted their policies and cracked down on security. New security-centered firms were born.

But this year there has been an explosion of high-profile system intrusions the likes of which have not been seen in a decade. And for all those added protections, one thing is clear: much of the “security” of modern systems appears to be an illusion.

And the web has yet again become a digital Wild West: a place where the lines between good and evil blur; a place where the strong become the weak, the weak become the strong, and the newly strong victimize the newly weak; and a place where the line between mercy and destruction rests on the personal prejudices of bands of digital bandits.

I. 2011: Year of the Hacker

On Monday, LulzSec (“Lulz Security”) published a data dump from a thorough intrusion of the front end of the U.S. Senate’s servers. But this is far from the first significant intrusion this year.

Let’s pause to briefly recap a few of the most important hacks:

Jan. 4: Anonymous uses distributed denial of service (DDoS) attacks to take down Tunisian government websites.

Jan. 10: Anonymous hacks Irish centre-right party Fine Gael, defacing its website and accusing it of censorship. Over 2,000 party-member accounts are compromised.

Jan. 18: Members of griefer group Goatse Security are arrested by the U.S. Federal Bureau of Investigation and charged for their role in exposing iPad user information.

Jan. 28: British police arrest five alleged members of Anonymous.

Jan. 28: CNET reports that Goatse Security’s homepage has been defaced by an ex-member. We reveal that this appears to be a publicity stunt, though for the record a spokesman for the group firmly denies this.

Feb. 3: Anonymous members use DDoS to take down the websites of the Egyptian government during the revolution against dictator Hosni Mubarak.

Feb. 5-6: HBGary, a security contractor, is hacked by Anonymous via SQL injection, social engineering, and other tactics. Some 68,000 emails are dumped, including ones suggesting that Bank of America hired HBGary to help attack Wikileaks.

Feb. 10: Chinese hackers steal information from seven oil companies in an operation dubbed “Night Dragon”.

Feb. 10: White paper states that iPhone passwords can be exposed via a jailbreak-driven attack.

Feb. 17: China implicated in “unprecedented” attack on Canadian government servers.

Feb. 24: Ex-soldier hacktivist “The Jester” (th3j35t3r) takes down hate websites of the Westboro Baptist extremist Christian cult.

Feb. 27: Anonymous begins attacks on Koch Industries, Inc., an American manufacturing conglomerate that spent millions lobbying against unions and made massive campaign contributions to Wisconsin’s “union buster” Governor Scott Walker.

Mar. 1-6: Malware forms a botnet of 260,000 Android phones; Google Inc. (GOOG) offers a tool to remove the offending rootkit.

Mar. 7: Unknown parties make off with $1.2M USD from Microsoft Corp. (MSFT) via a points scam.

Mar. 14: Anonymous releases grabbed documents indicating that a Bank of America property possibly committed foreclosure fraud.

Mar. 18: Security firm RSA reports that it has been hacked.

April 2: Anonymous launches a DDoS attack against Sony Corp. (TYO:6758) in response to litigation against hardware hacker George “GeoHot” Hotz.

April 4: Epsilon Data Management LLC is hacked, revealing millions of users’ email and contact information. Affected companies include US Bank; TiVo, Inc. (TIVO); JPMorgan Chase & Co. (JPM); Verizon Communications, Inc. (VZ); Capital One Financial Corp. (COF); Marriott International, Inc. (MAR); the Ritz-Carlton Hotel Company LLC; Citigroup, Inc. (C); Brookstone, Inc.; McKinsey & Co., Inc.; the Kroger Comp. (KR); Walgreen Comp. (WAG); India’s Jet Airways (BOM:632617); Kraft Foods Inc. (KFT); Best Buy Co., Inc. (BBY); Robert Half International Inc. (RHI); and Ameriprise Financial, Inc. (AMP).

April 17-19: PlayStation Network is hacked, 77 million records compromised. Anonymous is later implicated by Sony in the hack, but most believe that the greater collective was not involved. Sony Online Entertainment is also breached, 24 million records lost.

April 19: Hacker threatens to breach U.S. wind facility, showing limited access information. Attack is later ruled harmless.

April 26: Sony announces that the PSN was hacked.

May 2: SOE announces that its customer database was breached.

May 7: Sony sweepstakes site is hacked via a simple Google Search, 2,500 records lost.

May 7: FOX’s X-Factor TV show contestant database is leaked in an SQL injection attack by LulzSec.

May 10: LulzSec leaks FOX’s website admin accounts, employee passwords, and a sales database.

May 15: LulzSec leaks a database of UK ATM information, including who owns machines, where they’re located, etc.

May 17: Android authentication tokens are found to be exposed because an insecure API transmits them in the clear.

May 20: Sony is found to be hosting a phishing page on its servers, courtesy of hackers.

May 20: According to Ars Technica, employees at several Apple, Inc. (AAPL) Genius Bar locations report that 1 in 20 Mac computers brought in is infected with the MacDefender trojan; Apple orders its techs to feign ignorance on the topic.

May 21: Unknown parties steal $1,220 in virtual currency from 128 accounts on a Sony-owned internet services provider (ISP).

May 21: Hacker “k4L0ng666” defaces Sony Music Indonesia website via SQL injection.

May 22: Hacker “b4d_vipera” defaces Sony BMG Greece website, takes 8,500 records via SQL injection.

May 23: LulzSec leaks contents of Sony’s Japanese websites (no user records) via an SQL injection attack.

May 24: Sony Canada loses some 2,000 records in an SQL injection attack by Lebanese hacker group Idahc.

May 25: Sony promises affected customers a year of free identity theft protection.

May 29: PBS is hacked by LulzSec after the hackers take issue with its coverage of Wikileaks. The hackers post fake news stories, deface its pages, and tamper with its servers.

May 30: Information stolen in the RSA hack is used in an attack on Lockheed Martin Corp. (LMT) servers; a Chinese connection is suspected.

June 2: LulzSec uses SQL injection to scoop a reported 1 million records off a Sony Pictures sweepstakes website. Sony says only about 38,000 accounts were actually compromised.

June 2: Sony BMG Netherlands and Belgium have 1 million records exposed via SQL injection from unknown parties. Records include user names and plaintext passwords.

June 2: Gmail accounts belonging to Chinese dissidents and advocacy groups are hacked; the Chinese government is fingered.

June 2-3: In a spat over a particular user, LulzSec DDoSes popular hacker magazine 2600’s IRC chat servers and proxy servers. The dispute is eventually resolved after members and publication admins have a chat.

June 3: Names, photos, and email addresses of 120 developers are lost in an SQL injection attack on a Sony Europe database.

June 3: InfraGard, an FBI-affiliated organization, is hacked by LulzSec; emails and more are released.

June 3: LulzSec warns Japanese game maker Nintendo (TYO:7974) of gaping hole in its online security.

June 5: Anonymous publishes the names, passwords, and email addresses of several prominent Middle Eastern politicians.

June 5: Sony Pictures Russia is breached via SQL injection, user records from several databases are dumped to Pastebin.

June 6: Sony BMG’s internal network is mapped by LulzSec in new breach; SCE developer code is also taken.

June 8: SQL injection attack drops yet more records from Sony Music Portugal, Idahc claims responsibility.

June 8: LulzSec hacks “unhackable” webpage from security firm Black & Berg Cybersecurity Consulting, LLC and refuses cash prize, saying they “did it for the lulz.”

June 9: Using Low Orbit Ion Cannon (LOIC) DDoS attacks, Anonymous targets Turkey for “censorship”.

June 10: LulzSec posts administrator records and user accounts, including some registered with government email addresses, purloined from the databases of pornographic websites.

June 10: A group calling themselves “Anonymous India” attacks the Indian army website with DDoS attacks.

June 12: LulzSec publishes a thorough network intrusion of Bethesda Softworks and ZeniMax Media that includes source code, network mappings, and more. Group doesn’t publish user information because it says “[W]e actually like this company.”

June 12: U.S. Senate servers are hacked by LulzSec, though classified servers are not penetrated.

June 12: Spanish police arrest three alleged members of Anonymous. Anonymous responds with a DDoS takedown of Spanish police websites.

June 14: “Titanic Takeover Tuesday” is launched by LulzSec. The group strikes gaming magazine The Escapist, the servers of EVE Online, the site of government contractor software firm FinFisher, servers for Minecraft, and servers for League of Legends, an online multiplayer game.

June 14: Anonymous targets U.S. Federal Reserve Chairman Ben Bernanke, via a post on their ops site. It is unclear whether any attacks materialized.

June 14: Turkey arrests 32 alleged members of Anonymous; the group vows revenge.

June 14: In a Pastebin posting Anonymous condemns the attacks on the Indian government, saying they were perpetrated by an “imposter”.

(Thanks to Wikipedia and Attrition.org for listings of and links to detailed information on some of these hacks.)

Vital Stats on Major Hacks:
Number of Attacks on Sony: 19
Number of Hacks by LulzSec: 18+
Number of Hacks by Idahc: 2+
Number of Hacks by Anonymous: 11+
Number of Hacks suspected to have originated in China: 4+
Number of Hacks on U.S. Gov’t or Contractors: 4+

II. Profile: Recent Anonymous Activity

One of the largest and most active hacker collectives is Anonymous. Known as a group where inexperienced hackers can get their hands dirty, the collective has a large worldwide presence. Anonymous is loosely affiliated with the image-board site 4chan. The group has no official leaders; any member can act as an organizer at any given time, trying to convince other members to join attacks, or “operations” as they typically call them.

Most communication among members takes place in secured IRC channels.

Very active members sometimes serve as “spokespeople” for the group, spreading information about its activities to those who don’t follow the IRC channels daily. Obviously these spokespeople don’t speak for all members, but they typically offer a decent perspective on the group’s thoughts and actions. The site AnonNews.org is the group’s primary outlet for press releases. The group also maintains a Twitter account.

In recent weeks Anonymous’s attention has been split between the Middle East and Sony. Though ostensibly Anonymous as a whole is no longer attacking Sony, some individual members or groups of members are believed to be.

Three members of the group were arrested last Friday in Spain because the Spanish government believed they were key organizers of the group. Anonymous responded with a war of DDoS attacks and semantics against the Spanish government. But at the end of the day it is unclear whether the men taken into custody truly organized any attacks with the group.

Last weekend the International Monetary Fund (IMF) was hacked, just days after Anonymous tweeted “#OperationGreece: Target: http://www.imf.org” and the IMF issued a statement that it was prepared for the attacks. The IMF is an international organization that lends to and monitors the finances of member states.

It appears someone, perhaps China, beat Anonymous to the punch. The IMF says its servers were hacked over the weekend by an attacker who appeared to be a sophisticated “nation state” aiming to establish a “digital insider presence”.

The attack showcases a growing issue: it is often very unclear who has attacked a particular entity, because the same entity is often the target of cyber-aggression from multiple parties. Furthermore, publicized attack plans can be cleverly exploited by those who wish to hide their own presence. In that sense groups like Anonymous, given their propensity to sound off online, may find themselves increasingly “framed” by the true attackers.

This was seen yet again in last Friday’s attacks on the Indian military and government by a group calling itself “Anonymous India”. The “real” Anonymous condemned these attacks, saying it played no part in them. Yet many articles were published that fingered Anonymous itself for the attack. In short, it appears Anonymous’s name was (ab)used in a politically motivated attack.

Anonymous still appears very active, as evidenced by its recent leak of emails and passwords of officials in Bahrain, Egypt, Jordan, and Morocco.

The group’s membership is believed to be large. Some members are ostensibly non-hackers, but just enjoy participating in the group’s eye-catching public demonstrations, in which actors don Guy Fawkes masks.

III. Profile: Recent LulzSec Activity

LulzSec exploded onto the scene in May with a series of high-profile intrusions, most notably against Sony. The group maintains an active PR website, a telephone request line, and an active Twitter presence. However, it is thought to be a smaller, more elite group than Anonymous. LulzSec has no official affiliation with Anonymous, though the two share some common enemies. Like Anonymous, LulzSec is thought to be a group without a leader.

The group appears to be increasingly flaunting its abilities against the U.S. government.

After targeting an FBI affiliate earlier this month, the group exposed several government email addresses in its recent porn database breach. Some of these entries appear to be joke accounts (for example “flag” with password “karlmarx”) registered by people who do not actually control the government addresses they used.

Others, like U.S. Army soldiers James Ben Hopkins and Aaron C. Sewell and U.S. Air Force fighter pilot Wade Quigley, appear to be real people. Of course, someone could have registered with those emails as a prank against those individuals.

In addition to calling out porn users with government emails, LulzSec completed a major breach of the U.S. Senate’s servers this Sunday.

Martina Bradford, the deputy Senate sergeant at arms, said on Monday to Reuters, “We were responding to their allegations. Basically what we’re saying is that the server they got into is for public access and is on the public side. Although this intrusion is inconvenient, it does not compromise the security of the Senate’s network, its members or staff. Specifically, there is no individual user account information on the server supporting senate.gov that could have been compromised.”

This makes sense. Despite the U.S. government’s lack of savvy in cybersecurity, it should know enough to keep publicly accessible web servers separated from classified networks. In that regard the LulzSec breach may do little other than irritate the government.

Stewart Baker, a former cyber official at the Department of Homeland Security and now a partner at the law firm Steptoe & Johnson, says, “The hackers may have done the equivalent of burglarizing the Senate and bragging because they managed to steal a bunch of souvenirs from the gift shop.”

LulzSec, though, never claimed the hack to be a major one; it said it was “just for fun”. The published documents show mostly a list of processes running on one of the servers, images hosted on the Senate’s various pages, and code from some of the pages. There is no “smoking gun” in the archive, so to speak.

Ultimately, though, the hack should serve as an interesting test. To date, LulzSec has disguised its members’ identities, ostensibly using proxies, Tor, and other assets. But the question remains whether they will be able to remain anonymous if the FBI, the broader U.S. law enforcement community, and private security contractors bear down on them.

If the U.S. can’t catch LulzSec now, it’s unlikely they ever will.

Paying little mind to such matters, LulzSec’s “Titanic Takeover Tuesday” proceeded neatly, with the group striking Minecraft, EVE Online, and League of Legends. The DDoS attacks brought down the games’ login servers. EVE Online’s operator took all of its servers, including its website, offline as a precaution to protect users, though it said no data was lost. Likewise, the servers of gaming magazine The Escapist were slammed, making access to the site intermittent on Tuesday.

The group’s motivation for the attack appears to be to mock online gamers. States the group via Twitter:
Now accepting calls from true lulz fans – let’s all laugh together at butthurt gamers.

The only “serious” attack appears to be the one on FinFisher, which LulzSec says it targeted “because apparently they sell monitoring software to the government or some shit like that.”

LulzSec’s targets appear to be primarily gaming firms, the government, media sites, and, most of all, Sony. Expect more attacks in coming weeks, as the group has likely been emboldened by its successes thus far.

IV. The Road Ahead

Both LulzSec and Anonymous can be construed as principled griefers, in a sense. If their members like you, they may deliver the news that your network security is pathetic in a somewhat gentler fashion. If you’re their enemy, though, they can be merciless.

It’s unclear why 2011 has been such a remarkable year in terms of system intrusions. Anonymization services like Tor and proxy services have certainly played a role, but Tor has been around since 2002. Likewise, international turmoil in the Middle East and China has stirred the pot, but there have been plenty of other unrest-filled years over the last decade.

What is clear is that 2011 appears to be the year of the hacker.

As long as some companies:
1. Conduct themselves in a belligerent fashion towards tech-savvy members of the online community
2. Store passwords in plaintext
3. Fail to protect against SQL injection attacks
4. Keep stale data online
5. Fall victim to obvious social engineering plots

…and as long as some users:
1. Use short passwords
2. Use dictionary word passwords
3. Use the same password for multiple sites
4. Fall victim to phishing
5. Use work emails for site registration

…these kinds of attacks should continue to occur regularly. You see, the web may be the Wild West, but the problem is less the outlaws’ smarts than their targets’ lack thereof.
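The two company-side failures that recur most often in the timeline above, plaintext password storage and SQL queries built by pasting user input into a string, are easy to put side by side. The following Python is an added example, not code from DailyTech or from any of the breached sites: the accounts and passwords are constructed for the demo, and salted PBKDF2-HMAC-SHA256 with an assumed iteration count stands in for whatever password hash a real site would choose.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not data from any real breach.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]

PBKDF2_ITERATIONS = 200_000  # assumption: a real site tunes this to its own hardware


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, serialized as algo$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: %s" % algo)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_db():
    """In-memory SQLite holding the same accounts two ways: users_plain the way
    the breached sites stored them, users_hashed the way they should have."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, password_hash TEXT)")
    for user, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        conn.execute("INSERT INTO users_hashed VALUES (?, ?)", (user, hash_password(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: user input pasted into SQL, checked against plaintext.
    A username of  ' OR 1=1 --  comments out the password check entirely."""
    query = (
        "SELECT username FROM users_plain WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterized lookup, then verification against the salted hash."""
    row = conn.execute(
        "SELECT password_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


def dump_table(conn, table):
    """What an attacker walks away with after dumping the given table."""
    if table not in ("users_plain", "users_hashed"):
        raise ValueError("unknown table")
    return conn.execute("SELECT * FROM " + table).fetchall()


if __name__ == "__main__":
    db = build_db()
    injected = "' OR 1=1 --"
    print("vulnerable, injected username:", login_vulnerable(db, injected, "x"))  # True
    print("hardened,   injected username:", login_hardened(db, injected, "x"))    # False
    print("plaintext dump:", dump_table(db, "users_plain"))
    print("hashed dump:   ", dump_table(db, "users_hashed"))
```

Run it and the injected username logs in against the string-built query but not the parameterized one. Dumping users_plain hands the attacker working credentials, which, given the password reuse on the user side of the list above, are credentials for other sites too; dumping users_hashed yields only per-user salted hashes that have to be cracked one at a time.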

For individuals, remember: if you avoid the above traps, companies may lose your data, but your overall online presence and identity should be safe.

© DailyDDoSe™ 2007-2014
