STE WILLIAMS

WordPress.com Crushed Under DDoS

WordPress came under massive attack on Thursday, causing disruptions for many of the sites that rely on the webhosting platform to publish their content.

“WordPress.com is currently being targeted by a extremely large Distributed Denial of Service attack which is affecting connectivity in some cases,” Sara Rosso, a representative of WordPress owner Automatic, said in a statement released to customers. “The size of the attack is multiple Gigabits per second and tens of millions of packets per second.”

The attack later subsided, but the vast amount of junk data being thrown at the company’s servers while the DDoS, or distributed denial-of-service, attack was ongoing made it hard to defend against using standard countermeasures.

Rosso said WordPress was working with its upstream providers to mitigate any further attacks. She also said WordPress “will be making our VIP sites a priority in this endeavor.”

While significantly smaller than Google-owned Blogger and other hosts, WordPress is nonetheless a crucial platform for a large amount of the Web’s population. In July Drupal estimated WordPress powered 8.5 percent of websites.

“You have no idea how hard it was to get this post up, as WordPress.com, our blog host, is currently under a denial of service attack,” TechCrunch reported. “It’s been almost impossible to access the TechCrunch backend for the past 10 minutes and users are receiving a ‘Writes to the service have been disabled, we will be bringing everything back online ASAP’ error message.”

Antivirus provider Sophos also reported difficulties in posting stories to its Naked Security blog, but said traffic to its main website was unaffected because it used a different provider?

Source…

Call of Duty DDoS attack police arrest teen

A 17-year-old from Manchester has been arrested by the Metropolitan Police’s e-crime unit (PCeU) on suspicion of being behind a denial of service attack against the online game Call of Duty.

The teenager was arrested in the Beswick area of Manchester early on Thursday morning.

He is suspected of involvement in denial of service attacks which severely disrupted the online version of the game, and the playtime of many other players, in September. Distributed denial of service attacks are currently being used against the websites of Sarah Palin, Mastercard and other perceived “enemies of Wikileaks and Julian Assange”.

The game’s publisher, Activision, contacted police after the attacks.

The investigation by PCeU found the DDoS attack was made using a malicious program called “Phenom Booter”.

Police found the malware being offered for sale on a web forum for Call of Duty players to allow them to attack other players of the game and thereby improve their own scores.

Police tracked the server to the UK and finally via its IP number to Greater Manchester.

The 17-year-old is still in custody and has been arrested on suspicion of offences against the Computer Misuse Act.

DI Paul Hoare of the PCeU said online gaming was a major retail sector so software aimed at disrupting such games could have commercial implications for the companies concerned, and for their reputations.

He also said: “This type of crime can often be the precursor to further offending in more traditional areas of online crime.” ®

Join in the Wikileaks DDoS war from your iPhone or iPad

The online “infowar” precipitated by the media circus surrounding Wikileaks and Julian Assange continues, with DDoS attacks occurring against a bewildering variety of websites assessed as having either aided or failed to aid the leak-publisher – or often merely for commenting on the brouhaha.

Meanwhile, interest has focused on the methods used to mount the DDoS attacks. It appears that in general most of the muscle is coming from botnets of the usual sort: ones made up of zombie machines infected with malware using the same methods as ordinary online criminals and spammers (and just as illegal).

However, some of the battling communities – for instance the loosely organised hacktivist collective Anonymous, aligned in support of Assange and Wikileaks – also use collaborative tools where supporters can voluntarily attach their machines to a botnet in order to assist with a DDoS attack. The preferred tools are usually some version of the Low Orbit Ion Cannon (LOIC) software. Machines running LOIC can then be controlled via IRC or some other channel (again the campaigners are aping criminals by using Twitter of late).

Downloading and installing LOIC (the code is freely available at such places as Sourceforge) is simple enough, but evidently off-putting enough that not many people are doing it. The LOIC hivemind net run by Anonymous has generally had only a few hundred machines in it, far too few to mount a serious DDoS, and most of the grunt has been delivered by larger malware-based botnets controlled by individual Anonymous members (just one reportedly containing more than 30 times as many machines as the anonops.net hivemind).

But in the last day or two, a new wrinkle has begun to gain prominence. It is now possible to visit a webpage which will convert your browser into a pocket LOIC instance, delivering DDoS packets from whatever device you are using to browse – not necessarily even a computer.

As Panda Labs analyst Sean-Paul Correll notes:

Only a browser is needed, so you can even launch the attack from your fone, I just tested it with my iPhone … Of course I tested that it was real and worked, but I didn’t send any attack out.

Such a webpage will typically give you the option of adjusting how many requests per second to send to the target website (handy in the case of a phone or perhaps a fondle-slablet device with a limited data package and/or bandwidth) and allow you to attach an insulting message of your own devising.

This would appear to be rather less sophisticated than a proper IRC or Twitter-controlled LOIC install, but has the merit of being simpler. Whether this tremendously simple way of joining in botnets will finally mobilise large numbers of pro- or anti-Wikileaks vigilantes remains to be seen. For now, it appears that the effective DDoS attacks – and other more sophisticated meddling going on – are emanating from relatively small numbers of people.

It would seem that in general most people are aware how relatively unimportant and easily replaceable a part Julian Assange and Wikileaks have played in the release of the classified US files, which continue to mildly interest the outside world. ®

Bootnote
1) Reader be warned: Participating willingly in a DDoS attack is a crime in many countries. Even if this doesn’t bother you, you download software and visit webpages of this sort at your own significant risk: campaigners on both sides have shown little in the way of scruples, and ordinary criminal scammers are now exploiting the situation too.

WikiLeaks supporters milk Twitter API in DDoS attacks

WikiLeaks supporters are milking Twitter’s application programming interface to carry out attacks that have led to crippling slowdowns at MasterCard.com, Visa.com and other websites that cut off funding to the whistle-blower outfit.

A relatively new Java-based version of the Low Orbit Ion Cannon, which protesters use to direct torrents of traffic at sites they disapprove of, allows users to specify a Master Twitter ID, according to a Thursday post on the Sans blog. It’s the first time the point-and-click attack tool has included the Twitter field, security researchers said.

“The Twitter angle in this application piqued my interest,” Sans handler on Duty, Mark Hofman, wrote. “It is using the Twitter API in a new and creative way, certainly one that hadn’t readily occurred to me.”

He didn’t say exactly what JavaLOIC did with Twitter’s API, but Jose Nazario, senior manager of security research at Arbor Networks, speculated it probably coordinated the timing and targets of attacks. If so, it wouldn’t be the first time Twitter has been used as a command and control channel for corralling large networks of PCs. There are even tools available to streamline the configuration of Twitter-based C&Cs.

Sophos has more more additional details about LOIC, including its Twitter feature, here.

Other versions of LOIC use internet relay chat channels to coordinate attacks. Volunteers install the program and then enter the address of an IRC server. From there, organizers are able to instruct thousands of machines to march in lock step as they attack websites. The ability to turn on and off huge amounts of traffic quickly makes the attacks much harder to defend against.

Sean-Paul Correll, a threat researcher with Panda Security, said at the height of the attacks on Wednesday, there were more there 3,000 machines participating in LOIC-based attacks against MasterCard, Visa, PayPal and other sites that cut off services used to fund WikiLeaks. He also observed independent botnets with as many as 30,000 compromised computers also participating in the attacks.

The attacks have wreaked a fair amount of damage. By Correll’s estimate, MasterCard has suffered more than 32 hours of downtime since Tuesday, with 23 of those hours being almost continuous. Parts of Visa’s site saw more than 21 hours of downtime. The most crippling attack on Visa started a little before 1pm California time on Wednesday, when organizers transmitted a command over IRC to flood the site with more traffic than it could handle.

“It was down instantly,” he told The Register. “As soon as they started pointing the servers over to it, it was toast.”

Visa and MasterCard representatives have said no customer data has been accessed as a result of the attacks, and transactions have been able to go normally. Still, it was widely reported that MasterCard’s Securecode service for secure online transactions was offline for much of Wednesday.

Nazario said as the attacks have progressed many have begun attacking targets’ backend servers, where damage is often more severe despite it being less obvious to outside observers.

“If you can’t load the Visa homepage, so what,” he explained. “But if the backend for some of these sites is down, where it integrates with other vendors or other sites, then they have a problem. That’s what [the attackers] seem to be trying to do now as a way of shutting down their ability to take and make payments.”

WikiLeaks sympathizers aren’t the only ones getting into the denial-of-service game. Anonops.net, a site used to by organizers of the attacks, was itself taken down on Wednesday night, Correll said. At time of writing, it was inaccessible. ®

Hacker Attack WikiLeaks foes

LONDON — In a campaign that had some declaring the start of a “cyberwar,” hundreds of Internet activists mounted retaliatory attacks on Wednesday on the Web sites of multinational companies and other organizations they deemed hostile to the WikiLeaks antisecrecy organization and its jailed founder, Julian Assange.

Within 12 hours of a British judge’s decision to deny Mr. Assange bail in a Swedish extradition case, attacks on the Web sites of WikiLeaks’s “enemies,” as defined by the organization’s impassioned supporters around the world, caused several corporate Web sites to become inaccessible or slow down markedly.

Targets of the attacks, in which activists overwhelmed the sites with traffic, included the Web site of MasterCard, which had stopped processing donations for WikiLeaks; Amazon.com, which revoked the use of its computer servers; and PayPal, which stopped accepting donations for Mr. Assange’s group. Visa.com was also affected by the attacks, as were the Web sites of the Swedish prosecutor’s office and the lawyer representing the two women whose allegations of sexual misconduct are the basis of Sweden’s extradition bid.

On Thursday, Gregg Housh, an activist with the loosely affiliated group of so-called hacktivists, said the group was redoubling its efforts to bring down PayPal, which is better protected than some other sites. The assertion was backed up by an independent security analyst who closely monitors the Internet and saw evidence of the onslaught.

No other major Web sites appeared to be suffering disruptions in service early Thursday, however, suggesting that the economic impact of the attacks was limited.

The Internet assaults underlined the growing reach of self-described “cyberanarchists,” antigovernment and anticorporate activists who have made an icon of Mr. Assange, a 39-year-old Australian.

The speed and range of the attacks Wednesday appeared to show the resilience of the backing among computer activists for Mr. Assange, who has appeared increasingly isolated in recent months amid the furor stoked by WikiLeaks’s posting of hundreds of thousands of secret Pentagon documents on the wars in Afghanistan and Iraq.

Mr. Assange has come under renewed attack in the past two weeks for posting the first tranche of a trove of 250,000 secret State Department cables that have exposed American diplomats’ frank assessments of relations with many countries, forcing Secretary of State Hillary Rodham Clinton to express regret to world leaders and raising fears that they and other sources would become more reticent.

The New York Times and four other news organizations last week began publishing articles based on the archive of cables made available to them.

In recent months, some of Mr. Assange’s closest associates in WikiLeaks abandoned him, calling him autocratic and capricious and accusing him of reneging on WikiLeaks’s original pledge of impartiality to launch a concerted attack on the United States. He has been simultaneously fighting a remote battle with the Swedish prosecutors, who have sought his extradition for questioning on accusations of “rape, sexual molestation and forceful coercion” made by the Swedish women. Mr. Assange has denied any wrongdoing in the cases.

American officials have repeatedly said that they are reviewing possible criminal charges against Mr. Assange, a step that could lead to a bid to extradite him to the United States and confront him with having to fight for his freedom on two fronts.

The cyberattacks in Mr. Assange’s defense appear to have been coordinated by Anonymous, a loosely affiliated group of activist computer hackers who have singled out other groups before, including the Church of Scientology. Last weekend, members of Anonymous vowed in two online manifestos to take revenge on any organization that lined up against WikiLeaks.

Anonymous claimed responsibility for the MasterCard attack in Web messages and, according to Mr. Housh, the activist associated with the group, conducted waves of attacks on other companies during the day. The group said the actions were part of an effort called Operation Payback, which began as a way of punishing companies that tried to stop Internet file-sharing and movie downloads.

Mr. Housh, who disavows a personal role in any illegal online activity, said that 1,500 supporters had been in online forums and chat rooms organizing the mass “denial of service” attacks. His account was confirmed by Jose Nazario, a senior security researcher at Arbor Networks, a Chelmsford, Mass., firm that tracks malicious activity on computer networks.

Most of the corporations whose sites were targeted did not explain why they severed ties with WikiLeaks. But PayPal issued statements saying its decision was based on “a violation” of its policy on promoting illegal activities.

Paul Mutton, a security analyst at netcraft, a British Internet monitoring firm, confirmed Mr. Housh’s account of the renewed attack on PayPal Thursday and said it had caused sporadic outages through the day. A spokesman for PayPal was not immediately reachable to confirm or deny the accounts.

The sense of an Internet war was reinforced Wednesday when netcraft reported that the Web site being used by the hackers to distribute denial-of-service software had been suspended by a Dutch hosting firm, Leaseweb.

A sense of the belligerent mood among activists was given when one contributor to a forum the group uses, WhyWeProtest.net, wrote of the attacks: “The war is on. And everyone ought to spend some time thinking about it, discussing it with others, preparing yourselves so you know how to act if something compels you to make a decision. Be very careful not to err on the side of inaction.”

Mr. Housh acknowledged that there had been online talk among the hackers of a possible Internet campaign against the two women who have been Mr. Assange’s accusers in the Swedish case, but he said that “a lot of people don’t want to be involved.”

A Web search showed new blog posts in recent days in which the two women, identified by the Swedish prosecutors only as Ms. A. and Ms. W., were named, but it was not clear whether there was any link to Anonymous. The women have said that consensual sexual encounters with Mr. Assange became nonconsensual when he stopped using condoms.

The cyberattacks on corporations Wednesday were seen by many supporters as a counterstrike against the United States. Mr. Assange’s online supporters have widely condemned the Obama administration as the unseen hand coordinating efforts to choke off WikiLeaks by denying it financing and suppressing its network of computer servers.

Mr. Housh described Mr. Assange in an interview as “a political prisoner,” a common view among WikiLeaks supporters who have joined Mr. Assange in condemning the sexual abuse accusations as part of an American-inspired “smear campaign.”

Another activist used the analogy of the civil rights struggle for the cyberattacks.

“Are they disrupting business?” a contributor using the name Moryath wrote in a comment on the slashdot.org technology Web site. “Perhaps, but no worse than the lunch counter sit-ins did.”

John Markoff and Ashlee Vance contributed reporting from San Francisco, and Alan Cowell from Paris.

Mastercard downed by Anon-Assange-fans

Mastercard is feeling the wrath of the internet this afternoon – its website and at least part of its payment systems have apparently been brought down by a denial of service attack.

The credit card company is being typically cryptic – its most recent statement said only that it is “is experiencing heavy traffic on its external corporate website”, which is a nicely understated way to describe an overwhelming DDoS assault.

The statement added: “We are working to restore normal speed of service. There is no impact whatsoever on our cardholders’ ability to use their cards for secure transactions.”

However the Reg has been contacted by merchants down under who are currently unable to access the payment portal on Mastercard’s private network – a far more serious breach of security than just downing a website.

This blog also suggests that Mastercard’s 3D Secure system is not working either.

The hack attack is being claimed by Operation Payback, as revenge for Mastercard’s decision to shut down payments to Wikileaks in the wake of its publishing US diplomatic cables.

Operation Payback has itself come under DDoS attack from ‘patriot’ hackers. Presumably pro-Assange hackers have taken out Senator Lieberman’s personal site.

PayPal was targeted for similar reasons, but was functioning at the time of writing.

Mastercard’s PRs were unable to confirm any attack on payments systems but have promised us a more up-to-date statement. We’ll update this story should we receive one.

Pro-Wikileaks hacktivistas in DDoS dustup with patriot contras

Online hacktivist collective Anonymous, operating under the banners Operation:Payback and “Operation Avenge Assange” have launched a series of DDoS attacks against organisations and people seen as being opposed to Wikileaks and its spokesman Julian Assange.

Meanwhile, Operation:Payback itself has been subjected to counter-DDoS attacks thought to originate with US “patriotic” contra-hacktivistas.

Sites attacked by the Anonymous group have included PostFinance.ch, belonging to the Swiss bank which recently froze an account controlled by Assange, and also ThePayPalblog.com – the main blog operated by PayPal, targeted for refusing to process Wikileaks contributions. DNS outfit EveryDNS has also come into the Operation:Payback gunsights for cutting off Wikileaks’ DNS service, saying that online attacks targeted at the leak site were crippling its other customers.

Over the last couple of days, other sites have been DDoS’d for various reasons by the Anonymous group, including the Swedish lawyers representing the women Assange is alleged to have committed sexual offences against. Charges made by Swedish prosecutors have since resulted in the issue of a European arrest warrant and Assange was yesterday cuffed in London: British judges have elected to refuse bail and the colourful Wikileaks impresario is now in jail pending an extradition hearing.

This process has angered the members of Operation:Payback sufficiently that they have also elected to mount strikes against the website of the Swedish prosecutors’ office and briefly, according to anonymous* claims received by the Reg, against Interpol. (Interpol did issue a “Red Notice” calling for Assange’s arrest at the behest of Swedish authorities, but in fact this has no relevance for British police dealing with a request from another EU nation: in such cases a European warrant is required for the UK cops to act.)

Yesterday, the Anonymous hacktivists decided to attack the site of US Senator Joe Lieberman as well, presumably as a result of remarks he has made describing Wikileaks operations as crimes violating the US Espionage Act – and hinting that Wikileaks’ mainstream-media partners, collaborating on trawling and redacting files prior to public release, have violated the law also.

Some Operation:Payback members also elected to attack the site of former Alaska governor and vice-presidential candidate Sarah Palin for suggesting that Assange should be hunted down like a terrorist.

The Anonymous attacks have been run on through a chatroom, with users attaching their computers to a voluntary botnet for use in the DDoS strikes. Panda Security reported that as the Lieberman attacks began there were almost 1,000 users in the chatroom and nearly 600 machines in the botnet.

Naturally enough Operation:Payback itself has been subject to counter-DDoS efforts of varying strength almost since it began, but following the decision to attack Lieberman’s official US government site the Anonymous operation began to be hit much harder and suffered dozens of outages itself, one lasting almost two hours. Panda Security analysts assessed that the intensified counter-DDoS attacks were coming from self-described American “patriot” hackers – playing contra to the Anonymous hacktivistas, perhaps.

Meanwhile US Army private soldier Bradley Manning, believed to have supplied not only the vast stash of diplomatic cables now being drip-fed by Wikileaks but most of its previous significant material as well (the Baghdad gunship videos, Iraq and Afghanistan “war logs” etc) remains in military prison charged with an array of security violations. His name is seldom mentioned any more in the ongoing saga of Wikileaks, Assange and the online scufflers aligned with and against them.

Operation:Payback uses a banner quote from John Perry Barlow, a founder of the Electronic Frontier Foundation:

“The first serious infowar is now engaged. The field of battle is WikiLeaks. You are the troops.”

Some context for the online teacup “war” might be provided by the tiny size of the Anonymous volunteer botnet compared to today’s heavyweight criminal bot networks. There wasn’t even an attempt to actually attack PayPal, just its corporate blog. ®

Bootnote

*These emails were purportedly from Anonymous, but naturally we can’t vouch for their authenticity. As the faceless informant put it (this is verbatim):

Anyone using a name and claiming to represent Anonymous is a charloten, a fraud, a 13 year old basement dweller surrounded by crusty socks and empty Dew bottles, seeking glory among his friends on Tumblr.

PayPal banned WikiLeaks after US gov intervention

Updated A PayPal executive said his company’s decision to suspend payments to Wikileaks came after the US State Department said the whistle-blower site was engaged in illegal activity. The comment came shortly before PayPal agreed to release the remaining funds in the WikiLeaks fund-raising account.

Press accounts from The Guardian and TechCrunch differ, but both claim that PayPal’s move was influenced by statements from the State Department.

“State Dept told us these were illegal activities,” PayPal VP of platform Osama Bedier told the LeWeb conference in Paris, according to this report from The Guardian. “It was straightforward. We … comply with regulations around the world, making sure that we protect our brand.”

TechCrunch reported much the same thing but later updated its post to say: “After talking to Bedier backstage, he clarified that the State Department did not directly talk to PayPal.” He went on to say that the online payment service was influenced by a November 27 letter State Department officials sent Wikileaks founder Julian Assange and his attorney.

“As you know, if any of the materials you intend to publish were provided by any government officials, or any intermediary without proper authorization, they were provided in violation of US law and without regard for the the grave consequences of this action,” the letter, signed by State Department legal adviser Hongju Koh, stated. “As long as WikiLeaks holds such material, the violation of the law is ongoing.”

The letter didn’t cite any specific US statutes WikiLeaks was violating.

WikiLeaks went on to release a trove of State Department memos that aired confidential diplomatic communications.

PayPal representatives didn’t respond to emails seeking clarification about the influence of the State Department.

But late on Wednesday, PayPal General Counsel John Muller said: “While the account will remain restricted, PayPal will release all remaining funds in the account to the foundation that was raising funds for WikiLeaks. According to The Washington Post, there was about $80,000 in the account.

Muller went on to defend the permanent closure of the account by saying the online payment site is “required to comply with laws around the world.”

“Ultimately, our difficult decision was based on a belief that the WikiLeaks website was encouraging sources to release classified material, which is likely a violation of law by the source,” he continued.

Muller’s argument made no mention of organizations such as the International Tibet Network, which continues to solicit donations through PayPal even though some of their activities almost surely violate Chinese laws.

Over the past few days, other financial services, including Visa, MasterCard, and the Swiss bank Post Finance, have also suspended services to Wikileaks and Assange. The move has prompted criticism on Twitter and elsewhere by users who point out that Visa and MasterCard still permit payments to Ku Klux Klan groups but not to a group that so far has been charged with no crime.

Distributed denial of service attacks by people sympathetic to Wikileaks soon took out MasterCard and were also reported against EveryDNS.net, which suspended one of WikiLeaks domain names. US Senator Joe Lieberman and Sarah Palin – both outspoken WikiLeaks critics – and Swedish prosecutors, who are investigating Assange for alleged sexual offenses, have also been targeted, according to reports. A PayPal blog was also disrupted by attacks.

The Register has asked Visa and MasterCard to comment. This post will be updated if either responds. ®

Wikileaks’ DNS pulls plug, citing collateral DDoS damage

Domain name provider EveryDNS has pulled the plug on Wikileaks after giving the site 24 hours’ notice that it could not put up with the denial of service attacks the site was attracting.

The DNS provider said that it had sent messages by email and via Twitter and through the chat function of its website to warn Wikileaks that it was in breach of its terms and conditions and was at risk of termination. No response was received. Messages were sent 10pm EST 1 December. Services were terminated at 10pm 2 December.

The provider said: “Any downtime of the wikileaks.org website has resulted from its failure to use another hosted DNS service provider.”

EveryDNS said:

Specifically, the services were terminated for violation of the provision which states that “Member shall not interfere with another Member’s use and enjoyment of the Service or another entity’s use and enjoyment of similar services”. The interference at issues arises from the fact that wikileaks.org has become the target of multiple distributed denial of service (DDOS) attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites.

The temporary loss of its website will have little impact on Wikileaks. Various Wikileak mirror sites are available and the files are also on BitTorrent and elsewhere.

Wikileaks’ various media partners are also hosting the cables; today’s “revelation” is that British troops in Afghanistan were over-stretched and under-resourced.

Meanwhile Wikileaks spokesman Julian Assange, currently in the UK, is wanted for sex offences in Sweden where many Wikileaks operations are based. He is the subject of an Interpol Red Notice, which is a procedure used to “seek the arrest or provisional arrest of wanted persons with a view to extradition”. The Mail predicts he will be arrested in the next few days. Police sources inform the Reg that the Red Notice has little relevance in intra-European cases, where a European warrant is required. Assange lost an appeal against issue of such a warrant yesterday.

The colourful leakmeister is believed to have given police his address when he arrived in Britain several weeks ago.

EveryDNS explains why it ended Wikileaks’ services.

source