STE WILLIAMS

WikiLeaks supporters milk Twitter API in DDoS attacks

WikiLeaks supporters are milking Twitter’s application programming interface to carry out attacks that have led to crippling slowdowns at MasterCard.com, Visa.com and other websites that cut off funding to the whistle-blower outfit.

A relatively new Java-based version of the Low Orbit Ion Cannon, which protesters use to direct torrents of traffic at sites they disapprove of, allows users to specify a Master Twitter ID, according to a Thursday post on the Sans blog. It’s the first time the point-and-click attack tool has included the Twitter field, security researchers said.

“The Twitter angle in this application piqued my interest,” Sans handler on Duty, Mark Hofman, wrote. “It is using the Twitter API in a new and creative way, certainly one that hadn’t readily occurred to me.”

He didn’t say exactly what JavaLOIC did with Twitter’s API, but Jose Nazario, senior manager of security research at Arbor Networks, speculated it probably coordinated the timing and targets of attacks. If so, it wouldn’t be the first time Twitter has been used as a command and control channel for corralling large networks of PCs. There are even tools available to streamline the configuration of Twitter-based C&Cs.

Sophos has more more additional details about LOIC, including its Twitter feature, here.

Other versions of LOIC use internet relay chat channels to coordinate attacks. Volunteers install the program and then enter the address of an IRC server. From there, organizers are able to instruct thousands of machines to march in lock step as they attack websites. The ability to turn on and off huge amounts of traffic quickly makes the attacks much harder to defend against.

Sean-Paul Correll, a threat researcher with Panda Security, said at the height of the attacks on Wednesday, there were more there 3,000 machines participating in LOIC-based attacks against MasterCard, Visa, PayPal and other sites that cut off services used to fund WikiLeaks. He also observed independent botnets with as many as 30,000 compromised computers also participating in the attacks.

The attacks have wreaked a fair amount of damage. By Correll’s estimate, MasterCard has suffered more than 32 hours of downtime since Tuesday, with 23 of those hours being almost continuous. Parts of Visa’s site saw more than 21 hours of downtime. The most crippling attack on Visa started a little before 1pm California time on Wednesday, when organizers transmitted a command over IRC to flood the site with more traffic than it could handle.

“It was down instantly,” he told The Register. “As soon as they started pointing the servers over to it, it was toast.”

Visa and MasterCard representatives have said no customer data has been accessed as a result of the attacks, and transactions have been able to go normally. Still, it was widely reported that MasterCard’s Securecode service for secure online transactions was offline for much of Wednesday.

Nazario said as the attacks have progressed many have begun attacking targets’ backend servers, where damage is often more severe despite it being less obvious to outside observers.

“If you can’t load the Visa homepage, so what,” he explained. “But if the backend for some of these sites is down, where it integrates with other vendors or other sites, then they have a problem. That’s what [the attackers] seem to be trying to do now as a way of shutting down their ability to take and make payments.”

WikiLeaks sympathizers aren’t the only ones getting into the denial-of-service game. Anonops.net, a site used to by organizers of the attacks, was itself taken down on Wednesday night, Correll said. At time of writing, it was inaccessible. ®

Hacker Attack WikiLeaks foes

LONDON — In a campaign that had some declaring the start of a “cyberwar,” hundreds of Internet activists mounted retaliatory attacks on Wednesday on the Web sites of multinational companies and other organizations they deemed hostile to the WikiLeaks antisecrecy organization and its jailed founder, Julian Assange.

Within 12 hours of a British judge’s decision to deny Mr. Assange bail in a Swedish extradition case, attacks on the Web sites of WikiLeaks’s “enemies,” as defined by the organization’s impassioned supporters around the world, caused several corporate Web sites to become inaccessible or slow down markedly.

Targets of the attacks, in which activists overwhelmed the sites with traffic, included the Web site of MasterCard, which had stopped processing donations for WikiLeaks; Amazon.com, which revoked the use of its computer servers; and PayPal, which stopped accepting donations for Mr. Assange’s group. Visa.com was also affected by the attacks, as were the Web sites of the Swedish prosecutor’s office and the lawyer representing the two women whose allegations of sexual misconduct are the basis of Sweden’s extradition bid.

On Thursday, Gregg Housh, an activist with the loosely affiliated group of so-called hacktivists, said the group was redoubling its efforts to bring down PayPal, which is better protected than some other sites. The assertion was backed up by an independent security analyst who closely monitors the Internet and saw evidence of the onslaught.

No other major Web sites appeared to be suffering disruptions in service early Thursday, however, suggesting that the economic impact of the attacks was limited.

The Internet assaults underlined the growing reach of self-described “cyberanarchists,” antigovernment and anticorporate activists who have made an icon of Mr. Assange, a 39-year-old Australian.

The speed and range of the attacks Wednesday appeared to show the resilience of the backing among computer activists for Mr. Assange, who has appeared increasingly isolated in recent months amid the furor stoked by WikiLeaks’s posting of hundreds of thousands of secret Pentagon documents on the wars in Afghanistan and Iraq.

Mr. Assange has come under renewed attack in the past two weeks for posting the first tranche of a trove of 250,000 secret State Department cables that have exposed American diplomats’ frank assessments of relations with many countries, forcing Secretary of State Hillary Rodham Clinton to express regret to world leaders and raising fears that they and other sources would become more reticent.

The New York Times and four other news organizations last week began publishing articles based on the archive of cables made available to them.

In recent months, some of Mr. Assange’s closest associates in WikiLeaks abandoned him, calling him autocratic and capricious and accusing him of reneging on WikiLeaks’s original pledge of impartiality to launch a concerted attack on the United States. He has been simultaneously fighting a remote battle with the Swedish prosecutors, who have sought his extradition for questioning on accusations of “rape, sexual molestation and forceful coercion” made by the Swedish women. Mr. Assange has denied any wrongdoing in the cases.

American officials have repeatedly said that they are reviewing possible criminal charges against Mr. Assange, a step that could lead to a bid to extradite him to the United States and confront him with having to fight for his freedom on two fronts.

The cyberattacks in Mr. Assange’s defense appear to have been coordinated by Anonymous, a loosely affiliated group of activist computer hackers who have singled out other groups before, including the Church of Scientology. Last weekend, members of Anonymous vowed in two online manifestos to take revenge on any organization that lined up against WikiLeaks.

Anonymous claimed responsibility for the MasterCard attack in Web messages and, according to Mr. Housh, the activist associated with the group, conducted waves of attacks on other companies during the day. The group said the actions were part of an effort called Operation Payback, which began as a way of punishing companies that tried to stop Internet file-sharing and movie downloads.

Mr. Housh, who disavows a personal role in any illegal online activity, said that 1,500 supporters had been in online forums and chat rooms organizing the mass “denial of service” attacks. His account was confirmed by Jose Nazario, a senior security researcher at Arbor Networks, a Chelmsford, Mass., firm that tracks malicious activity on computer networks.

Most of the corporations whose sites were targeted did not explain why they severed ties with WikiLeaks. But PayPal issued statements saying its decision was based on “a violation” of its policy on promoting illegal activities.

Paul Mutton, a security analyst at netcraft, a British Internet monitoring firm, confirmed Mr. Housh’s account of the renewed attack on PayPal Thursday and said it had caused sporadic outages through the day. A spokesman for PayPal was not immediately reachable to confirm or deny the accounts.

The sense of an Internet war was reinforced Wednesday when netcraft reported that the Web site being used by the hackers to distribute denial-of-service software had been suspended by a Dutch hosting firm, Leaseweb.

A sense of the belligerent mood among activists was given when one contributor to a forum the group uses, WhyWeProtest.net, wrote of the attacks: “The war is on. And everyone ought to spend some time thinking about it, discussing it with others, preparing yourselves so you know how to act if something compels you to make a decision. Be very careful not to err on the side of inaction.”

Mr. Housh acknowledged that there had been online talk among the hackers of a possible Internet campaign against the two women who have been Mr. Assange’s accusers in the Swedish case, but he said that “a lot of people don’t want to be involved.”

A Web search showed new blog posts in recent days in which the two women, identified by the Swedish prosecutors only as Ms. A. and Ms. W., were named, but it was not clear whether there was any link to Anonymous. The women have said that consensual sexual encounters with Mr. Assange became nonconsensual when he stopped using condoms.

The cyberattacks on corporations Wednesday were seen by many supporters as a counterstrike against the United States. Mr. Assange’s online supporters have widely condemned the Obama administration as the unseen hand coordinating efforts to choke off WikiLeaks by denying it financing and suppressing its network of computer servers.

Mr. Housh described Mr. Assange in an interview as “a political prisoner,” a common view among WikiLeaks supporters who have joined Mr. Assange in condemning the sexual abuse accusations as part of an American-inspired “smear campaign.”

Another activist used the analogy of the civil rights struggle for the cyberattacks.

“Are they disrupting business?” a contributor using the name Moryath wrote in a comment on the slashdot.org technology Web site. “Perhaps, but no worse than the lunch counter sit-ins did.”

John Markoff and Ashlee Vance contributed reporting from San Francisco, and Alan Cowell from Paris.