Tag Archives: hacktivism

LOIC DDoS & The Nature of Anonymous Attacks

One of the most widely used and, in aggregate, dangerous Denial of Service tools is jokingly named the Low Orbit Ion Cannon (LOIC). The tool gained public notice after being used repeatedly in successful attacks against high-value web servers, such as those of the Church of Scientology during Project Chanology, the Recording Industry Association of America (RIAA), and the organizations Anonymous regarded as enemies of MegaUpload and WikiLeaks.

While I won’t get into the ideological arguments expressed by either Anonymous or their opposition, I’d like to take a moment to explain LOIC and provide some interesting links to sites containing more information.

As I always state: I'm merely an individual interested in security for the sake of learning. If you have a vested interest in any of the ideologies, either for or against the attacks, check the links below for protections or for ways to get more involved in the LOIC project.

Background

LOIC, originally written in C# by Praetox Technologies, has since been reimplemented as JS LOIC, an independent JavaScript program (HiveMind's version, linked below). As such there is even a web version of the DoS tool that runs straight from the browser.

When the project was first released I managed a DDoS (Distributed Denial of Service) attack against my own test box using a five-PC networked LOIC attack triggered over UltraVNC (akin to a botnet); it worked extremely well. The method could even be triggered remotely from an iPad or any device running the appropriate remote-access (RAS) software. If a given server or network is susceptible to LOIC attacks, a DDoS against that server or network can be extremely potent.

Details and Protection

LOIC works by flooding a specified target with TCP or UDP packets, or with HTTP requests, as fast as the attacking host can send them. The attack relies on nothing more than the brute-volume principle behind most forms of DoS, and LOIC does not spoof its source address, so every participating host is visible in the traffic. As such a single instance is surprisingly easy to protect against; the danger is the combined volume of many participants firing at once. Many servers should have been well protected against DoS attacks to begin with but, as we know from real-world IT, what's best isn't always what's done.

Firewall rule-sets can be written that rate-limit, and then drop, the over-abundance of packets coming from any one IP address long before something like this becomes a problem. To my knowledge ISPs on a larger scale can protect against DoS traffic by filtering out the appropriate UDP and ICMP packets before they reach their intended targets.

It should be standard practice for server administrators to contact their ISPs to ensure measures are in place to protect them at that level. Appropriate network firewall rules should then be drafted on top of that.
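The per-source check that such a rule-set performs, as an added example (this is not code from the original post or from the LOIC project). It reads constructed connection-log lines in an assumed format ("<epoch> <src_ip> <dst_port> <proto>"), counts packets per source inside a sliding window, and emits the iptables rules an administrator would load: a proactive per-source rate cap plus reactive drops for the sources that already blew through it. Because LOIC does not spoof its source address, per-source thresholds single out each participant; the threshold and window are assumed policy values.

```python
"""Per-source flood detection, the check a LOIC-defending rule-set performs.

Added example, not code from the original post. Log format, threshold and
window are assumptions; the log itself is constructed below.
"""
from collections import defaultdict, deque

THRESHOLD = 100   # packets per source per window before we call it a flood (assumed)
WINDOW = 1.0      # sliding window in seconds (assumed)


def parse_line(line):
    ts, src, port, proto = line.split()
    return float(ts), src, int(port), proto


def find_flooders(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: peak packets seen inside one window} for offenders only."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peak = {}
    for line in lines:
        ts, src, _port, _proto = parse_line(line)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # expire timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


def iptables_rules(flooders, dport=80, rate=THRESHOLD, chain="INPUT"):
    """Rule strings: a hashlimit rate cap per source for everyone, then explicit drops."""
    rules = [
        f"iptables -A {chain} -p tcp --dport {dport} -m hashlimit "
        f"--hashlimit-name loic --hashlimit-mode srcip "
        f"--hashlimit-above {rate}/sec -j DROP",
        f"iptables -A {chain} -p udp --dport {dport} -m hashlimit "
        f"--hashlimit-name loic-udp --hashlimit-mode srcip "
        f"--hashlimit-above {rate}/sec -j DROP",
    ]
    for src in sorted(flooders):              # -I puts the drops ahead of everything else
        rules.append(f"iptables -I {chain} -s {src} -j DROP")
    return rules


def sample_log():
    """Constructed log: one well-behaved client and two LOIC-style flooders."""
    base = 1700000000.0
    lines = [f"{base + i * 0.5:.3f} 10.0.0.5 443 tcp" for i in range(20)]              # 20 pkts / 10 s
    lines += [f"{base + 2 + i * 0.002:.3f} 203.0.113.7 80 tcp" for i in range(150)]    # 150 pkts / 0.3 s
    lines += [f"{base + 5 + i * 0.002:.3f} 198.51.100.9 80 udp" for i in range(150)]   # 150 pkts / 0.3 s
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    offenders = find_flooders(sample_log())
    for rule in iptables_rules(offenders):
        print(rule)
```

The hashlimit rules cap every source at the same rate regardless of whether it has been seen before, which is what stops the next participant; the per-address drops are only the cleanup for the ones already caught.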

But many of the attacks are difficult to trace…

The Nature of Anonymous Attacks

ARP poisoning, as previously mentioned on fork(), can be used to make attacks appear to be launched from within your own network (and attackers who spoof their way onto your network can launch attacks against it from the inside). Such poisoning is the starting point for various man-in-the-middle (MITM) attacks and for DoS/DDoS attacks. For more examples see this blog's article on session hijacking.

A good intrusion detection system that monitors ARP tables can alert the network administrator to changes or additions and thus possibly thwart spoofed MITM attacks before they take effect. The article by Busschers cited below discusses spoofed/reflected attacks and how they are conducted.
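What such an ARP monitor actually checks, as an added example (neither the post's code nor arpwatch itself). It consumes constructed ARP reply records in an assumed format ("<epoch> <sender_ip> <sender_mac>"), as a sniffer on a mirror port would export them, learns the IP-to-MAC table, and alerts when a trusted address such as the gateway is answered for by a different MAC, when any other IP flip-flops to a new MAC, or when one MAC starts answering for several IPs (one attacker poisoning many victims). The gateway baseline is an assumed, pre-configured trusted entry.

```python
"""ARP table watcher that flags the symptoms of ARP poisoning.

Added example; not the post's code and not arpwatch. Record format and the
trusted gateway entry are assumptions; the capture below is constructed.
"""
from collections import defaultdict

TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}   # assumed: known gateway MAC


def watch(records, trusted=TRUSTED):
    """Return a list of (kind, timestamp, subject, detail) alerts."""
    table = {ip: mac.lower() for ip, mac in trusted.items()}
    claimed = defaultdict(set)    # mac -> set of IPs it has answered for
    alerts = []
    for rec in records:
        ts, ip, mac = rec.split()
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac                       # first sighting: learn it
        elif known != mac and ip in trusted:
            # never overwrite a trusted entry; every mismatch is an attack symptom
            alerts.append(("gateway-impersonation", ts, ip, f"{known} -> {mac}"))
        elif known != mac:
            alerts.append(("flip-flop", ts, ip, f"{known} -> {mac}"))
            table[ip] = mac                       # track what the hosts now believe
        before = len(claimed[mac])
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1 and len(claimed[mac]) > before:
            alerts.append(("multi-ip", ts, mac, ",".join(sorted(claimed[mac]))))
    return alerts


def sample_records():
    """Constructed capture: normal traffic, then one host poisoning gateway and victim."""
    return [
        "1700000000 192.168.1.1 00:11:22:33:44:01",    # real gateway
        "1700000001 192.168.1.10 00:11:22:33:44:10",   # workstation
        "1700000002 192.168.1.20 00:11:22:33:44:20",   # printer
        "1700000030 192.168.1.1 de:ad:be:ef:00:01",    # attacker claims the gateway IP
        "1700000031 192.168.1.10 de:ad:be:ef:00:01",   # same MAC claims the victim too
    ]


if __name__ == "__main__":
    for alert in watch(sample_records()):
        print(alert)
```

A flip-flop on its own is sometimes legitimate (a replaced NIC, DHCP churn), which is why the trusted baseline and the one-MAC-many-IPs check are kept separate: together they are the signature of a host poisoning both ends of a conversation.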

Sources

My blog isn't funded by any corporations or governments and as such I'm fully willing to give all sides of an argument. So, I've constructed a list of sources I used when writing this post as well as some sites that may interest those wanting to learn more:

If you’d like to contribute to the C# original LOIC project please check out the LOIC project page here: https://github.com/NewEraCracker/LOIC/

Additionally you can check the more frequently updated SourceForge page for JS LOIC designed by HiveMind: http://sourceforge.net/projects/loic/

The HiveMind web version is located here: https://code.google.com/p/lowc/

Server Fault (Stack Exchange) topic on preventing a LOIC DDoS, posed by a user in 2010: http://serverfault.com/questions/211135/how-to-prevent-a-loic-ddos-attack

“4 Best Practices for Mitigating DDoS Effects,” by ES Enterprise Systems, February 6, 2012. Article discusses DDoS damage mitigation here: http://esj.com/articles/2012/02/06/best-practices-mitigating-ddos.aspx

“Effectiveness of Defense Methods Against DDoS Attacks by Anonymous,” Busschers, Rik. University of Twente, NL. This is a great article detailing the Anonymous Chanology and Operation Payback attacks, including the recent attacks against PayPal, MasterCard and more. Check it out here: http://referaat.cs.utwente.nl/TSConIT/download.php?id=1085 (It's also an excellent article for learning more about the types of attacks used and how things such as SYN flooding work. If the article ever goes offline I'll re-upload it.)

Another great source detailing spoofed DDoS attacks: http://www.skullbox.net/spoofeddos.php

ARP Poisoning/Spoofing in detail can be further explored here: http://www.irongeek.com/i.php?page=security/arpspoof

Lawrence Berkeley National Laboratory's Network Research Group (NRG), home of arpwatch, can be found here: http://www-nrg.ee.lbl.gov/

Recap Notes on Infosec VC 2012

Recap: the Pros & Cons

Back in June we had an awesome segment of Infosec VC 2012 entitled “Hacktivism: What, Why, and How to Protect Against It,” led by Gregory Nowak, Head Researcher at ISF (Information Security Forum) and of the ISACA Security Advisory Group, and Peter Wood, CEO of First Base Technology and also of ISACA. So I thought I'd attend the bulk of the Infosec VC 2012 conferences now in August. What follows are my notes on some of the presentations, for those who are interested…

The Disconnect Between Managers and Technicians

Product managers and corporate executives all seem to view security in a macro sense and often don't fully grasp, or care about, the minute details of data security, as was illustrated at the 2012 Infosecurity Virtual Conference. These big-shot corporate types and project managers are great for selling security solutions developed by a company's IT department to the company's administrators, but their lack of “street level” knowledge leaves a lot to be desired.

Take the keynote presentation, Data Security and Compliance in an Evolving Data Center, by Derek Tumulak (VP of Vormetric). He was extremely intelligent and understood a lot of core concepts. Positives of his presentation included an overview of virtualization and how it's used in data centers (globally speaking), cloud computing and its associated models, the importance of mobile security and how one breach could potentially mean disaster for an insecure organization, encryption management (how and when to use encryption as a last resort), and so on.

But Mr. Tumulak failed to identify actual instances of said compromises or how an organization should safeguard their systems on a technical level.

Instead he said that hackers, by and large, have been “[s]tealing information to sell it on the black market,” which isn't necessarily true. Corporate espionage is big but it isn't everything. Given the rise of hacktivism I believe a good number of attacks are conducted by those with specific ideological views they wish to convey (the Anonymous attacks against Sony to protest the prosecution of a PS3 modder, and other similar attacks). Many others wish to highlight security flaws to the company concerned, and some simply see what they can get by exploiting such systems (sheer curiosity).

While I can't claim to know every technology out there, I understand this to be a very large weakness in the corporate environment: the disconnect between the inner workings of data security and the project managers who organize teams to implement the solution. Is the solution to make all corporate executives network technicians? Obviously not, but a middle ground must be found in order to protect data appropriately. Big pictures are wonderful, but if you aren't going to get your hands dirty, or at least explain past instances of exploitation and what steps can be taken to protect against such problems, you're just ranting. Good for sales, bad for business.

Unlike conventions such as HOPE, Defcon and Black Hat Briefings (which do have a fair number of “big picture” talks, as corporations only seem to understand that method), a lot of corporate events present their sessions in this kind of “dry” way. The Infosecurity Magazine US Summer Virtual Conference 2012 had plenty of it, though some, not all, of the presentations were like this.

You’d think a lot of these executives were more interested in PowerPoint or Keynote than coding.

“Providing Smart Security for Smart Devices” (by Mike Sapien and Marc Vael) was very dry and the solutions discussed were obvious ones. Anyone with smartphone knowledge would have been eons ahead of these guys. The Program Director of ISACA was a little more informative here as far as how corporate employees need to safeguard their mobile data.

Unfortunately almost 99% of the conference was targeted at CTOs, VPs and other corporate audiences. A number of presenters stated that things that were “highly technical” wouldn't be useful, since most people gloss over them. As such the tone of the conference was “business minded” and technology was discussed in general terms, so it didn't really serve to impress the tech savvy.

I really liked Theresa Payton's address. As the former White House CIO and head of her own security company she has a warning for companies: focus on the new emerging digital landscape. She spoke about the important role social media plays in computing today.

Companies today must adopt social media, in her opinion, but they must also adopt a strong sense of security if they want to address its inherent security concerns.

So, to conclude the cons: it wasn't a conference detailing the finer points of information security such as firewall and network group policies, AD flaws and loopholes, social engineering techniques, encryption standards in depth, code exploits and hardening, wireless security (ARP table monitoring for MITM protection), and a myriad of other technical details. It was mostly by corporate types for corporate types.

A forum friend of mine actually did tell me “it’s like this. We just go to these things to get our credits for our CISSP,” after I said I wasn’t really interested in the bulk of the conferences. So I guess I’m over-analyzing the conference.

Onto the pros…

Best Presentation: “How to Protect Your Organization from a DDoS Attack”

Panelists

Michael Singer, VP of Security for AT&T
Prof. David Stupples, CCySS, University of London

At a Glance

Prof. David Stupples of the Centre for Cyber Security Sciences (CCySS), City University of London, was one of the best speakers for me. He discussed malware and DDoS attacks in depth, using past examples of how such attacks are conducted. Botnets that harvest data and move through proxy servers to mask the identities of attackers are of significant concern to CCySS.

The professor explained how botnets work and how they are analyzed before the results are sent to anti-virus/anti-malware companies for safeguarding their clients' systems. He explained how the analysis of botnets caught in CCySS-made honeypots is conducted mathematically, and how CCySS has a track record of doing just that.

Prof. David Stupples also discussed the limits of botnets and possible preventive methods such as:

* Providing security/OS upgrades to mitigate against exploitation by such malicious code.
* Vendors using honeypots to analyze known botnets/malware.
* IP/DNS filtering, which is effective to some degree against botnets (and a botnet's ability to connect “home” to its masters). Note that I attribute this to the way Alureon/DNSChanger was thwarted by ISPs despite the FBI's warnings to the general public: ISPs were able to compensate at their level and ensure DNS didn't resolve where it wasn't supposed to.
* Anti-malware companies examining botnet/malicious code fingerprints for quick identification.
* Reverse engineering search engine spiders to identify threats immediately.

The panel included other security professionals and their insights into software attacks, viruses, malware and DDoS attacks. They stressed the importance of different countries working together to analyze, spot and thwart such attacks. Prof. Stupples said that such international efforts have helped catch a number of attackers in the UK, and he stressed the need for more international law enforcement support.

Michael Singer, Executive Director of Security for AT&T, was also among my favorite speakers. He discussed how safeguarding the internet is essential, but not at the expense of the individual freedoms many people enjoy. Like Prof. Stupples he stressed the need for a global security organization, but warned that such an organization must make sure not to curb individual freedoms.

Interestingly Mr. Singer also discussed mobile security and how Android, in particular, lends itself to such exploitation, as it's a powerful platform with the capabilities of a small computer.

To see the presentation, click here to register and go to the conference page.

Glitches

Poor audio – There were a lot of problems with the audio, but all of these conferences generally have low-quality audio.

Slide/video track bar – When watching older/archived sessions, moving this bar to skip or go back usually requires a refresh of the entire presentation page, which generally stinks.

Computer Security Resources

** Thanks for checking out this post! It’ll be revamped shortly to include a better forensics section and, perhaps, a little more order!!! If you think something should go here, just send me a message! In the meantime, feel free to check out some of the great links on the right side menu of the blog. **

Top Sources at Random

Schneier on Security

Honeynet Project Blog

SANS Institute’s Forensics Blog

LinuxSecurity.com

Exploits Database by Offensive Security

LeakDB (search by hash or text string for cracked content)

Ethical Hacking Projects @ Break The Security (contains a nice repository of tools)

16 Systems (awesome free cryptanalysis and penetration tools inc. TrueCrypt volume detection)

Security Tube (the best site for computer security and video instruction; complete with segments from security conferences!)

Nirsoft Tools (great freeware forensics tools and password utilities).

Cryptohaze (interesting encryption penetration tools that rely on your GPU)

Forensics

Cyberspeak’s Podcast (Ovie Carroll’s podcast!)

Forensic 4cast (great podcast and magazine by Lee Whitfield!)

Mandiant (Redline memory analyzer, Web Historian, Highlighter for logs, awesome industry blogs, etc.)

AccessData (FTK/FTKi for acquisitions, Registry Viewer, PRTK/DNA, etc.)

Guidance Software (makers of EnCase which I’ve come to admire greatly despite being a die hard FTK fan. The EnScript scripting element for customized analysis and artifact recovery is outstanding. They also own Tableau!)

DEFT Linux – Computer Forensics live CD (forensics Linux distro, pretty good for IR)

Paladin4 (one of the easiest Linux distros to use, excellent for imaging!)

F-Response (never used it but I see it used online all the time; this looks like one of the best network acquisition tools ever. The fact that I use dc3dd and netcat is probably not healthy, but I'm new to forensics so I have an excuse!)

Malware Analysis

Deep End Research (Leading malware research, Yara, etc.)

VirusShare (Malware Samples)

VirusTotal.com (Identify malware by hash or upload a file to scan)

Some more good reading…

TaoSecurity

Dark Reading | Security | Protect The Business – Enable Access

Darknet – The Darkside | Ethical Hacking, Penetration Testing & Computer Security

Packet Storm ≈ Full Disclosure Information Security

CYBER ARMS – Computer Security

Zimperium – Protecting your empire

Offensive Security Blog

BackTrack Linux – Penetration Testing Distribution **

Insecure.Org (makers of the famous nmap and crackers you can trust)

Seclists Mailing Lists (Insecure.org brings you quality mailing lists spanning a wide variety of topics!)

Seclists Vulnerability Mailing List (Insecure.org brings you a quality vulnerability/bug-related mailing list)

Lifehacker, tips and downloads for getting things done (occasionally some good security articles on setting up a VPN, Proxy server or safeguarding data, targeted at non-security professionals)

TrueCrypt – Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux (Aside from the “Evil Maid” attack, this is – simply put – the very best open source encryption software out there)

Armitage – Cyber Attack Management for Metasploit (a graphical front-end that makes much of Metasploit's power accessible)

https://www.grc.com/default.htm (offers on-site quick vulnerability scans and other services)

BugTraq (Security Focus)

SecurityFocus (Symantec owned news)

** Some great Backtrack/Kali-related sites include the Official Wiki & Tutorials Section. SecurityTube has some great tutorial videos as well. Kali Linux is now my go-to distro for Linux forensics and pentesting, you can snag a copy here (or join a great unofficial fan forum here). Additional BT5 instructional videos can be found on the BackTrack Linux Fan Page.

Cracking

Ophcrack Project Homepage

This tool is good for LM and NT hashes: quick and easy SAM hive cracking, which is ideal if you don't happen to have a license for PRTK but do for FTK and wish to crack EFS. It uses rainbow tables (pre-computed hash chains) for speed; for brute force see l0phtcrack below.

l0phtcrack Password Auditor

Offers excellent brute force, support for rainbow tables and dictionary attacks. Some coming from PRTK may note that l0phtcrack seems to be missing PRTK's biographical dictionary attack, one of my favorite tools, but that's not necessarily true: you can accomplish the same thing by creating your own dictionaries from the biographical information. Also, one of the coolest features of l0phtcrack is the network sniffer, which pulls password hashes transmitted across a network. Fair warning: it doesn't always work; if in doubt, read the documentation.

** Note: thanks to my nameless friend for letting me try his l0phtcrack. Much appreciated.

AccessData’s PRTK

One of my all-time favorite tools. Although brute forcing and standard dictionary attacks may take a long time and be resource intensive, PRTK also includes some pretty powerful dictionaries straight out of the box. Also, nothing beats the simple and straightforward interface. I'm a huge fan of the biographical dictionary attack, in which you can import string data from FTK and FTKi to accomplish a user-specific attack (that is to say, things like directory listings, FTK dtIndex'd results, etc. can all be imported to speed up attacks). I used PRTK extensively in my AccessData Certified Examiner studies and found it to be one of the best tools to date.

Interesting side note regarding EFS cracking if you have a license to FTK but not to PRTK:

If you are running FTK 4+, you can first crack the Windows user password in Ophcrack (SAM and SYSTEM hives) and then, after selecting the EFS-encrypted file, allow FTK to decrypt it with the password you've discovered. FTK also allows you to list multiple passwords if you're unsure which it may be. If PRTK is installed on the same system, FTK will use PRTK in the background to decrypt the file. Of course, as an ACE, I advocate getting a license to PRTK if you can, but thankfully PRTK can be used for this at the back end with little trouble.

Safeguarding Data using Strong Passwords

https://www.grc.com/passwords.htm

Strong Password Generator

How To Create Strong Passwords That You Can Remember Easily

Computer Security Conferences of Note

http://www.defcon.org/

Black Hat | Home

Where The World Talks Security | RSA Conference

ASIS International: Home Page

Computer Forensic Show

Multiple SANS Conferences

NYC 2600

What Kind of Disjointed List is This?

Obviously it would be impossible to list all the great computer security-related sites and tools out there. I hope you find the list somewhat useful.