MegaUpload and the Anonymous Retaliation

Recently, the US government finally stepped in and shut down the file-hosting site MegaUpload.com.  The site could be used to upload your own files to back them up or share them with others.  The problem with that kind of freedom was that the site turned into a haven for media piracy, often sharing the latest movies and music before they had even hit theaters and stores.  Once the government was able to make the case that the owners of MegaUpload were encouraging such behavior and promoting the site with it, they swept in and shut it down.  Blaming the site for $500 million in losses to the entertainment industry, they arrested four of its owners and seized the servers MegaUpload ran around the globe.  This was done a day after many of the most popular sites on the Web “blacked out” to protest the controversial SOPA bill.

There are several things that regular computer users can learn from the whole mess:

1.  Back up your data to multiple sources!

While MegaUpload was used for a lot of piracy, many legitimate users relied on it to back up files from work and other important documents.  That data is now out of their reach!  You need to keep copies of your important data in several different physical locations, not just in one online service.

2.  Choose a reliable online backup service!

Following on from point one, it was foolish for those people to use MegaUpload for important things!  It was apparent to anyone using MegaUpload that a lot of content that should not have been shared was being stored there.  Users should look into sites like Box.com that are meant specifically for storing personal and work files, whether to back them up or to share them with others.  Box even gives you 50GB of free storage when you sign up!
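Point 1 deserves a concrete check, because a backup copy you have never verified is only a hope. The script below is an added example, not code from the original post or from any of the services mentioned: it hashes a source tree into a manifest, copies the tree to two backup locations, silently damages one copy, and then re-hashes every copy against the manifest to show which location still holds a complete, intact backup. The directory names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large backups never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file (path relative to root) to its SHA-256 digest.
    Keep this manifest with the originals; it is what you verify copies against."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def copy_to(root, dest):
    """Copy the whole tree to one backup destination (dest must not exist yet)."""
    shutil.copytree(root, dest)


def verify_backup(manifest, dest):
    """Return the relative paths whose copy at dest is missing or has a different hash."""
    bad = []
    for rel, digest in manifest.items():
        target = os.path.join(dest, rel)
        if not os.path.isfile(target) or sha256_file(target) != digest:
            bad.append(rel)
    return sorted(bad)


def demo():
    """Constructed scenario: one source tree, two backup copies, one copy later corrupted."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "documents")
    os.makedirs(os.path.join(src, "work"))
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("quarterly numbers\n")
    with open(os.path.join(src, "work", "report.txt"), "w") as f:
        f.write("draft report\n")

    manifest = build_manifest(src)
    copies = [os.path.join(base, "backup_external_drive"),   # hypothetical location 1
              os.path.join(base, "backup_cloud_sync")]       # hypothetical location 2
    for dest in copies:
        copy_to(src, dest)

    # Simulate silent damage to one copy (bit rot, truncated upload, ...).
    with open(os.path.join(copies[1], "work", "report.txt"), "w") as f:
        f.write("draft repor")

    results = {os.path.basename(d): verify_backup(manifest, d) for d in copies}
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, bad in demo().items():
        print(name, "OK" if not bad else "CORRUPT: " + ", ".join(bad))
```

Run the verification on a schedule against every backup location, not only right after the copy; the point of the second location is that it fails independently of the first.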

3.  Cyberwar is going to be a big part of the future.

Shortly after it was announced that MegaUpload’s owners had been taken into custody, the hacker collective “Anonymous” launched what it called its largest attack yet against government and media-industry sites.  Members not only took down government sites such as the FBI’s and Whitehouse.gov, but also spread seemingly harmless links that led to a web page running a JavaScript version of the group’s flooding tool, so the browser of anyone who clicked through to “read more about the attacks” joined the attack as well.

Cyber security is huge, and it’s more important than ever to play it safe with the Internet and your devices.  If even the big and mighty government can’t protect themselves, who knows how vulnerable we are?

Sources:

“MegaUpload file sharing site shut down for piracy by Feds” - http://latimesblogs.latimes.com/entertainmentnewsbuzz/2012/01/file-sharing-megaupload-shut-down-for-piracy-by-feds.html

“DOJ, FBI, entertainment industry sites attacked after piracy arrests” - http://news.cnet.com/8301-27080_3-57362279-245/doj-fbi-entertainment-industry-sites-attacked-after-piracy-arrests/

What’s Really Necessary for Cybersecurity?

SOPA explained: What it is and why it matters

http://money.cnn.com/2012/01/17/technology/sopa_explained/index.htm?iid=EL

What’s the controversial site Megaupload.com all about?

http://www.cnn.com/2012/01/20/tech/web/what-is-megaupload/index.html?iref=allsearch

There was a massive ongoing debate between Hollywood and Silicon Valley about two proposed anti-piracy bills, the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA).  A little over a week ago, however, both bills were shelved after a run of events that included online and offline protests and the shutdown of a large file-sharing website, Megaupload.com.  These events have raised a few concerns regarding cybersecurity and privacy.

SOPA and PIPA would have cut off “rogue” websites from search engines and other services in order to prevent the public from reaching pirated content hosted on those sites.  Tech companies such as Google and Facebook opposed the bills because they would have introduced ill-defined liabilities and would have required these sites to continuously police the content they link to.  In response, Wikipedia and Google, along with several other websites, staged a “black-out” of their services on January 18 to show the public how the bills would affect their digital lives.  Back in the real world, people took to the streets of major cities such as Washington D.C., New York, San Francisco, and Seattle to voice their concerns.

One day later, the U.S. government succeeded in shutting down one of the best-known sites for hosting pirated content, Megaupload.com.  With help from other governments, it charged seven people with copyright infringement and seized about $50 million in assets.  The next day, January 20, SOPA and PIPA were officially “postponed” indefinitely.  There is a slight chance they could come back, but only if the bills are drastically revised with a better strategy for combating piracy.

Why do the government or Hollywood need additional laws to fight websites hosting pirated content if they can already do so without them?  SOPA and PIPA read like a “legal” denial-of-service attack: rather than making the target malfunction or taking it offline, they would simply have removed it from search engines.  How would that have worked?  The public could easily have bookmarked or memorized the site’s address and returned to it after it disappeared from search results.

How does this relate to cybersecurity?  If these laws had passed, sites like Google would have been forced to monitor our content to make sure they were not liable when we uploaded copyrighted material.  That would be an intrusion on our privacy, because it would create a huge database of data collected from users who only wanted to share something with the public.  Even though almost everything we do gets recorded digitally in today’s society, does that mean we want the government to know what we are sharing with our family, friends, or anyone else for that matter?  I believe not.

Therefore, the concern remains: what is a good balance between keeping our privacy and having security?  How much of their lives is the public willing to give up to the government for the sake of enforcing laws?

Cyber “Warfare”

A recent article published by the New York Times titled “2 Israeli Web Sites Crippled as Cyberwar Escalates” describes recent attacks on the Tel Aviv Stock Exchange and El Al (the national airline). These attacks were attributed to a single pro-Palestinian hacker known as 0xOmar. This was not the first attack of its kind against Israelis: the same hacker had previously posted the credit card information of more than twenty thousand Israeli citizens.

This got me thinking a little more about our current standing in the world and how such attacks could be more harmful, and easier to orchestrate, than conventional warfare or terror attacks. Currently there are hundreds of cyber attacks against the U.S. government and large U.S. companies and corporations every day. Most of the attacks are simply meant to gather very specific information or to exploit very specific vulnerabilities. In addition, the most serious of these attacks are typically carried out by only a very small number of people.

Briefly consider the potential consequences of a full-on attack backed by complete government funding and hundreds of hackers/attackers. The damage that could be done would be enough to cause serious problems for how both the government and the economy function. The problem isn’t how secure our systems are but rather when there will be a force with strong motivation to do harm and the funding to back it.

http://www.nytimes.com/2012/01/17/world/middleeast/cyber-attacks-temporarily-cripple-2-israeli-web-sites.html?_r=1

The Criminal Mindset, or, “I Think I Can”

Theories abound as to the motivation of someone who decides to sink below the letter of the law (or rise above it, depending), from the far out to the mundane.  Quite interestingly, it may be nearly impossible to ever retrieve a scientifically accurate representation of this data – criminals, much like wild animals, are rarely academically observed in the wild, only in the zoo of the prison system, where they will invariably act much differently toward their prospective observers.

Speaking candidly as someone who has stolen from, emotionally harmed, and otherwise caused detriment to others in a distant past, I would offer the opinion that more often than not, a psychologically healthy criminal has one mindset, which boils down to, simply, “I can get away with this.”

Mind you, I have never committed a violent crime against another, nor would I; nor am I what you would call a “hardened criminal,” though I have spent an aggregate of roughly 24 hours in various jails across the country – so take the rest as you will.

Objectively, I could stand by an argument that in some felonies, a certain amount of very rudimentary “cost-benefit analysis” takes place.  Deranged as it may be, a young person with no positive influences in their world could certainly value the kinship at stake in murdering an unknown person in order to gain favor in a gang over that stranger’s life.  Alternately, it may even be subjectively worth it to defraud hundreds or thousands of people out of millions or billions of dollars, depending on your personal morals.

For some, it can be deduced that trading a downtrodden life of poverty and loneliness for wealth and companionship could transcend any artificial, manmade consequences.

However, in the commission of most, if not all, crimes, there must exist a certain measure of confidence in one’s ability to reap the reward without said consequence.  Whether it’s the aforementioned murderer, or a speeder on the interstate, or even a child trying to play video games with the sound off after bedtime, the action can only enter the mind after successfully spurning previous boundaries.

I realize this must sound paradoxical, but as toddlers, we absorb the world around us in very unique ways.  We are constantly pushing boundaries, both ours and those of others, and customarily, we are restrained.  It is only in the absence of such restraint that we discover what we are capable of outside the limits of “regulations,” whether they be household rules or manmade laws.

By building upon the selfish character of our human nature as we age, we eventually grow to learn that sometimes, there are rules that can be broken, and we discover the methodologies to do so.  Expanding on this, we can arrive at the logical mindset of what, socially and ethically, we can call “a criminal.”

In short, as long as there are humans, there will be opportunists, and as long as there are opportunists, there will continue to be those who are willing to subvert the laws put forth before them.

Citations:
http://bit.ly/xzTgpl – “The Overly Confident Mentality of Criminals”
http://bit.ly/zQyFhu – ”Criminal Mindset”

Another Major Online Retailer Hacked

Zappos hacked, 24 million accounts accessed
http://money.cnn.com/2012/01/16/technology/zappos_hack/index.htm
Once again, millions of customers of an online store have had their personal information compromised, this time the 24 million account holders of Zappos.  Zappos detected illegal and unauthorized access to its account information.  Unfortunately, along with the customer information, the stored passwords were also taken, and the company is asking that you change your password not only for Zappos but for any other site where you used the same username/password combination.

Zappos has assured its customers that the stolen password data was cryptographically scrambled (hashed) rather than stored in plain text, so attackers could not simply read the passwords and would have to spend time cracking them.  That assurance is only as good as the hashing scheme: a fast, unsalted hash falls to a dictionary attack in minutes, which is exactly why the advice to change reused passwords matters.  6PM.com is a sister site of Zappos and its customers were also affected.  The sad truth is that the Zappos attack still pales in comparison to the Sony attack that affected 77 million customers or the Citigroup attack in which about $2.7 million was stolen from customer accounts.  Data breaches cost corporations $130.1 billion last year, including about $39 billion actually stolen.
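What “cryptographically scrambled” should mean in practice is the difference between the two schemes below. This is an added example, not Zappos’ code and not a description of its actual scheme: it stores passwords with a per-user random salt and PBKDF2-HMAC-SHA256 (a deliberately slow hash), verifies them in constant time, and then shows why a fast unsalted hash is not enough by cracking a constructed leaked table with a tiny wordlist. The usernames, passwords and wordlist are made up for the demonstration, and the iteration count is an assumption you would tune for your own hardware.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: raise until one hash costs ~100 ms on your servers


def store_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex fields).
    A fresh 16-byte salt per user means two users with the same password get
    different records, so one precomputed table cannot crack everyone at once."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so response timing does not leak how many leading bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Still 'scrambled', still crackable."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: dict, wordlist) -> dict:
    """Dictionary attack on unsalted hashes: hash each candidate word ONCE, then
    look up every user's hash in that table. Cost is independent of the user count."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def demo():
    """Constructed scenario: a leaked table of unsalted SHA-1 hashes and a five-word list."""
    leaked = {
        "alice": unsalted_sha1("password1"),
        "bob": unsalted_sha1("zappos2012"),
        "carol": unsalted_sha1("correct horse battery staple"),
    }
    wordlist = ["123456", "password1", "letmein", "zappos2012", "qwerty"]
    record = store_password("password1")
    return {
        "cracked": crack_unsalted(leaked, wordlist),
        "salted_record_verifies": verify_password("password1", record),
        "wrong_password_rejected": not verify_password("password2", record),
        "same_password_two_records_differ": store_password("password1") != record,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With salted PBKDF2 the attacker must repeat the slow computation per user and per guess; with unsalted SHA-1 one pass over a wordlist cracks every weak password in the table, and each cracked password is then tried against other sites, which is the reuse problem the Zappos notice warns about.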

What Is

As many may know, there have been sophisticated attacks on many major companies around the world over the last decade or so. Most of these are attributed, with a fair amount of supporting evidence, to one source, but that is not the topic of this post. My point is about why it can happen and continue to happen.

Our information systems form a massive, complicated web stretching over, and connected to, even more networks around the world. Connections are made, broken, and remade in the blink of an eye, and huge amounts of information are transferred around the world with origins and destinations that are hard to pin down. Information, unlike any other commodity or possession, can be copied or stolen without being removed from the source, which leaves detection to forensics specialists, if anyone even knows to look. People can get into a system, move through it gleaning what they can, and continue on to another system.

That very interconnectivity, while wonderful for research and other legitimate uses, leaves us open to many sorts of attacks, and once attackers enter one system they can flow to any other connected system with little to no interference. Not only are the systems interconnected to nearly everything, the infrastructure itself is antiquated, since replacing it would be a financial burden no country could bear. A person or organization with the right motivation and equipment could shut the country down and damage our infrastructure to the point of destruction.

http://www.bloomberg.com/news/2011-12-13/china-based-hacking-of-760-companies-reflects-undeclared-global-cyber-war.html

Advanced Persistent Threats

Advanced Persistent Threat refers to a long-term attack, carried out over the Internet, that keeps assailing the same target. APTs are usually covert in nature and require high-level funding and resources, characteristics consistent with a nation or a state-sponsored group. Attacks are typically complex and detailed and target specific systems or information. The attack vector may combine previously identified vulnerabilities with new zero-day exploits and may be delivered over many kinds of media.

The victims of recent APTs include the U.S. Departments of Defense and Energy, RSA, Google, the Iranian government, and Lockheed Martin. These attacks successfully compromised systems and information and went undiscovered or unhindered for some time. While there are a handful of actors, China has been responsible, directly or indirectly, for a large share of attacks seeking data across a wide spectrum, including Google source code and user data; military and defense plans and designs; intelligence data; and economic and financial information. The issue is a sensitive one: although a significant amount of industrial, military, and intelligence data is being compromised, the United States can do little diplomatically with China because it lacks conclusive proof and any means to force China to halt the attacks. Furthermore, China contends that it is also a victim and that any attacks originating from the country are the work of criminals. The U.S. government has, in cooperation with industry, investigated and tracked the attacks and has found traces and footprints that consistently tie them to China.

The United States and its allies are not only victims of APTs, however. While they do not have the same motives and targets as China, Western powers have created and executed attacks such as Stuxnet, the intricate computer worm that destroyed centrifuges in Iranian nuclear enrichment facilities. It was for this type of operation that the U.S. government established Cyber Command to conduct the offensive and defensive functions of the nation’s cyberspace. The threat landscape has changed so drastically that cyberspace is now classified as a battlefield, and as such we must be prepared to fight in it.

Advanced Persistent Threats will continue to be an issue in the cyber domain. Due to their nature they are hard to defend against completely, and new vulnerabilities and techniques will enable more attacks. Preventing these types of attacks requires a system of passive and active defenses that is constantly updated and reviewed for flaws and errors.

Source: http://www.washingtontimes.com/news/2011/dec/14/cyberthefts-of-vital-data-by-china-based-teams-ris/

Stuxnet, Duqu – sophisticated & modular

Recently, news reports of highly sophisticated malware have emerged. One, the Stuxnet worm, attacks Programmable Logic Controllers (PLCs); another, the Duqu trojan, steals data. Stuxnet appears to have targeted Iran’s nuclear enrichment facilities, which draws suspicion on the United States and Israel. Kaspersky Lab, a Russian computer security company, has uncovered evidence that these two pieces of malware share the same platform. Kaspersky named this platform “Tilded” because of the large number of files whose names begin with “~d”. Thanks to its sophistication, the “Tilded” platform is modular: the attacker can build new “modules” and simply plug them in. The analogy used in the article was: “It’s like a Lego set. You can assemble the components into anything…”. Kaspersky also suspects that the “Tilded” platform was used to produce at least three additional pieces of malware, because the common components of Stuxnet and Duqu that search for each other also search for at least three other, unknown pieces of malware.

I found this article interesting, because this is espionage of the cyber-age. A country no longer has to send spies into a volatile situation. Nowadays, a country can effectively spy and inflict damage (both virtual and real) on another country by turning the victim’s own hardware against them – and all from the comfort of the attacker’s own “living room”. Furthermore, when it is a government coordinated effort, the budget is large, the programming talent is high, and the resulting malware possesses immense sophistication. The reason I found this article particularly alarming is because this malware code went undetected for nearly a year, which not only indicates how stealthily it operated, but also how unprepared we are to detect and handle highly sophisticated malware. Also, other unsavory countries and lone hackers are likely to study this malware to improve the sophistication of their own cyber attacks, paralleling Bruce Schneier’s prediction of firewall ineffectiveness when he stated: “The effectiveness of firewalls will diminish… as malware writers catch on. This ‘tunnel-inside-and-play’ technique will only get worse.” Therefore, the effectiveness of antivirus software will diminish as the sophistication of malware writers improves – not to sound like a paranoid conspiracy theorist.

http://news.yahoo.com/stuxnet-weapon-least-4-cousins-researchers-133350494.html

Carrier IQ

About a month and a half ago it was revealed that tracking software had been pre-installed on over 141 million cell phones. The software, made by Carrier IQ, records and reports metrics to your phone carrier. This discovery forces a dialogue about the trust relationship between customers and their carrier and about exactly how the carrier treats the information that is being stored. There have been many allegations about what exactly the software tracks, some true and some closer to half-truths.

As it turns out, Carrier IQ was intended as a utility that lets a carrier intelligently diagnose network and phone issues a customer might be experiencing. For example, before Carrier IQ a carrier might detect only that 1 out of every 100 calls placed on its network was being dropped, when in reality the number might be closer to 8 or 9 out of 100. This gap between the real numbers and the ones the carrier could record was the use case Carrier IQ saw, and its product ended up meeting the carriers’ needs.

They haven’t explicitly admitted everything they track, but have specifically said that they track call drops correlated with GPS information, SMS information, web history and application/CPU usage.

Carrier IQ has made an effort to create a line in the proverbial sand in what they do and do not want to collect from users. They say that they don’t collect any content, whether it be what was actually sent in an SMS text message or the contents of a webpage that you access. They do however track the metadata for your activity, this includes who you sent your SMS message to and if it was successfully sent. The same can be said about your web history, they are tracking the URLs being accessed not what is actually being displayed on your screen.

Carrier IQ thinks that what they are collecting is harmless to the consumer, but a debate is now forming about what type of information should be okay to track and what really shouldn’t be. Carrier IQ has stated that they don’t capture the content of what the user is doing. Content is really an ambiguous term. Carrier IQ might not consider my URL history to be a private matter. I consider pretty much all of my usage history, sans maybe CPU utilization, to be a private matter (no matter how mundane my life really is). It’s something that really shouldn’t exist in a database somewhere, ready to be hacked, subpoenaed or looked at by a rogue employee who has decided that they want to know more about me. What becomes even more disconcerting is that this information is being tracked even while I am out of the country, on a Wi-Fi network not even connected to their cellular network.
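To make the metadata-versus-content question concrete, here is an added example (not code from the original post and not Carrier IQ’s software) that runs over a constructed URL-only history of the kind described above. It shows what a reader of that history learns without seeing a single page, and contrasts it with a data-minimised record that still answers the diagnostic question “did requests to this host succeed?” The URLs, hostnames and the list of telling query keys are assumptions made up for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed history: URL-only records, no page content, as the post describes.
HISTORY = [
    "https://www.google.com/search?q=symptoms+of+depression",
    "https://mail.example.com/inbox?user=jdoe%40example.com",
    "https://bank.example.com/accounts/12345678/statement",
    "http://news.example.org/2012/01/sopa-blackout",
]

# Assumption: query keys whose values tend to identify the person or what they looked for.
TELLING_KEYS = {"q", "query", "search", "user", "email", "id", "token", "session"}


def leaked_from_url(url):
    """What someone holding only the URL learns: where, which page, and any
    telling parameters. Search terms and account identifiers live in the URL,
    so 'we only keep URLs' does not mean 'we keep no content'."""
    parts = urlsplit(url)
    telling = {k: v[0] for k, v in parse_qs(parts.query).items()
               if k.lower() in TELLING_KEYS}
    return {
        "host": parts.hostname,
        "path": parts.path,
        # account/order-style numbers embedded in the path
        "identifiers": re.findall(r"\d{6,}", parts.path),
        "query": telling,
    }


def minimize_for_diagnostics(url):
    """A record that still answers 'did requests to this host succeed?' but keeps
    nothing else: path, query and fragment are discarded BEFORE storage, so there
    is nothing for a hack, a subpoena or a curious employee to recover later."""
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.hostname)


def audit(history):
    """Count how many URLs expose a telling parameter or a path identifier, and
    show what the minimised store would hold instead."""
    exposing = 0
    for url in history:
        leak = leaked_from_url(url)
        if leak["query"] or leak["identifiers"]:
            exposing += 1
    return {
        "total": len(history),
        "exposing": exposing,
        "minimized": sorted({minimize_for_diagnostics(u) for u in history}),
    }


if __name__ == "__main__":
    for url in HISTORY:
        print(leaked_from_url(url))
    print(audit(HISTORY))
```

Three of the four constructed URLs give away a search term, an e-mail address or an account number with no page content at all; the minimised store keeps four hostnames and nothing that could reconstruct any of that.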

Who knows, maybe I’m just being a paranoid parrot. Maybe no one really cares anymore about their privacy, it has been said by numerous individuals that “Privacy is dead – get over it.” I for one don’t like it and I think I’ll take my ball and go home. In all seriousness though, this software really should be industry vetted to make sure that it cannot be exploited by malicious individuals and it should be established exactly what information each carrier is tracking and for how long. This would allow consumers to identify what tabs the carriers are keeping on their customers; which I’m sure most consumers won’t like and allow for free market forces to stifle the ones being over exuberant with this tracking technology.

http://www.theverge.com/2011/12/5/2609662/carrier-iq-interview

http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/

http://www.edition.cnn.com/2011/12/02/tech/mobile/carrier-iq-reactions/


FBI Arrests Hacker of Gene Simmons Website

On the morning of Tuesday December 13, Kevin George Poe from Connecticut was arrested by the FBI for conducting a denial of service attack on Gene Simmons’ website.  The judge set a $10,000 bond and he is scheduled to appear in federal court in Los Angeles on a date yet to be determined.  Poe is said to be connected to a hacking group.  He is currently charged with one count of conspiracy and one count of unauthorized impairment of a protected computer.

“In October 2010, Poe and others linked to the Anonymous hacking collective, allegedly conducted a five-day long distributed denial of service (DDoS) attack against the server hosting Simmons’ website. According to the indictment, Poe made use of the Low Orbit Ion Cannon (LOIC,) a favorite tool used by the group to conduct DDoS attacks by sending a flood of TCP/UDP packets over a network in an attempt to overwhelm a system and make it inaccessible.”

Poe faces a maximum of 15 years in federal prison if convicted on both counts.

The website was brought down due to the denial of service attack and Gene Simmons plans to sue.
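LOIC’s traffic profile is crude: many volunteers each hammer one host as fast as they can. The script below is an added example, not from the article or the indictment, of the kind of detection a hosting provider could run over its own connection logs. It keeps a sliding window per source address and a second window over all sources together, so a distributed flood is still caught when every individual participant stays under the per-source limit. The log format, IP addresses, timestamps and thresholds are all constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <src ip> <proto> <dst port>'."""
    ts, src, proto, port = line.split()
    return datetime.fromisoformat(ts), src, proto, int(port)


def make_sample_log():
    """Constructed traffic: five hosts each send 30 TCP/80 connections within ten
    seconds (a small LOIC-style flood); three ordinary clients make three
    connections each, spread over a minute."""
    t0 = datetime(2010, 10, 14, 21, 0, 0)  # arbitrary constructed date
    lines = []
    for i in range(30):
        for n in range(5):
            t = t0 + timedelta(milliseconds=i * 330)
            lines.append("%s 203.0.113.%d TCP 80" % (t.isoformat(), 10 + n))
    for k in range(3):
        for i in range(3):
            t = t0 + timedelta(seconds=5 + k * 15 + i * 4)
            lines.append("%s 198.51.100.%d TCP 80" % (t.isoformat(), 20 + k))
    lines.sort(key=lambda l: parse_line(l)[0])
    return lines


def detect_floods(lines, window=10.0, per_source_limit=20, global_limit=100):
    """Sliding-window counters over a time-ordered log.
    Returns ({source: first time it exceeded per_source_limit in `window` s},
             [times at which everyone together exceeded global_limit]).
    The global window is what catches a distributed flood whose members each
    stay under the per-source threshold; repeat global alerts are suppressed
    for one window length."""
    per_src = defaultdict(deque)
    everyone = deque()
    noisy = {}
    global_alerts = []
    for line in lines:
        ts, src, _, _ = parse_line(line)
        for q in (per_src[src], everyone):
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()
        if len(per_src[src]) > per_source_limit and src not in noisy:
            noisy[src] = ts
        if len(everyone) > global_limit and (
            not global_alerts or (ts - global_alerts[-1]).total_seconds() > window
        ):
            global_alerts.append(ts)
    return noisy, global_alerts


if __name__ == "__main__":
    noisy, alerts = detect_floods(make_sample_log())
    for src, ts in sorted(noisy.items()):
        print("per-source flood from %s starting %s" % (src, ts.isoformat()))
    for ts in alerts:
        print("aggregate flood at %s" % ts.isoformat())
```

The per-source window flags each participant individually (the basis for the kind of logs that later identify a LOIC user, since the tool makes no attempt to hide the sender’s address); the aggregate window is what tells the operator to start rate-limiting or null-routing before the server falls over.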

http://www.securityweek.com/ddos-rock-star-face-jail-time-fbi-agents-arrest-genesimmonscom-attacker