Friday, December 10, 2010

Hacktivism on Display: Operation Payback and the Wikileaks Saga



hack
verb \ˈhak\
a : to write computer programs for enjoyment
b : to gain access to a computer illegally  

ac·tiv·ism
noun \ˈak-ti-ˌvi-zəm\
a : a doctrine or practice that emphasizes direct vigorous action especially in support of or opposition to one side of a controversial issue

hacktivism - hacking meets activism

Anonymous Logo
The Wikileaks saga has come with no shortage of drama and intrigue but it also serves as a remarkable example of hacktivism in the social networking era - when tools to organize and collaborate not only exist but are part of our everyday lives. The latest developments demonstrate just how quickly large, disparate groups can organize and with relatively simple technology do very real damage.

Background
Following the arrest earlier this week of Julian Assange, the now very public face of Wikileaks, an entity known as Anonymous has led the charge to encourage DDoS attacks on a variety of websites. Anonymous, which originally emerged from 4chan, must be considered an entity as opposed to a group because there is really no concept of membership. Anonymous is simply the banner under which like-minded individuals gather in the name of a cause - in this case, to seek retribution for perceived corporate cooperation to cripple Wikileaks, a movement that has come to be known as Operation Payback.

Communications Infrastructure
The group conducting the attacks is open and so are the communication media. Coordination has occurred via Twitter, Facebook, the Anonymous website and IRC channels. While various sites have been taken down, new ones emerge to take their place just as quickly. IRC communication has occurred primarily on irc.anonops-irc.com within a variety of channels, including #OperationPayback and #Target.

Takedowns are Futile
Various sites have been taken down and accounts suspended throughout the Wikileaks saga, as corporations are forced to walk the delicate tightrope between free speech and reputational damage. In reality, however, such efforts are futile, as the modern SaaS/Cloud/Social Internet permits new communication channels to be set up elsewhere almost instantaneously and generally at no cost.

The initial Anon_Operation Twitter account was suspended (Google Cache), only to be quickly replaced by others such as Op_Payback and Anon_SpecOps, which so far remain online. These accounts have served as one of the mechanisms to focus DDoS attacks on specific targets and also to share ongoing information about the attacks.
Suspended Anon_Operation Twitter account
Anon_SpecOps Twitter account announcing a new attack target - later taken offline

Facebook also quickly took down a group entitled Operation Payback which supported the effort, only to see dozens more show up in its place.

Facebook message announcing suspension of the Operation Payback page
Wikileaks itself has set up over 1,000 mirror sites to ensure that individual takedown efforts by ISPs or DNS providers will have a limited effect overall.

Attack
The DDoS attacks have leveraged a tool known as LOIC (Low Orbit Ion Cannon), a relatively simple tool designed to flood targets with TCP/UDP packets or HTTP headers. Some versions incorporate a 'hive mind' feature which allows the tool to connect to an IRC channel where the targets can be centrally managed. Throughout the attacks this week, Anonymous has been encouraging anyone willing to participate to use LOIC to flood specific targets. While other tools and attack methods may have been used in the DDoS attacks, LOIC is the one tool that the public at large is being encouraged to adopt. If indeed the successful DDoS attempts have used nothing more than a free Internet fire hose, it is a concerning indicator of overall DDoS defenses at the targeted networks.
LOIC with the Hive Mind feature
JavaScript-based versions of the tool, known as LOIC JS, have also been preconfigured with attack targets and hosted online. The advantage of this approach is that the tool requires absolutely no security knowledge for someone to participate in the attacks. Rather than needing to compile or install source code, a user simply pulls up LOIC JS in their browser and fires traffic at the target with the click of a button.
LOIC JS targeting PayPal
Contributors have even modified versions of LOIC JS for mobile devices to ensure that road warriors can participate in the attacks.
Mobile version of JS LOIC
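The post notes that LOIC's HTTP mode is nothing more than a high-rate stream of ordinary requests, and that the JS version lets thousands of low-skill participants contribute a modest rate each. From the defender's side, that means two things must be watched in web access logs: any single client whose request rate is implausible for a human, and the aggregate rate across all clients, which is where a crowd of individually unremarkable volunteers shows up. The following detector is an added example written for this post, not code from the original article or from any LOIC project. It assumes Apache/nginx "combined" access log lines in timestamp order, and the window size and the per-client and global thresholds are assumed values that a site would tune to its own baseline; the log lines it analyses are constructed.

```python
"""Rate-based detector for LOIC-style HTTP floods in web access logs.

Added example, not from the original post.  Assumes Apache/nginx
"combined" log lines arriving in timestamp order.  It keeps a sliding
window of request times per client IP and one for all clients together:
a single client that exceeds PER_IP_LIMIT in the window is flagged, and
a global alarm fires when the aggregate exceeds GLOBAL_LIMIT even if no
individual client looks abnormal (the volunteer-crowd case).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # common log format timestamp

# Assumed thresholds; a real deployment tunes these to its own traffic baseline.
WINDOW = timedelta(seconds=10)
PER_IP_LIMIT = 50      # requests per client per window before flagging
GLOBAL_LIMIT = 500     # requests from all clients per window before alarming


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_flood(lines, window=WINDOW, per_ip_limit=PER_IP_LIMIT,
                 global_limit=GLOBAL_LIMIT):
    """Return (flagged, alarms).

    flagged maps client IP -> peak request count seen in any window;
    alarms is the list of timestamps at which the aggregate rate crossed
    global_limit (at most one alarm per window to avoid alert storms).
    """
    per_ip = defaultdict(deque)
    everyone = deque()
    flagged = {}
    alarms = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash
        ts, ip = rec["ts"], rec["ip"]

        q = per_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) > per_ip_limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))

        everyone.append(ts)
        while everyone and ts - everyone[0] > window:
            everyone.popleft()
        if len(everyone) > global_limit and (
                not alarms or ts - alarms[-1] > window):
            alarms.append(ts)
    return flagged, alarms


def build_sample_log():
    """Constructed sample traffic: one normal visitor, one heavy client,
    and thirty light 'volunteers' whose individual rates stay under the
    per-client limit but whose sum does not."""
    base = datetime(2010, 12, 8, 12, 0, 0, tzinfo=timezone.utc)
    events = []

    def add(ip, t, path="/"):
        events.append((t, f'{ip} - - [{t.strftime(TS_FMT)}] '
                          f'"GET {path} HTTP/1.1" 200 512'))

    for i in range(3):                            # normal visitor, 3 hits per minute
        add("198.51.100.7", base + timedelta(seconds=20 * i), "/index.html")
    for i in range(120):                          # one heavy client, 120 hits in 6 s
        add("203.0.113.9", base + timedelta(milliseconds=50 * i))
    for n in range(30):                           # 30 light clients, 20 hits each in 10 s
        for i in range(20):
            add(f"192.0.2.{n + 1}", base + timedelta(milliseconds=500 * i))
    events.sort(key=lambda e: e[0])               # logs are written in time order
    return [line for _, line in events]


if __name__ == "__main__":
    flagged, alarms = detect_flood(build_sample_log())
    for ip, peak in flagged.items():
        print(f"flagged {ip}: peak {peak} requests in {WINDOW.seconds}s")
    for ts in alarms:
        print(f"aggregate rate alarm at {ts.isoformat()}")
```

Run against the constructed sample, only the heavy client is flagged individually (peak of 120 requests in the window), while the thirty light clients each stay under the per-client limit and are caught only by the single aggregate alarm. That second signal is the one that matters for the scenario in this post: per-client rate limiting at the edge will stop one LOIC user, but it does nothing against a crowd, so the aggregate view is what should drive the decision to engage upstream filtering or scrubbing capacity.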

Targets
Anonymous has targeted a variety of websites, all of which are perceived to have either caved to government demands to not support Wikileaks or have spoken out against Wikileaks and Julian Assange. 

Damage
Despite the relatively unsophisticated nature of the attacks, they do appear to have been successful in at least temporarily taking sites for Visa, PayPal and Mastercard offline as can be seen in the screenshots below. Reports also indicate that DDoS attacks took down sites for Swiss bank PostFinance, the Swedish Prosecution Authority and Sarah Palin, although an attack on Amazon was unsuccessful.

Netcraft performance graph for Mastercard.com showing downtime on December 8, 2010
Netcraft performance graph for Visa.com showing downtime on December 9 & 10, 2010
downforeveryoneorjustme.com showing downtime for api.paypal.com on March 9, 2010
IRC chat discussing api.paypal.com takedown

Netcraft is maintaining a page to monitor uptime of all sites targeted by Operation Payback.

Lessons Learned

While I certainly don't condone the Anonymous attacks, it is important that we learn from them. We have seen various instances of hacktivism throughout the years, such as the defacements that occurred following the mid-air collision of a US spy plane and a Chinese fighter jet, or Project Chanology, an earlier Anonymous effort targeting the Church of Scientology. However, I have not previously seen a movement quite like the one that we are currently witnessing, one where literally thousands of people have come together so quickly, most with limited or no security knowledge, and yet they have been able to do real damage. This has occurred in part due to the nature of the story itself, which has garnered a global audience, but it has also occurred because the tools to organize such an effort are now so readily available. From social networking sites to free hosting to ubiquitous broadband, the assets required are within reach of anyone with a web browser.

What should corporations and governments take away from this week's events?

  • Hacktivism is a legitimate threat to corporations and governments
  • Efforts by authorities to censor communication among hacktivists are futile - they will not achieve the intended goal of halting the attacks and will more likely add fuel to the fire
  • While attacks may be relatively unsophisticated from a technical perspective, they can be successful nonetheless
They got the guns, but we got the numbers
Gonna win yeah, we're taking over.
"Five to One", The Doors

- michael

3 comments:

Anonymous said...

I think by "March" you mean "December"??

Michael Sutton said...

@Anonymous, you are correct. Good catch.

-Richard said...

Yet another report that misrepresents anonymous and "operation payback".

Operation payback predates the wikileaks fiasco by months. The "payback" was for several DoS attacks suffered by ThePirateBay.org ... not wikileaks. The motivation came from a report in the Sydney Morning Herald in which an Indian IT company claimed to be launching DoS attacks at filesharing websites at the behest of US media interests, specifically Fox.

Operation Payback had many pre-wikileaks successes, most notably the demise of the firm "ACS:Law" and the "speculative billing" model of copyright enforcement in the UK.

Please read my recent BNA article covering the birth of operation payback titled "From Torrent Trackers to Anonymous Ion Cannons".