Tough titties: Govt sites stormed

Summary: Anonymous, best known for its masked protests against the Church of Scientology, has branched out into denial-of-service attacks against Australian government websites to protest the Rudd Government's plans for mandatory internet "filtering".

Last week, the group hit the Parliament House website, making it unusable for several days. The attack was dubbed "Operation Titstorm". In a Patch Monday exclusive this week, we hear from one of the organisers of those attacks, c0ld blood, speaking from somewhere in Europe.

Security consultant Crispin Harris analyses the attacks and explains why the participants may be putting themselves at risk. Colin Jacobs from Electronic Frontiers Australia explains why Anonymous' attacks aren't helping the anti-censorship cause. And in South Australia, AnonSA distances itself from the attacks.

Plus we bring you Stilgherrian's idiosyncratic wrap-up of the week's IT news — everything you would have read yourself if you weren't so busy.

Patch Monday accepts your audio comments. Either Skype to "stilgherrian", or phone 02 8011 3733 (Sydney).

Transcript

Stilgherrian: This is Patch Monday. I'm Stilgherrian. And today: Operation Titstorm, last week's attacks on the Australian Parliament House website by protest group Anonymous. We're actually going to hear from one of the organisers. And we'll also explain why the participants could well be putting themselves at risk, even apart from risking prosecution as criminal vandals. Later up we'll have our summary of the week's IT news.

But first, Operation Titstorm. The group Anonymous is perhaps best known for protesting against the Church of Scientology, wearing the Guy Fawkes mask from the movie V For Vendetta to keep their identity secret. But in fact, Anonymous started as an internet name on image boards and forums like 4chan, 7chan, Fark and Slashdot. If you want any further history, the Wikipedia article on Anonymous is as good a place to start as any.

Anonymous first gained mainstream media attention in 2008 with their anti-Scientology protest Project Chanology. The campaign included prank emails, faxes and phone calls. But most importantly from our point of view a series of denial-of-service (DoS) attacks against Scientology websites. Some of them were quite successful. And one Fox News reporter even referred to Anonymous as hackers on steroids and domestic terrorists.

Yes. Well, anyway, in 2009 Anonymous was, as they put it, reawakened to protest the Rudd Government's plans for mandatory internet filtering. On 9 September last year in what was called Operation Didgeridie a round of denial-of-service attacks took the Prime Minister's website offline for, well, 10 minutes. Bit of a joke really. To get some perspective on that, have a listen to our recent programs on cyber war and online industrial espionage.

Well, last week the Anonymous attackers returned with Operation Titstorm, which kicked off on Wednesday morning Australian time. Yes, pornographic emails and faxes with pictures of tits sent to various government workers. All very grown-up stuff. But this time the denial-of-service attacks seemed more effective. The Parliament House website was unreachable for most of the second half of last week.

Well, there's plenty to look at here. Security consultant Crispin Harris will help us understand the attacks. And as I said we'll even hear from one of the organisers. But first, the political angles. Electronic Frontiers Australia has been one of the key organisations opposing the internet filter. Vice-chair Colin Jacobs reckons Anonymous is not helping their cause.

Colin Jacobs: They don't really have a coherent strategy behind what they're doing. They're frustrated and they want to lash out, and they want to take some revenge and have a bit of a laugh at the same time. We can certainly understand the frustration that's driving it because we feel that. But the action they've decided to take is completely counter-productive. Clearly the government can't respond to threats and blackmail, and we probably wouldn't want them to.

The main reason why this is bad is that they're re-framing the debate as one about free access to legal and illegal porn, when really there are much larger issues at stake. So they make opponents of the filter look like juveniles who just want access to more porn. Whereas, really we have a much more sophisticated strategy at play.

Stilgherrian: Even other users of the Anonymous brand have distanced themselves from Operation Titstorm, including Anon SA in South Australia. And there's the problem. When anyone can just call themselves Anonymous, pranksters or even opponents can tarnish your reputation. Well, the contact for Anon SA wasn't willing to be recorded on this issue, so here's a computer reading their email response.

Computer: Anonymous is by nature an informal non-hierarchical collective which operates as a hive mind that is directed by the will of the majority. Actions attributed to Anonymous are undertaken by immune individuals who apply the Anonymous label to themselves. The widely varying actions of Anonymous range from online pranks purely for amusement for the lulz to internet vigilantism and activism. Serious business.

Anonymous targets Scientology websites as part of Project Chanology using the same techniques that some are now using against the government. After this initial action a splinter group was formed which continued to protest the Scientology cult peacefully since 2008. This is an example of how a stunt, started for the lulz, came to be refined into a serious business campaign.

We believe that the pranks that initiated the Chanology campaign are permissible against a science-fiction cult. But we do not believe that those actions are appropriate methods of dealing with government as a way of fighting against the proposed internet censorship.

The actions of other individuals under the banner of Anonymous have at times stigmatised our group by association. There is no way to regulate the actions of anyone operating under Anonymous. And the best we can do is state our disagreement with actions we do not condone.

Stilgherrian: That's Anon SA in South Australia. Well, as previously reported by ZDNet.com.au, there is a contact point for Operation Titstorm. A Gmail address. At the other end is someone using the handle c0ld blood, that's with the first O as a zero.

They've responded to questions from journalist Renai LeMay at Delimiter, and the ABC. But would they be willing to have their voice heard? The answer curiously enough is yes. On Sunday afternoon Sydney time, I recorded this interview with c0ld blood via Skype.

Are you the person who would be best described as organiser of this particular campaign that's involved in the denial-of-service attack on the Australian Parliament House website?

c0ld blood: There's lots of people organising it. But yeah, I'm one of the people.

Stilgherrian: Why did you see this issue as requiring this kind of attack? I mean I should point out, as you realise, it is an illegal thing to do.

c0ld blood: We need to send a message across that governments cannot just mess with the internet and not expect any backlash. This is a way that the whole world, and not just people in Australia, can say this isn't right.

Stilgherrian: There have been people such as Electronic Frontiers Australia saying though that conducting an illegal operation, or at least something so disruptive, does not help their campaign. That it portrays those fighting the filter as, if you like, a renegade element who are just about promoting pornography. What's your answer to that?

c0ld blood: It's a difficult balance to get right. Because, of course, the way we do run an attack it's going to upset a few people. But we feel it's the best way to get the message out there.

Stilgherrian: And how many people have been involved? Do you know that?

c0ld blood: It's between like 400 and 500 people who are actually involved.

Stilgherrian: You chose, as one of the targets, the Australian Parliament House website. And as you probably know it's been overloaded for several days now. Though, as we're recording this on Sunday afternoon Australian time, it does appear to be operational again. Why did you choose the Parliament House website as a target?

c0ld blood: I'm not actually sure why we chose that. But there was a long list of ones which were going to be targeted and I think that one just fell down the easiest. So people carried on doing it.

Stilgherrian: We've seen tools being used such as the Low-Orbit Ion Cannon, Slow Loris and others.

c0ld blood: Yes.

Stilgherrian: Elsewhere in the program we have an Info Sec specialist who will explain how they work.

c0ld blood: OK

Stilgherrian: They are purely denial-of-service attack tools, are they not?

c0ld blood: Yes, they are.

Stilgherrian: How do you rate the success of this operation?

c0ld blood: It's been quite successful because it's highlighted to the Australian Government that it's not going to happen easily. If they're going to put the filter up, people are going to stand up and are going to do something about it.

Stilgherrian: But I mean the filter's not already in place. There's still quite a bit of process to go through in a political sense. Wouldn't it be more constructive, and perhaps portray the opposition to the filter in a better light, if there was like an engagement in the political tools that were already available?

c0ld blood: It would be. But it would just be falling on deaf ears. By DoSing the sites it's forcing the hand of the Australian Government because they're going to have to take notice.

Stilgherrian: Are they? I mean they can perhaps just ignore this and move on.

c0ld blood: I think they have taken notice and I think though it's going to be they have requested to talk to some of our people about it.

Stilgherrian: Even within people who are branded Anonymous, who take on the Anonymous label. I know Anonymous South Australia has said this is not the way to go. I have seen this kind of action described as a splinter group from Anonymous. Is that a fair characterisation?

c0ld blood: No. All the live protests and stuff is more of a splinter group from what Anonymous originally was. It's just getting back to more of Anonymous' original roots.

Stilgherrian: Do you want to expand on that for those that don't know the history?

c0ld blood: We started off just on websites and finding stuff that annoyed us, and doing these kinds of attacks like flooding forums and stuff like that. And we've kind of expanded to more of a political basis. It started with Scientology which started out, as the Australian Government did, with DoS attacks and so on. And now it's turned into a more live protest movement.

Stilgherrian: Now anyone can put the label Anonymous on their actions, of course. How would you describe your relationship to the people who have been involved in this particular series of denial-of-service attacks?

c0ld blood: I personally haven't actually taken part in any of the denial-of-service attacks. But I've helped advise and talked to people about what they're doing and of course in aiding their efforts.

Stilgherrian: How would you describe the people themselves? Is there a particular demographic? I ask because, of course, Anonymous is often perceived as kids and teenagers I saw in one description. Is that fair?

c0ld blood: That is a fair description and lots of them are kids and teenagers. And the main reason that they take part in these attacks is because kids and teenagers don't really get the chance to voice their opinions. But by doing this and acting as a huge large group, they're getting their opinions heard.

Stilgherrian: This attack has made Australian Parliament House website unable for some days, I must say to the annoyance of political journalists. And Senator Stephen Conroy, our minister for Communications, has shown no sign of caving in on this issue at any time in this. Where do you see actions going next?

c0ld blood: Currently, there's plans to let in more live protests and, yeah. So the main plan at the moment is to move the protests away from the illegal DoSing to legitimate protests.

Stilgherrian: May I ask how you got involved in Anonymous yourself?

c0ld blood: I found lots of people on the website. I mainly started after the Scientology raids. And I now run one of the chat networks which is used mainly for stuff like this.

Stilgherrian: Has your focus in terms of censorship been solely on Australia's laws? Or have you been looking at some of the others around the world?

c0ld blood: Well, in previous months we focused on Iran when they were censoring the internet after their election. So it's not just Australia. It's really any country which feels it's necessary to censor the internet.

Stilgherrian: That's c0ld blood. One of the organisers of the Anonymous denial-of-service attacks on Australia's Parliament House website. So just what is a distributed denial-of-service attack? How are these done? And how do they stack up? I spoke with our occasional guest here on Patch Monday, security consultant Crispin Harris.

Crispin Harris: The main thing that makes it a distributed denial-of-service attack is that it comes from a large number of source addresses that makes it very difficult to block. What a distributed denial-of-service is not is a set of specific targeted attacks against some end user or corporation government system.

Stilgherrian: So when we see media reports saying that the Parliament House website is hacked, we really shouldn't use that word hacked, should we?

Harris: No, the distributed denial-of-service is not a compromise. It is, in the words that we use for it, a distributed denial-of-service. What it's doing is taking the target site offline. It's not actually doing anything nasty to it except making it not work.

Stilgherrian: Well, service was denied. The Parliament House website was not available for most of the time over several days there. That is an unusual situation surely.

Harris: Mostly unusual in terms of the size and the infrastructure that Parliament House have behind their website. That system usually would be expected to cope with a large volume of transient traffic.

But distributed denial-of-service attacks are not that uncommon. Google experienced some recently. So has Facebook. And a number of other large organisations. It's unfortunately, technically, it's not a difficult attack to do. Very few organisations are going to put their hand up and say we've been taken offline by people without a clue. But they're happening all the time and they're part of the internet background radiation.

Stilgherrian: And it is just an issue that any IT infrastructure is provisioned to a certain level. So once you fill up the capacity that's it.

Harris: Absolutely. And a lot of the internet infrastructure is very expensive to build and maintain. So you only want to build enough capacity for what your expected peak load is. So when somebody comes along and aims 20,000 laptops at one web server, that web server is unlikely to be able to cope with the load.

Stilgherrian: Now we've actually downloaded and had a look at the set of attack tools that were being suggested for this particular operation by Anonymous. What is your opinion of that set of tools?

Harris: I ran through a gamut of emotions on this one. I initially looked at them and, frankly, I laughed. The tools themselves are very low tech tools. There's a text file that tells you to, amongst things, email porn to members of Parliament. Excellent. Well done, guys. The second one is that there is a traffic flood tool called Low Earth Ion Cannon. We'll come back to that a bit later. And the third one, and this is the actually only interesting piece of the whole kit and caboodle, is a tool called Slow Loris that does a web server resource exhaustion attack.

Stilgherrian: Can you expand on that?

Harris: What this tool does, is it starts off and it opens a connection to the web server and fails to complete. It says, 'hello web server, I'm here. I'll talk to you in a minute. Can you hold please?' And every so often it pipes up and it says, 'yes, I'm still here. Please hold.' Unfortunately, the web server can only come up with a certain number of open sessions at any time, or calls that are coming in. And once you fill up these call lines no other sessions can start.

Stilgherrian: So as you say, these attacks are very easy to do. That sounds like an extremely easy programming exercise. And yet at the same time it's going to fill up the capacity of the web server, well, relatively quickly if it's coming from a large number of locations all at once.

Harris: Yes. These attacks were first designed in the mid-'90s, and at that point it was not uncommon for a web server to only be able to cope with 400 or 500 connections at once. And one machine, using a tool like Slow Loris, could easily open all of those connections. These days web servers can cope with 20,000 to 30,000 or more, so it takes a few more machines to fill them up.

Stilgherrian: Now our friend from Anonymous earlier did say there were 400 or 500 people that he knew of involved in this attack which is presumably 400 or 500 computers. Perhaps a few more than that if they doubled up. In terms of the scale of a denial-of-service attack where in the spectrum does that sit?

Harris: That's piddly. It really is tiny. You can buy a thousand computers on a botnet to do something like this for less than US$100.

Stilgherrian: And yet that is enough to bring down a website like that of Parliament House.

Harris: Oh, yes. What I really would have expected from this was an attack that had closer to 10,000 or even 50,000 or 100,000 machines. Each machine doing a small amount of traffic. And thus having that large number of source addresses. 10,000 machines is a very difficult scale to cope with, to try and block. If Parliament House haven't removed these 500 machines already from their access lists, I might be suspecting that there's something else involved.

Stilgherrian: Such as?

Harris: At this point I'm giving complete speculation. Why would Parliament House and the Australian Government cyber-security response not have blocked 500 to 1000 IP addresses at their upstream routers? That seems to suggest that they're not upset by this continuing to occur.

Stilgherrian: Well, I mean Parliament House, while the website is important to journalists wanting to download Hansard from the previous day's Parliamentary debates and so on — it's not mission critical infrastructure.

Harris: And I suspect that we might have trouble trying to find more than, say, 1000 people that have even been seriously inconvenienced by this.

Stilgherrian: And therefore it's not worth spending the money on defending against the attack. Yeah, just let it peter out I suppose as people lose interest and move on.

Harris: And also from the Department of the Internet's perspective, all this is doing is providing bad publicity for the anti-filter crowd.

Stilgherrian: That point is continually being made by people along the way. Now these tools that were being distributed as part of this attack here were all things that directly ran on the attacker's computer. That means that all this is extremely easy to log and trace back to the participants, isn't it?

Harris: Yes, in two different ways. One is that from the perspective of the government's cyber response it's very easy to find these 500 people that have been nice enough to run the tool. And within no more than a few hours of it beginning, every single one of those machines was pinpointed to exactly which bedroom it was sitting in.

From the second perspective, and this is where I start to get a little bit worried, at least one of the tools involved has been provided from a completely unsafe source — and is known to be a hacking tool — has also in the past been listed as being a remote control trojan and a botnet enrolment process.

Stilgherrian: Now this is the Low Orbit Ion Cannon which was one of the tools distributed.

Harris: Yes. It is one of the most basic of denial-of-service tools. It's exactly the same sorts of thing that was being used by university students in 1994-95 to take their friends off the network. And there's nothing new that's been added to it, except I suspect the back door for somebody else's remote control environment.

Stilgherrian: So essentially what you're saying, is that by participating in this attack, using the tools provided, everyone has just compromised their own computer.

Harris: Absolutely. Exactly the same way that people are encouraged to go to a website to download malware; you're now saying please, come in and protect the internet by joining Operation Titstorm and we'll take control of your computer to use it however we like later.

Stilgherrian: This really is a fairly clear indication of the level of knowledge amongst the participants really, isn't it?

Harris: Absolutely. There were so many things in this that rang alarm bells, not just to me, but to my non-technical wife. She looked at it and said, 'no way. That's just silly — and naïve'.

Stilgherrian: So to wrap it up again, to put this whole attack in perspective, it's a relatively minor thing in the grand scheme of things. And yet at the same time it shows how easy it is for a relatively small group of people to disrupt communications.

Harris: Oh, yes. This attack in itself is not much more than blow and bluster. There's a lot of noise about it. It's caused a fair amount of media coverage. But in terms of actual threat or damage in the attack itself, it's got to be listed as right down there in very minor areas.

The big danger in this is really two-fold. One is that the machines that were involved in these attacks are now most likely compromised. The second one, and it's a little bit more important for Australian Parliament House and for the Australian cyber-response capability, is that there might well be a more sophisticated attack going on underneath all the noise that this is causing.

This attack is generating a lot of traffic and a lot of log entries. So that monitoring systems are going to have quite a lot of data in them. A sophisticated attacker could use this as an opportunity to do a slow volume-specific pointed attack under the cover of all of this other noise. That attack has a higher likelihood of getting through when there's all of this other traffic going on.

Stilgherrian: That's security consultant Crispin Harris. Now if you have any comments on this issue, or any other part of the program for that matter, please leave them at the website zdnet.com.au/blogs/patch-monday. Don't forget the hyphen. You can also leave audio comments via Skype or the phone. The Skype ID is stilgherrian. The spelling's on the website. Or phone Sydney 02 8011 3733. I would love to include your comments on this in next week's program. You're listening to Patch Monday. Time for a look at the week's IT news.

The Federal Government has announced that it will introduce full body scanners at eight Australian airports next year at a cost of $28 million. These are the ones that create a 3D image of what you look like underneath your clothes. Well, apart from concerns about the privacy aspects and perhaps even the risk from x-rays for frequent fliers, there's another question. Do they actually do anything to increase security?

Defence technology company Thales Australia has won an extension to provide support services for Australian defence force command and control systems. The five-year contract is worth $51 million, and the 37 jobs are based in Canberra and Perth.

In Melbourne, myki contractor Kamco has brought in experts from overseas to troubleshoot the problematic e-ticketing system. The new Transport Minister Martin Pakula is issuing the spin: "The government is obviously frustrated that the contractor has not met its contractual requirements to deliver myki," he said. Never the government's fault, is it? No.

IBM and the University of Melbourne have announced a partnership worth $100 million. IBM will supply a super computer called Blue Gene to be used for computational drug discovery plus manpower.

Another step forward for e-health in Australia. The Healthcare Identifier Bill was introduced to Federal Parliament last week. The plan is to give every Australian and every healthcare provider a unique 16-digit ID number. Well, you wouldn't give them the same one, would you? If the new laws pass the numbers will be assigned by the middle of this year.

Victorian police are investigating attacks on Melbourne-hosted web servers. A hacker named Ghost Buster is apparently targeting businesses to protest assaults on Indians in Australia.

And finally a little follow-up to last week's program about the iiNet case. As you may remember they were found not to have authorised the copyright infringement done by their customers. Well, Roadshow Films, it turns out, donated almost half-a-million dollars to Australian political parties in the lead up to filing its case in the Federal Court.

The Australian Electoral Commission reports on political donations for 2007-08 showed that Roadshow donated a total of around $290,000 to Labor, $198,000 to the Liberals, spread between federal and state branches. That puts Roadshow up near the top end of political donors. For the details of those stories and much more, the place to go is ZDNet.com.au.

That's all for this week. I've already told you how to comment, haven't I? Yes, I have. So that's it. You've been listening to Patch Monday for ZDNet Australia. I'm Stilgherrian. See you next time.

Topics: Censorship, Government, Government AU

About

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

Talkback

6 comments
  • In light of recent events..

    This is an official statement from the Melbourne Anonymous protesters fighting the cult of Scientology:

    We do not endorse the actions of the Anonymous hackers involved in this morning's attacks on parliament/government websites. We are a peaceful protest group who, whilst we agree that Internet censorship is detrimental to the development of our nation and dangerous to those it allegedly protects (children and teenagers), we do not condone various motives behind, and the methods used by the individuals responsible for the DDoS attacks.
    anonymous
  • It's true

    Yes, with your links and the SMH link, you can put it together and find he is Val - moderator of the Sydney Anonymous website.

    http://www.fightdemback.org/archive/people/sanders-andrew/

    Then look for Val on the Sydney site.
    anonymous
  • Anonymous Racist Leader

    Here is the link again for anyone who missed it: http://www.smh.com.au/news/national/white-supremacist-crackdown-call/2005/12/20/1135032001455.html
    anonymous
  • Clarification

    Being a moderator of a site does not make you the leader of that site.
    anonymous
  • Nice work.

    Nice podcast. Doing some research after listening...

    Given the large amount of people, likely most weren't knowledgeable in any sort of php or scripting. Wouldn't it make sense the tools are basic for the basic masses?

    The Low Orbit Ion Cannon used in the toolkit is available from sourceforge.net and according to the ED article that's where they were linked to. If you had your expert 'look' at the source then likely he'd see there isn't anything there... is there a separate toolkit with a trojan?

    You also speculate that they are 400- people with 400 machines. But then he mentions a botnet you could buy. Could it not be possible some of them had botnets themselves? Wouldn't this make more sense? Or did you guys get research and figure out how many.

    Either way I'm not sure if anyone can stop Conroy. This is just pissing on his shoes I imagine.
    anonymous
  • Yes, there were botnets

    When Crispin Harris and I discussed the attack, we took the 400-500 humans and figured they may have access to a couple computers each on average. 1000 computers can generate the 7.5 million requests per second that were reported by Fairfax, provided they have the uplink bandwidth. However that was very much a back-of-the-envelope guesstimate.

    Since then, c0ld blood has told me that some of the participants did have botnets, which would fit some other details of the attack descriptions.

    The Low Orbit Ion Cannon was being distributed as a .exe file from an anonymous file sharing site, not as source. Some versions of LOIC have been found with trojans. We sent the distributed version off for testing, but have not yet heard back. Further news as it comes to hand.
    anonymous