Researchers Release Attack Tool That Cripples Secure Websites

Researchers have released an attack tool that makes it trivial for anyone to take down websites that allow users to connect via secure connections.

Unlike most denial-of-service attacks (DoS) that require an attacker to direct a network of distributed computers to take down a website by flooding it with fake traffic, the so-called THC-SSL-DOS tool purportedly allows an attacker to achieve the same result from a single computer — or in the case of a website with a number of webservers, just a handful of computers would be sufficient.

The tool, released by a group called The Hackers Choice, exploits a known flaw in the Secure Sockets Layer (SSL) protocol by overwhelming the system with secure connection requests, which quickly consume server resources. SSL is what’s used by banks, online e-mail providers and others to secure communications between the website and the user.

The flaw exists in the process called SSL renegotiation, which is used in part to verify a user’s browser to a remote server. Sites can still use HTTPS without that renegotiation process turned on, but the researchers say many sites have it on by default.

“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century,” said the researchers in a blog post.

The attack still works on servers that don’t have SSL renegotiation enabled, the researchers said, though it takes some modifications and some additional attack machines to bring down the system.
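The renegotiation behaviour described above is also what a site operator can watch for: a legitimate browser renegotiates rarely, while a client that drags the server through handshake after handshake on a single connection stands out in the logs. The following Python script is an added example, not part of the article or of the THC tool. It assumes a hypothetical front-end proxy log with one `timestamp key=value ...` record per TLS event (the sample lines below are constructed for the example) and flags any connection that issues five or more renegotiations within a ten-second window, the kind of check that complements turning off client-initiated renegotiation on sites that do not need it.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the article). Format is a
# hypothetical TLS event log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2011-10-24T10:00:00 src=203.0.113.5 conn=1 event=handshake
2011-10-24T10:00:00 src=203.0.113.5 conn=1 event=renegotiation
2011-10-24T10:00:00 src=203.0.113.5 conn=1 event=renegotiation
2011-10-24T10:00:01 src=203.0.113.5 conn=1 event=renegotiation
2011-10-24T10:00:01 src=203.0.113.5 conn=1 event=renegotiation
2011-10-24T10:00:01 src=203.0.113.5 conn=1 event=renegotiation
2011-10-24T10:00:02 src=203.0.113.5 conn=1 event=renegotiation
2011-10-24T10:00:00 src=198.51.100.7 conn=2 event=handshake
2011-10-24T10:00:30 src=198.51.100.7 conn=2 event=renegotiation
2011-10-24T10:01:10 src=198.51.100.7 conn=2 event=renegotiation
2011-10-24T10:00:05 src=192.0.2.9 conn=3 event=handshake
2011-10-24T10:00:05 src=192.0.2.9 conn=3 event=data
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["conn"] = int(rec["conn"])
    return rec


def find_renegotiation_abusers(log_text, window_seconds=10, threshold=5):
    """Return {(src, conn): first_flag_time} for every connection that
    issued `threshold` or more renegotiations inside any span of
    `window_seconds`. Each renegotiation costs the server a full
    handshake's worth of private-key work, so a burst on one connection
    is the signature a defender cares about."""
    records = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda r: r["ts"],
    )
    recent = defaultdict(deque)  # (src, conn) -> timestamps in window
    flagged = {}
    for rec in records:
        if rec["event"] != "renegotiation":
            continue
        key = (rec["src"], rec["conn"])
        window = recent[key]
        window.append(rec["ts"])
        # Drop timestamps that have aged out of the sliding window.
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and key not in flagged:
            flagged[key] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for (src, conn), when in find_renegotiation_abusers(SAMPLE_LOG).items():
        print(f"{when.isoformat()} renegotiation burst from {src} conn {conn}")
```

With the defaults, only the first connection is reported: six renegotiations in two seconds trips the threshold at the fifth one, while the connection that renegotiates twice forty seconds apart and the connection that never renegotiates stay quiet. The variant the researchers mention, which works against servers with renegotiation disabled by opening many fresh connections instead, would not show up in this per-connection count; for that, the same sliding-window logic applied to full handshakes per source address is the natural next check.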

The group notes that vendors have been aware of the vulnerability since 2003, but have not fixed it.

Photo: Al Ibrahim/Flickr

‘Torture’ Judge Gets $3.4 Million Legal Defense for Free

A federal appeals court judge, who as a government lawyer signed off on secret memos authorizing the use of the torture technique known as waterboarding against terrorism suspects, received $3.4 million in free legal services while successfully fending off ethics charges over the authorization.

Jay Bybee, now a member of the San Francisco-based 9th U.S. Circuit Court of Appeals, headed the Justice Department’s Office of Legal Counsel and signed off on memorandums authorizing waterboarding, internationally recognized as torture, and harsh interrogations in the wake of 9/11. Bybee worked in the office from November 2001 to March 2003, supervising the memos’ controversial author John Yoo. In 2003, President George W. Bush appointed Bybee to the appeals court.

Despite the elevation of Bybee, the DoJ’s Office of Professional Responsibility opened an investigation in 2004, looking into whether to file professional misconduct charges against him for providing legal cover for the use of torture against terrorism suspects, including Khalid Sheikh Mohammed, the alleged mastermind of 9/11.

But, thanks to the help of Los Angeles firm of Latham & Watkins, the investigation was dropped in 2010.

The National Law Journal on Monday published Bybee’s financial disclosure statements for the 9th Circuit. They show that Latham had donated $3.25 million in services and a few other firms another $150,000 in the years leading up to the government’s decision concluding that Bybee and underling Yoo had not committed professional misconduct.

According to the National Law Journal:

The episode continues to affect Bybee’s role as a judge because of potential conflicts of interest involving Latham. The firm has a major presence in the 9th Circuit, but a search of court records shows that, since Bybee’s troubles began, he has disqualified himself from cases in which Latham lawyers are representing a client.

Latham told the National Law Journal that Bybee will continue to recuse himself “for some time.”

WikiLeaks Halts Publication Over Cash Flow Issues

For the second time in two years WikiLeaks announced it was suspending publication of secret documents due to financial difficulties.

The site has already failed to make good on months-old claims that it has a cache of new secrets to unleash, including internal documents from Bank of America, and the new announcement would postpone their publication even longer. WikiLeaks announced on Monday that it was halting publication because it was running out of cash and needed to focus on fundraising.

At the same time, the site announced that it planned to launch a new submission system on Nov. 28, a year after it began publishing a cache of more than 250,000 U.S. State Department cables. The site didn’t say how it planned to publish new submissions if it was experiencing financial problems.

“In order to reclaim the organization’s future survival, WikiLeaks is now forced to temporarily suspend its operations and move into a phase of fund-raising,” WikiLeaks founder Julian Assange said in a statement.

The announcement comes just days after Assange told an audience that his organization had sustained itself over the last 11 months solely on cash it had already raised from donations.

Last April, the Wau Holland Foundation, the Berlin-based non-profit that was responsible for processing donations to WikiLeaks that were made through PayPal and bank transfers, disclosed that it had received about $1.9 million in donations for WikiLeaks in 2010. More than half of that amount, or $700,000, came in November and December of that year, after WikiLeaks and several newspapers began publishing the trove of diplomatic cables allegedly received from Army intelligence analyst Bradley Manning.

In a new video plea for donations (see above), Assange asserts that his organization has “thousands of pending revelations,” and needs money to support its fight against PayPal, Visa, MasterCard and other payment systems that froze the organization’s accounts after it began publishing the State Department cables last year.

Assange said the account freezes had left WikiLeaks “with just 5 percent of our financial lifeline” and had “wiped out successfully 95 percent” of donations, though he offers no details to support this assertion.

As part of its new fundraising push, WikiLeaks listed the cost of its operations, though it didn’t elaborate on how it reached the expenditure figures or define what such expenditures as “technical information” and “legal costs” meant. WikiLeaks has been criticized in the past for failing to be transparent about how it spends donations. The list of its costs includes:

  • Security – $300,000
  • Publications research – $500,000
  • Legal costs – $1.2 million
  • Productions – $400,000
  • Salaries and staff expenses – $500,000
  • Campaigns – $300,000
  • Technical information – $500,000

The amounts far exceed expenditures that Wau Holland listed for the site in 2010. According to the foundation, little more than $200,000 was used by WikiLeaks for the cost of processing submissions. This involved “reviewing and editing incoming material, video authoring, analyzing and arranging a large number of documents … anonymisation and much more.” The sum also included the “involvement of external experts like journalists.” In 2010, WikiLeaks sent two Swedish journalists to Iraq to locate and interview two children who were injured in an Army Apache attack, a battle that featured in the now-famous Iraq “Collateral Murder” video that WikiLeaks published in April of last year.

According to the Wau Holland report, an additional $152,000 was paid to “a few heads of project and activists,” for services invoiced. This appeared to reference salaries paid to staffers, though the report didn’t specify how this expense differed from expenses attributed to processing submissions.

The report also didn’t say how much Assange personally received from the funds, though the Wall Street Journal reported previously that he received about $88,000 in back pay for work performed in 2010.

Wau Holland paid out about $87,000 to cover WikiLeaks’ infrastructure expenses, such as servers and other hardware; another $91,000 went for travel costs to conferences, meetings and lectures. Additionally, Wau Holland paid out $48,000 in legal fees. This was defined as costs for project campaigns, “not for individual-related legal advice or legal representation in court proceedings.” The latter likely referred to the personal legal expenses that have been racked up over the last year by Assange, who is facing sex-crimes allegations in Sweden and has been fighting an extradition battle in London.

The group has paid out only $15,000 to help with the legal defense of Manning, who is currently awaiting trial on charges that he passed classified and other sensitive U.S. government documents to a third party.

WikiLeaks spokesman Kristinn Hrafnsson wouldn’t provide details on how the new submission system will differ from the site’s previous system. He told the Australian newspaper The Age only that “it is fair to say that it has been rebuilt from scratch and is more robust and secure than the previous version.”

WikiLeaks lost its previous submission system last year when its former spokesman Daniel Domscheit-Berg and another staff member defected from the organization and took the submission system with them.

WikiLeaks covered up the loss at the time by saying it had disabled its submission system because it had been inundated with too many submissions. Domscheit-Berg later revealed the truth behind the downtime and criticized Assange for operating a system that wasn’t secure and put both sources and visitors to the web site at risk.

WikiLeaks ceased publication of documents once before, due to financial troubles. In December 2009, right before Manning allegedly began to leak large caches of documents to WikiLeaks, the site announced a temporary suspension of publication until it could raise money. The submission system didn’t come back online until the subsequent spring.

Threat Level’s Kim Zetter Writing the Book on Stuxnet

Wired senior staff writer Kim Zetter won a feature writing award from the Society for Professional Journalists of Northern California last week for her riveting story on how researchers discovered and dissected Stuxnet, a worm intricately programmed to wreak havoc on an Iranian nuclear facility.

And in a bit of nice timing, Zetter has officially committed to writing a book, tentatively titled Countdown To Zero Day, expanding on the tale. The book will investigate the implications of what is considered to be the first known virus intended to destroy critical infrastructure and the first shot fired in a new era of digital warfare. The book will be published by Crown (a division of Random House). No publication date has been announced yet.

Here’s a taste of the award-winning story:

It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium.

Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the “clean” cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings.

Any time workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up for IAEA inspection to verify that no radioactive material was being smuggled out in the devices before they were removed. The technicians had been doing so now for more than a month.

Normally Iran replaced up to 10 percent of its centrifuges a year, due to material defects and other issues. With about 8,700 centrifuges installed at Natanz at the time, it would have been normal to decommission about 800 over the course of the year.

But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran’s enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months.

The question was, why?

Read the full story from July, and for a follow-up, see Zetter’s story this week on the recent discovery of a mysterious successor to Stuxnet, called DuQu.

SPJ NorCal announcement.

Photo Illustration: Jim Merithew/Wired, based on story design work by Dennis Crothers.