Combating Distributed Denial of Service Attacks in Brazil, Latin America, and Everywhere Else

One of the most disruptive attacks to deal with in today’s threat landscape is the distributed denial of service attack, often called DDoS. Using the resources of many other computers, an attacker can focus a vast amount of packets and power at a single resource and effectively knock it offline for as long a time as desired. This is a class of attack that must be respected and properly prepared for.

Recently McAfee Labs became aware of a series of DDoS attacks taking place in Brazil over the last several days. Victims of these attacks included organizations in the telecommunications and banking sectors. Upon analysis, these attacks appear to use a mix of techniques: old-school SYN and ICMP flooding alongside newer tools such as LOIC and SlowLoris. Regardless of the tools used, these types of attacks can be devastating to an online business and its brand.

While the attacks on Brazilian companies do not stand out in their technique (good DDoS is still DDoS), they are significant because Brazil is a large, fast-growing economy that affects other regions and should be looked at in a serious light regardless of the attackers and their motivations. So the question remains: What strategies can companies use to minimize the damage from these types of attacks?

No one technology will do the job. Never has, never will. Good security is about process, people, and technology. Certainly newer technologies like next-generation intrusion prevention and firewalls with IP reputation are of great value and should be looked at; but a good, thorough penetration test should be at the top of everyone’s list along with forensics and a good incident-response plan.

If your company is in the same business as some of the recent victims, then this is a good time to take stock, undergo a good pen-test, and see how well prepared you are.

Revisit your security basics, layer your defenses, and expect an attack.

Feds’ Use of Fake Cell Tower: Did it Constitute a Search?

Federal authorities used a fake Verizon cellphone tower to zero in on a suspect’s wireless card, and say they were perfectly within their rights to do so, even without a warrant.

But the feds don’t seem to want that legal logic challenged in court by the alleged identity thief they nabbed using the spoofing device, known generically as a stingray. So the government is telling a court for the first time that spoofing a legitimate wireless tower in order to conduct surveillance could be considered a search under the Fourth Amendment in this particular case, and that its use was legal, thanks to a court order and warrant that investigators used to get similar location data from Verizon’s own towers.

The government is likely using the argument to avoid a court showdown that might reveal how stingrays work and open debate into the tool’s legality.

Stingrays spoof a legitimate cellphone tower in order to trick nearby cellphones and other wireless communication devices into connecting to the tower, as they would to a real cellphone tower. When devices connect, stingrays can see and record their unique ID numbers and traffic data, as well as information that points to a device’s location. To prevent detection by suspects, the stingray sends the data to a real tower so that traffic continues to flow.

By gathering the wireless device’s signal strength from various locations, authorities can pinpoint where the device is being used with much more precision than they can get through data obtained from the mobile network provider’s fixed tower location.

According to an affidavit submitted to the court by the chief of the FBI’s Tracking Technology Unit, the stingray is designed to capture only the equivalent of header information — such as the phone or account number assigned to the aircard as well as dialing, routing and address information involved in the communication. As such, the government has maintained that the device is the equivalent of devices designed to capture routing and header data on e-mail and other internet communications, and therefore does not require a search warrant.

The device, however, doesn’t just capture information related to a targeted phone. It captures data from “all wireless devices in the immediate area of the FBI device that subscribe to a particular provider” — including data of innocent people who are not the target of the investigation, according to the affidavit. FBI policy requires agents purge all data stored in the surveillance tool at the conclusion of an operation, so that the FBI is not collecting “information about individuals who are not the subject of criminal or national security investigations,” the affidavit added.

The device in this case was used to track an aircard allegedly used by Daniel David Rigmaiden, a 30-year-old self-described hacker suspected of being the ringleader of an identity theft group that stole millions of dollars by filing bogus tax returns under the names and Social Security numbers of other people.

The thieves operated their scheme for at least three years from January 2005 to April 2008, allegedly filing more than 1,900 fraudulent tax returns involving about $4 million in refunds. The conspirators used more than 175 different IP addresses around the U.S. to file the fake returns.

According to court documents, authorities used a variety of other avenues to track Rigmaiden, including obtaining video footage taken at a Verizon payment kiosk in San Francisco. This presumably was to help identify who had paid in person for an account belonging to a person named Travis Rupard — one of the identities Rigmaiden allegedly used during his crime spree.

Investigators used the stingray to trace the aircard to an apartment complex in Santa Clara, California, according to the FBI affidavit. Court documents indicate the device led investigators “to the general proximity of defendant’s usage of the aircard,” allowing authorities to narrow the air card’s location to three or four apartments in a residential complex.

Rigmaiden has been in custody since May 2008 and is representing himself at the U.S. District Court of Arizona, after dismissing multiple attorneys. The government’s assertion about the spy tool comes in response to a motion for discovery that Rigmaiden filed requesting, in part, details of how authorities tracked him.

The government has so far refused to provide information about how the device worked or the techniques they used to monitor the air card, calling such “sensitive investigative techniques” privileged information.

Until now, the U.S. government has asserted that the use of stingray devices does not violate Fourth Amendment rights, and Americans don’t have a legitimate expectation of privacy for data sent from their mobile phones and other wireless devices to a cell tower.

But authorities changed their tone in the Rigmaiden case after the defendant argued that using the device to locate a wireless aircard inside an apartment constituted a search, and therefore required a valid search warrant, which he asserts authorities didn’t have.

After the judge indicated he’d seek more information about the device, prosecutors conceded that in this case its use could be considered a search. They also argued that its use was covered by a court order and a warrant that authorities used to obtain near real-time tracking information directly from Verizon Wireless. A separate tracking warrant, prosecutors say, wasn’t necessary for its fake tower.

Despite the apparent shift in the government’s argument in this specific case, it still maintains that stingray devices do not violate Americans’ privacy, since the target doesn’t “have a reasonable expectation of privacy in his general location or in the cell site records he transmitted wirelessly to Verizon.”

The Metropolitan police in London have used similar technology which takes the surveillance a bit further, according to a recent story in the Guardian. The British device can be used to identify all mobile phones in a given area, capture and record the content of calls and remotely disable phones.


Feds Drop Plan to Lie in Public-Record Act Requests

Bowing to political pressure, the Justice Department abruptly dropped proposed revisions to Freedom of Information Act rules Thursday that would have authorized the government to inform the public that requested records do not exist even if they do.

The proposal would have granted the government a new option to state that documents relevant to a FOIA request did not exist. According to the Justice Department’s proposal, if the government believes records should be withheld, the government agency to which the request was made “will respond to the request as if the excluded records did not exist.”

Under normal practice, which seems Orwellian enough, the government may assert that it can neither confirm nor deny that relevant records exist if the matter involves national security.

Civil rights groups, and a host of lawmakers from both sides of the spectrum, had blasted the Justice Department’s original proposal.

“For five decades, the Freedom of Information Act has given life to the American value that in an open society, it is essential to carefully balance the public’s right to know and government’s need to keep some information secret,” said Senate Judiciary Chairman Patrick Leahy (D-Vermont). “The Justice Department’s decision to withdraw this proposal acknowledges and honors that careful balance, and will help ensure that the American people have confidence in the process for seeking information from their government.”

The American Civil Liberties Union, OpentheGovernment.org and Citizens for Responsibility and Ethics in Washington lobbied against the proposal, which the Justice Department said Thursday “falls short” in balancing openness with national security.

“Putting an end to lies about the mere existence of documents is one step toward restoring Americans’ trust in their government,” said Laura W. Murphy, the ACLU’s Washington, D.C. legislative director.

Still, the government has embraced lying even without FOIA being altered. And judges aren’t very tough on the government when it does lie in FOIA cases.

Last month, for example, a federal judge decided not to hold the CIA in contempt for destroying videotapes of detainee interrogations that included the use of a torture technique known as waterboarding, ruling instead that the spy agency merely committed “transgressions” for its failure to abide by his court order to produce them in a FOIA case brought by the ACLU.
