Staring Down a Rogue Bus: An Introduction to ‘Crowd Control’

Occupy Oakland protesters rally in front of the State of California building Wednesday, Nov. 2, 2011, in Oakland, Calif. Oakland's citywide general strike, a hastily planned and ambitious action called by Occupy protesters a day after police forcibly removed their City Hall encampment last week, shut down the Port of Oakland.

On Wednesday afternoon, as my wife and son and I were walking to Occupy Oakland, we saw a bicycle get hit by a bus. The biker wasn’t hit hard, and he didn’t seem hurt.

But we stopped to help him out, in part because the same bus had borne down on us, too, while we’d been walking through the crosswalk. It was one of those classic muscle plays by a driver, intimidating pedestrians and bikes into yielding the right of way. After he hit the bike, the driver tried to pull away — we had to stand in front, the biker and I, to keep him from fleeing the scene. The biker called the police but they never showed.

It became an uncomfortable stalemate. But there was no question about our course of action. We were standing in front of that bus. We weren’t going to let it leave.

Soon, some Occupy protesters intervened — on behalf of the bus. Turns out, the bus was headed to shuttle activists to the port. It was the last in a convoy of charter buses, and none would leave until all the rest could follow, including this one. Eventually, the protesters convinced the biker to let the bus go. He and I had been a crowd of two; but when our crowd got bigger, the perspective changed, and a different group identity formed.

For a feature story in Wired’s January 2012 issue, I’ve spent the past few months thinking about the nature of physical crowds in the digital age. In this series of posts, called “Crowd Control,” I’ll be semi-regularly posting some of my research and observations. Surveying social science on the subject, most of the interesting questions boil down, fundamentally, to this one: *Who* do we become, collectively, when we come together?

As my own, modest example shows, these questions are fundamentally about identity — who (in the moment) is “us,” and what do we think is right? The constantly shifting nature of this question is a large part of why crowd events are hard to understand, and even hard to describe.

Think about that Wednesday in Oakland. In the afternoon, a giant, peaceful crowd of people — including my family and me — marched from downtown Oakland to the city’s port. The mood was relaxed, convivial, almost carnivalesque.

Korean Office Software Exploited

In late September 2011, it was reported that a previously unknown and unpatched vulnerability in Hancom Office (word processing software predominantly used in Korea) was exploited in the wild. We often hear of new exploits targeting software used worldwide, and while these incidents tend to grab all the attention, we also encounter instances of regional software, which often has a limited user base, becoming an exploit target. Another example of regional software that was exploited in malware attacks is Ichitaro, a word processing software mostly used in government organizations and their associates in Japan.

In this case, we managed to track down a couple of malware samples that exploited the reported vulnerability in the Hancom products. The samples are document files (file extension .hwp), and an exploit attempt is made when the document is opened on a machine with a vulnerable version of Hancom Office installed. A successful exploit attempt will result in malware being dropped on the machine and the opening of a back door to a predetermined site.

Using regional software does not remove the risk of malware attack, and this recent attack on Hancom products and past attacks using Ichitaro are proof of this. As malicious attackers continue to look for new security holes to use in malware attacks, regional software can have an important role to play in the malware creator’s arsenal, and we expect this to be a niche but growing area for future attacks.

Detection and mitigation

The malicious document files are detected as Bloodhound.Olexe. Backdoor.Trojan detection covers the dropped files.

The vulnerability was patched in mid-October by Hancom, which published an advisory to inform customers about the issue. In addition, the local Internet and security agency also posted an advisory.

To reduce risk from these types of attacks, software should be kept updated and users should be cautious when opening unknown email attachments or files.

Symantec will be presenting on targeted attacks that use vulnerabilities in regional software in Hong Kong this week at the AVAR conference.

Remember, Remember… Anonymous Celebrates the 5th of November

November 5 is a very special day for Anonymous, for this year Guy Fawkes Day and Caturday coincide. Guy Fawkes Day is the British fireworks holiday appropriated by Alan Moore in the 1982 comic V for Vendetta, which was made into a movie in 2006, which in turn inspired the iconic mask used by the group. Caturday is the celebratory day of the lolcat. This is like Kwanzaa, Yom Kippur, Easter, and Arbor Day all rolled into one for the people of the lulzy collective.

Anons the world over are celebrating by drinking, watching V for Vendetta, crying over how cute kitten pictures are, and posting pages and pages of famous people’s personal data all over the web. On Tumblr, the Anonymous group CabinCr3w released information on a number of public figures including former U.S. Treasury Secretary Larry Summers, noted conservative donors the Koch Brothers, Mayor Michael Bloomberg of New York, Monsanto CEO Hugh Grant, and finally for the lulz, Jesus himself.

While I haven’t had time to review all the material between shots of whiskey and getting my Alan Moore tramp stamp, it seems most of the information released is available through public data sources.

The documents include properties owned by the target; boards the subject sits on; names of associates, family, and friends; items from news reports; and statements made by the subject or others. While being d0xed is likely not comfortable for the target, many of these newsworthy figures have similar profiles written up in media organizations and in the files of beat reporters who cover them. Anonymous has just put them online, sans sources, making it harder but not impossible to verify the data.

Also, the trailer for a new documentary on Anonymous called We Are Legion was posted in time for November 5th.

With ongoing operations including one chasing child pornographers and debates about going after a Mexican drug cartel happening as Anonymous moves into year four of harassing the Church of Scientology, supports the Occupy Wall Street movement and the ongoing Arab Spring, hacks law enforcement, and as ever, posts funny cat pictures, this next year promises to be interesting times for Anonymous.

This post is part of a special series from Quinn Norton, who is embedding with Occupy protestors and going beyond the headlines with Anonymous. For an introduction to the series, read Quinn’s description of the project.

Photo: Anonymous9000/Flickr