Five Epic Hacks That Never Happened

RunningShoes.com CEO Chad Weinman lost more than $10,000 when GoDaddy went offline Monday. Photo: RunningShoes.com

These days when there’s trouble on the internet, there’s usually someone at the ready to jump up and take (or assign) blame for whatever went wrong, never mind the facts. It can mean free publicity for your cause — whether it’s killing laws like SOPA or beefing up the federal budget for cyber security.

Sometimes it doesn’t take much more than a tweet and a Pastebin post to get a serious amount of free publicity. So in the spirit of yesterday’s GoDaddy incident where a random Twitter handle claimed to have downed the hosting giant, here are five great hacks that never happened — despite what you might have learned from the media.

1. GoDaddy Gets PwndDaddied

With millions of customers feeling the pain of downtime, the DDoS attack on GoDaddy.com made the internet service provider’s onetime support of SOPA a conversation topic from coast to coast.

GoDaddy’s DNS went out of commission for about six hours, starting at 10 a.m. Pacific Monday. With no way for computers on the internet to look up GoDaddy’s customers, e-mail and websites went down.

Take for instance the online retailer RunningShoes.com. The outage cost the company somewhere between $10,000 and $20,000, says CEO Chad Weinman. “It’s devastating. We’re absolutely dependent on that site for our revenue,” he says.

On Twitter, the culprit soon reared his ugly head. A hacker named Anonymous Own3r (the self-proclaimed “Security leader of #Anonymous,” thank you very much) had taken GoDaddy down with a withering distributed denial of service attack, so stealthy that security companies could find no trace of it on the internet.

The Huffington Post quickly connected the dots, clued in by an Anonymous source. “This is a warning shot,” the HuffPo wrote.

A warning shot that was muffled somewhat the next day when GoDaddy, embarrassingly, admitted that it had screwed up its DNS routing tables. The hacker’s proof that he had stolen proprietary GoDaddy source code? A simple Google search showed it was open source.

2. Twitter Gets Its Wings Clipped

As Justin Bieber and cat lovers know, there is nothing that can silence the Twitterverse. Nothing except for a cunning hacker, that is.

And that’s who stepped gracefully into the news cycle on June 21 this year when Twitter went down for an awful 40 minutes.

When the perp stepped forward, it was the UGNazi crew who had previously DDoSed the NASDAQ and the CIA.

“We just #TangoDown’d http://twitter.com for 40 minutes worldwide!,” wrote Cosmo, the 15-year-old hacker god who lives with his mom in Long Beach, California.

UGNazi was soon getting mad press in outlets such as the Telegraph, Mashable, and Slate.

But the press bubble was popped the next day when Twitter admitted that its own admins had somehow torpedoed the site.

“This wasn’t due to a hack or our new office or Euro 2012 or GIF avatars, as some have speculated today,” Twitter reported on its company blog. The culprit: a “cascading bug.” That’s Twitter-speak for “everything went wrong all at once.”

3. Fuck the FBI Friday

It was the greatest Anonymous operation of all. A systematic campaign of terror against the Man. Every Friday, the Antisec wing of Anonymous would drop a treasure trove of documents, shining a merciless light on the secret plans of law enforcement, government agencies and big corporations around the world.

The pump was primed and the dox were about to flow. The dumps would happen every Friday, and Antisec had already loaded up enough inventory to fill five months of Fuck the FBI Fridays. “Yes, each and every Friday we will be launching attacks,” the Antisec member told Wired, “with the specific purpose of wiping as many corrupt corporate and government systems off our internet.”

There was only one snag. Less than two weeks later, law enforcement swooped in and arrested 25 alleged Anonymous members. After that, Fuck the FBI Friday simply folded.

4. Brazil Goes Dark

Do you remember where you were when 60 Minutes ran its chilling November 2009 report on cybersecurity? One of the bombshell revelations in the report was news that hackers had broken into the local power grid in September 2007, leaving more than 3 million people in the dark in the state of Espirito Santo.

This was the perfect storm that cyberwar hawks had been dreaming of. An attack on computers that took out physical infrastructure.

60 Minutes’ report was a little light on sourcing. In fact, it didn’t name a single one of its “half-dozen” intelligence community sources behind the allegation.

A quick check with Brazilian regulators cleared things up, though. Shortly after the report aired, Wired reviewed reports on the incident written by Brazil’s independent systems operator group and the National Agency for Electric Energy.

The source of the outage? Soot on the insulators.

5. Tango Down Internet

The Name: Operation Global Blackout

The Group: Anonymous

The Target: The internet’s 13 root servers

The Date: The day before April Fool’s, 2012

It was a brilliant plan, but in retrospect the timing of the attack may have been a clue.

In an anonymous Pastebin post, Operation Global Blackout pledged to use a genuinely scary attack — known as DNS amplification — to take out the root servers that serve as the authoritative sources linking up internet protocol addresses to human-readable domain name system addresses such as Wired.com.

“By cutting these off the Internet, nobody will be able to perform a domain name lookup, thus,” the Global Blackouters said. “Anybody entering ‘http://www.google.com’ or ANY other url, will get an error page, thus, they will think the Internet is down.”

Anonymous operatives quickly distanced themselves from the event, which came and went like a bad joke.

Know any #vaporhacks we missed? Drop them in the comments.

Twitter Ordered to Release OWS Protester’s Data or Be Fined for Contempt

Image: here_kitty_kat/Flickr

Twitter has three days to turn over user data related to an Occupy Wall Street protester or face monetary sanctions from a New York Court.

New York State Supreme Court Judge Matthew A. Sciarrino Jr. ruled in Manhattan on Tuesday that Twitter must give federal prosecutors the information they are seeking related to accounts they believe belong to Malcolm Harris, who was arrested last October during a protest at the Brooklyn Bridge.

The court ordered Twitter to release the data or hand over its confidential earnings statements from the last two quarters so the court can determine how much of a fine to levy against the company. Twitter has until Sept. 14 to produce the data, according to Bloomberg.

“I can’t put Twitter or the little blue bird in jail,” Sciarrino reportedly said in court, “so the only way to punish is monetarily.”

The social media giant filed an appeal in late August asking the New York appeals court to reconsider Sciarrino’s earlier rulings ordering it to give the government tweets and account information on two Twitter accounts believed to have been used by Harris. Three days ago, Sciarrino denied Twitter’s request to stay the order until the appeals court ruled on it.

Sciarrino initially ruled that Twitter had to hand over the data, even though the government did not obtain a warrant to get it. The lower court had also denied Harris the right to challenge the government request for data on his own, which Twitter asked the appeals court to reconsider.

In its appeal (.pdf), Twitter wrote that Harris’ tweets are protected by the Fourth Amendment “because the government admits that it cannot publicly access them, thus establishing that Defendant maintains a reasonable expectation of privacy in his communications.” The Twitter accounts in question have been closed and are no longer publicly available.

But even if Harris’ tweets were publicly available, Twitter points out that the U.S. Supreme Court has ruled that “public information which would allow law enforcement to draw mere inferences about a citizen’s thoughts and associations are entitled to Constitutional protection, thus establishing that a citizen’s substantive communications are certainly entitled to the same protection.”

Harris was arrested for disorderly conduct last October while participating in an Occupy march at the Brooklyn Bridge.

Last January, the district attorney in Manhattan asked Twitter to hand over all tweets posted to the account of @destructuremal between Sept. 15 and Dec. 31 last year, as well as any information Twitter had about the owner of the account, such as a user name, e-mail address or IP addresses used to access the account to post the tweets. In March, the government served Twitter with a second order for records related to a different Twitter account, @getsworse, also believed to belong to Harris.

Prosecutors used a 2703(d) order to request Harris’ information, which allows them to obtain data without a warrant. More powerful than a subpoena, but not as strong as a search warrant, a 2703(d) order is supposed to be issued when prosecutors provide a judge with “specific and articulable facts” that show the information they seek is relevant and material to a criminal investigation. The people targeted in the records demand, however, don’t have to themselves be suspected of criminal wrongdoing.

Authorities said they wanted Harris’ tweets “to refute the defendant’s anticipated defense, that the police either led or escorted the defendant into stepping onto the roadway of the Brooklyn Bridge.”

Twitter had moved to quash the government’s 2703 orders, but in July, Judge Sciarrino ordered Twitter to release the tweets and account information, ruling that Harris had no expectation of privacy in tweets that were published.

“If you post a tweet, just like if you scream it out the window, there is no reasonable expectation of privacy,” Sciarrino wrote in his decision. “There is no proprietary interest in your tweets, which you have now gifted to the world.”

Authorities did not ask Twitter to hand over Harris’ private direct messages.

“Those private dialogues,” Sciarrino noted, “would require a warrant based on probable cause in order to access the relevant information.”

Twitter filed the original motion to quash after the judge ruled that Harris himself didn’t have standing to quash the 2703 orders on his own. In its appeal filed this week, Twitter asked the court to reverse this decision as well, stating that Twitter users have a “proprietary interest” in their records under the company’s Terms of Service.

“Twitter users own their Tweets and should have the right to fight invalid government requests,” Twitter argued. The company said that Twitter users also have standing under New York state and federal laws, as well as case law, to challenge a government subpoena that implicates their constitutional rights.

The courts, evidently, disagree.

Earlier this year, Twitter reported authorities had sought information on Twitter user accounts 679 times during the first half of this year. Twitter revealed that it complied with the requests 75 percent of the time by releasing all or some of the information being sought.

Pirate Bay Co-Founder Arrested at Airport on Hacking Charges

Photo: boklm/Flickr

The Pirate Bay co-founder Gottfrid Svartholm was flown from Cambodia, where he was detained last week, to Sweden on Tuesday to face charges unrelated to his pending one-year prison sentence for running the world’s most notorious and illicit file-sharing service.

The 27-year-old, according to Swedish media — the Expressen — was arrested at the Arlanda Airport in Stockholm, suspected of hacking the Swedish tax authority and a contractor to it, Logica.

Two other Swedes have been arrested in relation to the Logica hack.

Sweden’s Supreme Court in February upheld the prison sentences of the four men convicted of running The Pirate Bay. Peter Sunde faces eight months; Fredrik Neij, 10 months; Carl Lundström, four months; and Svartholm, one year. They share combined fines of more than $6.8 million. Lundström has served his time. Sunde is seeking clemency. Neij’s whereabouts are unknown, and he is believed to have fled Sweden.

They were convicted in 2009 in a joint civil and criminal proceeding in Sweden that pitted the entertainment industry and the government against the four defendants and the torrent-based file-sharing site, which points the way to free games, movies, software and music, much of it copyrighted. The service is used by millions and is notorious for its rebellious nature.

Juha Saarinen contributed to this report.

‘Police Ransomware’ Preys on Guilty Consciences

“Police ransomware” is big business, generating millions of euros for organized criminal groups. In May, at Europol’s headquarters in The Hague, police officers from 14 EU member states affected by this threat met with representatives from Europol, Eurojust, Interpol, and industry. Police ransomware, as explained on the Europol website, typically appears as a pop-up window, claims to come from a law enforcement agency, and accuses the user of visiting illegal websites. The screen freezes with a message that says the system will be unlocked only after payment of a fine, by Ukash, Paysafe, Toneo, or MoneyPak. Demands are very often specific to the country of the victim, pretending to be issued by local law enforcement agencies and written in the local language.

The recent Threats Report from McAfee Labs shows an impressive increase in this field, with police ransomware the main culprit:

Several posts around the Net describe some of these malware families. I’ll summarize the most common, with help from the botnets.fr wiki, created and maintained in France by various malware researchers. This wiki is a great tool for understanding botnets and ransomware, and contains data, screenshots, and MD5s related to these threats.

  • ACCDFISA — Dacromf: Appeared in February, mostly in the United States. It targets Microsoft Windows Terminal Server Edition. ACCDFISA is the acronym for an imaginary security department: the “Anti Cyber Crime Department of Federal Internet Security Agency.”
  • Americana Dreams — VirTool:Win32/Injector.DA: A ransomware using MoneyPak (August)
  • Gimemo: First variants in May 2010. At that time the malware asked users in Russia to dial surcharged cell phone numbers to unblock their PCs. In March 2012, it started using Paysafe and claimed to act as a society of authors and music publishers (SUISA for Switzerland, GVU for Germany, AKM for Austria, PRS for the United Kingdom, SACEM for France, etc.).
  • HmBlocker: First variants appeared in 2010
  • Madlerax: Appeared in September
  • Malex — FBI PC lock: Appeared in August
  • PornoBlocker: Appeared in 2009. It asks users in Russia to replenish Beeline cell phone numbers to unblock their PCs. In March 2011, a PornoBlocker version was disguised as the German Federal Police.
  • Ransirac — GEMA ransomware: First variant in February. It claims to arrive from GEMA (Gesellschaft für musikalische Aufführungs), an authorized German collecting society for musical performing and mechanical reproduction rights.
  • Ransom.II — CELAS, FBI ransomware: Appeared in June. It spread in the United States, and uses the Ultimate Game Card payment system (August). In its first variants, the malware claims to be CELAS, a German company representing a certain part of EMI Music Publishing, or the FBI.
  • Reveton/Rannoh/Matsnu: The first Reveton variant appeared in November 2011. Some are now known as Matsnu (since  January) and Rannoh (since April). The last Reveton variants include a camera feature.
  • Silence Locker — Trojan.Ransomlock.K: A crimeware kit (builder and control panel) offered on the underground market beginning in February
  • Supern0va: Appeared in April. It uses a control panel.
  • Tobfy: Appeared in June. Tobfy includes a camera feature. Its default landing page tries to mimic Interpol.
  • ULocker: Another ransomware tool. Offered on a private carding board in July. Ransomware made with this tool claims to have arrived from the International Police Association.
  • Urausy: Appeared in July
  • Weelsof: Appeared in April
  • Win32/LockScreen — Euro Winlocker: The first LockScreen variants appeared in 2009. To regain access to the computer, the user was asked to send an SMS message to a specified telephone number in exchange for a password. Since 2011, many versions have been distributed in Europe.
  • Winlock Affiliate: An old affiliate offer. Winlock detections existed before 2009.