LulzSec is dead, long live Anonymous

With law enforcement officials claiming that LulzSec has been decapitated, what does this mean for Anonymous?

The web is awash with hydra metaphors, but the truth is that no-one can say exactly what the effects are likely to be. Not for a while, anyway.

It’s always been clear that the number of Anonymous members with real hacking skills is a small core. Most ‘Anons’ are little more than camp followers - happy to download and use DDoS tools such as LOIC and Slowloris, but with little real clue as to how they work.

The dangers inherent in that ignorance have been made only too clear lately. In South America and Spain, law enforcement officials arrested 25 alleged Anonymous members as a result of analysing IP addresses contained in the logs of attacked websites. Most Anons, it seems, are unaware that the tools they use to further their cause do nothing to hide their identities.

And many Anons have managed to infect their own machines with the Zeus trojan after downloading a version of Slowloris that had been maliciously altered by cyber-criminals unknown. It’s not beyond the bounds of possibility that the people responsible for exploiting these clueless hacktivists might themselves be members of Anonymous. After all, the botnet formed by the infected machines would prove a useful weapon in the group’s activities. And it’s quite possible that at least a portion of the Anonymous movement is also engaged in criminal activities: DDoS attacks are a useful way of masking other crimes.

The thing is, Anonymous is such an amorphous grouping, spanning many countries and embracing so many ideologies and political viewpoints, that it’s almost impossible to rule out anything. And while Sabu and the others indicted in the most recent arrests were clearly the key players in LulzSec and AntiSec, and formed a hacking corps within Anonymous, there are other hackers out there happy to wave the Anonymous banner.

We can expect more arrests as the paranoia levels rise and hackers turn on each other. But we can also expect more attacks. For example, the take-down of Sabu, Anarchaos, Topiary, Pwnsauce, Palladium and Kayla will have no effect on the Anonymous hackers in India responsible for leaking Symantec source code. And there will be others in the US, UK and elsewhere rash enough (or stupid enough, depending on your viewpoint) to think they’ll be able to take Sabu’s place and get away with it. Confidence verging on arrogance is the hallmark of many of these hackers - and the source of their downfall.

It’s a cliche, and a fallacy, to characterise hackers and hacktivists as teenagers. But it is demonstrably true that much of their professed ideology is, to put it politely, somewhat naive. And then there’s the attitude - those hilariously portentous videos and the ‘you can’t catch us, copper’ taunting. (Untrue, as it happens.) Anons may span a range of ages (at least one of those 25 recently arrested was 40 years old), but much of the movement shares an immature view of the consequences of their actions.

(As a side note, the part of the brain that allows us to foresee consequences doesn’t fully develop until we’re in our early 20s, which explains the high accident rate among teenage drivers.)

And so hacktivism will continue. Anonymous will continue - largely ineffective but scoring occasional hits. And while Anonymous has never really represented anything more than a noisy and self-aggrandising nuisance, that’s not to say it isn’t a danger to the security and reputation of the organisations on whom it turns its attention.

The problem with the arrests of the people accused of being the LulzSec chiefs is that some companies might think the threat has passed. It hasn’t. A lesson has been taught to those who might take their place, but experience shows that such lessons are usually ignored. Anonymous has already branded the arrested people as losers: it has thrown them overboard.

The self-important posturing that is so intrinsic to the Anonymous style of hacktivism means that Anons will keep attacking, and will keep being arrested. This is the new reality of the net.

[This post is based on the editorial in the March issue of Computer Fraud & Security]

Sabu the snitch - as predicted six months ago

So, it turns out that the infamous ‘Sabu’, the somewhat cocky leader of LulzSec and one of the few members of Anonymous accredited with real hacking skills, has been an FBI informer for months.

This is not news to someone who goes by the name ‘HuntJaeger’ on Twitter. Just over five months ago I witnessed a Twitter exchange between anonymouSabu (as Sabu called himself on Twitter) and HuntJaeger. This was shortly after Sabu started tweeting again, having been silent for a couple of months.

HuntJaeger was in no doubt why Sabu had been observing radio silence. He accused the LulzSec hacker of having been turned by the FBI. “So, you’ve completed the FBI snitch training and are now back to rat out your comrades…” he said.

This is how it goes in the hacker underworld, of course. Every book I’ve ever read about illicit hackers (to differentiate them from the good kind) makes the point that, once nabbed, they waste no time in ratting out their comrades. It all contributes to a good, healthy spirit of paranoia.

Now that the arrests have been made and the indictments unsealed, Sabu - or Hector Xavier Monsegur, as his friends and family know him - is probably looking at jail time. I hope those lulz were worth it.

Predictably, Anonymous is putting on a brave face. And to be honest, Anonymous is about a lot more than LulzSec or AntiSec. But it looks like the movement might have lost some of its most skilled hackers.

My feature from the Aug 2011 issue of Network Security.

Interview: Greg Hoglund - a fight-through capability

The recent RSA Europe conference in London was unusual. Some of the high-profile security firms exhibiting and presenting have also been victims of serious breaches this year.

RSA, rather notoriously, had its SecurID product compromised by what it insists were state-sponsored hackers. Raytheon admitted to a couple of breaches. And also present at the conference, both in the exhibition hall and in the form of founder & CEO Greg Hoglund, was security firm HBGary.

The assault on hacktivist movement Anonymous by subsidiary HBGary Federal made headlines - mostly because the subsequent backlash led to the breach of the company’s own defences, ultimately resulting in the resignation of CEO Aaron Barr.

Many were surprised when Hoglund engaged directly with Anonymous, even venturing into IRC channels to get a better understanding of what the hackers were doing and to plead with them not to release the email files they’d exfiltrated.

It wasn’t the normal behaviour of a reputable security outfit, but it is of a piece with Hoglund’s philosophy of taking the fight to the hackers, and of treating security as an active, rather than passive, undertaking.

At RSA I got a chance to chat with Hoglund. As you’d expect, he was reluctant to discuss the Anonymous debacle - he must be tired of it by now. All the same, it lingered like a spectre, colouring much of what we discussed, and we touched on it finally.

He was far more interested in talking business. The Anonymous attack killed the HBGary Federal subsidiary, but HBGary itself continues to prosper. Hoglund was in Europe to drum up more business - and possibly flush out a buyer for the company.

It’s all about people

First, though, he wanted to tackle a current bugbear. Hoglund is dismissive of the way some people seem to be obsessed with Advanced Persistent Threats (APTs).

“People just like to call it advanced because it gets through the security that they have, and they need to justify to the board what this is,” he says. “There’s a mentality out there that you can solve the security problem with technology. And that’s entirely incorrect, and it doesn’t work. You can’t buy a magical silver bullet and expect it to solve the security problem … You’re covering your you-know-what, to justify ‘well this isn’t malware, this is APT, this is different, this is why we didn’t detect it’.”

For all the talk of new threats, Hoglund agreed when I suggested our major problem is the inability to solve the problems we’ve already got. “When I talk about threat I’m talking about people,” he says. “The hackers. The mechanism by which they attack, that’s not new. So when you say the threat is evolving, it doesn’t mean the attack, technically, is evolving. What it means is the threatscape, the people - there’s more of them, they’re aware that they can achieve access to incredibly valuable data with relatively small investments - that’s an awareness they have, this year more than ever. So the threat is growing.”

So if the solution isn’t going to be a technical one, how do you tackle the issues?

“People,” says Hoglund. “It’s a counter-intelligence function. So if you’re a large enterprise and you don’t have a full-time security staff, game over. Yeah, it’s expensive … but this is where you have to go. You have to have a human in the loop.”

Taking a human-centric, counter-intelligence approach is specialised stuff. “You have to have access to the data, and you have to have analytics to turn that data into intelligence,” he adds. “Because raw data is not intelligence. If you don’t have a staff that can do that, then your security is already broken at that point. And any small to medium-size company, this is completely out of reach for them. So their only option is managed services.”

So there’s the sales pitch. Nevertheless, he’s convinced that this is how the security industry is going to evolve over the next 10 years.

If you manage to turn raw data into intelligence, what’s it telling you and what do you do with it? This is where the technology comes in, according to Hoglund.

“I like to focus on what I call actionable intelligence,” he says. “Actionable means you can take that piece of information and input it into a security solution you already own - a great example of that is an IDS signature. You see an intrusion in your environment, you examine it forensically and you get a URL that that malware or a remote access capability was using for command and control. You take that and put it into your IDS - you’ve just made your IDS smarter. You did that. No outside vendor, no magical blacklist. This is an attack specific to your environment. And what’s going to happen tomorrow is that same attacker is going to be back again, only this time you’re ready for him. You get smarter and smarter as this cycle continues and your cache of threat intelligence grows.”
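The loop Hoglund describes, forensic finding to local indicator to a rule in a system you already own, is small enough to show end to end. The following is an added example, not code from the interview or from HBGary: a couple of command-and-control URLs recovered from one incident become a local indicator set, that set is rendered as IDS rule text, and the same set is run over proxy log lines to find which internal hosts were talking to those addresses. The URLs, the log lines and the case name are constructed placeholders (documentation address ranges, `.test` domains); the rule text follows Suricata-style syntax as an assumption and should be checked against whatever IDS is actually in use.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed finding: what forensic examination of one intrusion produced.
# Hostname and address are invented placeholders, not real indicators.
C2_URLS_FROM_FORENSICS = [
    "http://update-check.example-c2.test/gate.php",
    "http://203.0.113.45:8080/panel/",   # RFC 5737 documentation range
]

@dataclass(frozen=True)
class Indicator:
    host: str     # hostname or IP the implant talked to
    path: str     # URI path seen in the C2 traffic
    source: str   # which local case it came from (not a vendor feed)

def indicators_from_urls(urls, source):
    """Turn raw URLs from a forensic report into structured local indicators."""
    out = []
    for u in urls:
        p = urlparse(u)
        out.append(Indicator(host=p.hostname.lower(), path=p.path or "/", source=source))
    return out

def suricata_rule(ind, sid):
    """Render one indicator as Suricata-style rule text (assumed syntax: verify
    against your IDS version before loading)."""
    return (f'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Local C2 indicator {ind.source}: {ind.host}"; '
            f'http.host; content:"{ind.host}"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')

# Constructed proxy log lines: client_ip method url status
PROXY_LOG = """\
10.0.4.17 GET http://www.example.com/index.html 200
10.0.4.22 GET http://update-check.example-c2.test/gate.php 200
10.0.4.17 POST http://203.0.113.45:8080/panel/upload 200
10.0.4.31 GET http://www.example.org/news 304
10.0.4.22 GET http://UPDATE-CHECK.example-c2.test/gate.php?id=7 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def match_log(log_text, indicators):
    """Return (client_ip, url, indicator) for every line that touched a known C2 host.
    Matching is on the hostname, case-insensitively, so query-string variants still hit."""
    by_host = {i.host: i for i in indicators}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, url, _status = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if host in by_host:
            hits.append((ip, url, by_host[host]))
    return hits

def internal_hosts_beaconing(log_text, indicators):
    """The actionable output: which internal machines need to be examined next."""
    return sorted({ip for ip, _url, _ind in match_log(log_text, indicators)})

if __name__ == "__main__":
    inds = indicators_from_urls(C2_URLS_FROM_FORENSICS, source="case-0001")
    for n, ind in enumerate(inds, start=1000001):
        print(suricata_rule(ind, n))
    for ip, url, ind in match_log(PROXY_LOG, inds):
        print(f"{ip} -> {url}  (indicator from {ind.source})")
    print("hosts to triage:", internal_hosts_beaconing(PROXY_LOG, inds))
```

The point of keeping `source` on each indicator is the one Hoglund makes: the value of this list is that it came from your own environment, so when the same infrastructure reappears you know which earlier case it belongs to. A `sid` range above 1000000 is left for local rules by convention, so the generated rules do not collide with vendor rule sets.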

Shared intelligence

The RSA show was opened by that company’s executive chairman, Art Coviello, calling for more sharing of infosecurity intelligence data. Ironically, this was followed by what was touted to be RSA sharing the story of its own breach, which turned out to be not quite the case. The firm remained tight-lipped about the details and persisted in describing it as a highly skilled and complex attack and not, for example, the compromise of a poorly patched Windows Server 2003 box.

So, does Hoglund think that information sharing is important? At first he seemed keen, but quickly added caveats.

“It’s a double-edged sword,” he says. “If you share data in a way that it’s public, or easily accessible to the bad guys, then they’re absolutely going to know what you know about them, so that’s the problem and the challenge with threat intelligence sharing. So, at least in the US, a lot of the threat intelligence sharing between the Government and the private sector is done using special relationships, closed forums, and may even be classified. If you’re not in that special circle, you’re not going to get access.”

Is this the only way it can be done? “I do think there have to be a lot of controls. You do need to make an effort so the bad guys can’t get the data. But that’s never going to work perfectly if you’re going to have a sharing system, then it’s going to get out some way or another.”

I asked if he thought sharing would need to be limited among countries, for reasons of national security, or if such pooling of data might be carried out within some existing framework - NATO, perhaps, or at a ‘five eyes’ level. “Sure, that would be interesting. But they’re never going to share everything - they’ll only share select stuff.”

Fight-through capability

You’re going to get breached, is Hoglund’s message for organisations of all kinds. Most security activity is reactive, not proactive. IDS signatures, for example, only tell you about old attacks, not the ones that are coming. Data sharing can help strengthen defences, in this reactive way, and raise the bar for attackers. But someone who’s sufficiently determined and resourced will still get through.

Hoglund likes to talk about a ‘fight-through’ capability. In the RSA panel session preceding our chat, he’d used this military term in the context of the US Air Force Reaper and Predator drone systems that have been infected with malware (widely misreported as being keylogger software).

“The military’s not that excited about it,” says Hoglund. “They know it’s not exfiltrating. The only threat to the system is instability.” He reckons that USAF will have quickly determined that the malware does not pose a threat to the stability of the system and will simply continue to use the infected systems - ‘fight through’ - carrying on with the mission while sorting out the compromise in parallel. This, he believes, is an attitude that commercial and other organisations should adopt.

“That’s the resilience and fight-through capability,” he says. “If you accept that business is just about managing risk, then there has to be some level of acceptance that compromises will occur. And you still have to be able to do business.”

Architectural changes

Indeed, Hoglund’s business prospects are companies that have come to the realisation that they are vulnerable (usually because they have already been breached) and will be compromised. Organisations that believe they can construct impregnable defences require too much education into the ways of the real world for Hoglund’s taste.

As most security vendors know, selling products and services is usually very easy during or immediately after an attack. But is there a need for organisations to take a longer term view and perhaps consider changing their network architectures to be more resilient, perhaps with increased use of air gapping?

“Absolutely,” he says, “because if you have a breach, that doesn’t mean that you’re going to lose data. So you have to make it very hard for them to get the stuff out. You should have your critical data separated from the rest of your network. You should have access control - this is such a basic idea, the principle of least privilege. It’s hard to believe how many enterprises out there simply don’t have that. But in a Windows network it’s entirely possible to implement that - it’s simply a manageability problem. And yeah, that’s expensive. But people will buy a SIEM, and then not use it. A problem with the SIEM is that it doesn’t do your work for you, and a lot of companies will look at it as a cost. The SIEM is giving you exposure to tremendous amounts of real-time data about what’s going on in your enterprise, but you still have to have a human being, an analyst, who can tune that data set, create analytics, so that 100,000 events an hour can be brought down to maybe four events of interest per hour, and that’s a huge problem.”

There’s still the perennial problem of justifying the trouble and expense of doing this. Getting the business to understand the risks is tricky because it’s not easy to convert threats into risk metrics. But Hoglund believes the arguments are there. “What if we lost confidence in the network,” he says. “What if we simply don’t know how many back doors they have and we don’t know if we can detect them all. Then I have to re-architect everything and build it from the ground up. There’s a number that’ll get somebody’s attention.”

Defence in depth

He also believes that more attention needs to be paid to the latter phases of an attack. Perimeter-based defences are all geared to stopping the initial infection phase. But attackers are often most vulnerable in the following interaction phase, which is mostly manual work, getting to know the network and finding the target data, and then the exploitation phase during which data is exfiltrated.

“That’s your window of opportunity,” he says. “They’re actually highly exposed during that time. The bad guys don’t have a lot of stealth at that point. They’re leaving forensic artefacts all over the environment and all you’ve got to do is detect them. And there’s only so many ways to hack a network at that point. You just have to detect that behaviour, and that’s really not that hard, I just think that people aren’t doing it, at least not widely.”

So this is defence in depth in action? “Exactly. That might be your second-last line of defence. The last line is stopping the data as it’s going out over the firewall.”
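Two of Hoglund’s points above go together in practice: the SIEM analyst who tunes the data set so that a flood of events becomes a handful worth looking at, and detection of the interaction phase in which an intruder is moving around the network learning where the data is. The following is an added example, not code from the interview or from HBGary. It runs one analytic over constructed Windows-style network logon events: a single account, from a single source machine, authenticating to an unusual number of distinct hosts inside a short window, which is what reconnaissance and lateral movement look like in the logs. A baseline allow-list suppresses the account that legitimately fans out (a vulnerability scanner), which is the tuning step that separates four events of interest from the thousands. Event fields, account names, the window and the threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in flat SIEM form: (timestamp, account, source_host, dest_host, event).
# "logon_ok" stands in for a successful network logon (assumption: Windows 4624, type 3).
def build_events():
    base = datetime(2011, 10, 12, 9, 0, 0)
    events = []
    # Ordinary users: each logs on to a couple of file servers during the hour.
    for i in range(200):
        user = f"user{i % 50:02d}"
        events.append((base + timedelta(seconds=i * 15), user,
                       f"ws{i % 50:02d}", f"fs{i % 3:02d}", "logon_ok"))
    # Known-noisy account: the vulnerability scanner touches every server every hour.
    for i in range(60):
        events.append((base + timedelta(seconds=i * 40), "svc_scanner",
                       "scan01", f"srv{i:02d}", "logon_ok"))
    # The interaction phase: one compromised workstation, one account, many hosts in minutes.
    for i in range(25):
        events.append((base + timedelta(minutes=30, seconds=i * 8), "user17",
                       "ws17", f"srv{i:02d}", "logon_ok"))
    return sorted(events)

BASELINE_ALLOWLIST = {"svc_scanner"}   # accounts expected to fan out (assumed, from local tuning)
WINDOW = timedelta(minutes=10)
DISTINCT_HOST_THRESHOLD = 8            # assumed threshold; derive yours from a real baseline

def fan_out_alerts(events, allowlist=BASELINE_ALLOWLIST, window=WINDOW,
                   threshold=DISTINCT_HOST_THRESHOLD):
    """Reduce raw logon events to alerts: one per (account, source_host) that reaches
    `threshold` distinct destination hosts within any sliding `window`."""
    per_actor = defaultdict(list)
    for ts, acct, src, dst, ev in events:
        if ev == "logon_ok" and acct not in allowlist:
            per_actor[(acct, src)].append((ts, dst))
    alerts = []
    for (acct, src), rows in per_actor.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            hosts = {d for _, d in rows[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"account": acct, "source": src,
                               "first": rows[start][0], "last": rows[end][0],
                               "distinct_hosts": len(hosts)})
                break   # one alert per actor is enough to start triage
    return alerts

if __name__ == "__main__":
    evs = build_events()
    alerts = fan_out_alerts(evs)
    print(f"{len(evs)} logon events -> {len(alerts)} event(s) of interest")
    for a in alerts:
        print(a)
```

Without the allow-list the scanner also trips the rule, which is the whole problem with an untuned SIEM: the analytic is right, but the environment has to be described to it before its output is small enough for a human to act on. The alert carries the source workstation as well as the account, because in the interaction phase the machine the attacker is operating from is the artefact worth chasing first.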

Reputation and the killswitch

Hoglund has some experience of that. The word ‘killswitch’ was mentioned. And this is where the Anonymous incident couldn’t be avoided any longer.

In the earlier panel session, Hoglund recounted the galling experience of watching Anonymous download Gmail-based email files while he attempted, in vain, to get Google to intervene. Proving he was the account holder took time - too much time. He’s now a keen advocate of making cloud service providers implement a ‘killswitch’ so that an account can be turned off in an instant, with no data allowed in or out.

“In the end, it turned out to be not all that bad,” he claims. “It was shocking and we were scared at first, but then I realised there wasn’t anything bad in my email, it didn’t really matter that much. In the grand scheme of things it was a nit compared to what’s been happening to other companies this year. I was just in the unfortunate position of being the first one.”

I mentioned how some companies believe that reputational damage is short-lived. “It’s true,” he says. “Three to six months. There’s been research done - this is in the retail space: something bad happens and after a year, consumers recognise the logo but don’t remember why. So it’s almost like free publicity in a way.”

That last sentence was spoken with heavy irony and a kind of world-weary humour. HBGary has just posted its best-ever quarter, but in the aftermath of the Anonymous attack, I suggested that he must have had some intense conversations with clients. “Yes,” he admits, “but this wasn’t for reputation reasons. They were worried that, financially, we weren’t able to withstand it. They had orders in the pipeline, and they didn’t want to order if we were going to go under. As it turns out, we actually closed Q1 out above our numbers that we had set prior to the attack. So we were, in fact, still doing quite well. Now, unfortunately, we were doing very much better than that on our pipeline, but the orders that were delayed in Q1 ended up all coming in in Q2. So our Q2 was phenomenal.”

He doesn’t actually reveal the figures involved. But can it really be true that Anonymous - aside from bringing about the demise of HBGary Federal - had so little effect on the business?

“Keep in mind our customers don’t like Anonymous,” says Hoglund. “They view themselves as targets too.”

Sony: just another victim

One of the most interesting aspects of the Anonymous/LulzSec hacking of Sony is the opportunity to observe what effects it might have over time. Now a legal decision in Australia has placed Sony in a position that, I suspect, it finds very agreeable - as a victim.

While most security analysts seem to agree that the hacks themselves were fairly trivial - from both a technical perspective and in terms of immediate damage - the true significance, we were led to believe, would be the effect on Sony’s brand.

Indeed, various Anonymous and LulzSec mouthpieces were keen to point out the reputational damage they had wrought. Time after time, with both the Sony hacks and other high-profile attacks mounted by the groups, we were informed that the whole point was to sully the reputations of the organisations under assault so that customers would think twice about doing business with them. 

One Anon told me, in an IRC chat, that the desired result will be that, “people will think twice before they hand over their identities online. That people will stop and say ‘Do I KNOW this data is safe? Do I KNOW no one can hack into this system and use my information against me?’”

However, this effect relies on one critical factor: it’s important for the general public to believe that Sony was culpable in this matter - that its poor security (and it certainly was poor) was a major contributor to the leak of its customers’ data. In that scenario, hackers such as LulzSec are more of a catalyst than a cause, or at worst the final link in a chain of insecurity for which the hacked company is partly, if not largely, responsible.

But…

I found, when researching an article on hacktivism for Network Security (available on Science Direct - subscription or payment required), that this is not a perception of the Sony hacks that is universally shared. In fact, I concluded that LulzSec’s desire to taint Sony by leaking the company’s databases faced a number of hurdles.

The first is that people forget. Try asking your friends (at least those who aren’t followers of hacktivism) about the incidents and you’ll probably find that many have forgotten all about the hacks, even if they knew about them in the first place.

Sony customers, especially members of the PlayStation Network (PSN) may be more inclined to remember. But I don’t think it’s too cynical to suggest that most of those will be inclined to forgive and forget just as soon as the next cool game comes out. I’ve certainly not heard of any large-scale abandonment of the PS3 platform.

Of course, many people will simply not understand that Sony was in any way culpable in this matter. IT security is a complex and arcane issue. Poor security is hard to explain to lay people. Yet everyone’s heard of hackers, a term now (alas) largely synonymous with ‘criminal’ in the public’s perception.

And so most people who remember that Sony was hacked will simply assume that the poor company was maliciously attacked by bad guys.

The Australian Privacy Commissioner, Timothy Pilgrim, agrees. He’s just ruled that one of the victims of the PSN breach was … wait for it … Sony. His investigations have concluded that Sony was not in breach of the country’s National Privacy Principles - that it was the nasty old hackers who ‘disclosed’ the company’s data, not Sony itself.

As time goes on, the number of people who remember that Sony was hacked will diminish. Given that those who realise the company was partly to blame will be a small subset of that number, and that those who care enough not to give Sony their business are a smaller group still, Sony can probably rest assured that it is already over the worst.

At least, that’s as far as reputational damage goes. The firm is still facing lawsuits, including several class actions. But all that’s at stake there is money…

When is #Anonymous not Anonymous?

Not for the first time, the Anonymous activist collective is suffering some brand issues. It turns out that claiming you are ‘leaderless’ and ‘decentralised’ is something of a two-edged sword.

It’s also a lie, of course.

The concept is that anyone can operate under the Anonymous banner. There are no committees to attend, no leader from whom you need to seek approval. If you want to mount an operation and call it an Anonymous action … well, go right ahead.

Or maybe not. We’ve just seen two examples of where that causes some problems.

The one currently grabbing headlines is the so-called OpFacebook. A YouTube video by ‘Anonymous’ promises that everybody’s favourite personal data aggregator will be “destroyed” on Nov 5. And the video has all the classic hallmarks of Anonymous - it’s sufficiently pretentious and bombastic that you can’t help wondering if it’s meant to be funny.

Only it turns out that ‘Anonymous’ isn’t Anonymous, if you see what I mean. The ‘real’ Anonymous (the one, remember, with no leaders or centralisation) has been denouncing this operation as a fake. ‘Sabu’ (@anonymouSabu), the non-leader of Anonymous (and also, as it happens, LulzSec) has been especially active in denouncing this as a fraud and is practically begging the media to pay no attention to it.

So how does that work, exactly? Surely the whole concept of Anonymous is that, if I call myself an Anon, that’s enough. Who is Sabu to call this a fake? By what authority can he assert that this is not an Anonymous operation?

I’ve recently completed a long feature about Anonymous and LulzSec for the journal I edit, Network Security. During the research, I had a couple of IRC chats with Anons, via the irc.anonops.li server. Part of this touched on the ‘leaderless’ nature of the movement. I wanted to know how that assertion can be supported when there is clearly some direction from a core group. For example, the channels found on irc.anonops.li are regarded by pretty much everyone as the ‘official’ IRC channels. Some of the channel topics are used to set targets for the Low Orbit Ion Cannon (LOIC) - the DDoS tool used by Anons that has turned out to be so dangerous for its users. There are also channels used for co-ordinating operations that are not open to the likes of you and me - strictly invitation only. I wanted to know how this meshes with the leaderless concept.

I chatted with joepie91 who was at pains to point out that he did not speak in any official capacity, but just as one of many Anons. He did, however, have channel admin privileges in the #reporter channel set up to talk to the media, and most other people in the channel appeared to defer to him.

I asked him to explain a comment he made that, “anonymous =/= anonops”.

joepie91: anonops is just one network that is populated by Anons

joepie91: Anonymous is not a centralized entity

joepie91: there’s no member list, no ‘official representatives’, no leaders

So far so good. But I pointed out that someone gets to set targets in channel messages. The answer felt a little evasive, in that he largely just stated the obvious - that channel ops get to set the topics. But he also enlarged:

joepie91: if you don’t like operation payback, noone stops you from setting up a similar operation with similar targets but a different structure … if you disagree you can just walk away and set up your own … and noone will stop you

It seems that’s exactly what someone has done with OpFacebook. And now Anonymous seems not to like it.

But that’s not the only spat that’s been going on. When various Anonymous accounts were kicked off Google+, because they contravened the service’s rules on using real names, some Anons vowed to set up a social networking site just for Anons. It’s hard to see how the mechanics of social networking would fit with the idea of being Anonymous, but selah.

The result was AnonPlus, which has so far had a very sorry history. It started out using bog-standard forum software, but has mutated many times, shifting domains and hosting, constantly promising great things to come. With amusing irony, it has been hacked numerous times (as in the example above) and this led to a blow-up between Sabu and ‘higochoa’. Sabu, it seems, was particularly incensed at people believing that he, personally, had been hacked every time AnonPlus was defaced.

<Sabu> I am getting sick of hearing that *I* get hacked every week

In a more telling moment, Sabu says:

<Sabu> I suggest you either kill the project / stop using anonymous’ name

That suggests to me that Sabu feels at least some sense of proprietorship over the Anonymous brand. Maybe it’s time for Anonymous to decide whether it is genuinely going to embrace an anarchic policy of no enforced structure, or whether it should grow up a little and become a more organised activist force. The latter would be more interesting because, currently, its disorganised and chaotic approach is achieving very little.

Just in it for the lulz?

Supporters of Wikileaks are dedicated to freedom of speech - until, that is, someone disagrees with them.

“Humankind,” wrote Eliot, “cannot stand very much reality”. And so it is with a bunch of self-styled net buccaneers calling itself LulzSec.

The US Public Broadcasting Service (PBS) - normally the darling of those with anti-corporate leanings - has suffered the ire of these ‘hacktivists’. Apparently, it screened a documentary about Wikileaks that was not entirely flattering. Such insults are not to be borne.

There is a distinct whiff of Anonymous about LulzSec - the same whimsical self-regard, the same adolescent posturing. (There is, for what it’s worth, a #lulzsec channel on irc.anonops.in. It’s unlikely to be any kind of official hangout - I was the only person in there when I checked it out.)

Denial of service attacks and website defacement are the preferred forms of protest for Anonymous. They are high-profile acts that require little effort, minimal skill and involve relatively little risk. There is, of course, the unfortunate side-effect that the downing of a website effectively denies the legitimate owner of free speech. This form of hacktivism is a way of shutting up those whose opinions differ from yours.

It seems that LulzSec is gearing up for more attacks on Sony - the target du jour of Anonymous. Meanwhile, the group is basking in the attention garnered by the PBS stunt - and getting attention was probably half the point in the first place.

The Internet is a powerful medium for activism and deserves to be used as such. But hacktivism needs to be driven by more than petulance. If the Internet is to serve as a place for taking a principled stand, it’s important that it does not acquire a reputation for immature pranks. Vandalism is not an effective way of engaging in complex debates about political responsibility, freedom of information or digital rights.

LulzSec has yet to elucidate any meaningful principles or agenda, other than a desire to show off in public. Assuming it has a genuine ethical purpose behind its behaviour, perhaps these will be spelled out on a forthcoming website. Let’s hope so.

FBI acts against 40 Anons

The execution of 40 search warrants by the FBI against alleged members of Anonymous is part of a co-ordinated operation with the UK’s Metropolitan Police Service, which made five arrests yesterday.

The FBI hasn’t announced any arrests yet and isn’t giving up much information about its targets. Its press release is pretty clear, however, that it is treating the DDoS attacks mounted by Anonymous as criminal acts. In part, the release says:

“The FBI also is reminding the public that facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability.”

The FBI also points out that it is not acting alone.

“The FBI is working closely with its international law enforcement partners and others to mitigate these threats. Authorities in the Netherlands, Germany, and France have also taken their own investigative and enforcement actions. The National Cyber-Forensics and Training Alliance (NCFTA) also is providing assistance.”

For its part, Anonymous, bless ‘em, have decided to up the ante by declaring war on the UK Government. It’s worth reading the open letter in full, for entertainment if nothing else. It attempts to characterise the DDoS attacks as a hip form of civil protest, but we’ve already seen the authorities are having none of that.

The letter also attempts to excuse the DDoS attacks by pointing out how little damage they did - in other words, Anonymous is making a virtue out of its own ineffectiveness. Why not take this at face value? Well, simply because of my experiences in the Anonymous IRC channels. The Anons participating in the attacks and reporting back via IRC were clearly intent on damaging their targets - they said so in no uncertain terms.

The Internet has a major part to play in civil protest - that’s being demonstrated in Tunisia and Egypt, and is why the governments of those countries are attempting to shut down services such as Twitter and Facebook. But the Anonymous attacks are not in this class. These are over-excited teenagers who’ve watched the Matrix too many times and are keen on a bit of cyber-vandalism because they think there are no consequences. I think they’re in the process of being disillusioned on that last point.

There’s nothing wrong with ‘hacktivism’. People have a right to protest and the Internet has provided a new channel for organising and executing these activities. But when you break the law in order to make your feelings known, you need to be sure that your motives are good, your targets are legitimate and your methods are warranted. Anonymous attacks against the Egyptian Government arguably fall into this category. Its attacks on PayPal, MasterCard et al did not.

Anonymous arrests

Five young men have been arrested in the UK in connection with DDoS attacks mounted by the Anonymous group, according to a report by the BBC. The five range in age from 15 to 26.

This was predictable - up to a point. Anonymous takes a fairly callous ‘cannon fodder’ attitude to its ‘members’ (if you can call them that).

The Low Orbit Ion Cannon (LOIC) software - the weapon of choice for most Anons - is a fairly crude tool. Originally developed by ‘Praetox Technologies’ (a suitably anonymous coder) as a network stress-testing tool, it fires HTTP, TCP or UDP packets directly at the target. It’s not possible to operate via proxies because that could simply DDoS the proxies themselves.

Most Anons will have run LOIC from their own machines, although there is also a Javascript version that can be hosted on websites. But no version of LOIC makes any attempt to spoof or obscure the originating IP.

A standard defence against DDoS is to monitor the IPs from which large numbers of packets are originating, and then filter those addresses. In the process, of course, you build an effective database of attacker IPs. Get a court order and match those against ISP server logs and you have the identities of the attackers.

Normally, this isn’t of much use: in a botnet-based DDoS attack, the attacker IPs belong to innocent (if sometimes careless) PC owners whose machines have become infected. In the case of Anonymous and LOIC, the IPs identify the attackers themselves - or websites that have made the Javascript version available (which could make both the website owner and the hosting company liable).

It’s quite probable that the majority of Anons have no idea that this is the case. Most of them are script kiddies caught up in the excitement, and the prospect of being able to create havoc with no apparent consequences.

Some are aware of the dangers, but there is a dangerously high level of naivety at work. On IRC channels and websites affiliated to Anonymous, advice on how to protect yourself includes claiming your computer was infected with a virus and setting your wifi router to be open so that you can claim someone else used it. Neither of these would stand up in court.

The UK arrests aren’t the first. While Anonymous attacks related to Wikileaks were still in progress, two teenagers were arrested in the Netherlands, and in the US, the FBI seized a server. Two Anons are currently serving time in jail for earlier attacks against the ‘church’ of Scientology.

Some Anons suggest that the authorities would be unable to prosecute the large number of people involved in their attacks. But, of course, they wouldn’t have to. A few test cases would probably be enough to discourage people from joining in — at least, enough people so that Anonymous wouldn’t get the volume of DDoS traffic required to be successful.

Claiming that these attacks were mounted as part of a social protest is unlikely to carry much weight outside of the Anonymous IRC channels (where the debate rarely rises above adolescent levels). DDoS attacks against legitimate companies going about their lawful business are unambiguously illegal in most countries - and pretty much all countries in which Anons are likely to have been operating.

Who is Anonymous?

Reports that members of the Anonymous hacktivist movement have defaced the website of Irish opposition party Fine Gael are being denied by … well, members of Anonymous.

The hack exposed details of 2,000 members of the party. But chatter within Anonymous IRC channels suggests that most people who identify themselves with Anonymous want to distance themselves from this action.

It’s a problem, though, isn’t it?

The whole point of Anonymous is that anyone can join. There’s no formal membership. You don’t have to register at a website. All you have to do to be a member is to say so. The movement prides itself on being amorphous, which makes it difficult to attack (though not impossible). It even tries to suggest it doesn’t have a leadership (which is a lie, but a discussion for another time).

So whoever the people were who attacked the Irish website have as much right to call themselves ‘Anonymous’ as anyone else.

However, there are some clues that this action wasn’t carried out by the kind of people who hang out in the usual Anonymous IRC channels. According to some reports, the hack was quite sophisticated. And the technical skill level of most Anons is pretty low. Most are little more than script kiddies, if that.

To give you an example: during the recent, high-profile attacks on PayPal et al, there was a hiatus during which there was no target defined. Anons were getting restless. Many visitors to the #operationpayback channel were desperate to attack something, anything. They wanted a target domain or IP to plug into their LOIC clients. Someone with a mean sense of humour and a little more knowledge than most suggested: “Attack 127.0.0.1”.

It was disheartening how many took this seriously. I suspect that a few had logged off IRC in the excitement of having a new victim, and didn’t see subsequent announcements that mounting a DDoS attack on your own machine might be a bad idea. It would have been fun to watch, though. They probably thought they’d brought down the entire Internet…

Operation Payback - success or failure?

Just how successful were the Anonymous Operation Payback DDoS attacks? Now that the hysterical press coverage has died down, it’s time to take stock.

It’s important to understand the nature of Anonymous: it’s not like a cybercrime gang aiming a botnet at a blackmail target. Nor is it like the Chinese attempting to take down Google.

Anonymous is more amorphous. The group (and we have to have some word for it, so ‘group’ will have to do) likes to present itself as leaderless and totally decentralised. This isn’t true, but what leadership exists is very effectively masked by the ‘anyone can join in’ nature of its activities. There is some guidance, and there are some people taking decisions, but all are encouraged to participate and there is at least a veneer of anarchy even if the reality is somewhat different.

What this means is that objectives are often surprisingly vague. Sometimes you think you know what Anonymous is trying to achieve, but you can’t be sure. This proved to be very useful to the group itself, and we’ll look at that in a moment.

The other difference between an Anonymous DDoS campaign and a botnet-based attack is one of scale. The average botnet might control 30,000 machines. Notwithstanding media exaggerations and boasts by Anonymous itself, the group rarely managed to have more than a few hundred machines flooding its targets at any one time.

Target for today

What were those targets? PayPal came in for some of the most intensive attacks. MasterCard and Visa suffered. Anonymous also went after the law firm representing the two women who made allegations against Julian Assange, the Swedish prosecutor’s office and a number of other sites run by people or organisations deemed to be against Wikileaks or the best interests of Assange.

Twitter - which repeatedly shut down accounts used by Anonymous for co-ordinating the attacks and broadcasting news and information - remained immune. It was obvious from the chat in IRC channels that Anonymous members (‘Anons’) are just too geeky to want to be without one of their favourite toys. There is, of course, hypocrisy in this. But then if you adopt a basically anarchic system of choosing targets and mounting attacks, there is no possibility of sophisticated analysis or reasoned debate. It’s the rule of the mob.

Not much thought seems to have been given to collateral damage. Not that everyone was indifferent: indeed, there were some unhappy voices raised in the IRC channels about the blocking of PayPal affecting ordinary site owners - small businesses, bloggers and so on. One point I didn’t see raised was how attacking the Swedish law firm might affect its ability to support its other clients, with potential for real harm to their lives.

The IRC channels were frenzied, almost hysterical. Voices of reason were shouted down or banned. In its fight for free speech, it seems, Anonymous is fairly intolerant of those who do not share its views.

It became quickly obvious that many Anons were there for the sheer love of the fight. During quiet periods, when no target was defined, you could see calls like “target please” and “let’s attack *something*” from those motivated more by the excitement of irresponsible action without consequences than by any ideological bent. What proportion of Anons just like attacking stuff, as opposed to those who actually have a firm grasp of the often complex issues at stake, is impossible to say.

And let’s not forget that - unlike the Wikileaks issue - the mounting of DDoS attacks by Anonymous is unambiguously illegal. I saw many justifications for this in the IRC channels, but none that rose above the average quality of teenage rebellion.

Naturally, Amazon fell into the sights of Anonymous. The company had kicked Wikileaks from its servers. And just to add fuel to the fire, someone had the nerve to publish a Kindle e-book via Amazon.co.uk containing some of the Cablegate memos. (The description of the book was later changed to claim that it contained only a discussion of the memos, and the book was soon withdrawn anyway.) This was doubtless a case of Amazon not knowing what was being published via its Digital Text Platform service (it doesn’t read & approve every book), but the Anons took this as an affront by the company, rather than the book’s author. And so Amazon was attacked.

Final results

So, how did Anonymous do? Truth be told, its attacks probably amounted to little more than a nuisance as far as the big corporations go. These are organisations with highly distributed systems, most of them designed to withstand DDoS attacks.

There were frequent cheers of victory in the IRC channels, as various Anons declared the current target to be down. In most cases, this was likely due to that particular Anon having his/her IP address blocked by the target. That’s how anti-DDoS systems operate: they identify IPs sending too many requests in too short a time and blacklist them.
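The rate-based blacklisting described here, and the “monitor the IPs from which large numbers of packets are originating, and then filter those addresses” defence from the earlier post on the Anonymous arrests, both come down to the same check: count requests per source address over a sliding time window and record any address that exceeds a threshold. The following is an added example written for this page, not code from the blog or from any anti-DDoS product. It parses constructed Apache/nginx combined-format log lines (the addresses are documentation ranges, not real hosts), flags any client that sends more than `threshold` requests inside any `window_seconds` window, and keeps the first-seen/last-seen/count record that, as the earlier post notes, becomes the database of attacker IPs handed to a packet filter or, later, to a court. The threshold and window values are assumptions chosen for the demonstration.

```python
"""Sliding-window per-source-IP request counting over web server access logs.

Added example: the detection step an anti-DDoS filter performs before it
blacklists an address. Because a tool like LOIC does not spoof its source
address, the IPs this records are the real clients; in a botnet attack the
same logic records the infected machines instead of the operator.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format prefix: client IP, ident, user, bracketed timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_flooders(lines, threshold=5, window_seconds=10):
    """Return {ip: {"first_seen", "last_seen", "requests"}} for every client that
    exceeded `threshold` requests inside any `window_seconds` sliding window.
    Lines are sorted by timestamp first so out-of-order input is handled."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the current window
    stats = {}                    # ip -> first/last seen and total request count
    flagged = set()
    for ip, ts, _req in events:
        rec = stats.setdefault(ip, {"first_seen": ts, "last_seen": ts, "requests": 0})
        rec["last_seen"] = ts
        rec["requests"] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(ip)
    return {ip: stats[ip] for ip in sorted(flagged)}


def blocklist(lines, **kw):
    """Addresses to hand to the packet filter; a client on this list sees the site as 'down'."""
    return sorted(detect_flooders(lines, **kw))


# ---- constructed sample log (documentation address ranges, not real hosts) ----
BASE = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)


def _log_line(ip, seconds, path):
    """Build one constructed combined-format log line `seconds` after BASE."""
    ts = (BASE + timedelta(seconds=seconds)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # flood: 12 requests from one address within 3 seconds (4 per second)
    [_log_line("203.0.113.7", i // 4, "/") for i in range(12)]
    # ordinary visitor: 3 requests spread over two minutes
    + [_log_line("198.51.100.22", s, p) for s, p in ((0, "/"), (40, "/login"), (120, "/cart"))]
    # steady crawler: one request every 10 seconds, never more than 2 per 10 s window
    + [_log_line("192.0.2.9", 10 * i, f"/page/{i}") for i in range(8)]
    + ["this line is not a valid log entry"]   # malformed: must be skipped, not crash
)

if __name__ == "__main__":
    for ip, rec in detect_flooders(SAMPLE_LOG).items():
        print(ip, rec["requests"], rec["first_seen"], rec["last_seen"])
```

With the default 5-requests-per-10-seconds rule only the flooding address is recorded; widening the window to 60 seconds also catches the well-behaved crawler, which is the trade-off every such filter makes between catching low-rate attackers and blocking legitimate clients.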

Nevertheless, PayPal, MasterCard and Visa did all suffer brief periods of downtime, at least on small parts of their networks (see the Netcraft graphs for MasterCard, above, and Visa, below). The question is, how much did they suffer? My guess is, not much.

Admittedly, financial organisations like this don’t like downtime - they spend a lot of money and go to great trouble to avoid it, with highly available systems. Nevertheless, some downtime is a fact of life and - viewed in the context of their business over a quarter or a year - the disruption caused by Anonymous will show up as little more than a blip.

Writing on the Forbes site, Matt Schifrin reported that, while MasterCard’s share price took a slight dip while it was being attacked, by the end of the day it had rallied again and was only slightly down on the previous day (which could be the result of any number of factors). Visa’s share price also took a dip when Anonymous attacked, but actually finished higher at the end of the day.

Schifrin goes as far as to say that an attack by Anonymous might present traders with a short-term opportunity. (He didn’t proceed to the obvious conclusion: given that anyone can join Anonymous and rally forces to attack a company, this could be a way for unethical traders to manipulate the market!)

The smaller organisations that got hit - such as the law firm - probably suffered more. Whether this suffering is in any way justified, I leave for you to decide. Internet-based vigilantism is going to become an ever-bigger issue.

Failed attack

Anonymous failed to bring down Amazon, and this was significant not only in the failure itself but in the way Anonymous handled it. The reason was simple lack of firepower. Several hundred individuals firing their Low Orbit Ion Cannon (LOIC) DDoS tool were no match for Amazon’s cloud-based infrastructure - a point noted, I imagine, by many organisations considering a move to the cloud. Amazon brushed off the Anons like so many fleas.

Later, when Anonymous had called off its attacks, it issued a press release (a sign that it isn’t as decentralised as it would like you to think: mobs don’t write press releases). In part, this said:

While it is indeed possible that Anonymous may not have been able to take Amazon.com down in a DDoS attack, this is not the only reason the attack never occured [sic]. After the attack was so advertised in the media, we felt that it would affect people such as consumers in a negative way and make them feel threatened by Anonymous. Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste.

This is, of course, simply dripping with hypocrisy. The attacks on PayPal, MasterCard and Visa were all capable of affecting “people such as consumers” every bit as much as an attack on Amazon. Quite how an illegal attack on one commercial organisation is “bad taste” while attacks on others are fine isn’t explained.

The reality is, of course, that Anonymous simply failed and is desperately trying to spin the facts to save face - much like a pouting teenager muttering, “I didn’t really want to do it anyway, so there!”. So much for championing transparency and truth.

This spinning continued even on IRC. The topic of the #operationpayback channel announced: “Mission acomplished” [sic]. I’m not sure if the reference to George W Bush was intentional: either way, it’s unfortunate.

Ironically, Amazon did go down. Its European operation was offline for half-an-hour. I happened to be in the #operationpayback channel when it happened and the result was entertaining. Anons joining the channel would ask “are we attacking Amazon again?”. Others simply crowed “Amazon’s down!”, assuming Anonymous was the reason. Best of all, though, were the many voices calling for Anonymous to take credit, even though they knew it was nothing to do with them (Amazon later said it was a hardware failure). One member even reported having contacted CNN to report that Anonymous had knocked the retailer offline.

Raising awareness

If Anonymous failed to wreak any real damage, does this mean the campaign itself was a failure?

Well, no. In the same press release, Anonymous insists that its main goal was raising awareness. That is partly spin: the members of the IRC channel clearly wanted to cause damage. I’m sure many of them wouldn’t have participated in a campaign with aims as wimpy as ‘awareness’. But there is also truth in it.

And raise awareness they did. Thanks to a press frenzy, which managed to greatly overstate Operation Payback’s effects, everyone now knows about Anonymous, about DDoS attacks and about the frailty of the net.

Whether this added anything to the complex and difficult debate surrounding Wikileaks is a moot point. At the very least, in the minds of the general public, Anonymous has managed to associate Wikileaks and its campaign for information transparency with illegal, irresponsible and faceless vigilantism. Is that good?