Anonops #11: Stop ACTA

quote:

Kazakhstan upgrades censorship to deep packet inspection

In December 2011 we were aware of Kazakhstan increasing Internet censorship in response to some unrest and protests in Zhanaozen in the west. The censorship was then deployed around the country, in many cases with the full support of the populace. The initial invesitgation showed simple IP address blocking coupled with basic dns censorship. Tor continued to work without incident until this week.

JSC KazTransCom, AS35104, has deployed or begun testing deep packet inspection (dpi) of all Internet traffic. They specifically target SSL-based protocols for blocking. This includes Tor, IPsec, and PPTP-based technologies, as well as some SSL-based VPNs. Business and private users of these technologies are equally affected.

An example of the censorship, as recorded by volunteers in country, can be found in this network flow diagram. Kazakhstan is identifying and blocking the SSL client key exchange during the setup of an SSL connection. This graph shows the effects of this deployment of censorship based on dpi.

Luckily, due to our recent experience with Iran we have an answer for people: use obfsproxy. Obfsproxy continues to work in Kazakhstan, as well as Iran. In fact, it works in any country where dpi is used to censor citizens' access to the Internet.

Thank you to the volunteers for spending their Valentine's Day collecting and analyzing data.

quote:

Tor gaat dataverkeer maskeren om filters te omzeilen

De ontwikkelaars van Tor werken aan de mogelijkheid om dataverkeer zo te maskeren dat deze afkomstig lijkt van een ander protocol. Hierdoor moet Tor-verkeer minder last krijgen van agressieve internetfilters.

De methode wordt door Tor omschreven als obfsproxy, oftewel een obfuscated proxy. Via een dergelijke Tor-proxy is het mogelijk om de datastroom te manipuleren. Aan Forbes geeft Tor-ontwikkelaar Andrew Lewman het voorbeeld van een obfsproxy die een met ssl versleutelde datastroom laat lijken op een chatsessie volgens het xmpp-protocol. Hierdoor zouden agressieve filtermethoden als deep packet inspection omzeild kunnen worden.

De obsproxy-methode in Tor is nog experimenteel en zou een stream nog onvoldoende kunnen aanpassen om deze op een betrouwbare manier geheel onherkenbaar te houden. Ook worden alleen verbindingen die gebruik maken van het tls-, ssl- en socks-protocol ondersteund, maar de ontwikkelaars streven er naar om ook http en andere veelgebruikte protocollen te gaan ondersteunen.

Ondanks de alpha-status van obfsproxy, krijgen de Tor-ontwikkelaars positieve reacties vanuit onder andere Iran. In dit land heeft het regime niet alleen ip-blokkades ingesteld, maar sinds kort ook een blokkade op al het ssl- en tls-verkeer doorgevoerd. Door obfsproxy te activeren kunnen Iraanse internetgebruikers alsnog websites als Gmail en Hotmail bereiken doordat het versleutelde dataverkeer gemaskeerd wordt.

quote:

http://translate.google.c(...)F%3Faid%3D1231182589

Athens
An 18 year old arrested in the process of a crime, and two other Greek high school students, 16 and 17 years, accused by the Electronic Crime to participate in the falsification of the website of the Greek Ministry of Justice on February 2.

The three hackers allegedly belonging to the group Greek Hacking Scene (GHS) and declared members of the wider, international organization Anonymous.

"Justice is coming," wrote English invaders in the first page of the site, and upload and video message is also fluent in English, which said: "What is happening in your country is unacceptable. Came to power to express the wishes of your people and you have failed utterly. Kill the most sacred thing for your country is the Republic. "

The three accused students now illegal access to computer systems in accordance with Article 370 of the Penal Code.

During surveys conducted in the homes of the accused seized three laptops and 12 hard drives.

Police are now continuing investigations to identify and other team members

No reference to other objectives

The police statement says, according to online postings, these defendants "have committed dozens of digital attacks." The objectives, however, not specified.

In the evening Sunday, February 13, shortly before the crucial vote in parliament on the new memorandum, Anonymous announced that had set off the sites of ELAS, the Ministry of Citizen Protection, the Greek Prime Minister and the Greek Parliament.

The fact this website was not accessible at that time. The same happened later on the websites of PASOK, New Democracy, the Ministry of Finance and Evangelos Venizelos, but it is not clear whether this was associated with Anonymous.

quote:

Anonymous Invades the Spanish Academy Awards Ceremony For Real



Rather than just crashing web pages, Spanish anonymous members had the balls to crash the equivalent of the Oscars ceremony in Madrid today. Three members of Anonymous sneaked past extreme police and private security controls to jump onto the stage as the event was at one of its highest points, as this image shows.

Pedro Almodovar, Antonio Banderas and Salma Hayek were among those who assisted the awards ceremony, called the Goyas in honor of famous Spanish painter Francisco de Goya. While the award for best director was being presented, three Anonymous members wearing Guy Fawkes' masks tried to jump onto the stage from the orchestra seats. Private security caught them before they could actually made it.

Meanwhile, the Spanish film academy web page was under attack. Anonymous also published contact information of actors, actresses and directors who supported the so-called Ley Sinde, a SOPA-like law designed to kill any kind of web pages without a court order.

I wonder if some Guy Fawkes would have the courage to slip through security the same at Hollywood's Academy Awards. [El Mundo]

quote:

'Britse regering wil internetgebruik realtime kunnen monitoren'

Op initiatief van de veiligheidsdiensten werkt de Britse regering aan wetgeving die het mogelijk moet maken om realtime telefoon- en internetverkeer te monitoren. Privacybeschermers kwalificeren de voorstellen als onacceptabel en gevaarlijk.


Dat meldt The Telegraph op basis van niet nader genoemde bronnen. Volgens de krant wordt er in het kader van nieuwe antiterrorismewetgeving gewerkt aan voorstellen voor het Communications Capabilities Development Programme. Daarin worden internetproviders en telecombedrijven verplicht om onder andere gegevens over telefonie- en dataverkeer een jaar lang in databases op te slaan. De inhoud van telefoongesprekken of e-mailberichten zou niet worden bewaard, maar in de databases moeten wel contactgegevens als telefoonnummers, ip-adressen en e-mailadressen zijn terug te vinden.

De databases zouden door inlichtingendiensten als MI5, MI6 en de politie realtime doorzocht moeten kunnen worden. Zo zou bijvoorbeeld een verdacht persoon die mobiele telefoongesprekken voert razendsnel opgespoord kunnen worden. De voorstellen zouden echter nog verder gaan: ook gebruikers van sociale-netwerksites zouden in kaart gebracht moeten worden. Zo willen de voorstanders inzicht krijgen in berichten die gebruikers van onder andere Facebook en Twitter naar elkaar sturen, terwijl zelfs communicatie tussen de spelers van multiplayergames te volgen zou moeten zijn.

Het ministerie van Binnenlandse Zaken zou al twee maanden onderhandelingen zijn aangegaan met bedrijven als O2, BT, Vodafone en Virgin Media, terwijl de wetsvoorstellen in mei door de Britse regering openbaar gemaakt kunnen worden. Hoewel de Conservatieve premier Cameron bij zijn aantreden nog beloofde de privacy hoog in het vaandel te hebben, lijken de inlichtingendiensten met succes druk te hebben uitgeoefend om een eerder gesneuveld wetsvoorstel van de regering Blair nieuw leven in te blazen.

Britse voorvechters voor de privacy hebben al afwijzend gereageerd op de plannen voor een 'spionagewet'. Zo spreekt de Open Rights Group van een onacceptabele 'systematische methode' om alle digitale communicatie van burgers af te tappen. Naast de vraag of de voorstellen technisch haalbaar zijn, stelt de organisatie dat de opgeslagen informatie hoogst aantrekkelijk is voor hackers. Ook zouden internetproviders misbruik kunnen maken van de verzamelde data van hun gebruikers, bijvoorbeeld voor gerichte reclame. Vanuit de organisatie Privacy International klinken soortgelijke geluiden, maar een regeringswoordvoerder laat in een reactie aan de Britse krant weten dat de wetgeving nodig is om criminaliteit en terrorisme effectief te kunnen bestrijden.

quote:

s3rver.exe exposed SQLi vulnerability in Chinese Police website

A Hacker known as s3rver.exe break into a Chinese police website and exposed the vulnerability details. In twitter , he announced that "Chinese police owned" and tweet a link to pastebin.

Hacker exploit the SQL Injection vulnerability in the Panjin City Public Security Bureau website(http://gaj.panjin.gov.cn). He published the vulnerable link and a code to extract the database details.

In past , hacker hacked The ICT Specific Council (ICTSC) website, Tongcheng Environmental Protection Agency website(tchjbh.gov.cn)

quote:

Op maandag 20 februari 2012 17:01 schreef Ronnie_bravo het volgende:
Is dat nou leuk zo'n monoloog met knip en plakwerk??

quote:

Op maandag 20 februari 2012 21:40 schreef princem het volgende:
Op welk forum zitten die anonymous heren.wil ff kijken of zitten ze verstopt?

quote:

Viewpoint: The internet is broken - we need to start over
^{By Prof Alan Woodward Department of Computing, University of Surrey}

Last year, the level and ferocity of cyber-attacks on the internet reached such a horrendous level that some are now thinking the unthinkable: to let the internet wither on the vine and start up a new more robust one instead.

On being asked if we should start again, many - maybe most - immediately argue that the internet is such an integral part of our social and economic fabric that even considering a change in its fundamental structure is inconceivable and rather frivolous.

I was one of those. However, recently the evidence suggests that our efforts to secure the internet are becoming less and less effective, and so the idea of a radical alternative suddenly starts to look less laughable.

One example of struggling security comes from Neira Jones, head of payment security at Barclaycard. She told me that in the UK alone, identity fraud costs more than £2.7bn every year and affects over 1.8 million people.

We also increasingly have other forms of cyber-attacks from political activists (so called 'hacktivists'), and cyber-espionage and warfare, where the internet has become another stage for global conflict between nations.
Prof Alan Woodward Prof Alan Woodward is a cybersecurity expert at the University of Surrey

We need to understand the root of the problem.

In essence, the internet was never intended to be a secure network. The concept was developed by the Defense Advanced Research Projects Agency (Darpa) as a means of allowing a distributed computer system to survive a nuclear attack on the US.

Those who designed the Internet Protocol (IP) did not expect that someone might try to intercept or manipulate information sent across it.

As we expanded our use of the internet from large, centralised computers to personal computers and mobile devices, its underlying technology stayed the same.

The internet is no longer a single entity but a collection of 'things' unified by only one item - IP - which is now so pervasive that it is used to connect devices as wide-ranging as cars and medical devices.

Many technologies were then built upon this foundation. The best known was HyperText Mark-up Language (HTML) which is what allows web pages such as this to be displayed in the way you view it now.

And, yes, many of these technologies included the ability to secure the data that is being transmitted over the internet. All will have used one of these 'secure' technologies, most usually when buying something over the internet.

Technology to serve

But, stop and ask yourself this, if it is 'secure', why are there so many successful attacks?

Some argue that humans are the weak link and hence changing the internet's underlying technology would not really solve the problem. I take issue with that. Technology serves people not vice versa.

It is unreasonable to expect users in general to understand complex technologies to the degree necessary to ensure they operate securely over the internet.

It's analogous to a house. By default a house should be built to allow it to be occupied safely.

If you chose to start knocking down walls then it is your fault if the house collapses. But if the foundations of any structure are unsound, no matter how strong or unmodified the building on top, there is always a significant risk of safety being undermined through no fault of yours.

Of course, some argue that you can simply underpin structures with shaky foundations. There are other, more secure technologies that could be substituted for the current 'IP'.

This June sees the launch of what many consider to be the next generation of IP (known as IPv6 and IPSec) which is capable of securing all data transmitted over the internet.
Anti-Acta protest in Warsaw Hacktivists have helped create a new stage for global conflict, ProfWoodward says

However, availability of a better technology does not automatically lead to its adoption. Secure alternatives to IP have existed for a long time and yet none have been adopted widely.

In fact, the launch in June is more of a relaunch intended to reinvigorate interest in the next generation of IP which was developed in 1998.

I have my doubts as to its success as the internet has a momentum of its own: without someone mandating its use, or more specifically how it should be used, it is unlikely that it will be deployed to make up for the current shortcomings.
.

Security afterthought

Ever since the internet first changed from an academics' toy to become a commercial tool in the 1990s, security has always been an afterthought.

Only in an environment where the providers of the underlying networks insist upon the use of a single, secure technology, can one have a set of firm foundations.

Sadly, a key characteristic of our current internet is that it is a lawless, unregulated environment. Even governmental attempts at governance have failed as the internet is global and no truly global governance body exists.

Neira Jones summed it up nicely when she said to me that while regulations are trying to address the security void, success will depend on collective responsibility and accountability as well as extensive awareness and education at all levels.
Continue reading the main story
“Start Quote

We can have areas of the internet that are governed by a global body”

While not a popular view, I think that the current internet can only survive if adequate global governance is applied and that single, secure technology is mandated. This is obviously fraught with the much rehashed arguments about control of the internet, free speech, and so on.

Then there is the Herculean task of achieving international agreement and a recognised and empowered governance body.

However, this exists for other shared infrastructures, from aviation to telephony, so it is not impossible.

I think the answer lies somewhere in the middle.

We can have areas of the internet that are governed by a global body and run on technologies which are inherently secure, and we can have areas which are known to be uncontrolled.

They can coexist using the same physical networks, personal computers and user interface to access both but they would be clearly segregated such that a user would have to make a clear choice to leave the default safe zone and enter what has been described as "the seediest place on the planet".

quote:

Updated: FTC dropped security requirements from contract for sites hit by Anonymous

Update: Fleishman-Hilliard is disputing the facts of the hack as presented by hosting provider Media Temple. Bill Pendergast, general manager of the Fleishman-Hillard DC office, told Ars Technica, ""For Media Temple to claim ignorance of hosting the FTC -- or other government -- sites is completely false. In their own words, Media Temple is deep in this area, with what they claim to be the appropriate level of compliance. It's hard to see how their fiction helps anyone get to a constructive outcome." A fully-updated story with the latest information from FTC, Fleishman-Hilliard and Media Temple will be posted shortly.

If you were looking for a recipe for creating government websites that attract defacement attacks, the acquisition process that led to the creation of a set of recently hacked Federal Trade Commission sites would be a good place to start. Despite a raft of federal security regulations and guidelines for using cloud services, smaller projects often fall through the cracks of security oversight—just as they often do with outsourced marketing projects for large corporations.

The initial language of the FTC's solicitation for the $1.49 million contract that created the sites that were hacked on January 24 and February 17 set out very specific language about the security requirements for the site. But by the time the contract for a set of consumer and business education websites and social media was awarded to public relations firm Fleishman-Hilliard in August of 2011, those requirements were dropped from the statement of work.

In part, the security requirements were dropped because the FTC planned to host the sites with someone other than the winner of the contract. But Fleishman-Hilliard ended up setting up the servers for the sites themselves—on Media Temple's unmanaged server-in-the-cloud service that was never intended for .gov sites. And it appears the FTC signed off on the move.

As a result, the servers provisioned for a number of FTC sites, including a site providing recommendations for business and consumer information security, were configured with an outdated version of the Drupal content management system that offered up a tempting target to Anonymous "antisec" hackers looking to embarrass the government.

When the FTC originally posted the solicitation for bids in May of 2011, the statement of work included strong security language for the project, stating that the servers for the project would be subject to the requirements of the Federal Information Security Management Act of 2002 (FISMA). And as part of those requirements, the FTC's solicitation spelled out contractors' responsibilities regarding data breaches: "The contractor shall be required to prevent and remedy data breaches and to provide the FTC with all necessary information and cooperation, and to take all other reasonable and necessary steps and precautions, to enable the FTC to satisfy its data breach reporting duties under applicable law, regulation, or policy in the event, if any, that a breach occurs… The Information System Security Plan required elsewhere in this document shall include policies and procedures necessary to ensure the timely detection of and reporting to the FTC of data breaches, as well as safeguards to prevent and mitigate the risk of, as well as to remedy, such breaches, if any."

But by the time the contract was awarded, the FTC had struck any reference to security requirements from its amended statement of work. In a "Questions and Answers" document posted by the FTC's Office of Acquisitions on June 3, the office responded to a question on the nature of the security requirements of the project by stating "This information has been deleted from the statement of work." In the same Q&A document, the FTC said that the websites built under the contract "will be hosted by a third-party hosting provider to be contracted separately and directly by the FTC."

That clearly didn't happen. Media Temple, the hosting service that was used to provide the servers for the sites, wasn't contracted by the FTC; instead, the sites were set up by Fleishman-Hilliard, and the hosting provider was unaware they were being used for .gov domains, according to Media Temple chief marketing officer Kim Brubeck.

The result of the process was that a whole set of FTC domains—including business.ftc.com, OnGuardOnline.gov, and the National Consumer Protection Week blog—were left unpatched and exposed to attack, creating low-hanging fruit for attackers like Anonymous. And there are clearly many other civilian federal agencies that have the same problem. Anonymous' Antisec collective claims to have amassed a large number of similar federal sites that it has already compromised.

quote:

ACTA is part of a multi-decade, worldwide copyright campaign

Last week, we observed that major content companies have enjoyed a steady drumbeat of victories in Congress and the courts over the last two decades. The lobbying and litigation campaigns that produced these results have a counterpart in the executive branch. At the urging of major copyright holders, the Obama administration has been working to export restrictive American copyright laws abroad. The Anti-Counterfeiting Trade Agreement (ACTA) is just the most visible component of this ambitious and long-running project.

Ars Technica recently talked to Michael Geist, a legal scholar at the University of Ottawa, about this effort. He told us that rather than making their arguments at the World Intellectual Property Organization, where they would be subject to serious public scrutiny, the US and other supporters of more restrictive copyright law have increasingly focused on pushing their agenda in alternative venues, such as pending trade deals, where negotiations are secret and critics are excluded.

The growing opposition to ACTA in Europe suggests this strategy of secrecy may have backfired. But the US is not giving up. It has already begun work on its next secret agreement, ealled the Trans-Pacific Partnership. Geist told Ars that restoring balance to copyright law will require reformers to be as determined as their opponents have been. He said that donating to public interest groups that focus on international copyright issues is the best way to make sure that the public interest is well-represented.

Exporting copyright law

Countries have been negotiating international copyright treaties for more than a century, but the passage of two treaties in the 1990s represented a turning point in international copyright law.

The Trade-Related Aspects of Intellectual Property Rights (TRIPS) agreement, signed in 1994, made protection of copyrights a requirement of membership in the World Trade Organization. Countries that failed to meet international copyright standards could face trade sanctions. The 1996 World Intellectual Property Organization Copyright Treaty further ratcheted up the minimum requirements for copyright protection—requiring, for example, that signing countries regulate the circumvention of digital rights management schemes.

WIPO's relatively open structure meant that major copyright holders didn't get everything they wanted in the 1996 treaty. For example, Geist said, the United States was unable to get the strong anti-circumvention language it preferred into the WIPO treaty.

"WIPO is a place that's more open than it used to be," Geist told Ars. "Because of the consensus-based approach, there is a necessity to engage in negotiating." Indeed, in recent years reformers have begun to make headway themselves. Treaties to liberalize copyright in ways that benefit libraries and the blind are now under consideration at WIPO.

So, Geist said, the US has increasingly engaged in forum-shopping, bypassing WIPO and pushing for stronger copyright protection in a wide variety of other venues. For example, the United States has negotiated a series of bilateral trade agreements with nations such as South Korea, Australia, and Chile. While they're branded as free-trade deals, they also require the other country to adopt the more punitive copyright regime favored by the United States.

The negotiations over the Anti-Counterfeiting Trade Agreement were part of this trend. In contrast to the relatively open WIPO process, ACTA was negotiated in secret by a relatively small number of mostly wealthy countries. The developing nations who would be the most likely to object weren't invited to participate. The plan was to present the finished treaty to the world on a "take it or leave it" basis.

Unfortunately, the plan didn't work as well as its backers had hoped. Early drafts of the treaty leaked, giving opponents time to organize against the most extreme provisions in the treaty. And the secretive and non-representative nature of the negotiation process created a bad taste in the mouths of many stakeholders. Concerns over ACTA's secretive drafting process may have been as important as any of the treaty's substantive provisions in generating European opposition. If Europe fails to ratify ACTA, it will dramatically weaken the treaty.

Try, try again

But the US isn't giving up. To the contrary, the US and its industry backers seem to have concluded the problem with ACTA was that they didn't try hard enough to lock down the negotiating process. So they're now plowing forward with the Trans-Pacific Partnership. This time, the US has cut the leak-prone Europeans out of the process, limiting negotiations to eight countries such as New Zealand and Peru that are much easier for the United States to intimidate. Presumably, the goal is to enshrine the US's preferred copyright policies in the TPP and then use the TPP as a template for future agreements.

Once the US gets a critical mass of countries to sign a deal, it can then use other carrots and sticks to pressure additional countries to sign on. Geist said one important tool is the so-called "Special 301" list, an annual watchlist of countries Washington considers to have insufficiently strict copyright laws. Not only will countries be pressured to sign onto ACTA, the US may also press them to implement even those provisions of ACTA that the agreement itself labels as optional.

Geist believes that the interests behind SOPA and ACTA are likely to view recent defeats as temporary setbacks. "They're not playing for next year," he said. "They're playing for 10 years and 20 years in the future."

He said that reformers can resist their agenda, but only if they play the same "long game" as their opponents. Ordinarily, the most important thing a citizen of a democracy can do to stop bad public policies is to call their legislators. But in this case, most of the action is occurring in international organizations where individual legislators have little influence.

To fight agreements like ACTA requires organizations with the sophistication and resources to navigate the complex world of international diplomacy. Geist pointed to Knowledge Ecology International, Public Knowledge, and the Electronic Frontier Foundation as examples of organizations with a track record of resisting the drive toward ever-stronger copyright protection.These organizations are "WIPO regulars" well positioned to stay in the trenches and ensure the public interest is well-represented regardless of the venue. Geist said that donating to these organizations is the most effective way for ordinary voters to help resist the worldwide trend toward ever-more-extreme copyright laws.

quote:

Interview: With the 15yo hacker who hacked 5 Australian Government sites and Harvard / #list #rls #legion

^{Published February 19th, 2012}

Over the past 30 hours or so there has been two fairly big story’s that have both come from attacks carried out by the same hacker, first Harvard got exposed and hacked and had emails leaked and then today 5 Australian government websites got hacked.

We had the chance to interview the hacker who is just 15yo and goes by the name PrOtOn and is part of D157UR83D Crew

So here is the main interview raw pasted. as you will see PrOtOn has more plans for the Australian government that involves the AFP ( Australian federal police).

quote:

PrOtOn my first hack was in primary school, i think i was 11