Hackers warn Westboro Church: Stop now or else

gubbi

A group of hacktivists acting under the banner "Anonymous" has warned a church with a controversial history that unspoken retribution will follow if it continues its practice of inflammatory protests.

In an open letter to the Westboro Baptist Church, Anonymous has put the anti-gay, fundamentalist church on notice that "the damage incurred will be irreversible," and that "neither your institution nor your congregation will ever be able to fully recover."

The Westboro Baptist Church is led by Rev. Fred Phelps. It has drawn particular attention for carrying out anti-gay protests at funerals of military servicemen with signs celebrating the deaths of the soldiers with signs like "God Hates the USA" or "Thank God for 9/11." The group operates a website with the URL godhatesfags.com.

In its letter, Anonymous wrote the following:

We, the collective super-consciousness known as ANONYMOUS - the Voice of Free Speech & the Advocate of the People - have long heard you issue your venomous statements of hatred, and we have witnessed your flagrant and absurd displays of inimitable bigotry and intolerant fanaticism. We have always regarded you and your ilk as an assembly of graceless sociopaths and maniacal chauvinists & religious zealots, however benign, who act out for the sake of attention & in the name of religion.

Being such aggressive proponents for the Freedom of Speech & Freedom of Information as we are, we have hitherto allowed you to continue preaching your benighted gospel of hatred and your theatrical exhibitions of, not only your fascist views, but your utter lack of Christ-like attributes. You have condemned the men and women who serve, fight, and perish in the armed forces of your nation; you have prayed for and celebrated the deaths of young children, who are without fault; you have stood outside the United States National Holocaust Museum, condemning the men, women, and children who, despite their innocence, were annihilated by a tyrannical embodiment of fascism and unsubstantiated repugnance. Rather than allowing the deceased some degree of peace and respect, you instead choose to torment, harass, and assault those who grieve.

Your demonstrations and your unrelenting cascade of disparaging slurs, unfounded judgments, and prejudicial innuendos, which apparently apply to every individual numbered amongst the race of Man - except for yourselves - has frequently crossed the line which separates Freedom of Speech from deliberately utilizing the same tactics and methods of intimidation and mental & emotional abuse that have been previously exploited and employed by tyrants and dictators, fascists and terrorist organizations throughout history.

ANONYMOUS cannot abide this behavior any longer. The time for us to be idle spectators in your inhumane treatment of fellow Man has reached its apex, and we shall now be moved to action. Thus, we give you a warning: Cease & desist your protest campaign in the year 2011, return to your homes in Kansas, & close your public Web sites. Should you ignore this warning, you will meet with the vicious retaliatory arm of ANONYMOUS: We will target your public Websites, and the propaganda & detestable doctrine that you promote will be eradicated; the damage incurred will be irreversible, and neither your institution nor your congregation will ever be able to fully recover. It is in your best interest to comply now, while the option to do so is still being offered, because we will not relent until you cease the conduction & promotion of all your bigoted operations & doctrines.

The warning has been given. What happens from here shall be determined by you.

Given their ability to follow through on their threats with the recent case of Anonymous hacking HBGary Federal (an internet security firm widely consulted by the likes of CIA and McAfee), what do you think Anonymous will be able to do?
What do you think of "Anonymous"?
 

This is a hoax; Anonymous isn't going to attack them and never planned to. Someone's trying to use Anonymous as their personal army, and failed miserably.

Was "Anonymous" church threat a hoax? - Tech Talk - CBS News
 

Yeah, just saw that piece of news. However, what do you make of this?
Anonymous speaks: the inside story of the HBGary hack
It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.

When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.

Over the last week, I've talked to some of those who participated in the HBGary hack to learn in detail how they penetrated HBGary's defenses and gave the company such a stunning black eye—and what the HBGary example means for the rest of us mere mortals who use the Internet.

HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors. On the software side, HBGary has a range of computer forensics and malware analysis tools to enable the detection, isolation, and analysis of worms, viruses, and trojans. On the services side, it offers expertise in implementing intrusion detection systems and secure networking, and performs vulnerability assessment and penetration testing of systems and software. A variety of three letter agencies, including the NSA, appeared to be in regular contact with the HBGary companies, as did Interpol, and HBGary also worked with well-known security firm McAfee. At one time, even Apple expressed an interest in the company's products or services.

Greg Hoglund's rootkit.com is a respected resource for discussion and analysis of rootkits (software that tampers with operating systems at a low level to evade detection) and related technology; over the years, his site has been targeted by disgruntled hackers aggrieved that their wares have been discussed, dissected, and often disparaged as badly written bits of code.

One might think that such an esteemed organization would prove an insurmountable challenge for a bunch of disaffected kids to hack. World-renowned, government-recognized experts against Anonymous? HBGary should be able to take their efforts in stride.

Unfortunately for HBGary, neither the characterization of Anonymous nor the assumption of competence on the security company's part are accurate, as the story of how HBGary was hacked will make clear.

Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things. With that diversity in age and experience comes a diversity of expertise and ability.

It's true that most of the operations performed under the Anonymous branding have been relatively unsophisticated, albeit effective: the attacks made on MasterCard and others were distributed denial-of-service attacks using a modified version of the Low Orbit Ion Cannon (LOIC) load-testing tool. The modified LOIC enables the creation of large botnets that each user opts into: the software can be configured to take its instructions from connections to Internet relay chat (IRC) chat servers, allowing attack organizers to remotely control hundreds of slave machines and hence control large-scale attacks that can readily knock websites offline.

According to the leaked e-mails, Aaron Barr believed that HBGary's website was itself subject to a denial-of-service attack shortly after he exposed himself to someone he believed to be a top Anonymous leader. But the person I spoke to about this denied any involvement in such an attack. Which is not to say that the attack didn't happen—simply that this person didn't know about or participate in it. In any case, the Anonymous plans were more advanced than a brute force DDoS.

Time for an injection

HBGary Federal's website, hbgaryfederal.com, was powered by a content management system (CMS). CMSes are a common component of content-driven sites; they make it easy to add and update content to the site without having to mess about with HTML and making sure everything gets linked up and so on and so forth. Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary—for reasons best known to its staff—decided to commission a custom CMS system from a third-party developer.

Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard—security flaws crop up in all of them from time to time—but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.

The custom solution on HBGary's site, alas, appeared to lack this kind of support. And if HBGary conducted any kind of vulnerability assessment of the software—which is, after all, one of the services the company offers—then its assessment overlooked a substantial flaw.

The hbgaryfederal.com CMS was susceptible to a kind of attack called SQL injection. In common with other CMSes, the hbgaryfederal.com CMS stores its data in an SQL database, retrieving data from that database with suitable queries. Some queries are fixed—an integral part of the CMS application itself. Others, however, need parameters. For example, a query to retrieve an article from the CMS will generally need a parameter corresponding to the article ID number. These parameters are, in turn, generally passed from the Web front-end to the CMS.

SQL injection is possible when the code that deals with these parameters is faulty. Many applications join the parameters from the Web front-end with hard-coded queries, then pass the whole concatenated lot to the database. Often, they do this without verifying the validity of those parameters. This exposes the systems to SQL injection. Attackers can pass in specially crafted parameters that cause the database to execute queries of the attackers' own choosing.

The exact URL used to break into hbgaryfederal.com (www.hbgaryfederal.com is offline) has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS, allowing the hackers to retrieve data from the database that they shouldn't have been able to get.

Rainbow tables

Specifically, the attackers grabbed the user database from the CMS—the list of usernames, e-mail addresses, and password hashes for the HBGary employees authorized to make changes to the CMS. In spite of the rudimentary SQL injection flaw, the designers of the CMS system were not completely oblivious to security best practices; the user database did not store plain readable passwords. It stored only hashed passwords—passwords that have been mathematically processed with a hash function to yield a number from which the original password can't be deciphered.

The key part is that you can't go backwards—you can't take the hash value and convert it back into a password. With a hash algorithm, traditionally the only way to figure out the original password was to try every single possible password in turn, and see which one matched the hash value you have. So, one would try "a," then "b," then "c"... then "z," then "aa," "ab," and so on and so forth.

To make this more difficult, hash algorithms are often quite slow (deliberately), and users are encouraged to use long passwords which mix lower case, upper case, numbers, and symbols, so that these brute force attacks have to try even more potential passwords until they find the right one. Given the number of passwords to try, and the slowness of hash algorithms, this normally takes a very long time. Password cracking software to perform this kind of brute force attack has long been available, but its success at cracking complex passwords is low.

However, a technique first published in 2003 (itself a refinement of a technique described in 1980) gave password crackers an alternative approach. By pre-computing large sets of data and generating what are known as rainbow tables, the attackers can make a trade-off: they get much faster password cracks in return for using much more space. The rainbow table lets the password cracker pre-compute and store a large number of hash values and the passwords that generated them. An attacker can then look up the hash value that they are interested in and see if it's in the table. If it is, they can then read out the password.

To make cracking harder, good password hash implementations will use a couple of additional techniques. The first is iterative hashing: simply put, the output of the hash function is itself hashed with the hash function, and this process is repeated thousands of times. This makes the hashing process considerably slower, hindering both brute-force attacks and rainbow table generation.

The second technique is salting; a small amount of random data is added to the password before hashing it, greatly expanding the size of rainbow table that would be required to get the password.

In principle, any hash function can be used to generate rainbow tables. However, it takes more time to generate rainbow tables for slow hash functions than it does for fast ones, and hash functions that produce a short hash value require less storage than ones that produce long hash values. So in practice, only a few hash algorithms have widely available rainbow table software available. The best known and most widely supported of these is probably MD5, which is quick to compute and produces an output that is only 128 bits (16 bytes) per hash. These factors together make it particularly vulnerable to rainbow table attacks. A number of software projects exist that allow the generation or downloading of MD5 rainbow tables, and their subsequent use to crack passwords.

As luck would have it, the hbgaryfederal.com CMS used MD5. What's worse is that it used MD5 badly: there was no iterative hashing and no salting. The result was that the downloaded passwords were highly susceptible to rainbow table-based attacks, performed using a rainbow table-based password cracking website. And so this is precisely what the attackers did; they used a rainbow table cracking tool to crack the hbgaryfederal.com CMS passwords.

Even with the flawed usage of MD5, HBGary could have been safe thanks to a key limitation of rainbow tables: each table only spans a given "pattern" for the password. So for example, some tables may support "passwords of 1-8 characters made of a mix of lower case and numbers," while others can handle only "passwords of 1-12 characters using upper case only."

A password that uses the full range of the standard 95 typeable characters (upper and lower case letters, numbers, and the standard symbols found on a keyboard) and which is unusually long (say, 14 or more characters) is unlikely to be found in a rainbow table, because the rainbow table required for such passwords will be too big and take too long to generate.

Alas, two HBGary Federal employees—CEO Aaron Barr and COO Ted Vera—used passwords that were very simple; each was just six lower case letters and two numbers. Such simple combinations are likely to be found in any respectable rainbow table, and so it was that their passwords were trivially compromised.


For a security company to use a CMS that was so flawed is remarkable. Improper handling of passwords—iterative hashing, using salts and slow algorithms—and lack of protection against SQL injection attacks are basic errors. Their system did not fall prey to some subtle, complex issue: it was broken into with basic, well-known techniques. And though not all the passwords were retrieved through the rainbow tables, two were, because they were so poorly chosen.

HBGary owner Penny Leavy said in a later IRC chat with Anonymous that the company responsible for implementing the CMS has since been fired.

Read more on the original site

An interesting read into how HBGary was humbled - 'the hunter becomes the hunted'
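The "Time for an injection" part of the quoted article describes a CMS that splices a numeric page parameter straight into its SQL. As an added illustration (my code, not the article's and not HBGary's CMS; the in-memory SQLite schema and rows are constructed for the example), here is that pattern next to the hardened form, which validates the parameter as an integer and binds it as a query parameter:

```python
import re
import sqlite3

# Constructed in-memory stand-in for a CMS database. The table names,
# columns and rows are assumptions for this example, not HBGary's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT,
                           email TEXT, pw_hash TEXT);
        INSERT INTO pages VALUES (2, 'About', 'About the company');
        INSERT INTO pages VALUES (27, 'Services', 'Assessments and testing');
        INSERT INTO users VALUES (1, 'alice', 'alice@example.com', 'c0ffee');
        """
    )
    return conn

def fetch_page_unsafe(conn: sqlite3.Connection, page: str) -> list:
    # The flaw the article describes: the request parameter is spliced into
    # the SQL text, so the database parses whatever the client sent as SQL.
    sql = "SELECT id, title FROM pages WHERE id = " + page
    return conn.execute(sql).fetchall()

def fetch_page_safe(conn: sqlite3.Connection, page: str) -> list:
    # Hardened form: reject anything that is not a plain integer ID, then
    # bind the value as a query parameter so it can never be parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", page):
        raise ValueError("page must be a numeric ID")
    sql = "SELECT id, title FROM pages WHERE id = ?"
    return conn.execute(sql, (int(page),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(fetch_page_unsafe(db, "27"))          # one row, as intended
    print(fetch_page_unsafe(db, "27 OR 1=1"))   # every row: the input became SQL
    print(fetch_page_safe(db, "27"))            # one row
    try:
        fetch_page_safe(db, "27 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```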
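The "Rainbow tables" part of the quoted article explains why unsalted, single-round MD5 falls to a precomputed lookup while salting and iteration do not. As an added example (my code, not the article's; the candidate list is a constructed stand-in for a rainbow table and the PBKDF2 parameters are assumptions), this contrasts the two:

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a rainbow table: a direct digest -> password
# lookup over a tiny candidate set. A real table covers a whole pattern
# (the article notes the two cracked passwords were six lower-case letters
# plus two digits), but the lookup step is the same.
CANDIDATES = ["abcdef12", "qwerty99", "secret01", "letter77"]

def md5_unsalted(password: str) -> str:
    # What the CMS did: one plain MD5 over the password, no salt, no iteration.
    return hashlib.md5(password.encode()).hexdigest()

LOOKUP = {md5_unsalted(p): p for p in CANDIDATES}

def crack_by_lookup(digest_hex: str) -> Optional[str]:
    # Returns the password if the digest is in the precomputed table, else None.
    return LOOKUP.get(digest_hex)

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, int, str]:
    # Salted, iterated hashing (PBKDF2-HMAC-SHA256 here, an assumed choice):
    # a random per-user salt means no precomputed table applies, and the
    # iteration count makes every guess the attacker tries slower.
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk.hex()

def verify_pbkdf2(password: str, salt: bytes, iterations: int,
                  stored_hex: str) -> bool:
    # Recompute with the stored salt and count; compare in constant time.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk.hex(), stored_hex)

if __name__ == "__main__":
    print("unsalted MD5 lookup:", crack_by_lookup(md5_unsalted("abcdef12")))
    salt, n, h = pbkdf2_hash("abcdef12")
    print("salted/iterated lookup:", crack_by_lookup(h))
    print("verify correct password:", verify_pbkdf2("abcdef12", salt, n, h))
```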
 
Lessons Learned Thanks to HBGary and Anonymous
A week or so ago, I had never heard of HBGary. I assume you probably hadn't either. Now we know HBGary all too well after an attempt to make a name by unmasking the anonymous hackers of Anonymous backfired in more ways than one.

Anonymous has become a virtual household name following the group's "hacktivism" against companies and Web sites that made efforts to knock Wikileaks offline and cut off Wikileaks' funding. The activities conducted by Anonymous were illegal, but to many the attacks were a heroic defense of disclosure and the freedom of speech. Anonymous has since embraced this role as Robin Hood of the Internet and has continued striking new targets--recently threatening to take down Westboro Baptist Church and its site godhatesfags.com. It's hard not to like them.

Then, HBGary--a small Sacramento-based security firm--claimed to know the true identities of the leaders behind Anonymous, and threatened to reveal them. Anonymous did not appreciate the threat, so within a matter of hours it hacked and defaced the HBGary Web site, and compromised its servers. Tens of thousands of HBGary e-mails were then exposed on the Web, and that is where HBGary's problems begin.

As if getting pwn3d by Anonymous and having sensitive information compromised wasn't bad enough, the content of the exposed e-mails uncovered a larger scandal involving an HBGary affiliate--HBGary Federal. Apparently, HBGary Federal was involved in an ethically dubious plan to use fake social networking profiles to discredit groups that criticize the US Chamber of Commerce.

So, what pearls of wisdom can we derive from this sordid tale? Well, first, that locking down servers and protecting data is a complex and difficult task. HBGary is an information security firm--implying some higher than average understanding of information security--and it was hacked in a matter of hours.

Second, this incident demonstrates that skilled hackers are a formidable force. There are tons of script-kiddy bad guys out there who use automated tools and don't really know how to hack. But, for an attacker with real skill, security measures are more like speed bumps than steel walls--breaking or circumventing them is more a matter of when than if.

Third, we learn that sometimes there is a fine line between the good guys and the bad guys. Ostensibly, the two have roughly the same skill set and all that truly separates them are ethics and some sort of moral code. Lacking that, there is nothing stopping an otherwise legitimate security professional from using his skills for evil rather than--or in addition to--good.

For the first two lessons, IT admins need to understand that there are no silver bullets, and that there is never a point where you are "done" securing the network and data. You must implement a layered defense of reasonable security controls, then diligently monitor for threats and suspicious activities 24/7.

As for the third lesson, make sure you do your due diligence before doing business with a security consultant or hiring a security firm. Do your best to make sure you are doing business with someone with the skills necessary to get the job done, and the moral compass to not cross the line.
 
