Internet Hackers and the Real Threat They Expose

by ALFREDO LOPEZ

While certainly not over-shadowing the Obama Administration’s military threats against Syria, the cyber attack that brought the mighty New York Times to its knees last week is a major development and should get us all thinking.

The attack, a Dedicated Denial of Service attack, took the Times’ website off-line for a day and was one of a series of attacks on major information institutions by a hacker group called The Syrian Electronic Army. The SEA appears to be a network of hackers (some of them outside Syria) who are loyal to Syrian President Bashar al-Assad and apparently ready to attack anyone who’s not. Because this was, after all, the website of one of the world’s most powerful and prominent newspapers, the sudden exposure of its vulnerability was daunting.

The vulnerability of websites was further demonstrated by the five-day attack two weeks ago on the website of Sahara Reporters, a site featuring news on Africa that is always provoking the ire of repressive governments and corrupt politicians. This attack was particularly nasty and protracted. It took technologist Ross Glover of May First/People Link, of which Sahara Reporters is a member, nearly five days to combat and then finally control the attack so that the website could return to normal functioning.

There were nearly ten major cyber attacks in August against very prominent targets and such coincidence begs for a lesson. It’s not hard to find. The Internet is vulnerable to attack. Our corporations and governments concentrate on defending against attacks on financial and military targets on-line, conducting surveillance on the human race and launching their own cyber-attacks against “enemies” abroad. All the while they do literally nothing to protect against threats on information and organizing centers, some of the resources people need the most. With all the money put into on-line surveillance, there’s been very little put into developing ways to block DDOS attacks or secure the real Internet. Put simply, you and your communications are not a priority.

Most of these attacks appear to be the work of the SEA which, while insisting it’s not a government project, makes no bones about its allegiance to the Assad regime. The SEA’s strategy, as it were, is to disrupt news websites and social media that carry criticism of the regime, to “spread the truth” they say. But its targets, like the Times, indicate that a website’s prominence and authority are also important criteria. There are lots of publications that are much more critical of Assad than the Times. And the character of their attacks — providing almost no informative content — means they’re more interested in disrupting information than spreading it.

Founded in 2011, as Syrian society erupted in protest and “Arab Spring” activity, the SEA has been a busy operation. It has launched attacks against BBC News, the Associated Press, National Public Radio, Al Jazeera, Financial Times, The Daily Telegraph, The Washington Post and Human Rights Watch. It’s also spammed social networking sites including President Obama’s Facebook page and Oprah Winfrey’s — posting repeated pro-Assad slogans that temporarily consumed both sites.

Among its most famous attacks was one this past April on the Associated Press news agency, in which tweets falsely claimed the White House had been bombed and President Barack Obama injured. The tweets were quickly countered by the White House but during the short lapse, they caused plenty of confusion, understandable jitters and a huge drop in stock market prices.

It’s not clear who was behind the attack on the Sahara Reporters but you can pretty much take your pick. The remarkable site has been a frequent target of attack because of its unfettered and un-restrained reportage on Africa, a good way to amass enemies.

Attacks of this type are terrorism. Sure, they don’t blow up bodies or destroy homes or offices but terrorism isn’t aimed at winning wars or defeating armies in battle — as obscene as such destructive enterprises are. Its goal is to frighten people, make them feel vulnerable, and disrupt the patterns of behavior that make people, news organizations or movements functional. They seek to momentarily derail the social trains we travel in our normalcy. That derailment, the theory goes, causes people to think twice before doing something or to refrain from doing it again. It’s strategic bullying and, because information is so critical and central to our daily functioning, this kind of bullying is both disturbing and potentially effective.

It’s the hacker’s version of the kind of intimidation the NSA (and all U.S. security agencies) thrive off of and this may be why a government that is obsessed with any activity it deems challenging to its own security couldn’t care less about anyone else’s. To explore that damning fact, we should start by understanding what these hackers are actually doing and, on today’s Internet, it is a very simple activity.

The two terms to understand are “phishing” and “DDOS”.

Phishing — as you may have guessed, it’s based on “fishing” — is the capture of username and password data. There are many ways to do this including phony email or faux websites — like when you get that email from your bank asking you to log into a site in some other country whose sole purpose is to capture the username and password you regularly use for your banking account. The phishing strategies are countless but they all rely on you giving them the information.

Given the heightened consciousness about these crude theft techniques, most sophisticated hackers rely on what’s called a “brute force attack” to get passwords. Again, variations abound, but the idea is to run a long list of passwords against the encrypted passwords on the server hosting your email or website. If all passwords are complicated and “secure”, this is time-consuming but any insecure password (like “yourname123”) is going to be cracked quickly and the account compromised. Once that happens, the hackers are into the system posing as you. They can post what they want and, if they have administrator permissions, they can wreck the website.

These password theft techniques are probably what SEA hackers used to get into social networking sites or into the websites they have defaced. Someone with a Facebook account had an easy password or some administrator of one of those social networking systems got sloppy.

The Dedicated Denial of Service (or DDOS) attack, on the other hand, doesn’t seek to replace content, it seeks to block it. It does this by sending repeated “requests” (a url) for a specific website page at blinding speed until the page can no longer be reached by legitimate visitors. More sophisticated hackers will target the site’s IP address (the number that identifies the server the site is on). In that case, every site housed by the server is affected and will, quite quickly, become unavailable. The coy part of this approach is that the administrators of the server don’t initially have any idea which site is actually being targeted. It’s like bombing a neighborhood to kill one person.

There are many ways server administrators fight off these attacks, and attackers have continuously developed ways to counter those techniques, which administrators in turn learn to resist. The battle between those who would shut down communications and those who fight to keep them going goes on and on.
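One way an administrator of a shared server can find which site and page a request flood is aimed at, as an added example that is not part of the original article. The log format, host names, addresses and thresholds are assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed format: vhost client - - [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+')

def parse(line):
    """Return (time, vhost, client, path) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string so variants of one URL count as the same page.
    return ts, m["vhost"].lower(), m["client"], m["path"].split("?", 1)[0]

def find_floods(lines, window_s=10, threshold=20):
    """Map (vhost, path) -> (peak requests in window, distinct clients) for
    every page that received more than `threshold` requests in `window_s` s."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)       # (vhost, path) -> (time, client) in window
    hits = {}
    for ts, vhost, client, path in filter(None, map(parse, lines)):
        q = recent[(vhost, path)]
        q.append((ts, client))
        while ts - q[0][0] > window:  # expire requests older than the window
            q.popleft()
        if len(q) > threshold:
            peak, clients = hits.get((vhost, path), (0, set()))
            hits[(vhost, path)] = (max(peak, len(q)), clients | {c for _, c in q})
    return {key: (peak, len(clients)) for key, (peak, clients) in hits.items()}

def sample_log():
    """Constructed log for two sites on one server, with a burst at one page."""
    base = datetime(2013, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(seconds=3 * i), "site-a.example",
               f"198.51.100.{i % 5 + 1}", "/") for i in range(20)]
    events += [(base + timedelta(seconds=5 * i), "site-b.example",
                f"198.51.100.{i % 3 + 20}", "/news") for i in range(12)]
    events += [(base + timedelta(seconds=20 + 0.1 * i), "site-b.example",
                f"203.0.113.{i % 12 + 1}", f"/article?id={i}") for i in range(60)]
    events.sort(key=lambda e: e[0])
    fmt = '{} {} - - [{}] "GET {} HTTP/1.1" 200 512'
    return [fmt.format(v, c, t.strftime("%d/%b/%Y:%H:%M:%S %z"), p)
            for t, v, c, p in events]

if __name__ == "__main__":
    for (vhost, path), (peak, clients) in find_floods(sample_log()).items():
        print(f"{vhost}{path}: {peak} requests in window from {clients} clients")
```

Counting per site and page rather than per client is what surfaces the target when the requests are spread across many source addresses.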

The DDOS attack is what happened to Sahara Reporters and what has happened to some of SEA’s targets. But the New York Times attack last week is different and much more disturbing. To perform that piece of mayhem, the SEA hackers appear to have gotten access to the DNS records for the Times’ site which are handled by the Australian DNS provider Melbourne IT. DNS, domain name service, is basically a huge bank of records that list a domain (let’s say thiscantbehappening.org) and provide information about where that domain is handled — the location of the server that houses the website associated with that domain. This is very secure stuff and domain companies (a select group of corporations that hold this vital information for the entire Internet and constantly serve it up) take security very seriously.

Somehow, the SEA hackers managed to get to the account for the New York Times domain and change its pointers, sending people who typed in that domain to some other server and website. It’s kind of like switching the names of streets on a map — you’re going to the wrong place when you type in that url.

It wasn’t hard for New York Times technologists to get the record changed back but the question remains: how in the world did these guys get the password for the Times’ DNS account? The answer is that the Times’ DNS account was being handled by a U.S. based “reseller”, a company that sells the services of a larger firm. Somehow, the SEA got hold of credentials from one of the reseller’s staff and they simply logged into the Times DNS account and changed the pointer to one of their propaganda sites.
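A check a domain owner can run against the kind of pointer change described above, as an added example that is not part of the original article: compare what DNS currently answers for the domain with values the owner has pinned. The record values are constructed, the domain and host names are hypothetical, and gathering the snapshot from a resolver is assumed to happen elsewhere.

```python
import ipaddress

def _host(name):
    """Canonical form of a DNS host name: lower case, no trailing dot."""
    return name.strip().lower().rstrip(".")

def check_snapshot(baseline, snapshot):
    """Compare one observed DNS snapshot with the owner's pinned values.

    baseline: {"NS": [hosts], "MX": [hosts], "A_NETWORKS": [CIDR strings]}
    snapshot: {"NS": [hosts], "MX": [hosts], "A": [addresses]}
    Returns (severity, findings); severity is "ok", "warning" or "critical".
    """
    findings = []
    for rtype in ("NS", "MX"):
        want = {_host(h) for h in baseline.get(rtype, [])}
        got = {_host(h) for h in snapshot.get(rtype, [])}
        findings += [(rtype, "unexpected", h) for h in sorted(got - want)]
        findings += [(rtype, "missing", h) for h in sorted(want - got)]
    # Web addresses may rotate, so they are checked against pinned networks.
    nets = [ipaddress.ip_network(n) for n in baseline.get("A_NETWORKS", [])]
    for addr in sorted(snapshot.get("A", [])):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            findings.append(("A", "outside pinned networks", addr))
    # Changed name servers hand the whole zone, web and mail, to someone else.
    if any(rtype == "NS" for rtype, _, _ in findings):
        return "critical", findings
    return ("warning" if findings else "ok"), findings

# Constructed values for a hypothetical domain, news-site.example.
BASELINE = {
    "NS": ["ns1.dns-host.example.", "ns2.dns-host.example."],
    "MX": ["mail.news-site.example."],
    "A_NETWORKS": ["192.0.2.0/24"],
}
NORMAL = {"NS": ["NS2.dns-host.example", "ns1.dns-host.example."],
          "MX": ["mail.news-site.example"], "A": ["192.0.2.10", "192.0.2.11"]}
CHANGED = {"NS": ["ns1.other-operator.example.", "ns2.other-operator.example."],
           "MX": ["mail.news-site.example"], "A": ["203.0.113.66"]}

if __name__ == "__main__":
    for label, snap in (("normal", NORMAL), ("changed", CHANGED)):
        severity, findings = check_snapshot(BASELINE, snap)
        print(label, severity, findings)
```

Run on a schedule from outside the provider's network, a check like this reports a changed delegation even when the change was made with valid account credentials.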

DNS control is one of the least publicized but most intense arenas of controversy and conflict within the Internet world. A company that controls your DNS records controls your website and email services. They are the people who point visitors your way and steer email as it’s being delivered. A problem at the DNS wreaks havoc on communications. For that matter, a threat from the government or more likely a corporation can kill a site immediately. That’s been the battle waged by the Yes Men, the politically progressive spoofers who specialize, among other prank projects, in critically spoofing corporate sites like Chevron, Exxon, the Times and the New York Daily News. Every time they put up a spoof site, the corporation’s lawyers start copyright threats, eventually threatening action against the DNS provider itself unless the site is removed. The Yes Men usually take the site down voluntarily so as not to put hundreds of people out of communication.

Spoofing is protected by the First Amendment and the Yes Men would probably win any court case on these issues but that fight isn’t worth the money a DNS provider would have to invest and, for a corporation, money is more important than freedom. The sites invariably come down in the Internet version of a hostage situation.

There is a daunting reality to all this: you can’t really protect a communications system that is designed to be open. Attacks like these maliciously exploit the “openings” that are the very power of the Internet — its robust freedom, its openness and its full access.

Or can you? Have we really explored the possibility of an Internet technology in which people’s on-line time is protected and the ability to connect is given priority? The success of technological innovation is, in part, the support large institutions give projects. All technology projects are started by small groups of technologists and some grow and thrive through Internet users’ support (and without corporate or government help) but many other projects get that help and grow. There’s a reason why these companies choose what they do: it makes them money. There’s a reason why governments concentrate on what they do: it furthers their political ambitions.

So we have corporate software that goes to extremes protecting your computer’s privacy (and protecting its own user license) and we have government on-line programs designed to spy into every corner of your life and managing huge data-centers to store the information gleaned in the spying.

But we have no corporate or government commitment to keep your website on-line. We have no official commitment to assure that news websites are never silenced because, to governments and companies, none of that matters very much. It’s significant that President Obama screamed bloody murder when Edward Snowden revealed information about how our government spies on us but was silent when news and information sources like the Times or Sahara Reporters were reduced to silence. The information you need is not important to them. The information you want to spread has no value to them.

In this “protect yourself” environment, there are a few things you can do if you’re a website owner (a growing number of us) or a person registered with a website (just about all of us).

First, if you are considering hosting a website, ask your prospective provider a simple question: “If my site is hit by a Dedicated Denial of Service attack, what is your policy?” Most of them will say, “We’ll take your site down to protect the other users on the server.” And that sounds reasonable but it’s not.

Capitulating to some bully trying to shut you up isn’t the role of a provider; they are “in business” to facilitate and enable communication, not repress it when someone decides they want it repressed. If there is no protection for freedom of speech, there is no democracy or freedom or, for that matter, speech.

Besides, because most DDOS attacks hit the IP address of the server housing your site and most providers use a “shared IP” system in which a huge number of websites have the same IP, taking things off-line doesn’t protect other sites; it spreads the forced silence.

Your answer should be: “If you can’t invest the time and effort to fight off a DDOS attack, I can’t host my site with you.”

Second, develop a good password for sensitive sites and change it every month or so. This sounds extreme but a good password is one you can’t remember or that is so idiosyncratic for you that nobody is going to come close to guessing it. The name of your child or dog or high school isn’t. Your name backwards is a joke. Making things more challenging and time-consuming means the phisher is going to cast the hook in other waters.

Third, no matter how safe you are, your email can be cracked so don’t leave sensitive information in emails stored on your server — this is actually the default for most providers so ask them if they store your email (store sensitive stuff on your own computer) and ask your correspondents to do the same. The first step to good security is talking about it.

Fourth, encrypt. It’s easy to do if your provider allows it and so ask the provider about that and how to apply programs like Pretty Good Privacy (PGP) and its FOSS implementation GNU Privacy Guard (GPG) to your email. Encrypted email can’t be read on-line and, when it’s stored, it can’t be read until it’s been de-crypted; that type of decryption is very difficult and time-consuming. The hacker will probably consider the time not worth consuming.

Of course, all of this would be less necessary (or perhaps automatic) if we were to build another Internet or radically alter the one we have. And that’s the fifth point we need to take on. All of this demonstrates the importance of progressive movements uniting to support the development of alternative forms of and structures for Internet communications. That’s a subject for another time.

Disclaimer: Alfredo López is a member of the Leadership Committee of May First/People Link, the organization to which both Sahara Reporters and Yes Men belong and the host for both websites.

Alfredo Lopez writes about technology issues for This Can’t Be Happening!
