While certainly not over-shadowing the Obama Administration’s military threats against Syria, the cyber attack that brought the mighty New York Times to its knees last week is a major development and should get us all thinking.
The attack, a Dedicated Denial of Service attack, took the Times’ website off-line for a day and was one of a series of attacks on major information institutions by a hacker group called The Syrian Electronic Army. The SEA appears to be a network of hackers (some of them outside Syria) who are loyal to Syrian President Bashar al-Assad and apparently ready to attack anyone who’s not. Because this was, after all, the website of one of the world’s most powerful and prominent newspapers, the sudden exposure of its vulnerability was daunting.
The vulnerability of websites was further demonstrated by the five day attack two weeks ago on the website of Sahara Reporters, a site featuring news on Africa that is always provoking the ire of repressive governments and corrupt politicians. This attack was particularly nasty and protracted. It took technologist Ross Glover of May First/People Link, of which Sahara Reporters is a member, nearly five days to combat and then finally control the attack so that the website could return to normal functioning.
There were nearly ten major cyber attacks in August against very prominent targets and such coincidence begs for a lesson. It’s not hard to find. The Internet is vulnerable to attack. Our corporations and governments concentrate on defending against attacks on financial and military targets on-line, conducting surveillance on the human race and launching their own cyber-attacks against “enemies” abroad. All the while they do literally nothing to protect against threats on information and organizing centers, some of the resources people need the most. With all the money put into on-line surveillance, there’s been very little put into developing ways to block DDOS attacks or secure the real Internet. Put simply, you and your communications are not a priority.
Most of these attacks appear to be the work of the SEA which, while insisting it’s not a government project, makes no bones about its allegiance to the Assad regime. The SEA’s strategy, as it were, is to disrupt news websites and social media that carry criticism of the regime, to “spread the truth” they say. But its targets, like the Times, indicate that a website’s prominence and authority are also important criteria. There are lots of publications that are much more critical of Assad than the Times. And the character of their attacks — providing almost no informative content — mean they’re more interested in disrupting information than spreading it.
Founded in 2011, as Syrian society erupted in protest and “Arab Spring” activity, the SEA has been a busy operation. It has launched attacks against BBC News, the Associated Press, National Public Radio, Al Jazeera, Financial Times, The Daily Telegraph, The Washington Post and Human Rights Watch. It’s also spammed social networking sites including President Obama’s Facebook page and Oprah Winfrey’s — posting repeated pro-Assad slogans that temporarily consumed both sites.
Among its most famous attacks was one this past April on the Associated Press news agency, in which tweets falsely claimed the White House had been bombed and President Barack Obama injured. The tweets were quickly countered by the White House but during the short lapse, they caused plenty of confusion, understandable jitters and a huge drop in stock market prices.
It’s not clear who was behind the attack on the Sahara Reporters but you can pretty much take your pick. The remarkable site has been a frequent target of attack because of its unfettered and un-restrained reportage on Africa, a good way to amass enemies.
Attacks of this type are terrorism. Sure, they don’t blow up bodies or destroy homes or offices but terrorism isn’t aimed at winning wars or defeating armies in battle — as obscene as such destructive enterprises are. Its goal is to frighten people, make them feel vulnerable, and disrupt the patterns of behavior that make people, news organizations or movements functional. They seek to momentarily derail the social trains we travel in our normalcy. That derailment, the theory goes, causes people to think twice before doing something or to refrain from doing it again. It’s strategic bullying and, because information is so critical and central to our daily functioning, this kind of bullying is both disturbing and potentially effective.
It’s the hacker’s version of the kind of intimidation the NSA (and all U.S. security agencies) thrive off of and this may be why a government that is obsessed with any activity it deems challenging to its own security couldn’t care less about anyone else’s. To explore that damning fact, we should start by understanding what these hackers are actually doing and, on today’s Internet, it is a very simple activity.
The two terms to understand are “phishing” and “DDOS”.
Phishing — as you may have guessed, it’s based on “fishing” — is the capture of username and password data. There are many ways to do this including phony email or faux websites — like when you get that email from your bank asking you to log into a site in some other country whose sole purpose is to capture the username and password you regularly use for your banking account. The phishing strategies are countless but they all rely on you giving them the information.
Given the heightened consciousness about these crude theft techniques, most sophisticated hackers rely on what’s called a “brute force attack” to get passwords. Again, variations abound, but the idea is to run a long list of passwords against the encrypted passwords on the server hosting your email or website. If all passwords are complicated and “secure”, this is time-consuming but any insecure password (like “yourname123”) is going to be cracked quickly and the account compromised. Once that happens, the hackers are into the system posing as you. They can post what they want and, if they have administrator permissions, they can wreck the website.
These password theft techniques are probably what SEA hackers used to get into social networking sites or into the websites they have defaced. Someone with a Facebook account had an easy password or some administrator of one of those social networking systems got sloppy.
The Dedicated Denial of Service (or DDOS) attack, on the other hand, doesn’t seek to replace content, it seeks to block it. It does this by sending repeated “requests” (a url) for a specific website page at blinding speed until the page can no longer be reached by legitimate visitors. More sophisticated hackers will target the site’s IP address (the number that identifies the server the site is on). In that case, every site housed by the server is affected and will, quite quickly, become unavailable. The coy part of this approach is that the administrators of the server don’t initially have any idea which site is actually being targeted. It’s like bombing a neighborhood to kill one person.
There are many ways server administrators fight off these attacks and attackers have continuously developed ways to counter those attack-resistance techniques which server administrators have developed techniques for resisting. The battle between those who would shut down communications and those who fight to keep them going goes on and on.
The DDOS attack is what happened to Sahara Reporters and what has happened to some of SEA’s targets. But the New York Times attack last week is different and much more disturbing. To perform that piece of mayhem, the SEA hackers appear to have gotten access to the DNS records for the Times’ site which are handled by the Australian DNS provider Melbourne IT. DNS, domain name service, is basically a huge bank of records that list a domain (let’s say thiscantbehappening.org) and provide information about where that domain is handled — the location of the server that houses the website associated with that domain. This is very secure stuff and domain companies (a select group of corporations that hold this vital information for the entire Internet and constantly serve it up) take security very seriously.
Somehow, the SEA hackers managed to get to the account for the New York Times domain and change its pointers, sending people who typed in that domain to some other server and website. It’s kind of like switching the names of streets on a map — you’re going to the wrong place when you type in that url.
It wasn’t hard for New York Times technologists to get the record changed back but the question remains: how in the world did these guys get the password for the Times’ DNS account? The answer is that the Times’ DNS account was being handled by a U.S. based “reseller”, a company that sells the services of a larger firm. Somehow, the SEA got hold of credentials from one of the reseller’s staff and they simply logged into the Times DNS account and changed the pointer to one of their propaganda sites.
DNS control is one of the least publicized but most intense arenas of controversy and conflict within the Internet world. A company that controls your DNS records controls your website and email services. They are the people who point visitors your way and steer email as it’s being delivered. A problem at the DNS wreaks havoc on communications. For that matter, a threat from the government or more likely a corporation can kill a site immediately. That’s been the battle waged by the Yes Men, the politically progressive spoofers who specialize, among other prank projects, in critically spoofing corporate sites like Chevron, Exxon, the Times and the New York Daily News. Every time they put up a spoof site, the corporation’s lawyers start copyright threats, eventually threatening action against the DNS provider itself unless the site is removed. The Yesmen usually take the site down voluntarily so as not to put hundreds of people out of communication.
Spoofing is protected by the First Amendment and the YesMen would probably win any court case on these issues but that fight isn’t worth the money a DNS provider would have to invest and, for a corporation, money is more important than freedom. The sites invariably come down in the Internet version of a hostage situation.
There is a daunting reality to all this: you can’t really protect a communications system that is designed to be open. Attacks like these maliciously exploit the “openings” that are the very power of the Internet — its robust freedom, its openness and its full access.
Or can you? Have we really explored the possibility of an Internet technology in which people’s on-line time is protected and the ability to connect is given priority? The success of technological innovation is, in part, the support large institutions give projects. All technology projects are started by small groups of technologists and some grow and thrive through Internet users’ support (and without corporate or government help) but many other projects get that help and grow. There’s a reason why these companies choose what they do: it makes them money. There’s a reason why governments concentrate on what they do: it furthers their political ambitions.
So we have corporate software that goes to extremes protecting your computer’s privacy (and protecting its own user license) and we have government on-line programs designed to spy into every corner of your life and managing huge data-centers to store the information gleaned in the spying.
But we have no corporate or government commitment to keep your website on-line. We have no official commitment to assure that news websites are never silenced because, to governments and companies, none of that matters very much. It’s significant that President Obama screamed bloody murder when Edward Snowden revealed information about how our govenrment spies on us but was silent when news and information sources like the Times or Sahara Reporters were reduced to silence. The information you need is not important to them. The information you want to spread has no value to them.
In this “protect yourself” environment, there are a few things you can do if you’re a website owner (a growing number of us) or a person registered with a website (just about all of us).
First, if you are considering hosting a website, ask your prospective provider a simple question: “If my site is hit by a Dedicated Denial of Service attack, what is your policy?” Most of them will say, “We’ll take your site down to protect the other users on the server.” And that sounds reasonable but it’s not.
Capitulating to some bully trying to shut you up isn’t the role of a provider; they are “in business” to faciliate and enable communication not repress it when someone decides they want it repressed. If there is no protection for freedom of speech, there is no democracy or freedom or, for that matter, speech.
Besides, because most DDOS attacks hit the IP address of the server housing your site and most providers use a “shared IP” system in which a huge number of websites have the same IP, taking things off-line doesn’t protect other sites; it spreads the forced silence.
Your answer should be: “If you can’t invest the time and effort to fight off a DDOS attack, I can’t host my site with you.”
Second, develop a good password for sensitive sites and change it every month or so. This sounds extreme but a good password is one you can’t remember or that is so idiosyncratic for you that nobody is going to come close to guessing it. The name of your child or dog or high school isn’t. Your name backwards is a joke. Making things more challenging and time-consuming for means the phisher is going to cast the hook in other waters.
Third, no matter how safe you are, your email can be cracked so don’t leave sensitive information in emails stored on your server — this is actually the default for most providers so ask them if they store your email (store sensitive stuff on your own computer) and ask your corresondents to do the same. The first step to good security is talking about it.
Fourth, encrypt. It’s easy to do if your provider allows it and so ask the provider about that and how to apply programs like Pretty Good Privacy (PGP) and its FOSS implementation GNU Privacy Guard (GPG) to your email. Encrypted email can’t be read on-line and, when it’s stored, it can’t be read until it’s been de-crypted; that type of decryption is very difficult and time-consuming. The hacker will probably consider the time not worth consuming.
Of course, all of this would be less necessary (or perhaps automatic) if we were to build another Internet or radically alter the one we have. And that’s the fifth point we need to take on. All of this demonstrates the importance of progressive movements uniting to support the development of alternative forms of and structures for Internet communications. That’s a subject for another time.
Disclaimer: Alfredo López is a member of the Leadership Committee of May First/People Link, the organization to which both Sahara Reporters and Yes Men belong and the host for both websites.
Alfredo Lopez writes about technology issues for This Can’t Be Happening!