Lizard Squad attacks Brian Krebs (cnn.com)
155 points by MarcScott on Jan 2, 2015 | hide | past | favorite | 109 comments



Big mistake. People who mess with Brian Krebs tend to end up fully doxed and arrested shortly afterwards. You'd think the blackhat world would understand this by now. Krebs is not a guy you want to be investigated by.


You really think people like Lizard Squad, who called their DDOS attack on Sony and Microsoft "security work", understand how the world works?


I don't think they take themselves too seriously. Nor should we.


Lizard Squad was already being doxed, 27 Dec 2014.

http://i.imgur.com/vQTaCKx.png


Krebs Cycle....


Some people have to learn everything the hard way.


In the past he's also been swatted and had drugs mailed to him, and a flower cross saying RIP Brian Krebs.


My favorite might have to be the time when someone cut down a tree in his front yard. https://twitter.com/briankrebs/status/334422653475627008


I'm at a complete loss as to what cutting down a tree is supposed to achieve.


"I know where you live and am prepared to commit crimes" sends a bit of a message, don't you think?


Intimidation? She is also wearing a mask and is extremely creepy.

I agree with the OP, this is creepier and more personal (being his home) than getting drugs mailed to him. Or continually DDOS'd.


They wanted to show they were such l33t hackers that they could even hack down trees?


Strange use of the word favorite.


Not my finest word selection on that one :/


Does Twitter hijack everyone's back button on mobile? I'm using FF Mobile and whenever I visit a Twitter link I have to close the tab because I can't go back.


The local PD is well aware of his work after the heroin incident. Trying to get him arrested isn't going to work.


His latest tweet

  Looks like the Finnish kid Julius aka Ryan/zee was arrested in Lizard Squad roundup http://ow.ly/GFeeM


The article says they knocked him offline only briefly, but I'm actually having trouble loading krebsonsecurity.com right now.


It's up now. Top story is about the Lizard Squad. This is an interesting tidbit:

>These two services, like most booters, are hidden behind CloudFlare

Wow, is Cloudflare so poorly run they have no idea they're hosting/caching/accelerating Lizard Squad tools? CF plays itself up as this strong security-minded service, but it looks like they're in bed with the blackhats.

I was on the fence with them, but now I think I'm just going to roll my own mod_security/mod_evasive proxy and call it a day. If they don't care about or can't detect these types of clients, then I don't want to do business with them.


LulzSec also used Cloudflare back in the day. CF made a statement after that became public and said they take a neutral stance regarding who decides to use their service and that they don't proactively regulate the sites that do. As they shouldn't.


Cloudflare takes the right approach of being content neutral.


Also, if you're selling a DDoS-protection service, it's good business to not work too hard shutting down DDoSers.


AKA racketeering.


Really nice website you got here...be a shame if anything happened to it...


It seems completely reasonable to include terms preventing this type of behavior on their service.


Except it wouldn't stop there. If CF blocks bot services, then they should of course block places selling drugs. Drugs kill people unlike botnets. And actually, sites promoting drugs are equivalent to sites promoting suicide. So block both of those. And come to think of it, botnets only exist because of hackers, so we should probably get those blocked, too.

It's unfortunate there's any limit on hosting. LE can still go subpoena CF and use judicial channels like always. CF should stay in the anti DDoS business and just annoy everyone with their captchas instead of implementing law and morality.

Child porn seems to be the exception, as it's easier to look at "stopping" such things getting near our visibility, instead of worrying about the actual incidence of the problem. (See Craigslist where AGs preferred to shut down a system they had access to, since that's visible, preferring to force "adult" users to buy and sell in uncontrolled markets.)


Agreed. They are infrastructure.


No, CloudFlare intentionally lets this happen. They won't terminate a site's service for "merely" selling DDoS services. See https://news.ycombinator.com/item?id=7967615 for some old discussion on this, including input from CloudFlare's CEO.


Until Cloudflare is contacted by the police, I see no reason to drop a client.


Indeed, this might be useful to law enforcement - it means that there's at least a bit of info about our criminals in possession of a US-based company that won't have to be chased for months to comply with a warrant/subpoena.


So what? Would you rather they do what Microsoft did and take out 40,000 sites at once?


It looks like it's unstable. I can connect to it occasionally but most of the time Firefox is saying the connection was reset.


I wonder how he tracks them down? And if he can find two so easily (on his own?), how had they not been outed already?


Well quite frankly if you've been in the scene for a while, you'd be able to tell using other clues, speech patterns, and reused nicks.

Julius Kivimäki aka zee, aka Zeekill (https://encyclopediadramatica.se/Zeekill) has an extensive history, he actually has been dox'd and outed numerous times prior to this.

I knew Lizard Squad was Zee by Zee's idiotic behaviour. He constantly used the moniker "Ryan" or "Ryan Clearly", the name of another unrelated hacker. Well, sure enough, he gave an interview to someone using that moniker. Having even the tiniest bit of inside knowledge, it was easy to piece together 1 + 1 = 2 and Lizard Squad is Zee, aka Julius.

There are other clues too. Believe it or not, not too many entities are capable of massing as large a DDoS as they were. Those that have the technical capability normally don't advertise as such.

Zee was a "special" case, in that he had the capability, and advertised it as such, I was astounded the boy hadn't been jailed years prior. As I mentioned earlier he has an extensive history, and was involved in many of the large site take downs and ddos's that have made public news.


Zee/"ryanc" has indeed been involved in things like these for many years. HTP (Linode + much more) is just a small part of it.

I'm also very surprised it's taken this long for him to be arrested. He's completely brazen and has committed countless crimes despite knowing full well the general public and law enforcement know exactly who he is.

And if he truly was/is involved in carding, he probably won't get out for a while. I can hold some respect for blackhat groups, and hell, even a tiny, minuscule bit of respect for script kiddies like Lizard Squad, but once they get into financial fraud and theft my sympathy is gone.


Just because someone knows who I am does not mean that'll matter when it comes to proving things in court, which in real life isn't as easy as one might imagine.

>he probably won't get out for a while

If only I'd get sentenced in the first place.


If you get extradited, you're not going to have a fun time...


Well, I live in a country that will not extradite its own citizens. And even if I somehow did manage to get extradited, the US has a legal system where you'd actually have to prove a person's guilt, not just speculate it based on some IRC log of dubious origin.


Wow. You have not been following the news lately, and don't understand much about the US legal system.


That's a popular view, but I don't think that in real life it's an entirely correct one. At the very least those with money tend to be able to have a fair trial in the US.


I think you'd be facing the choice between a trial with a 500 year prison charge plus millions in damages and lawyer costs or accepting 10 to 15 years in prison avoiding the trial.

I hope you have lots of money to guarantee a fair trial, but anyway, I'd strongly suggest you never, ever travel anywhere near the US for the rest of your life.


The HTP dudes actually seemed sophisticated. Lizardsquad is just some dudes with a botnet.


Zee was apparently involved with both groups. He was likely the only skilled member of Lizard Squad.


Anywhere I can get more info on the HTP group? I was pretty fascinated by their zines at the time...


Unless there's ever any public court records, I doubt you'll find much (if any) good information.


How the hell do these little kids get control of big botnets?


The reply to your question is already on point. There is a sickening amount of open systems on the net. I know Zee used tens of thousands of routers as only some of his DDoS tools. I also know of dudes who wrote custom scripts specifically for Zee's DDoSing that would scan for incoming connections matching whatever signature was identified at the time, automatically connect to the router using whatever exploit to get in, change the root pass and restart it.

Zee got his net taken away from him numerous times hitting the wrong people.

But yes in a nutshell, the digital world is mostly unprotected open and unlocked houses, with little pockets of protected castles here and there, and some locked houses too.


I wonder what the payoff is for running a script to secure the CentOS box you just rooted versus leaving it open to additional attacks. On one hand, you have potential loss of your work due to disruption of services leading to someone noticing and re-imaging the box. On the other hand, I don't particularly like sharing with randoms.

It also makes me wonder if optimized command and control networks have been developed. Most of the code I see floating around public drops goes to very little effort to conceal data exfil, if it even makes an effort to identify data to exfil at all. This seems like a real waste given that some large percentage of machines you steal are likely worth more than just their cpu time and bandwidth. Obviously the more code you run, the higher your chances of detection, but it seems like a huge creative space. How do I find interesting files without tripping all the alarms? How do I efficiently take over someone else's LSM hooks?


They're likely just band-aid patching the exact hole they use to get in, rather than securing the whole system.


By incoming connections, do you mean web visitors who fell victim to CSRF/XSS exploits in their router management web panels? Or was he hijacking routers another way?


I don't know if zee gained any skill over time, but I believe he simply used public exploits.

So for example remote command injection vulns:

http://en.1337day.com/exploit/description/20598

http://en.1337day.com/exploit/description/20602

http://en.1337day.com/exploit/description/20671

Then it is just a matter of figuring out where these routers are, and then writing a few scripts to exploit and command them en masse. I don't think CSRF/XSS would net him the vast numbers he'd need to make a significant DDoS.

And to more specifically answer your question, by "incoming connections", I mean like monitoring the ddos via netstat on a box zee was actively attacking.


Well, problem is those vulns require either the attacker to share or control the victim's LAN in some way, or the router's management panel to be exposed to the Internet (which is usually not the default for the vast majority of consumer routers).

For cases where they're remotely exposed, just about anyone can scan the Internet and try to exploit these routers. I'm sure he was doing that, but I'm sure hundreds or thousands of other people were as well.

When combined with something like a CSRF, you can use those exploits against a victim even if their router is locked down (only listening on LAN, strong admin password). All they need to do is visit a site you control, without something like NoScript. If the admin password is not guessable, then they'd need to have an active login session. That can be circumvented if the router has an auth bypass vuln, which has been found in at least a few models.

Also, I believe a lot of routers can be used for DDoSing without exploiting or compromising them at all if they're exposing SSDP (UPnP). SSDP reflection, possibly combined with NTP reflection, is likely how Lizard Squad launched their DDoS attacks.

P.S. I know you and have talked to you (and Zee and some others), briefly, on some IRC networks long ago.
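The honeypot remark above implies a concrete check a defender can run: reflection shows up as UDP traffic arriving *from* service ports (SSDP 1900, NTP 123) at a victim that never sent the requests, from many distinct reflectors, with large packets. The following detector over constructed flow records is an added example, not code from any commenter; field names, thresholds and sample addresses are my own assumptions.

```python
"""Flag suspected UDP reflection/amplification traffic in flow records.

Constructed example for illustration. Assumed record shape: one Flow per
(src, dst) 5-tuple with packet and byte counters, as a NetFlow/IPFIX
exporter would summarise them.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Services commonly abused as reflectors; key is the *source* port seen at
# the victim, since reflectors answer from their service port.
REFLECTOR_PORTS = {1900: "SSDP", 123: "NTP", 53: "DNS"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def detect_reflection(
    flows: Iterable[Flow],
    min_sources: int = 10,
    min_bytes_per_packet: float = 300.0,
) -> Dict[Tuple[str, str], dict]:
    """Return {(victim_ip, service): stats} for suspected reflection floods.

    A single reflector answering a victim's own query (e.g. normal NTP sync)
    has few sources and small packets, so it is not flagged. Many reflectors
    converging on one victim with large responses is the amplification
    signature, regardless of which destination port the replies land on.
    """
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue  # only UDP replies from known reflector services
        key = (f.dst_ip, REFLECTOR_PORTS[f.src_port])
        agg[key]["sources"].add(f.src_ip)
        agg[key]["bytes"] += f.bytes
        agg[key]["packets"] += f.packets

    alerts = {}
    for key, a in agg.items():
        if a["packets"] == 0:
            continue  # counter-less record; nothing to judge
        bpp = a["bytes"] / a["packets"]
        if len(a["sources"]) >= min_sources and bpp >= min_bytes_per_packet:
            alerts[key] = {
                "sources": len(a["sources"]),
                "bytes": a["bytes"],
                "bytes_per_packet": round(bpp, 1),
            }
    return alerts


def sample_flows():
    """Constructed records: 25 SSDP reflectors hitting one victim, plus benign
    traffic (a real NTP sync and an HTTPS download) that must not be flagged."""
    victim = "203.0.113.10"
    flows = [
        Flow(f"198.51.100.{i}", 1900, victim, 40000 + i, "UDP", 50, 50 * 1200)
        for i in range(1, 26)
    ]
    flows.append(Flow("192.0.2.5", 123, victim, 123, "UDP", 2, 2 * 90))
    flows.append(Flow("192.0.2.7", 443, victim, 51234, "TCP", 40, 40 * 1400))
    return flows


if __name__ == "__main__":
    for (victim, service), stats in detect_reflection(sample_flows()).items():
        print(f"{victim}: suspected {service} reflection, {stats}")
```

On real exporter data the same function is applied per time bucket, since a source count that is unremarkable over a day is alarming over a few seconds.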


If that were the case, people running SSDP (and other UDP service) honeypots would no doubt have noticed the massive increase in traffic.


Of course. I was just speculating based on the comment about using routers to DDoS; I don't know if an uptick was actually observed during the outage. I know SSDP has been the hip new thing for the past few months though.

If that's not the case, mind giving any hints?


The majority of our bandwidth does not come from these so-called "reflection attacks", but is in fact "real" bandwidth.

We are using actual 0days to compromise the (about 100k-150k) servers we have.

I'm actually rather excited for the eventual technical analysis of our net by someone with actual technical competence. It might end up causing quite a bit of noise.


Oh, that's pretty interesting, and a refreshing change from what you normally see in this space.

I seem to recall you guys (I think it was you guys, may be mixing up with another group; I also know you were supposedly kicked out of HTP at some point, which adds to my confusion) using one of the Rails YAML handling 0-days to acquire bots a while ago. I think someone was logging the IRC channel where they were being joined to.

Would it be fair to say the other bots are mostly a result of other web app vulns, or are you guys actually finding 0-days in native applications as well?

Do you actually have a full vulnerability research team, or is it just like 1-2 guys finding vulns? HTP's stuff like Coldfusion and MoinMoin was definitely pretty impressive.


There were a few Rails YAML bots on an IRC for maybe an hour before another bot was loaded on them. (But that was like over a year ago.)

A large chunk of the boxes we control do not have any sort of web apps running on them.


Pretty impressive then.

I understand you may not want to reveal much for opsec purposes, but just one question: the Lizard Squad guys seem like very run of the mill script kiddies. Why would you help them, if you are? Kind of seems like a skill and motive mismatch. Forgive my ignorance if the situation is more complicated than that; I'm just going off of what Krebs wrote.


One's public actions do not necessarily equal one's skills. The motives behind LS are more complex than some journos believe, something that should be obvious by the darkode connection alone.

Krebs seems to be pretty lost, especially considering that he thinks we've been attacking his site for the past 40 days or so. That's just not true (and anyway, if Prolexic couldn't keep PSN up, why would they be able to keep his site up?). The only thing linking us to attacks against him was a joke in the topic of our fake recruitment channel telling people to take his site down for an hour or so.

Anyway, as for my motives (besides money, of course)? You don't get access to this many boxes without stumbling on at least something interesting.


The darkode thing was certainly interesting. It just doesn't seem to match up with what you see coming out of the @LizardMafia twitter. Though perhaps that's intentional deception.

I'm guessing part of the plan is to continue gaining infamy and notoriety to sell services, starting with the stresser. I also wouldn't be too surprised if perhaps the stresser is a sting op or honeytrap on your part, with the money as just an added bonus.


One thing you should understand, we currently have basically two types of clients. First is of course the kids who go to lizardstresser.su and buy the $20 plan so they can attack people they play video games with.

Now, on the other hand we have our corporate clients. These corporate clients usually contact us via email or over forums and either make us a fixed offer or request a quote for a given target and time-frame. Now, these types of clients are usually willing to pay tens, if not hundreds of thousands of dollars to disrupt their competition for a couple of days.

The second type of customer is obviously our main source of income, and what better way to find those clients than worldwide media publicity?

It'd be funny if this ended up being a sting op, wouldn't it?


Care to share any information about these 0 days: affected systems, programs, or other hints?


Lots of it is the sort of equipment you wouldn't notice. Not exactly embedded stuff though.


The bar is pretty low. When there are tens of millions of unpatched machines floating around on the internet, and hundreds of weaponized exploits already written by other people, all it takes is patience and lack of good judgement.


If they're taking over PayPal accounts or stealing credit card numbers, it can be as simple as buying a lot of capacity at the various VPN providers. We know from the attack on Tor that they had many thousands of Google Compute instances, and the same may be true on the many, many other providers.


He probably found them because they did something stupid. Maybe not all of them have screwed up (yet). They certainly don't look very careful. Krebs figures the first two will turn over the rest as part of a plea deal, and that will be the end of it. https://krebsonsecurity.com/2014/12/lizard-kids-a-long-trail...



Both those links are currently unavailable for me. However, their content is still available on the main page if you scroll further down to the relevant blog posts.


Krebs is really well connected to the underworld; plenty of people pass him information confidentially, just like any other journalist. He also understands this field far better than most people, so although he probably did find them "easily", it probably wasn't "on his own" and it almost certainly wouldn't have been anywhere near as easy for you or me to do it.


Attacks consisted of a briefly successful DDoS and this:

> the group jokes incessantly about Krebs' hairline and proudly proclaims, "You can't arrest a lizard."


Because clearly his hairline is the deciding factor in whether he can punt their stupidity back where it belongs.


What is the actual law that someone that engages in DDOS'ing violates? I feel like we might need one specifically for the activity. It's effectively the internet version of criminal mischief. It's not hacking and all of that, but it's also not something that we should just let go all the time. I'm getting sick of hearing about script kiddies DDOSing random websites, I'd be happy to see some fines.


DDOS attacks are generally launched from botnets consisting of computers that are illegally accessed without their owners' permission. While the DDOS itself may not violate any laws, executing it via hijacked computers certainly does.


Exactly. Fining them isn't the hard part, finding them is.

Spend $200K on an investigation to find a kid to fine him $10K? Maybe not worth the time and money unless it provably worked as a deterrent.


How can you spend $200k to find a kid?


If you employ a certain number of people, it's assumed that they're doing other things. When you have to devote them to a different project, you're doing a few things:

1. Making your staff work overtime.

2. Leaving other work undone.

3. Hiring new staff to make up for this.

4. Keeping redundant personnel on board in case something like this happens again.

5. Hiring temporary contractors and services to help you with this specific task.

All of these cost money.


The salaries for staffing a coordinated multinational police investigation and possible computer forensics contractors?

All of the following need to be paid:

Police agency in country where DDoS target resides, police agency in country where criminal resides, police agency in countries where dummy computers reside, etc?

200k was a random number, but I doubt it's necessarily cheap to find any random DDoS-starter.


It is certainly unlawful: it is trying actively to disrupt someone's service (a website but also possibly its entire business). There are also specific laws for DoS[0].

[0]: http://en.wikipedia.org/wiki/Denial-of-service_attack#Legali...


Varies by country, but in the UK, where Krebs seems to think one of them is:

http://www.legislation.gov.uk/ukpga/2006/48/section/36


Does anyone know lizard squad's motivation? Are they just out to get attention, or do they have some grudge against gaming companies? Regardless, their criminal behavior doesn't impress me or strike me as making a lasting impact.


It looks like their motivation behind the holiday attacks on Xbox LIVE and PSN was to get a following on their Twitter account to advertise their DDoS-as-a-service platform.


Their parents didn't hug them enough.


Fame.


Those attacks have the elegance of a sledgehammer and the content of a plastic bottle washed off on a beach. I am utterly uninterested.


[flagged]


He can be a little bombastic at times, but his reporting is solid and he's one of very few journalists left who does real investigative work.


What does that even mean?


I think it means that he doesn't just print submarine articles that PR firms handed him. He actually digs through data, has sources, and engages in practices formally associated with journalism.


No, it means that I think he has an active imagination and is inclined to write fiction which is dramatic enough to sell ads.


> Lizard Squad ruined Christmas for people around the world

Come on!


My 13yr old brother spent all year saving his pocket money on a deal with dad where dad would put in the rest for him to get his first ever gaming console, an Xbox One. On Christmas he got it, and for 3 days straight he couldn't get it working AT ALL since the Xbone needs XBL to be online to activate, download games (they're all download tokens now), etc.

Christmas was well and truly ruined for him. It was heartbreaking to see that happen to him after all year of working his butt off and looking forward to it.


It's saddening to hear that your little brother's Christmas was ruined, but I'd argue that it's more of the fault of Microsoft designing a closed and centralized system with extensive DRM than the Lizard Squad's fault for taking down Xbox Live.


MS might have many flaws, and you might ideologically disagree with many of their practices (hey, I do too), but if you want to pin blame, it's squarely on the attackers who chose to stage an attack to deliberately break people's Xboxes on Christmas. They chose to act in a way that kept that little brother from being able to use the system as a way to try to grab some marketing to advertise their DDoS as a service scheme.


This. Seriously: a company makes a product which has the ability to be broken by hackers using a method (DDoS) which has been widely known and extensively used for over 20 years. And the product is closed source, so no one can fix it. So... hackers break it on Christmas. Oh no, it's not the company's fault! Downvote! Downvote! I'm tired of Hacker News' proprietary-loving bullshit (except when the open source can somehow help them build proprietary products).


The Xbox can also be damaged by hammers, but could be designed with a more ruggedized case that could withstand that attack. If someone smashed a kid's Xbox on Christmas with a hammer I wouldn't blame the design of the console, I'd blame the creep with the hammer.

Seriously, you might not like MS, proprietary software, their business models, or lots of other things about them, but don't go blaming them for some cretins attacking their systems in a failed ploy to make a buck.

The Lizard script kiddies had a pretty horrible business model too, FWIW, break into a bunch of systems across the internet to DDoS Xbox/PSN servers, ruin a bunch of people's Christmas, and use the media coverage to sell their DDoS as a service scheme.


Yes, I will blame them. You make no compelling case otherwise. This is how the internet works. If you run a server with security vulns that are well known and patches available: it gets owned. It's your fault. Same type of situation here.


"If you run a server with security vulns that are well known and patches available: it gets owned. It's your fault."

It's not that MS was being lax about properly hardening their boxes, though. You could DDoS the most hardened server out there, or a rack of them, it's really an inherent design issue with TCP/IP that you can DDoS systems. It's completely ignorant to blame MS, they didn't have a single point of failure, they had blocks of auth servers nailed.


Some people decided to spend their Christmas gaming with other people. That is a valid wish and an enjoyable group activity. And they were obviously "ruined".

How would you feel if you went to an amusement park with your family and found it is closed, because a group of kids spent the night destroying things?


Why would anyone be able to prevent someone from connecting to another machine to play a game?

Oh, because they use centralized servers. Well, don't do that. Live by the cloud, die by the cloud.


You, my friend, are one of the reasons why we programmers have such a bad reputation with "normal" people.

Because first, we build those things and then we shame them for using them and having expectations.


"Clouds" are centralized servers, they are just run by someone else.

Previous outages have shown that a number of Xbox Live services like matchmaking and chat have been moved onto their Azure cloud.


A few days ago I saw how some children felt that Christmas was ruined and was the worst of their lives because they couldn't play GTA Online with their friends. I think the most disturbing thing should not be the attack but how people are seeing these dates, which should be more about family matters and other things.


No kids yet, right?


Yes I have, but thanks to their family values, they don't have their happiness based on a hardware/software/internet connection.


That "yet" comes across as just _slightly_ condescending...


Brian Krebs is a master of publicity, often a little predictable though.


Is that supposed to be derogatory? Don't be peanut butter and jealous.


I have to say that Brian's recent posts seem a little pissy and childish in his wording. He also stated facts that are untrue, such as that most of LulzSec are in jail... currently most of them are out and never served much time.


This has happened repeatedly with other groups and he reports it to CNN or other news media and gets coverage. It was a very brief outage on a really small site, but it is good for lots of coverage on national media. I am not jealous, I think it is lame and not newsworthy. His site being down for less than an hour is not news.

Seriously, why do you think I am motivated by jealousy? I am not in his space, have no interactions with him or his foes. I think it is not a newsworthy story. I stand by that.


Hah, why does CNN have a "Happy Birthday Playstation" message on this page?

