INTERNET, DECEMBER 13, 2010 (COMPUTERWORLD) The retaliatory attacks by pro-WikiLeaks activists are growing in strength as hackers add botnets and thousands of people download an open-source attack tool, security researchers said today.

In recent days, distributed denial-of-service (DDoS) attacks have been launched against several sites, including those belonging to Amazon, MasterCard, PayPal and the Swiss payment transaction firm PostFinance, after each terminated WikiLeaks accounts or pulled the plug on services.

As of Thursday, WikiLeaks had posted the full text of more than 1,200 leaked U.S. State Department cables from its trove of over 250,000 messages.

Most of those participating in the attacks are using the LOIC (Low Orbit Ion Cannon) DDoS tool, said researchers with Imperva and Sophos.

The open-source tool, which is sometimes classified as a legitimate network- and firewall-stress testing utility, is being downloaded at the rate of about 1,000 copies per hour, said Tal Be'ery, the Web research team lead at Imperva's Application Defense Center.

"Downloads have soared in the last two days," said Be'ery in an interview. As of 4 p.m. ET, more than 44,000 copies of LOIC had been downloaded from GitHub.

LOIC has become the DDoS tool of choice in the pro-WikiLeaks attacks because users can synchronize their copies with a master command-and-control server, which then coordinates and amplifies the attacks.

"If I download [LOIC] and voluntarily set the server information, the command-and-control server can control my copy of LOIC," said Be'ery. "The command-and-control server can then sync the attack, which makes it much more powerful because the DDoS attacks are occurring at the same time and hitting the same target."

Some will still want to control LOIC manually, Be'ery said, calling those people "old school guys." But even then, the attacks are being coordinated.

"They're just syncing their attacks to the announcements made on Twitter and IRC (Internet Relay Chat)," Be'ery said, referring to the messages posted by several hacker groups, including Anonymous, which has been in the forefront of what's called "Operation Payback."

In a new step in the campaigns, botnets -- armies of already-compromised computers that hackers control remotely -- are now being recruited for the DDoS attacks, said Beth Jones, a senior threat researcher with Sophos. "Until now, the attacks have been done by volunteers who download LOIC," said Jones. "But now more groups are joining in with their botnets."

Be'ery said that Imperva had seen IRC chatter of at least one 100,000-PC botnet being thrown into the attacks.

"Operators of these attacks have repeatedly asked on IRC if someone can donate botnets," said Be'ery. "It looks like they feel the need for some more horsepower."

The fact that the organizers of Operation Payback are soliciting more firepower is a clue that they're not able to match the defenses erected by the sites they've targeted, said Be'ery. "They're having a bit of a problem. PayPal and others are doing good work to keep their sites alive, so they're after more machines and telling people [participating in the DDoS attacks] to do what they're told and focus on the targeted sites."

There seems to be something to Be'ery's point.

An attack launched earlier Thursday against Amazon by Anonymous appears to have fallen flat; the group then dropped Amazon and instead directed its PCs and followers to again hammer a PayPal URL.

But for all the problems that Operation Payback's having, Be'ery doesn't believe the DDoS attacks have peaked. "There doesn't seem to be any decay in the download rate of LOIC," he noted. "I really don't think things will change unless one of the attacked companies tries to take down the main command-and-control server."

There is only one such server currently coordinating the attacks, he added, but the organizers claim that they have a backup on stand-by. "But if the main server falls, it will certainly give them some trouble regrouping," said Be'ery.

"What's really surprising is that so many people are willing to put themselves on the line legally," said Sophos' Jones, pointing out that using a tool like LOIC to attack a site is illegal in most jurisdictions, including the United States.

"A more firm legal response may be helpful," Be'ery agreed. "I'm not even sure that everyone understands that what they're doing is illegal."

On Wednesday, Dutch police arrested a 16-year-old in The Hague for allegedly participating in the attacks against Visa, MasterCard and PayPal. The teen is to be arraigned in Rotterdam on Friday.

"The penny will drop when some of these guys are arrested," predicted Be'ery.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.

WikiLeaks Disclosures Prompt Defense Department Ban on USB Drives
By: Fahmida Y. Rashid, 2010-12-10

The clampdown by the Department of Defense will have implications for how United States troops abroad will communicate with folks back home.

The Pentagon's new restrictions on removable media and file transfers may impact how United States troops abroad communicate with family and friends back home, according to a privacy and computer security expert.

The new rules, outlined by the U.S. Department of Defense in a memo shortly after WikiLeaks started posting 250,000 cables from U.S. embassies and diplomats, ban military service personnel from using any removable media on any classified machines. The "crackdown" on removable media will likely include "rewritable CD drives, USB flash drives and multimedia storage like SD cards," said Darren Hayes, Computer Information Systems Program Chair at New York's Pace University, to eWEEK.

Maj. Gen. Richard Webber, commander of Air Force Network Operations, issued a "Cyber Control Order" on Dec. 3, outlining the new rules and directing all personnel to "immediately cease use of removable media on all systems, servers and stand-alone machines residing on SIPRNet," according to a CNN report.

Similar directives have been issued to other military branches, the report said.

SIPRNet (Secret Internet Protocol Router Network) is a separate and private network belonging to the Defense Department. While access to the SIPRNet system is restricted to only military staff, federal government employees can log on with their secure username and password regardless of their post or location, according to the Daily Mail.

The Air Force order also directs all staff to "immediately suspend all SIPRNet data transfer activities on removable media," said the CNN report.

The orders are in line with the Nov. 28 memo that said all Defense Department classified computers will have the "ability to write on removable media" disabled as a "temporary technical solution."

U.S. Army Private Bradley Manning said he downloaded the files from SIPRNet to a CD that was marked as containing music by performer Lady Gaga, according to chat transcripts published by Wired.

"Bottom line: It is now much more difficult for a determined actor to get access to and move information outside of authorized channels," wrote Pentagon spokesman Bryan Whitman in the Defense Department memo.

The military has banned USB devices before, the last time in 2008 shortly after disks helped spread malware onto the department's computers. The ban was lifted earlier this year, but the debate about whether military personnel should have access to USB drives continues, said Hayes.

Data transfer between classified and unclassified computers is not being entirely removed, according to Whitman. The number of classified systems that can transfer materials to unclassified systems on NIPRNet will be limited, and under the new rules, two people have to be involved in the transfer, said the memo.

The ban can "only do so much," said Thom VanHorn, vice president of global marketing at Application Security. The problem is user access control: People have access to information they do not need. Information needs to be secured, and access privileges need to be "properly assigned" so "employees only have access to the information necessary to do their jobs," he said.

A former senior intelligence official recently told the Washington Post that access to SIPRNet "ballooned to about 500,000 or 600,000 people, including embassy personnel, military officials from other countries, state National Guard officials and Department of Homeland Security personnel," since 9/11.

While the new rules would prevent information from easily being downloaded and carried away, the focus should be on network monitoring, experts said.

"As a second step," organizations should "monitor access to ensure it isn't being abused or misused," said VanHorn.

It's "strange" that the DoD didn't already monitor user activity, so it's more "likely" that "policies weren't adhered to," said Hayes.

Considering the sheer volume of cables posted to WikiLeaks, it's unlikely that all that data would have been downloaded "without getting noticed" if there'd been a monitoring tool, Hayes said. Even if it happened over a "long period of time," the tools are "on the lookout for large clusters of data" on the network, he said.

Administrators should be looking at what is downloaded and whether it matches the user's job role. Monitoring should have "most scrutiny on the most highly privileged users," said VanHorn.

Regardless of what was in place before, "procedures to monitor and detect suspicious, unusual or anomalous user behavior" will be in place soon, according to the Defense Department memo. About 60 percent of SIPRNet systems are now connected to a host-based security system, which allows administrators to remotely monitor unusual data access or usage, said the memo. The military is also "accelerating" deployment to the remaining systems.
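As an added illustration of the kind of monitoring Hayes and VanHorn describe (example code written for this page, not from the article, the Pentagon memo or any DoD system): a sliding-window check over constructed access-log lines that flags accounts whose cumulative download volume exceeds a per-role baseline, with a tighter tolerance for the privileged role. The log format, account and role names, baselines and multipliers are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed access-log lines (not real data): timestamp, account, role, bytes.
SAMPLE_LOG = """\
2010-11-01T09:12:00 analyst1 analyst 40000000
2010-11-10T14:02:00 analyst1 analyst 40000000
2010-11-02T07:30:00 admin1 admin 12000000
2010-11-06T19:10:00 admin1 admin 12000000
2010-11-15T16:20:00 admin1 admin 12000000
2010-11-01T10:00:00 analyst3 analyst 100000000
2010-12-15T10:00:00 analyst3 analyst 100000000
"""
# Constructed per-role baselines (bytes per 30-day window) and tolerance
# multipliers; the privileged role gets the tighter one ("most scrutiny").
ROLE_BASELINE = {"analyst": 50_000_000, "admin": 20_000_000}
ROLE_MULTIPLIER = {"analyst": 3.0, "admin": 1.5}

def parse_log(text):
    """Parse the sample format into (timestamp, user, role, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, role, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, role, int(nbytes)))
    return events

def flag_anomalous_users(events, window=timedelta(days=30)):
    """Return {user: (role, bytes)} for accounts whose download volume in any
    sliding window exceeds baseline * multiplier for their role. Summing over
    the window catches a slow trickle spread across weeks as well as bursts."""
    by_user = defaultdict(list)
    for ts, user, role, n in events:
        by_user[(user, role)].append((ts, n))
    flagged = {}
    for (user, role), items in by_user.items():
        items.sort()
        limit = ROLE_BASELINE[role] * ROLE_MULTIPLIER[role]
        start, total = 0, 0
        for ts, n in items:
            total += n
            while ts - items[start][0] > window:  # evict events past the window
                total -= items[start][1]
                start += 1
            if total > limit:
                flagged[user] = (role, total)
                break
    return flagged

if __name__ == "__main__":
    print(flag_anomalous_users(parse_log(SAMPLE_LOG)))  # {'admin1': ('admin', 36000000)}
```

In the constructed data the admin account trips its tighter limit on a modest volume, the analyst stays under a much larger one, and the second analyst's two large downloads are 44 days apart, so they never fall into the same window.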

The Pentagon will also "rethink computer security procedures," such as restricting access to personal e-mail accounts, even on NIPRNet, said Hayes.

U.S. forces in Iraq trying to access WikiLeaks are being shown a warning page reminding them they should not be viewing classified documents over the NIPRNet, according to Gawker. This can be expanded to restrict access to personal e-mail sites like Google Gmail, Yahoo and Microsoft Hotmail, said Hayes.

Hayes said social networking sites such as Facebook pose a challenge for DoD. "The Department of Defense hasn't decided how to deal with social networks," Hayes said: being able to keep in touch with friends and family at home helps troop morale, but the same sites can be "a medium" for an individual to "leak classified documents."

"Many have argued that it is important for members of the military stationed abroad to have access to technology that facilitates communication with family," said Hayes.

These new guidelines are a result of two reviews ordered by Defense Secretary Robert Gates shortly after the Iraq war logs were posted on WikiLeaks over the summer to determine "what policy, procedural and/or technological shortfalls" occurred, according to the Defense Department statement.

Chief News Editor: Sol Jose Vanzi
