Deflect Labs report #3

Botnet attack analysis of Deflect protected website blacklivesmatter.com

Seamus Tuohy and eQualit.ie

This report covers attacks between April 29th and October 15th, 2016. Over this seven-month period, we recorded more than a hundred separate denial-of-service incidents against the official Black Lives Matter website. Our analysis shows a variety of technical methods used in attempts to bring down this website and the characterization of these attacks point to a “mob” mentality of malicious actors jumping on board in response to callouts made on social media and covert channels. Our reporting highlights the usage of no-questions-asked-hosting and booter services used by malicious actors to carry out these attacks. We describe the ever growing trend of Internet vandals who, searching for a little bit of infamy, launch denial-of-service attacks against the Black Lives Matter (BLM) website. Our analysis documented attacks that could be accomplished for as little as $1 and, with access to public documentation and malicious software within easy reach, only required basic technical skill. Some of the larger attacks against BLM generated millions of connections without relying on huge infrastructure. Instead, traffic was “reflected” from legitimate WordPress and Joomla sites. We compare public attribution for some of the attacks with the data coming through our networks, and present the involvement of purported members of the Ghost Squad Hackers crew in these events.

Introduction

“Black Lives Matter, a May First/People Link member that is supported by the Design Action Collective, is a central organization in the response movement against police abuse, brutality and misconduct.” The BLM website has been protected by Deflect since April 15th, 2016, following a spate of DDoS and hacking attacks.

In early July we published a prima facie bulletin expecting to write a comprehensive report of the attacks soon after. Since then the BLM website faced an increasing number of sizable attacks that we decided to include in our analysis and delayed publication. This report will explore these attacks, correlating open source research and publicly stated attribution with what we saw in the data.

The Deflect Labs infrastructure allows us to capture, process and profile each attack, analyzing unique incidents and intersecting findings with a database of profiled botnets. We define the parameters for anomalous behavior on the network and then group (“cluster”) malicious IPs into botnets using unsupervised machine learning algorithms.

Attacks & attribution

As a DDoS mitigation solution for blacklivesmatter.com, Deflect has access to all legitimate and malicious requests made to this website. However in almost all cases, attacks come via infected machines or as reflection attacks from unsuspecting websites. A semi-experienced attacker knows how to obfuscate and disguise their traces on the Internet. It is therefore incredibly difficult to attribute an action to a particular person or IP address with confidence. We rely on our analytic tooling, peers in the mitigation industry and social media research to test our hypotheses. Assumptions arising out of OSINT are then verified against the data on our systems and vice versa.

Technical analysis and social media research indicated that actions against the BLM website were launched by multiple attackers frequently acting in concert. Some methods, like Joomla & WordPress reflection attacks, appear to have been coordinated, whilst in other cases it was clear that many actors jumped on the bandwagon of a more powerful attack to claim some of the credit. These small, loosely organized mobs appear minutes to hours after the start of the original attack and lob a hodge-podge of various attack methods, often to no effect. These actions are often accompanied by a flurry of queries from various website downtime monitoring solutions, as attackers try to collect trophies for their participation in the mob. Furthermore, we noticed a sophisticated actor who was able to generate malicious traffic on a level beyond anyone else that we documented targeting BLM. Using bulletproof hosting to coordinate their attacks, they did not go to great lengths to obfuscate their identity, creating instead a complicated web of social media accounts, possibly fake public attribution claims, and general intrigue about their motivations and purpose.

The ‘Ghost Squad’

The first, and only, publicly attributed attacks began in late April, as _s1ege, a professed member of the Ghost Squad Hackers crew, began tweeting screenshots showing site defacement and reports from website up-time checkers that the BLM site was no longer reachable. The action was part of #OPAllLivesMatter, likely in response to the #AllLivesMatter slogan (and then hashtag) created in 2015. On May 2nd, 2016, a YouTube video uploaded by @anonymous_exposes_racism contained a warning from a group identifying themselves as Anonymous to leaders of the Black Lives Matter movement, asking them to also denounce anti-white racism.

This first set of attacks against BLM, beginning on April 29th, lasted a mere 30 minutes. They came from six IP addresses and generated a little under 15,000 connections. A single method of attack and very few resources were brought into play, making this small action only temporarily effective at best. That evening five different IP addresses conducted another attack against the BLM website that topped off at over 158,000 connections over a period of an hour.

Timelion expression tracking malicious connections, by attack method, on April 29th

During this attack @_s1ege posted Twitter comments taking credit. Alongside photos that showed the Black Lives Matter website had been temporarily taken down by this attack, _s1ege posted a photo of the software he was using, “BlackHorizon”.

BlackHorizon is a clone of a piece of HTTP DoS software called GoldenEye, which was written by Jan Seidl in 2014. It was itself an expansion on the 2012 HULK project by Barry Shteiman. Unlike Seidl’s thoughtful adaptation and expansion of HULK, the BlackHorizon codebase mainly changes the ASCII art and the author’s name. When examined, it was clear that the functional components of the code were almost entirely unaltered from GoldenEye.

Several media publications rushed to interview _s1ege, with the @ghostsquadhack Twitter and GhostSquadHackers Facebook account referencing these publications. Around 30 minutes after the second attack Waqas Amir published an article on HackRead describing both incidents alongside his conversation with a GSH member. Later that evening one member of the GSH came back reusing an earlier bot and creating an attack that generated well under 700 connections, before giving up after less than 20 minutes.

Shortly after the tweets and HackRead publication, we witnessed an increase in attack frequency and variety. Only a portion of these had a similar behavioral profile on the network to those attributed by _s1ege to GSH. The attackers were using well-known software and may have called out to others on the Internet to follow suit. On May 10th, @_s1ege announces @bannedoffline as a new member in the Ghost Squad crew and two days later stops tweeting from this account altogether.

Maskirovka

BLM began to face larger scale attacks on May 9th. The first one lasted a little over 90 minutes and consisted of 1,022,981 connections from legitimate WordPress websites. This was not the first WordPress pingback attack against the BLM website, but it was an indication that we were beginning to face adversaries prepared to deploy much greater resources than before. The level of severity and aggression continued to mount and on July 9th we witnessed a WordPress pingback attack that generated over 34 million connections to BLM in a single day. The attackers did not seem to be interested in obfuscating their provenance, allowing us to track these activities over the next few months. The attacks were coordinated from machines hosted at a “bulletproof” provider – so-called because they offer servers for rent on a no-questions-asked basis. The incidents associated with these attacks were the largest faced by BLM during the reporting period.

On July 25th we received a subscription for Deflect protection from a “John Smith” asking us to enlist http://ghostsquadhackers.org. We traced this request and further conversation with this user to @bannedoffline on Twitter and Facebook, as well as the owner of the following domains: ghostantiddos.com; ghostsquadsecurity.com; bannedoffline.xyz; www.btcsetmefree.org, among others.

Our analysis of actions run from the “bulletproof” hosting provider identified several IP addresses that were used for command and control. These addresses were correlated by a peer mitigation provider who had dared @bannedoffline on a hackers forum to DDoS them and recorded the resulting activity. Two IP addresses, one belonging to the DMZhosting provider mentioned further on in this report and a Digital Ocean machine, were identified in our individual records – and correlated to eight separate incidents in our study.

  • 191.96.249.80 Dmzhost Limited https://dmzhost.co
  • 178.62.152.134 DigitalOcean https://www.digitalocean.com

It is hard to say with any certainty why there were no more public attributions for attacks on BLM after the first week of May, considering that the severity and sophistication increased several-fold. @bannedoffline deleted all of their social media postings in late September, just before we recorded the biggest attack against the BLM website. bannedoffline was also linked to a 665 Gbps attack (the largest attack of its time, before the Mirai botnets) against the Krebs on Security website. The Ghost Squad did not attribute or deny @bannedoffline’s continued participation in their crew. Attacks attributable to bannedoffline and _s1ege, who could very well be the same person, made up less than 20% of recorded DDoS activity against BLM.

Technical Analysis Of Attacks

Incidents using a similar attack method were distinguished through an iterative process of identifying possible behavioral characteristics that distinguish one type of attack from others. First we identified combinations of behaviors and features that distinguished possible attacks from normal traffic. These profiles were then matched to existing types of attacks by looking for signatures from other reports and known codebases of these attacks to create an attack method profile. At this point secondary characteristics of the attack were examined to see if they distinguished individual attacks. This ranged from the hosting provider used for botherders, to the collection of innocent websites used as reflectors, and the methods used to check the status of the website, among others. If one or more of these characteristics overlapped for a specific set of attacks, those attacks were flagged for further investigation. Once we clustered these attacks, we looked across the entire set of attacks and attempted to reject any characteristic that could clearly differentiate that subset of attacks from similar attacks.

The most common category of attacks against the BLM website has been “application level” (layer 7) HTTP flood attacks. These bots mimic human behavior by connecting to a website and requesting a large amount of content until the server crashes for lack of resources. In this report we will only be looking at this type of attack.

The capability of individual attackers has ranged greatly. As the BLM website faced more resourced and effective attackers, the mob became a persistent background noise.

Attack type (including variants and clones) April May June July Aug Sept Oct
WordPress pingback 5 6 4 4 5
Joomla pingback 1 6 6 4 3 3
Slow Loris 2 5 3 1
Fully Randomized NoCache Flood 6 14 11 5 7 2 4
Cache Bypass flood 1 1 2 2
Python script flood 2 2

You can view the entire attack portfolio on Google Docs


Slowloris

Aliases/Tools: Slowloris, Pyloris, Torloris
Attack Type: Layer 7 Denial of Service
Exploits: Connection exhaustion
Obfuscation: None
Attack Class: Single-source
Attack Rate: Low

The first attack identified against the Black Lives Matter website occurred on April 18th, just a few days after it had switched over to Deflect. A single address made between 5 and 30 connections per second to the main BLM web page. This lasted for 28 seconds. In total it made only 168 connections. Usually, this type of behavior would not raise any flags. But in this case, the user agent of this client matched the user agent used in the original proof of concept code for “Slowloris – the low bandwidth, yet greedy and poisonous HTTP client!”

Slowloris is a DoS tool that was originally released in 2009. It is unique among the other Layer 7 attacks we will be discussing in this report because it does not focus on flooding the network with traffic. Instead, it attempts to use up all the connections to a web server leaving none left for legitimate users. This low number of connections allows Slowloris to attack a website without drawing the same attention that a flood of traffic would. There have been 12 identified attacks using the original Slowloris codebase since the BLM website has been protected by Deflect. All but one of these attacks were under 1000 connections. The largest Slowloris attack occurred on July 10th from 0:50 to 3:20 and from 6:00 to 7:20, making over 40,542 connections and clearly misusing this tool or not understanding its original purpose.

In the initial code release Slowloris used a single user agent. Today, many of the custom versions of Slowloris have changed the user agent [pyloris.py] or added source client obfuscation by randomly picking from a list of user agents [slowloris.py]. It is not surprising to see someone using an unmodified version of such an arcane tool even when the server used on the BLM website is protected against that attack. Many of the actors conducting DoS attacks are not building upon existing tools. While Slowloris was elegant at the time, the DoS space is dominated by attackers using simplistic measures. This is because one does not need a highly complex tool to take down most sites on the Internet.

Slowloris attacks on the BLM website have a tendency to overlap with or occur around the time of two low-skill “basic HTTP flood” attacks: [Blank] and [Python], as well as (Blank+WordPress) WordPress attacks.

HTTP Floods

HTTP floods are easy to implement and hard to identify attacks. Generally, they attempt to exhaust a system’s application resources or the network bandwidth. They do this by either creating a large amount of connections to the website or by continuously downloading a large amount of files. Because they only require an attacker to create many legitimate connections to a server, HTTP floods are quite easy to implement. Since these connections are legitimate, it can be very difficult for a defender to differentiate these connections from those of real users.

Simple HTTP Flood

Aliases/Tools: None
Attack Type: Layer 7 Denial of Service
Exploits: None
Obfuscation: None
Attack Class: Single-source
Attack Rate: Low

A simple example of this type of attack can be seen on April 30th. For just under ten minutes one lone address conducted a low sophistication HTTP GET request attack against the Black Lives Matter website. Over a five-minute period this attacker made 1503 connections from a single address using an Internet Explorer user agent. The BLM website only received a few of these connections as the attacker was banned within a second.

Basic Python

Aliases/Tools: None
Attack Type: Layer 7 Denial of Service
Exploits: None
Obfuscation: None
Attack Class: Single-source
Attack Rate: Low

Just a few hours after the previous HTTP Flood concluded, two different attacks started and subsided. They missed each other by just two minutes. The first was a “Fully Randomized NoCache Flood” and connected 2,000 times in its two minutes of attack. The second was a test run of an even simpler HTTP Flood attack than the previous example. The code behind this attack was written without any attempt to make it look like a legitimate user. Over the six-minute attack, this script made around 400 connections. There were also 23 connections from a Chrome browser at the same IP address during this period, as the attacker frantically refreshed the web page to check on their impact. As in the previous attack, it took under a second for this IP address to be banned.

While a DoS attack does not need much sophistication to be effective, we mention it here because its unique signature shows that this attack was written by an inexperienced programmer. To explain how basic this attack is, the Deflect Labs researchers have recreated a working version of it below.

import urllib
while True:
   urllib.urlopen("http://www.blacklivesmatter.com")

This attacker came back again after a few hours using a different address. As in many single-source attacks, they were likely using a proxy to disguise the original IP of their attacks as they conducted these test runs. Before running the Python script, they ran the same “Fully Randomized NoCache Flood” attack for about a minute and then quickly switched back to their Python script. The Python script made another 429 connections during the approximately six-minute attack. It was, like before, stopped within seconds.

This testing behavior continued over the next few days, with another small attack on the morning of May 1st that made up to 700 connections in just under 10 minutes and one with just over 1000 connections in just under 20 minutes. By the end of that week this attacker had concluded their experiment in attempting to build their own script. Its simple nature meant it was automatically blocked almost as soon as it connected. At its peak, it could only create a hundred or so connections per minute, which is far too little for a machine conducting a DoS attack.

HTTP Flood DDoS

Aliases/Tools: None
Attack Type: Layer 7 Denial of Service
Exploits: None
Obfuscation: None
Attack Class: Multi-Source
Attack Rate: High

The HTTP floods we have described so far in this section have only come from a single source. In this section we will explore how a botnet can leverage thousands of machines to conduct a distributed HTTP Flood and how we can identify these floods among regular traffic.

HTTP floods that involve many sources (DDoS attacks) are difficult to identify because they can look very similar to regular traffic. But because the BLM website, like every other, has traffic patterns that show the general behavior of their usual readership, there are some clear examples of DDoS HTTP Floods that we can explore.

Unsurprisingly, people in the US visit the BLM website far more often than other groups. This also impacts traffic patterns to the site. Traffic to the BLM website follows a daily cyclical pattern. There is a peak in its traffic between 12:00 and 14:00 EST. (The numbers in our screenshots reflect UTC+0 timestamps.) After that, the traffic slows until around 07:00 EST, when it spikes for the evening and then slows for the night.

Between August 5th and August 9th the hourly pattern changed from a smooth usage pattern like the above into this.

That week between 11:00 and 13:00 EST there was a surge of traffic from China, Indonesia, Turkey, and Slovenia. While the Deflect Labs team is not surprised that BLM receives international attention, it is a bit odd to see it occurring during the same period worldwide. When looking for HTTP Floods that have multiple sources, knowing these usage patterns can make it far easier to identify possible attacks like this one.

The anomaly we can see above was an HTTP POST Flood attack on August 8th. Based upon the dozens of countries per minute that are seen making higher than average connections, it seems plausible that this attack was using a botnet of infected machines.

Over a period of just over an hour, 11,514 machines attempted to upload (POST) a series of large files to the BLM website. This created a flood of large content-length requests that the BLM website had to process.

Fully Randomized NoCache Flood

Aliases/Tools: Hulk, GoldenEye, BlackHorizon
Attack Type: Layer 7 Denial of Service
Exploits: KeepAlive, NoCache
Obfuscation: Source Client Obfuscation, Reference Forgery
Attack Class: Multi-Source
Attack Rate: High

Websites that are protected by DDoS mitigation services – such as Deflect – use a “caching” system to store commonly requested pages and provide them to users so the protected website’s server does not have to. This “cache” of recently requested web pages allows Deflect to further limit the requests made to the protected server. Even if simple bots, like those in the last section, evade blocking, they often are just receiving responses from Deflect’s caches of recently requested URLs and not impacting the origin server at all.

DoS providers responded to the use of caching by creating a bot that tricks the cache into thinking that they are requesting a page that was never requested before. These “Cache-bypass” HTTP Floods are bots that add a randomized query at the end of their requests. These randomly generated queries cause a cache to view each request as a new request, even though the bots we are examining in this report only ever requested the main BLM URL “blacklivesmatter.com”.

GoldenEye is a Layer 7 DoS tool. It allows a single computer to open up multiple connections to a website, each of which pretends to be a different device. To do this, GoldenEye provides a different user agent string for each connection. Over the combined hour and a half of attacks, these 11 bots pretended to be hundreds of different types of users to avoid detection.
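The cache-bypass pattern and user-agent rotation described above can be picked out of a request log by counting, per client, how many requests carry a never-before-seen query string against the same one or two paths. The following is an added example written for this report, not Deflect's own detection code; it assumes a simplified log line (client IP, quoted request line, status, quoted user agent) and the sample lines are constructed.

```python
"""Flag cache-bypass ("Fully Randomized NoCache") HTTP floods in a request log.
Added example for this report, not Deflect's own detection code. It assumes a
simplified log line: client IP, quoted request line, status, quoted user agent;
the sample lines are constructed."""
import random
import re
import string
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into ip, method, path, query, status and user agent."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def score_clients(lines, min_requests=20, unique_query_ratio=0.9):
    """Per-IP request count, distinct query strings, distinct user agents and
    distinct paths. A client is flagged when nearly every request carries a
    query string never seen before while it keeps hitting the same one or two
    paths: the signature of HULK/GoldenEye-style cache busting."""
    seen = defaultdict(lambda: {"n": 0, "queries": set(), "uas": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line, skipped rather than counted
        s = seen[rec["ip"]]
        s["n"] += 1
        s["queries"].add(rec["query"])
        s["uas"].add(rec["ua"])
        s["paths"].add(rec["path"])
    out = {}
    for ip, s in seen.items():
        ratio = len(s["queries"]) / s["n"]
        out[ip] = {
            "requests": s["n"],
            "unique_queries": len(s["queries"]),
            "unique_agents": len(s["uas"]),
            "unique_paths": len(s["paths"]),
            "cache_bypass": (s["n"] >= min_requests
                             and ratio >= unique_query_ratio
                             and len(s["paths"]) <= 2),
        }
    return out


def _token(rng, lo=3, hi=8):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(rng.randint(lo, hi)))


def build_sample_log(seed=1):
    """Constructed sample: one human reader browsing a few pages with one browser,
    and one bot that requests only "/" with a fresh random query string and a
    rotating user agent on every request (constructed addresses and agents)."""
    rng = random.Random(seed)
    agents = [
        "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36",
        "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0",
        "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.12.388",
    ]
    lines = []
    for page in ("/", "/about/", "/", "/news/", "/about/"):
        lines.append(f'203.0.113.10 "GET {page} HTTP/1.1" 200 "{agents[0]}"')
    for _ in range(50):
        query = f"{_token(rng)}={_token(rng)}"
        lines.append(f'198.51.100.7 "GET /?{query} HTTP/1.1" 200 "{rng.choice(agents)}"')
    return lines


if __name__ == "__main__":
    for ip, stats in score_clients(build_sample_log()).items():
        print(ip, stats)
```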

Later in the evening of April 30th another attack consisting of just under 11,000 connections was attempted. This attack used an improved “Fully Randomized NoCache Flood.” While the attack starts with 9 bots using something similar to the code used by GSH, a single address joins a minute into the attack and quickly dwarfs the other attackers in both number of connections and variety of user agents that it employs.

If it were not for the variety of intensity and method used by the individual addresses, attacks like this would look like they involved a single actor. But as is common for attacks against the BLM website, this attack starts slowly with one or two initial actors, who are then joined by a small mob of “bandwagon bullies.” As was seen in the early GSH attacks, they share the tools used in their attacks with the other attackers. Whoever this late attacker is, they are clearly not just another member of the team. This attacker has considerably different network resources and likely software that allows them to have far more impact than all the participating GSH team members.

Reflection DDoS

Joomla! Reflection DDoS

Aliases/Tools: DAVOSET, UFONet
Attack Type: Layer 7 Denial of Service
Exploits: None
Obfuscation: None
Attack Class: Reflected
Attack Rate: High

In 2013 a series of vulnerabilities were discovered in a Google Maps plugin for the Joomla! CMS. One of them made it possible for anyone to request a Joomla! site to make an HTTP request to remote websites. By June 2013 this vulnerability had already been weaponized and included in an existing DDoS framework called DAVOSET (DDoS attacks via other sites execution tool). In 2014 this same vulnerability was included in the UFOnet DDoS framework.

Each of these DDoS frameworks has an easy-to-use web-based point-and-click interface and a built-in list of vulnerable Joomla! websites. This makes them ideal for a low-resourced or unsophisticated attacker looking to amplify another attack. Of the 23 WordPress attacks made against the BLM website, only 7 of them were not paired with a Joomla! attack.

Initially, it was difficult to identify Joomla! attacks because most of the connections do not provide a user agent string. Empty user agents are somewhat common on the Internet. Many non-malicious, but quickly made, bots do not provide a user agent. As such, when we initially saw these spikes of traffic, we assumed that they were from another sloppily made DoS bot.

After we saw this bot accompanying attacks from a variety of different attackers, we investigated further and noticed a fingerprint hidden in the traffic that led us to the Joomla! attack. Although most of the user agents used by Joomla! sites to make these requests are blank, a small subset of these machines include the version of the PHP language that was used to run the request. While blank user agents are somewhat common, many of the attacks that included them were combined with user agents that contained PHP versions. Given how rarely PHP user agents appear in normal traffic, we realized that the odd increase in empty user agents alongside other attacks was because they were being combined with Joomla! attacks.

Introduction to WordPress XMLRPC Floods

Aliases/Tools: WordPress Pingback
Attack Type: Layer 7 Denial of Service
Exploits: NoCache
Obfuscation: Spoofing
Attack Class: Reflected
Attack Rate: High

By default, WordPress has a “pingback” feature that was built to allow WordPress sites to alert other blogs when they linked to their content. On a high level, this works similarly to a mention in Twitter. When a WordPress site publishes a post that links to another website, it sends out a “pingback” to that site with a link to the post containing the original link. If the receiving site is also based on WordPress, it responds to the original site to confirm that it received the pingback.

Pingbacks have been a part of WordPress sites since Version 1.5, which came out in 2005. It wasn’t until 2012 that Christian Mehlmauer released a working implementation of code that took advantage of this feature to ask WordPress sites to verify “pingbacks” from spoofed URLs. Two years later, in March 2014, Akamai released a post that described a “pingback” attack consisting of over 162,000 WordPress sites. In September 2015 they announced that WordPress pingback attacks made up 13% of all Layer 7 attacks they faced.

At 22:00 on May 1st a WordPress pingback attack began targeting the Black Lives Matter website. In just 13 minutes it made 181,301 connections. As this WordPress attack subsided, a Joomla! attack took its place. The moment the WordPress attack started, the second attacker began to use free online services dozens of times a minute to check if the Black Lives Matter website had gone down. As the second attack began, the attacker increased the frequency at which they monitored the state of the website. Four minutes into the attack, when it had obviously succeeded, the attacker stopped checking the site. Altogether, this attack consisted of around 350,000 connections in a period of less than an hour.

As was mentioned in the original bulletin, the most intense attacks against the Black Lives Matter website have been WordPress pingback attacks. The first large-scale attack against the BLM website was a WordPress attack on May 9th. This attack made over 1,130,000 connections in just under three hours. It was a mix of over 1,000,000 connections from a WordPress pingback attack alongside 100,000 connections from a “Fully Randomized NoCache Flood.”

The following WordPress sections will provide some illustrative examples to show how we explored the relationships between these bots. But we will not examine every attack. Nor will we try to attribute attacks to their source.

WordPress pingback & Botherder Addresses

While WordPress attacks work similarly to Joomla! attacks they are far easier to identify. These attacks clearly list their WordPress version as their user agent. Because these attacks started to become more widespread, a new feature was released in version 3.9 of WordPress. This version updated pingbacks to include the IP address that made the original pingback request.

WordPress/4.6; http://host.site.tld; verifying pingback from 127.0.0.1

We call these IP addresses “botherder” addresses. Some of these addresses correspond to globally addressable IP addresses that one can reach over the Internet. Others are addresses that should never appear on the public Internet. These bogon addresses are private/reserved addresses and netblocks that have not been assigned to a regional Internet registry. The bogon address seen in the example above is called localhost. It’s the IP address used by a computer to refer to itself.

While adding the address of the botherder was implemented to de-anonymize the true source of an attack, most attackers are very adept at concealing their true IP address through the use of spoofed packets, proxies, virtual private servers (VPSs), and the use of compromised machines to conduct the original requests. When we started looking into the botherder addresses, we assumed that we would only find spoofed addresses. To our surprise, the botherder addresses exposed far more than we expected them to. By clustering the botherder IPs exposed in an attack, we were able to develop behavioral profiles that helped us link different attacks together to understand which attacks were likely conducted by the same attacker.

The first thing we looked at were the botherder IPs used in WordPress attacks against the BLM website. Our exploration of bogon addresses showed clear relationships between the attacks that could be exposed by looking at the botherder addresses.

The large blue ball of shared IP addresses on the left side of the bogon graph above surrounds two small incidents that occurred on August 8th and 9th. This massive ball of shared IP addresses consists of over 500 addresses from the private IP address spaces. Specifically, they include 382 addresses from the 172.16.0.0/12 address range and 177 addresses from the 10.0.0.0/8 address range. Private address ranges are not entirely uncommon for WordPress pingback attacks. They can appear when the botherder is on the same hosting provider as the WordPress sites they are exploiting and can also be created when a botherder is spoofing random addresses. What is unusual is how clearly the overlapping bogon IP addresses link these two attacks.

There were also globally addressable botherder IP addresses that linked each of the individual attacks against BLM together. It is likely that areas of sparse overlapping IPs exist because many botherders were clearly spoofing IP addresses. But the areas with many connections showed relationships that were worth exploring.

One commonality between all the attacks was that while every attack has hundreds of spoofed botherder addresses that appear only once or twice, there are also a small number of botherder addresses that account for a majority of the bots herded for the attack. In the August 8th and 9th attacks, which can be seen at the bottom of the globally addressable IP graph, three IP addresses accounted for 95% (13,963 / 14,585) of the WordPress connections that identified a botherder.
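The botherder extraction described in this section, from the “verifying pingback from” user agent quoted above through the bogon/global split to the “three IPs account for 95%” concentration figure and the overlap of herder addresses between incidents, can be carried out over raw user-agent strings as follows. This is an added example written for this report, not Deflect Labs’ own tooling; the user-agent layout is the one quoted above, while the addresses, counts and the minimal bogon list are constructed for illustration.

```python
"""Pull "botherder" addresses out of WordPress pingback user agents, separate
bogons from routable addresses, and measure how concentrated the herding is.
Added example for this report (not Deflect Labs' tooling); the user-agent layout
is the one quoted in the report, all addresses and counts below are constructed."""
import ipaddress
import re
from collections import Counter
from itertools import combinations

WP_RE = re.compile(r"^WordPress/[\d.]+; ")
HERDER_RE = re.compile(
    r"^WordPress/(?P<version>[\d.]+); (?P<site>\S+); "
    r"verifying pingback from (?P<herder>[0-9a-fA-F:.]+)$"
)

# Minimal bogon set: the private, loopback and reserved blocks this report talks
# about. A real deployment would load a maintained bogon list instead; the
# documentation ranges (198.51.100/24, 203.0.113/24) used for the sample are
# deliberately left out so they can stand in for routable addresses here.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def herder_from_ua(ua):
    """Return the botherder address announced in a WordPress 3.9+ pingback
    user agent, or None for any other user agent."""
    m = HERDER_RE.match(ua)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("herder"))
    except ValueError:
        return None


def is_bogon(addr):
    return any(addr in net for net in BOGON_NETS)


def summarize(user_agents, top_n=3):
    """Counts per herder and the share of herder-identified connections that
    the top_n herders account for (the report's "95% from three IPs" figure)."""
    wp_total = sum(1 for ua in user_agents if WP_RE.match(ua))
    herders = Counter()
    for ua in user_agents:
        addr = herder_from_ua(ua)
        if addr is not None:
            herders[str(addr)] += 1
    with_herder = sum(herders.values())
    bogon = sum(c for ip, c in herders.items() if is_bogon(ipaddress.ip_address(ip)))
    top = herders.most_common(top_n)
    share = sum(c for _, c in top) / with_herder if with_herder else 0.0
    return {
        "wordpress_connections": wp_total,
        "with_herder": with_herder,
        "bogon_connections": bogon,
        "global_connections": with_herder - bogon,
        "top_herders": top,
        "top_share": share,
    }


def shared_herders(incidents):
    """Link incidents by overlapping routable herder addresses (the report's
    graph of globally addressable botherder IPs). Returns {(a, b): set(ips)}."""
    sets = {}
    for name, uas in incidents.items():
        sets[name] = {str(a) for a in map(herder_from_ua, uas)
                      if a is not None and not is_bogon(a)}
    return {(a, b): sets[a] & sets[b]
            for a, b in combinations(sorted(sets), 2) if sets[a] & sets[b]}


def _ua(herder, version="4.6", site="http://blog.example.net"):
    return f"WordPress/{version}; {site}; verifying pingback from {herder}"


def build_sample():
    """Constructed incident: three heavy herders, a few spoofed one-offs, some
    bogons and two pre-3.9 pingbacks that carry no herder address."""
    uas = []
    uas += [_ua("203.0.113.5")] * 40 + [_ua("203.0.113.6")] * 30 + [_ua("198.51.100.9")] * 25
    uas += [_ua(f"198.51.100.{n}") for n in range(20, 25)]
    uas += [_ua(a) for a in ("10.1.2.3", "172.16.5.5", "127.0.0.1", "192.168.1.10")]
    uas += ["WordPress/3.8.3; http://old.example.org"] * 2
    return uas


if __name__ == "__main__":
    s = summarize(build_sample())
    print(f"{s['with_herder']} herder-identified connections, "
          f"top {len(s['top_herders'])} herders = {s['top_share']:.0%}")
```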

Because Deflect’s primary purpose is DDoS mitigation, Deflect Labs’ investigations often happen days or weeks after the fact. This means that we often have to rely on our logs and open source intelligence. In this case one of the first things we looked at was who owned the three primary botherder IP addresses. These IP addresses belong to Digital Ocean, a VPS provider based in New York. Digital Ocean does not provide multiple IP addresses per machine, and so we know that this attack was herded by three separate Digital Ocean “droplets.” Hourly pricing for Digital Ocean droplets runs between $0.007 USD/hour and $0.119 USD/hour. With each of these attacks lasting under half an hour, the cost to run this attack was well below a single dollar.
“Bulletproof” Hosting

By far the largest cluster of associated WordPress attacks occurred between July and October. This set of attacks includes the five largest attacks over that four-month period.

Among the 206 globally addressable IPs used by those attacks, 5 botherder IP addresses make up 65% (41,030 / 62,488) of the botherder IPs identified in the attack. Each of these botherders was hosted on an “offshore” hosting provider called DMZHOST. The two most connected botherder IPs in our attacks are mentioned countless times on a variety of IP address reputation websites, forums, and even blog posts as the source of a variety of similar attacks.
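As an added illustration of the botherder analysis described in this section and the previous one (this is not Deflect Labs' own tooling), the following Python script extracts the botherder address from each reflected pingback hit in edge access logs, separates RFC 1918 addresses from globally addressable ones, and measures how concentrated the globally addressable botherders are. It assumes simplified combined-log lines (constructed below) and the User-Agent format WordPress sends when verifying a pingback (`WordPress/<ver>; <site>; verifying pingback from <IP>`); treating every non-RFC 1918 address as global is a simplification of the report's bogon filtering.

```python
"""Added example (not Deflect Labs' tooling): rank the botherders behind a
WordPress pingback reflection burst from edge access logs."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real Deflect data) in a simplified
# combined-log shape. The User-Agent is the one WordPress sends when it
# verifies a pingback: "WordPress/<ver>; <site>; verifying pingback from <IP>".
# The trailing IP is the address the reflecting site saw, i.e. the botherder
# (or a spoofed address), which is why single-hit entries are expected.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Aug/2016:14:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "WordPress/4.5.3; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [08/Aug/2016:14:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "WordPress/4.4.2; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [08/Aug/2016:14:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "WordPress/4.5.3; http://blog-c.example; verifying pingback from 198.51.100.7"
203.0.113.13 - - [08/Aug/2016:14:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "WordPress/4.5.2; http://blog-d.example; verifying pingback from 198.51.100.9"
203.0.113.14 - - [08/Aug/2016:14:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "WordPress/4.5.3; http://blog-e.example; verifying pingback from 172.16.4.20"
203.0.113.15 - - [08/Aug/2016:14:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "WordPress/4.5.3; http://blog-f.example; verifying pingback from 10.3.0.9"
203.0.113.16 - - [08/Aug/2016:14:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"
"""

# Matches only the pingback-verification User-Agent at the end of a line.
PINGBACK_UA = re.compile(
    r'"WordPress/[^";]*; (?P<site>[^";]*); verifying pingback from (?P<ip>[^"\s]+)"\s*$'
)

# The report splits botherder addresses into private (RFC 1918) and globally
# addressable ones; treating everything outside these ranges as global is a
# simplification of the fuller bogon filtering Deflect Labs describes.
PRIVATE_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_pingback_line(line):
    """Return (reflector_site, botherder_ip) for a pingback hit, or None."""
    match = PINGBACK_UA.search(line)
    if not match:
        return None
    try:
        ip = str(ipaddress.ip_address(match.group("ip")))  # validates the address
    except ValueError:
        return None
    return match.group("site"), ip


def private_range(ip):
    """Return the RFC 1918 range containing ip, or None if it is globally addressable."""
    addr = ipaddress.ip_address(ip)
    for net in PRIVATE_RANGES:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def summarize(log_text, top_n=3):
    """Count reflectors, private-range botherder hits and the share of the top botherders."""
    private_by_range = Counter()
    global_hits = Counter()
    reflectors = set()
    for line in log_text.splitlines():
        parsed = parse_pingback_line(line)
        if parsed is None:
            continue  # ordinary visitor traffic, not a reflected pingback
        site, herder = parsed
        reflectors.add(site)
        rng = private_range(herder)
        if rng:
            private_by_range[rng] += 1
        else:
            global_hits[herder] += 1
    top = global_hits.most_common(top_n)
    top_hits = sum(count for _, count in top)
    total = sum(global_hits.values())
    return {
        "reflectors": len(reflectors),
        "private_by_range": dict(private_by_range),
        "global_botherders": global_hits,
        "top": top,
        # Fraction of botherder-identifying hits attributable to the top_n
        # addresses (the report's "three IPs accounted for 95%" figure).
        "top_share": top_hits / total if total else 0.0,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, top_n=1)
    print("reflecting sites:", result["reflectors"])
    print("private-range botherder hits:", result["private_by_range"])
    print("top botherders:", result["top"], "share:", round(result["top_share"], 3))
```

On the constructed sample, one address accounts for three of the four globally addressable hits, the same kind of concentration the report found; the private-range hits are tallied separately so they can be compared across incidents as the bogon graph does.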

“Bulletproof hosting” providers like DMZHOST provide VPSs that advertise themselves as outside of the reach of Western law enforcement. DMZHOST offers its clients “offshore” VPSs in a “Secured Netherland datacenter privacy bunker” and “does not store any information / Log about user activity.” At the same time, DMZHOST’s terms of service are just as concise. “DMZHOST does not allow anything (related) to the following content: – DDos – Childporn – Bank Exploit – Terrorism – NO NTP – NO Email SPAM”.

Conclusion

Silencing online voices is becoming ever easier and cheaper on the Internet. The biggest attacks presented in this report did not require expensive infrastructure; they were simply reflected from other websites to magnify their strength. We are beginning to see authorities pursue and shut down “bulletproof” hosting and booter services that enable a lot of these attacks, yet more needs to be done. In the coming age of IoT botnets, when we begin to witness attacks that can generate over a terabyte of traffic per second, the mitigation community should not guard their intelligence on malicious activity but share it, responsibly and efficiently. Deflect Labs is a small project laying the groundwork for open source community-driven intelligence on botnet classification and exposure. We encourage you to get in touch if you would like to contribute.

Deflect is a website security project working with independent media, human rights organizations and activists. It offers DDoS mitigation, secure hosting and attack analytics, free of charge to qualifying organizations. All of our tools are open source and we operate according to strict terms of service and principles promoting the privacy of our clients. Deflect is a project of eQualit.ie, a Canadian not-for-profit organization working to promote and defend human rights in the digital age.

Deflect Stats November 2016

In November the Deflect network served pages to many legitimate visitors interested in breaking news reported by deflected websites, and automatically mitigated some intense attacks.

[Figure: november_metrics]

During the month, Deflect served 585 million pages to 9.8 million visitors, with a slight increase of unique IPs as compared to our October statistics, suggesting a rise in the number of our legitimate visitors despite the decrease in the total number of requested resources. This is also reflected by the statistics on banned bots, which dropped from 50,323 in October to 38,740 in November.

[Figure: nov_hits_by_country]

Daily hits on the Deflect network, by country: in November, visitors of websites protected by Deflect came from Ukraine, the USA and Turkey, closely followed by Russia, which became the second country of origin of requests on 22 November.

[Figure: nov_bandwidth_by_country]

Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia, which rose to second position on 22 November.

[Figure: nov_uniqueips_by_country]

November statistics on unique visitors of websites protected by Deflect are topped by Turkey, Ukraine and the United States. On 22 November the Russian Federation rose to first position.

As in August, the peak in legitimate requests we recorded last month was linked to news from Uzbekistan, which also explains why we can clearly see a higher number of hits from a country where the internet, and most of the websites protected by Deflect, are censored for common citizens (but probably not for members of government and connected people).

Beyond the number of unique visitors and requests, here are two pie charts describing Deflect’s cache response and our visitors’ operating systems.

[Figure: nov_cache_result_pie]

In November, nearly 80% of the pages we served were cached in the Deflect edges. We had to get a copy from origin web servers for less than 20% of the requests we received.

[Figure: nov_osname_pie]

The pie chart on operating systems used by visitors of deflected websites in November shows that the trend we observed last month is unchanged: with Android at 37.03%, iOS at 8.7% and Windows at 39.29%, mobile devices (45.73% in total) are apparently being used as much as, if not more than, PCs (43.38%) to browse sites protected by Deflect.

November attacks

In November Deflect automatically mitigated all DDoS incidents targeting our network, including one major attempt on 15 November that didn’t last long, possibly because it was being blocked by our edges.

Bots used in these attacks originated mostly from the US, Germany and the Russian Federation. One detail sets apart last month’s statistics from what we observed in the previous months — WordPress doesn’t appear among the most used user agents in botnets, which suggests a change in attack methods.

November stats on the countries of origin of bots are mostly unchanged in comparison to previous months. A singular detail is the “Anonymous Proxy” that can be spotted in the list of countries.

During the short but intense attack Deflect mitigated on 15 November, the bans were triggered mostly by a user agent string known to be used in botnets and by a high number of GET requests sent to the root directory of the targeted website.

User agents used by banned bots in November: WordPress is not one of the most frequent user agents in DDoS attacks, where we observe a prevalence of browser user agent names.

TA3M, December 19th – the Cryptmas edition

Our techno activism 3rd Mondays events are back! This time the focus is on mobile security and anonymity. As recent reporting has once again highlighted the dangers that modern-day surveillance poses to personal privacy, we are offering an overview of the current options for improving your mobile privacy, just in time for Christmas! We will discuss:

– Surveillance on cellular and data networks
– Tools for secure and anonymous communications
– Communicating without the network
– Smartphone security
– Android without Google

As usual this will be an informal presentation with a lively discussion and refreshments. This is a public event but please RSVP as space will be limited.

Location: 5445 de Gaspé, suite 602

When? December 19th, 18:00-20:00

To see a history of past TA3M Montreal events please refer to our archive.

Deflect Stats October 2016

In October Deflect’s metrics kept following the trend we had seen in September, with comparable figures in terms of unique visitors (9.3 million) and a slight increase in total hits (632.8 million requests reaching our edge servers), but with almost twice as many bots identified and banned by Deflect’s banning system – 50,323 bots against 27,238 in September. This means that deflected websites attracted a lot of legitimate visitors, but that we also had to mitigate stronger DDoS attacks.

[Figure: october_metrics]

Looking at some more detailed graphs dividing Deflect’s metrics by country of origin of our visitors, we can see that while Ukraine and the United States keep topping the scores as in previous months, the peak of visits originating from Russia in August and September has been subsiding in favour of Turkey.

[Figure: oct_hits_country]

In October, requests received by the Deflect network originated mostly from Ukraine, the US and Turkey.

[Figure: oct_bandwidth_country_pie]

October bandwidth usage on the Deflect network: Ukraine and the USA keep their first and second position respectively, with Turkey rising back to the third place as in the summer months, though still closely followed by Russia.

In terms of unique visitors of deflected websites, in October Ukraine is still the first country of origin, followed by Turkey and the United States, with Syria rising above Turkey in the first half of the month.

[Figure: oct_cache_result_pie]

In October 78% of the requested content was cached on Deflect’s edge servers. We had to retrieve a copy of your pages for around 20% of the requests we received.

[Figure: oct_osname_pie]

Among the changes we have seen in October’s statistics, probably the most interesting is this pie chart on operating systems used by visitors of deflected websites. For the first time, we see Android overtaking Windows, even if only by a fraction of a percentage point. With a 37.5% slice of Android users and an 8.5% slice of iOS users, there are nearly as many mobile devices as there are personal computers accessing the websites protected by Deflect.

October attacks

Deflect mitigated some major attacks around mid-October. Two websites were targeted in particular, and the method was most probably a common WordPress pingback reflective attack.

[Figure: oct_bans_country]

Number of banning events by country. The peak of banned bots originating from the USA corresponds to the intense attacks Deflect mitigated between the 13th and 15th October

[Figure: oct_banjax_uaname_pie]

Most bots identified and banned by Deflect during the month of October were characterized by a “wordpress” user agent – this is common in WordPress pingback reflective attacks

The most intense DDoS attempt this month targeted the official Black Lives Matter website, which has been under attack for months, as we will describe in the new Deflect Labs report that will soon be published.

As we have often seen in DDoS attacks against Black Lives Matter, the botnet originated in great part from the United States, and was characterized by a large number of bots masquerading with a “spider” user agent device and a “wordpress” user agent name.

[Figure: blm_ddos_131016_bans_country]

Between the 13th and 14th October, most bots banned by Deflect originated from the US

The bots used in the DDoS attack against Black Lives Matter were masquerading with a “wordpress” user agent name and a “spider” user agent device

[Figure: blm-banjax_uaname-trigger]

What triggered the banning events in the two peaks of the attack were mainly WordPress user agents

Towards the end of the month, we were struck by news of another DDoS attack elsewhere on the internet. On the 21st October a record-breaking DDoS attack against the domain name provider Dyn caused an outage that made important websites like Twitter, Reddit or Spotify unreachable for several hours on the East Coast of the United States and in Japan. As in the September attack against KrebsOnSecurity, this attack exploited Internet of Things devices through malware called Mirai that had just been released to the public. As Bruce Schneier concludes in his post on this episode and the lessons we can learn from it, DDoS attacks are likely to become stronger and stronger. If you defend human rights, fight for social justice or produce independent media, consider protecting your website under Deflect!

Deflect Stats September 2016

In September, Deflect metrics grew as new websites joined the service and a popular Syrian website rejoined Deflect to ensure an uninterrupted news stream on the regional conflict. In other news, the Internet witnessed the largest ever DDoS attacks, surpassing 600gbps and then 1 terabyte of traffic per second. These events followed the leaks of an online DDoS service, called vDOS. We ingested and visualized the leaked database, presenting some findings below for your perusal :)

[Figure: september_metrics]

Overall, the Deflect network served 623.2 million pages to 9.3 million unique visitors, and our banning mechanism banned 27,238 bots. Let’s break down these statistics to put the figures in context and give them meaning:

[Figure: sept_deflect_uniqueips_by_country]

While Ukraine is, as usual, the first country of origin of unique visitors of deflected websites, in September the United States lost second place to Turkey.

[Figure: sept_hits_by_country]

As regards daily hits on the Deflect network, the rise in requests from the Russian Federation we had observed at the end of August continued in September, when Russia became the third country of origin, after Ukraine and the USA.

[Figure: sept_deflect_bandwidth_by_country]

September’s statistics on bandwidth usage match the trend we have observed in the graph on daily hits: Ukraine and the USA are as usual the first two countries, followed by Russia.

In September we also observed an improvement in our cache response: as you can see in the pie chart below, around 82% of the pages we served were cached in our servers, while we had to get a copy from your websites for approximately 17% of the requests we received.

[Figure: sept_cache_response]

Our stats on the operating systems used by visitors of deflected websites suggest that the usage of Android is spreading, from around 25% in the last few months to nearly 35%, while the quantity of Windows users has shrunk from around 50% to 39.34%. We are glad to see that the slice of pie corresponding to the obsolete Windows XP is getting smaller and smaller (6.42% last month) — we hope it will soon disappear altogether from our graphs!

[Figure: sept_deflect_os_name]

September attacks

Last month Deflect automatically mitigated several DDoS attempts, with three websites in particular being targeted.

[Figure: sept_bans_by_country]

A vast majority of the bots banned by Deflect in each of the three incidents appears to have originated from the United States.

[Figures: sept_bans_by_country_1, sept_bans_by_country_2, sept_bans_by_country_3]

A split visualization of the major incidents targeting three deflected websites divided by country of origin of the bots shows that in each case the main country of origin was the United States. Another common feature we have observed in most of these DDoS attempts is the method used to launch the attack – the common WordPress Pingback reflective attack method we have often reported about lately.

[Figure: sept_bans_ua_name]

Another attack gave us a lot of food for thought in September. Although it wasn’t targeting the Deflect network, it marked a turning point in the history of DDoS attacks and online censorship. The attack targeted independent journalist Brian Krebs’ website KrebsOnSecurity, an important source of digital security news that had recently reported on the hack of a DDoS-for-hire business known as vDOS. One of our clients appeared in the vDOS target list. Beyond that, we saw that the most common attack method requested was DNS (likely reflection) and that the majority of clients were from China, attacking websites that were also in China.

[Figures: target_countryvsclient_country, attack-type, client_cityvstarget_isp]

What made this attack particularly concerning was its unprecedented intensity: 620 gigabits per second of data were thrown at the website continuously for hours, until Akamai, a network provider that had been supplying KrebsOnSecurity with DDoS mitigation services for free, decided that it was unsustainable for them and their clients to keep protecting Krebs’ website from that onslaught.

Read more about the attack on KrebsOnSecurity in this article, which also explains how its huge botnet was made of Internet of Things devices: common routers, printers, CCTV cameras and the like. The code used to create that botnet has now been released, and similar attacks will probably become more and more frequent. As Brian Krebs himself has noted in this post, which is well worth reading, we are witnessing an alarming trend towards all-pervasive internet censorship. DDoS attacks are expected to become more and more violent in the future. Any website could be targeted, especially one that covers news from an independent point of view or supports a hard-fought cause. DDoS mitigation is much more effective if a website is protected in advance. If you defend human rights, run a civil society organisation or produce independent media, consider registering your website on Deflect now :)

Deflect Stats August 2016

“No news is good news” in the DDoS mitigation game, and this is what we were hoping for in August 2016. We decided to capitalize on this opportunity and focus the team on new developments supporting free Let’s Encrypt certificates for all Deflect clients, as part of the TLS/HTTPS system.

Then, on the 29th everything changed, as one of our oldest clients, Ferghana News, was the first media outlet to report on the death of the president of Uzbekistan, several days before the official announcement. The bottom line is that Deflect’s statistics for August 2016 show what happens when no important DDoS attack hits our edges and at the same time some of the websites we protect get a lot of traffic from human visitors who are interested in news they have published.

[Figure: aug_metrics]

In comparison with the previous month, in August we recorded a decrease in our total metrics, falling even below the figures we saw in the uneventful month of June, but at the end of the month we experienced a sudden peak that brought our monthly statistics back in line with recent trends. Overall, Deflect served 474 million pages to 7.7 million visitors. Meanwhile Banjax, our banning system, banned 20,294 unique IPs.

[Figure: aug_uniqueips_by_country]

August statistics on unique visitors of websites protected by Deflect are topped as usual by Ukraine, followed by the United States and by the Russian Federation, which peaks above every other country towards the end of the month

[Figure: aug_bandwidth_by_country]

Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia as in July. The peak at the end of the month corresponds to an increase in bandwidth usage by Russian IPs.

[Figure: aug_hits_by_country]

Daily hits on the Deflect network, by country: visitors of websites protected by Deflect originate as usual from Ukraine, the USA and Turkey, but at the end of the month connections from the Russian Federation rise above all the others

Dividing Deflect hits by requested websites, we can see that a large part of this increase is connected to Ferghana News, one of the most popular news outlets dealing with Central Asian countries, which was reporting about the death of the president of Uzbekistan in those same days.

[Figure: aug_hits_uzb1]

August total requests for Ferghana News

[Figure: aug_fergana_by_country]

Connections to Ferghana News in August divided by country

Analysing this peak of connections by country of origin, it is clear that the news published on Ferghana News attracted a lot of attention from Central Asian countries, including Uzbekistan, where the website is actually blocked for ordinary citizens (but apparently not for government officials and powerful people). This is a common occurrence in censoring countries, where citizens are prevented from accessing information but rulers know very well how much value an open internet can bring.

[Figure: aug_fergana_russia]

Connections to Ferghana News from the Russian Federation in August

[Figure: aug_fergana_uzbekistan]

Connections to Ferghana News from Uzbekistan in August

[Figure: aug_fergana_kyrgyzstan]

Connections to Ferghana News from Kyrgyzstan in August

[Figure: aug_fergana_tajikistan]

Connections to Ferghana News from Tajikistan in August

Finally, here’s our monthly pie chart on our visitors’ operating systems. Fortunately, the usage of Windows XP keeps falling (7.58% against 8.13% last month), but overall statistics on the operating systems used by our visitors are unchanged, with about half the connections originating from a Windows system, a quarter from Android devices, less than 10% from iOS devices and just a tiny fraction of users choosing Linux or even Mac.

[Figure: aug_os_name]

August attacks on the Deflect network

In August, Deflect didn’t experience any noteworthy attacks on its network, and all DDoS attempts were mitigated automatically.

[Figure: aug_banjax_uniqueips_host]

Number of banned IPs in attacks against single websites protected by Deflect

Even at their peaks, the attempts at attacking websites protected by Deflect didn’t involve more than a couple thousand bots, and from their most common user agents and from the elements triggering our banning system, we can conclude that the most common method used these days to launch DDoS attacks is the WordPress Pingback reflective attack, which we have been describing in each one of our reports in the last few months.

[Figure: aug_ddos1_trigger]

Triggers that activated Deflect’s banning system in August

[Figure: aug_ddos1_uaname]

User Agents used by bots banned by Deflect in August

[Figure: aug_ddos2_uaname]

In one of the attempts at attacking a website protected by Deflect in August, a vast majority of bots masqueraded as a “wordpress” User Agent.

Deflect Stats July 2016

From what our statistics suggest, during the month of July bot controllers must have come back from their holidays: traffic on the Deflect network started to increase again and we witnessed one of the most intense bursts of DDoS attacks we had observed so far. This series of incidents slightly increased our metrics in terms of total hits (652.8 million vs. 514.1 million in June) and unique visitors (8.8 million vs. 7.8 million in June), but in terms of banned IPs the increase was significant, with 601,219 total banning events against 33,637 bans in June, and 52,034 unique IPs banned against 2,915 unique IPs banned during the previous month.

[Figure: metrics_july]

A notable increase was also recorded in our bandwidth usage, which peaked at 18.7TB, up from an average monthly usage of about 13.6TB in the previous quarter.

[Figure: bandwidth_usage_july]

[Figure: bandwidth_may-jul]

Daily bandwidth usage on the Deflect network between May and July

Setting aside malicious events, trends in our statistics are mostly unchanged, with a majority of connections originating from Ukraine, the United States and Turkey.

[Figure: uniqueIPs_by_country]

In July, unique visitors of websites protected by Deflect connected mostly from Ukraine, followed by Turkey and Germany

[Figure: hits_by_country]

Daily hits on the Deflect network, by country: also in July, the main country of origin of visitors of deflected websites was Ukraine, followed by the USA and Turkey. The peak on the 10th of July confirms that the DDoS attacks we helped mitigate on that day originated mostly from the United States

[Figure: bandwidth_by_country1]

Bandwidth usage by country of requesting IP. Once again, Ukraine and the USA are the first two countries requesting resources from deflected websites. Note the peak of requests originating from the United States on July 10th

Looking at visitors’ user agents, we can see that Windows is still the most used operating system, covering at least 46.1% of all connections, followed by Android with 24.63% and iOS with 9.28%. The share of connections from Windows XP has fortunately dropped from 10.18% last month to 8.13% in July, but the recommendations we gave in the post on June statistics still apply to anyone who is running Windows XP on their computers: update your system to a newer version of Windows or, better, switch to Linux!

[Figure: UAOS_pie_chart]

From the statistics on requested resources, we can also visualize what kinds of content are being requested, with over half of the connections requesting text and images from websites.

[Figure: content_pie_chart]

July attacks on the Deflect network

Among the DDoS attacks Deflect helped mitigate, there were some of the most intense bursts we ever observed on our network, targeting the Black Lives Matter official website on the 10th July, and a series of smaller attacks against an independent media website between the 18th and 19th July.

[Figure: bans__jul]

Banning events during the month of July on the Deflect network

[Figure: bans_by_host_jul]

Banning events by host: this month 2 deflected websites were targeted in particular

[Figure: bans_by_country]

Banning events divided by country. The peaks corresponding to the main attacks we mitigated, on the 10th and on the 18th-19th July, all originated mostly from the USA

As we noted in the post on the attack on Black Lives Matter, the 10th July incidents were based on the frequent WordPress Pingback reflective attack method. This can be seen in the graph on the user agent declared by banned bots in the peak corresponding to the attack, where the “wordpress” UA makes up the majority of connections. The same user agent is also clearly visible in the peak of banning events observed on the 18th and 19th July.

A similar pattern can be observed in the count of all connections to the Deflect network, where Google Chrome is the most used browser for regular connections to deflected websites, but a peak of “WordPress” UAs can be seen on the 10th July – those are clearly malicious requests coming from bots.

[Figure: bans_UAname]

Banning events by user agent name: bots used in the attacks were declaring a “wordpress” UA

[Figure: UA_name]

Total hits to the Deflect network divided by user agent: while most of the connections to deflected websites originate from Google Chrome browsers, during the attack we observed a peak of “WordPress” UAs

[Figure: UA_name_WP]

Total hits to the Deflect network divided by user agent: the peak of “WordPress” UAs observed during the attacks is highlighted

The main incident observed on 10 July against the Black Lives Matter website triggered a dramatic increase in banning events by our banning tool Banjax, which recognized the malicious requests from their old WordPress UA, despite the fact that the bots were masquerading as “spiders”.

[Figure: BLM_july_trigger]

What triggered our system to ban bots during the 10th July attack was mainly an old WordPress UA

[Figure: BLM_july_UAdevice]

Bots taking part in the WordPress pingback attack against the BLM website were identifying themselves with a “spider” user agent device

Deflecting cyber attacks against the Black Lives Matter website

Last week and throughout the weekend, Deflect helped mitigate several DDoS attack bursts against the official Black Lives Matter website. At current estimates over 12,000 bots pounded the website just over 35 million times in 24 hours. An unusual trait of this attack was the prevalence of malicious connections originating from the US. An in-depth analytic report will follow this prima facie bulletin.

[Figure: hits_BLM]

Hits against the BLM site

[Figure: unique_ip_country]

All unique visitors (IP) by country

[Figure: unique_bots_by_country]

Unique bots (IP) by country

The Black Lives Matter website had already been attacked in May using a similar method of a WordPress Pingback reflective attack and similarly an unusually high percentage of bots from the US.

[Figure: unique_ip_banned_ddosrule]

Deflect banning rules triggered by the attacks

Despite its intensity, the attack was successfully contained by Deflect, and the Black Lives Matter website remained functional and accessible throughout much of the weekend. Black Lives Matter has released an official statement on this incident together with eQualit.ie, Design Action Collective and May First/People Link:

Keeping a website available when attackers are seeking to take it off-line is essential for many reasons. The most obvious is the importance of protecting the fundamental right to human communication. But the specific targeting that characterizes recent DDOS attacks (on networks supporting reproductive rights, Palestinian rights and the rights of people of color) highlights this type of on-line attack as part of the arsenal being used to quash response and social change movements.

DDOS attacks will increase as our protests and organizing increases and so must our movements’ ability to resist them and stay on-line. The collaborative work that spawned the response to this attack is both an example of this protective effort and yet another step in improving it and making it stronger.

Our organizations work in different areas with different programs but we are united in our commitment to vigorously preserving our movements’ right to communicate and defeating all attempts to curtail that right. Without the ability to communicate freely, we can’t organize and, if we can’t organize, our world can never be truly free.

Read the Statement on the Recent Attacks on Black Lives Matter’s Website.

We are in the process of studying and classifying these attacks using Deflect Labs technology and aim to publish the results in our next Deflect Labs report.

Deflect Stats June 2016

If any conclusion can be drawn in comparing this month’s statistics with the rest of the year, it’s probably that hot weather is also discouraging to those bot controllers launching DDoS attacks! The month was rather uneventful on the malicious side of things, but the team worked in earnest to improve our mitigation mechanisms, including threat detection and banning systems… because, you know, winter is coming.

[Figure: june_metric]

During the month of June, Deflect served almost 8 million unique visitors. Our DDoS mitigation system identified 2,885 IPs as bots, a significant decrease compared to previous months.

Overall, the distribution of visitors and bandwidth usage by country has not changed much in comparison to last month.

[Figure: june_hits_by_country]

Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protected by Deflect was Ukraine, followed by the USA and Turkey

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia

[Figure: june_unique_visitors_by_country]

Unique visitors of deflected websites connect mostly from Ukraine, this month followed by Germany and by a tie between the USA and Turkey

Hits during this month by the most popular content type requested

A more careful look at our visitors’ user agents shows a regular pattern in the usage of operating systems: as usual, Windows is the most used OS, followed by Android with everything else trailing well behind.

[Figure: june_deflect_uaOS]

The real conundrum is illustrated by the following pie chart: how is it possible that in 2016, more than 2 years after its support ended, so many of our visitors still use Windows XP? If you are using it, we strongly recommend to update your system to a newer version of Windows or to switch to Linux (also to make our pie charts a bit more varied!).

[Figure: june_deflect_uaOS_winXP]

June attacks on the Deflect network

This month the Deflect network didn’t face major incidents, and the few DDoS attacks that targeted deflected websites were mitigated automatically.

[Figure: june_banjax_by_country]

Banning events on the Deflect network divided by country

Bots captured this month as identified by the mitigation rules they violated

Most of the bots this month were captured using automatic and hard coded mitigation methods. A few required the deployment of a reverse SHA challenge

Bots this month as sorted by those requesting content (GET) and sending content (POST).

The main incident was observed on the 2nd June. It lasted a few hours and was caused by a smaller botnet made up of around 300 bots that attacked a Ukrainian website. As usual, the method was a WordPress Pingback reflective attack.

2june_ddos_ua_name

The main user agent name used by the bots involved in the 2nd June DDoS attack was “wordpress”

This method, which we often observe in our everyday activity, exploits the WordPress Pingback feature to attack websites, and any WordPress-based site can be affected unless it is adequately secured.

To check if your WordPress website has been used to attack others, you can use this tool. But if your website runs on WordPress, what matters most is to secure it against this kind of attack. It isn’t difficult: all you need to do is install a plugin called Disable XML-RPC Pingback on your website. This will make it impossible for attackers to exploit the WordPress Pingback feature to attack others.

If you want to secure your WordPress-based website against any kind of attacks, Deflect can help: eQPress is our secure hosting platform based on WordPress, where you can either migrate your website or create one from scratch. Visit eQPress’ website for more details.

Deflect Stats May 2016

May 2016 was an interesting month for Deflect. We began the month with two intense attacks that required our team’s intervention right in the middle of May Day. After this, the month unrolled with a series of smaller attacks against the same websites, which were by then automatically mitigated by the Deflect network without requiring further effort. Traffic figures were comparable to those recorded in April.

metrics

During the month of May, Deflect served 600 million pages to 8.7 million unique visitors. Our DDoS mitigation system also banned 14,579 IPs identified as bots.

hits_by_country

Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protected by Deflect was Ukraine, followed by the USA and Turkey

bandwidth_by_country

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia

UA_OS

Windows remains the most common operating system among Deflect readers this month too, closely followed by Android devices. We still see a substantial amount of Windows XP users several years after Microsoft pulled support for this operating system.

As shown in the pie chart below, also in May, as in April, around 70% of the pages we served were cached in our servers, while we had to get a copy from our users’ websites for approximately 20% of the requests we received.

cache_response

Deflect’s caching system responses for the month of May

May attacks on the Deflect network

On May Day Deflect mitigated two strong attacks that required our staff’s intervention.

DDoS_by_host

DDoS attacks mitigated by Deflect in May 2016 targeted mainly two websites

Several incidents observed during the month used the WordPress Pingback reflective attack method, which is very common and which we often encounter in our day-to-day work. This is the method used in one of the strong attacks we mitigated on the 1st May, when thousands of bots attacked the targeted website for most of the day, up to midnight. Although we have seen much larger botnets attacking our protected websites, this one hit with short peaks of high intensity, forcing us to intervene manually in order to trigger an earlier blockage of these requests and make sure they couldn’t reach the origin server, as well as to reduce the load on our servers. Since the WordPress Pingback attack uses any WordPress website available anywhere on the web to create a botnet, it was impossible for us to identify a main country of origin for this attack.

By deploying the Banjax Challenger, we eliminated all the bots requesting these pages.

WPattack

Among the UAs used by bots in the May 1st attacks, a large number identified themselves with a “wordpress” user agent name

One of the websites targeted by the May Day DDoS attacks was blacklivesmatter.com, which was attacked again during the rest of the month, in particular on the 9th and 21st May. These attacks were based on different methods: while in the latter cases a common WordPress pingback attack method was used, on May 1st the attackers flooded the site with GET requests to its root path (“/”), coming from various locations across the world. Deflect automatically mitigated the second and third attacks, but the first one, which lasted 2 hours with a fairly steady level of 8000 hits per minute, managed to take the server down despite a lot of content being served by Deflect’s edge servers. We will be investigating these attacks in more detail with the aim of publishing our analysis in a Deflect Labs report.

BLM_trigger

The triggers that alarmed our botnet detection system during the DDoS attack on Black Lives Matter’s website

Deflect Labs Report #2

Botnet attack analysis of Deflect protected website bdsmovement.net

This report covers six incidents discovered between February 1st and March 31st targeting the bdsmovement.net website, including methods of attack, identified botnets and their characteristics. It provides detailed technical information and analysis of trends with the introduction of the BotHound library for attack fingerprinting and botnet classification. We cluster malicious behaviour on the Deflect network to identify individual botnets and employ intersection analysis of their activity throughout the documented incidents and further afield. Our research includes discovered patterns in the selection of targets by the actors controlling these attacks.

Deflect is a website security project working with independent media, human rights organizations and activists. It offers DDoS mitigation, secure hosting and attack analytics, free of charge to qualifying organizations. All of our tools are open source and we operate according to principles promoting the privacy of our clients. Deflect is a project of eQualit.ie, a Canadian not-for-profit organization working to promote and defend human rights in the digital age.

General Info

The Boycott, Divestment and Sanctions Movement (BDS Movement, bdsmovement.net) is a Palestinian global campaign, initiated in 2005. The BDS movement aims to nonviolently pressure Israel to comply with international law and to end international complicity with Israel’s violations of international law. Their website has been protected by Deflect since late 2014 and has frequently been attacked.

Graph 1. Timelion graph showing the average hits per day in the period of February 1st to March 31st (in red) and the moving average + 3 standard deviation (in blue).

Attack Profile

During February and March of 2016, there were 6 recorded incidents against the target website. The Deflect Labs infrastructure allows us to capture, process and profile each attack, analysing unique incidents and intersecting findings with a database of profiled botnets. We define the parameters for anomalous behaviour on the network and then group (“cluster”) malicious IPs into botnets using unsupervised machine learning algorithms.

Graph 2. Total hits to the website, by country of origin. The spikes represent attacks investigated in this report

Graph 3. Prevalence of WordPress pingback attacks during the six incidents

We define each incident by wrapping it inside a given time frame, record the total number of hits that reached the website during this time and use our analytic tool set to separate malicious requests made by bots from genuine everyday traffic.
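
For readers who want to reproduce the time-frame step, here is an added example (not Deflect tooling) that applies the moving average + 3 standard deviation rule shown in Graph 1 to a constructed 30-day series of daily hits and turns the flagged days into incidents with start, stop and total hits. Excluding already-flagged days from the baseline is an assumption of this example, added because one large attack day would otherwise raise the threshold and hide the next.

```python
from statistics import mean, pstdev


def detect_incidents(daily_hits, window=7, k=3.0, exclude_attack_days=True):
    """Flag days whose hits exceed moving average + k * standard deviation, then
    group consecutive flagged days into incidents.

    The baseline is the last `window` days before the day under test. With
    exclude_attack_days=True, flagged days are left out of the baseline, so a
    big attack day does not inflate the threshold and mask a smaller follow-up
    attack the next day. Returns a list of (start_index, stop_index, total_hits).
    """
    baseline, flagged = [], []
    for hits in daily_hits:
        if len(baseline) >= window:
            recent = baseline[-window:]
            # With a perfectly flat baseline pstdev is 0 and any rise is flagged;
            # production use would add a minimum absolute margin here.
            is_attack = hits > mean(recent) + k * pstdev(recent)
        else:
            is_attack = False            # not enough history to judge yet
        flagged.append(is_attack)
        if not is_attack or not exclude_attack_days:
            baseline.append(hits)

    incidents, start = [], None
    for i, f in enumerate(flagged):
        if f and start is None:
            start = i
        elif not f and start is not None:
            incidents.append((start, i - 1, sum(daily_hits[start:i])))
            start = None
    if start is not None:
        incidents.append((start, len(daily_hits) - 1, sum(daily_hits[start:])))
    return incidents


# Constructed daily hit counts for 30 days (not real Deflect figures): a baseline
# around 100k with small deterministic jitter, a two-day attack on days 10-11
# and a single large spike on day 20.
DAILY_HITS = [100_000 + (i * 7919) % 6000 for i in range(30)]
DAILY_HITS[10] += 780_000
DAILY_HITS[11] += 220_000
DAILY_HITS[20] += 1_900_000

if __name__ == "__main__":
    for start, stop, total in detect_incidents(DAILY_HITS):
        print(f"incident: day {start} to day {stop}, {total:,} hits")
    # With attack days kept in the baseline, day 11 is masked by day 10:
    print(detect_incidents(DAILY_HITS, exclude_attack_days=False))
```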

Table 1. Attacks Summary, including start/end date, duration, size of the incident, size and number of the botnets detected

id  Incident start    Incident stop     Duration  Total hits  Unique IPs  Bots identified  Identified botnets
29  2016-02-10 21:00  2016-02-11 01:00  ~5hrs     879,634     14,773      12,921           3
30  2016-02-11 10:30  2016-02-11 12:30  ~2hrs     321,203     11,108      9,023            3
31  2016-03-01 15:00  2016-03-01 19:30  ~6h30     3,597,689   5,918       3,243            3
32  2016-03-02 12:30  2016-03-02 16:00  ~3h30     13,559,169  19,851      2,748            2
33  2016-03-04 09:00  2016-03-04 09:30  ~30min    2,058,710   9,613       8,844            1
34  2016-03-08 14:20  2016-03-08 16:40  ~2h20     5,017,045   7,937       7,151            1

The number of unique bots and their grouping into specific botnets is the result of clustering work by BotHound. This toolkit classifies IPs by their behaviour, and allows us to determine the presence of different botnets in the same incident (attack).

Botnet profile

Using BotHound, we have calculated the percentage of unique IPs (classified as bots) that recur in separate incidents. A substantial percentage of previously seen bots would be one way to identify whether a botnet was re-used for attacking the same target. It would reveal a trend in botnet command and control behaviour. This intersection of botnet IPs also creates an opportunity to compare activity between several target websites, whether protected by Deflect or on one of our peers’ networks. Taken together, we begin to build a profile of activity for each botnet, helping us make assumptions about their motivation and target list.

Table 2. Intersection of identical bots across the incidents

Incidents  Identical bots in both incidents  Share of identical bots (of the smaller incident)
29, 30     6,928                             76.8%
31, 32     1,450                             91.0%
33, 34     4,249                             59.4%
32, 33     438                               17.9%

Graph 4. Hits from bots and their country of origin, grouped by identified botnets. Update your software and malware cleaners please!

Table 3. Identified botnets and the incidents they appear in

Botnet ID  Seen in incidents  Unique bots  Attack method  Top 10 countries of bot origin
1          29, 30             13,857       POST           Russian Federation; Ukraine; China; Lithuania; Germany; Switzerland; Gibraltar; United Kingdom; Netherlands; France
2          29, 30             8,913        POST           Russian Federation; China; Ukraine; Germany; Lithuania; United States; Switzerland; United Kingdom; France; Gibraltar
4          31, 32             2,589        Pingback       United States; Germany; United Kingdom; Netherlands; China; Japan; Singapore; Ireland; France; Spain; Australia
5          31, 32             772          Pingback       United States; United Kingdom; Germany; Netherlands; Italy; France; Russian Federation; Singapore; Canada; Japan; China
6          31                 971          Pingback       United States; China; Germany; Japan; United Kingdom; Singapore; Netherlands; France; Ireland; Canada; Australia
7          33, 34             11,746       Pingback       United States; United Kingdom; Germany; France; Netherlands; China; Canada; Russian Federation; Ireland; Spain; Turkey

Botnet target selection

Deflect protects a large number of qualifying human rights and independent media websites the world over. Our botnet capture and analytic tool set allows us to investigate attack characteristics and patterns. We consider the presence (intersection) of over 30% of identical bots as originating from a similar botnet. During our broader analysis of the time period covered by this report, we have found that botnet #7, which targeted the bdsmovement.net website on March 3rd, also hit the website of an Israeli Human Rights organisation under our protection on April 5th and April 11th. In each incident, over 50% of the botnet IPs hitting this website were also part of botnet #7 analysed in this report. Furthermore, a peer website security organization reviewed our findings and concluded that a substantial amount of IPs belonging to this botnet were targeting another Israeli media website under its protection, on April 7th and April 12th. The organisations targeted by this botnet do not share a common editorial line, nor are they associated with each other in any way. Their primary similarities can be found in their emphasis on issues relevant to the protection of human rights in the Occupied Territories and exposing violations in the ongoing conflict. Our analysis shows that these websites may have a common adversary, the controller or renter of botnet #7, that their individual work has aggrieved. We will present our findings on this investigation in more detail in an upcoming report.
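
To make the 30% rule concrete, here is an added example (not BotHound or Deflect code) that computes the Table 2 measure, identical bots as a share of the smaller incident, for every pair of incidents and links incidents transitively whenever a pair clears the threshold. The incident populations are constructed from obviously synthetic 10.x.y.z addresses and only mimic the shape of Table 2.

```python
from itertools import combinations


def intersection_share(bots_a, bots_b):
    """Identical bot IPs as a share of the smaller incident, as in Table 2."""
    small = min(len(bots_a), len(bots_b))
    return len(bots_a & bots_b) / small if small else 0.0


def link_incidents(incidents, threshold=0.30):
    """Group incidents whose bot populations overlap by more than `threshold`.

    incidents: dict incident_id -> set of bot IPs. Links are transitive
    (union-find): if 31~32 and 32~33 both clear the threshold, 31, 32 and 33
    end up in one group even when 31 and 33 overlap little.
    Returns (groups, pairwise) where pairwise[(a, b)] is the share for that pair.
    """
    parent = {i: i for i in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x

    pairwise = {}
    for a, b in combinations(sorted(incidents), 2):
        share = intersection_share(incidents[a], incidents[b])
        pairwise[(a, b)] = share
        if share > threshold:
            parent[find(a)] = find(b)
    groups = {}
    for i in incidents:
        groups.setdefault(find(i), set()).add(i)
    return sorted(groups.values(), key=min), pairwise


def _pool(tag, n):
    """Synthetic bot addresses in a 10.<tag>.0.0/16 private range: not real attackers."""
    return {f'10.{tag}.{i // 256}.{i % 256}' for i in range(n)}


# Constructed incident populations (not the report's data) shaped like Table 2:
# heavy reuse inside the pairs 29/30, 31/32 and 33/34, a weak 25% link between
# 32 and 33, and nothing shared between the February and March incidents.
SAMPLE_INCIDENTS = {
    29: _pool(1, 1000) | _pool(11, 200),
    30: _pool(1, 800) | _pool(12, 100),
    31: _pool(2, 500),
    32: _pool(2, 450) | _pool(3, 150),
    33: _pool(3, 150) | _pool(4, 700),
    34: _pool(4, 600) | _pool(14, 50),
}

if __name__ == '__main__':
    groups, pairwise = link_incidents(SAMPLE_INCIDENTS)
    for (a, b), share in sorted(pairwise.items()):
        if share:
            print(f'{a}, {b}: {share:.1%}')
    print('botnet groups at 30%:', groups)
    # Lowering the bar to 20% lets the weak 32/33 link chain #31-34 together.
    print('botnet groups at 20%:', link_incidents(SAMPLE_INCIDENTS, threshold=0.20)[0])
```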

Botnet behaviour comparison

BotHound works by classifying the behaviour of actors on the network (whether human or bot) and clustering them according to a set of pre-defined features. Malicious behaviour stands out from the everyday trend of regular traffic. In the graphic below, red spots are attacker sessions and blue spots are all other (regular) traffic. The graphic displays all 6 incidents combined. We chose the following 3 dimensions to visually represent a projection from the 7-dimensional space in which BotHound clustering is calculated:

  • HTTP request depth
  • Variance of HTTP request interval
  • HTML to image ratio

Graph 5. Clustering of bot behaviour from the six incidents covered in this report. The graphic illustrates that malicious behaviour, no matter the botnet characteristics, follows a determined pattern which resembles automated machine-driven properties of a botnet attack.
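
An added, self-contained illustration (not the BotHound implementation) of the three features listed above: each is computed per IP from constructed request sessions and the feature vectors are fed to a small two-cluster k-means, so that the fixed-cadence, image-free attack sessions separate from ordinary browsing. The sample sessions, the log-scaling of the two wide-range features and the choice of the low-variance cluster as the bot cluster are assumptions of this example, not the report's.

```python
import math
import random
from statistics import mean, pstdev, pvariance

IMAGE_EXT = ('.jpg', '.jpeg', '.png', '.gif', '.svg', '.ico', '.webp')


def session_features(requests):
    """requests: (timestamp_seconds, path) pairs for one IP, in any order.
    Returns [request depth, variance of request interval, HTML-to-image ratio]."""
    requests = sorted(requests)
    paths = [p.split('?', 1)[0] for _, p in requests]
    depth = mean([len([seg for seg in p.split('/') if seg]) for p in paths])
    times = [t for t, _ in requests]
    intervals = [b - a for a, b in zip(times, times[1:])]
    interval_var = pvariance(intervals) if intervals else 0.0
    images = sum(1 for p in paths if p.lower().endswith(IMAGE_EXT))
    html = len(paths) - images
    return [depth, interval_var, html / max(images, 1)]   # avoid division by zero


def standardize(vectors):
    """z-score every column so no single feature dominates the distance."""
    cols = list(zip(*vectors))
    mus = [mean(c) for c in cols]
    sds = [pstdev(c) or 1.0 for c in cols]
    return [[(v - m) / s for v, m, s in zip(vec, mus, sds)] for vec in vectors]


def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans2(points, max_iter=50):
    """Two-cluster Lloyd's algorithm, seeded deterministically with the two farthest points."""
    n = len(points)
    i0, j0 = max(((i, j) for i in range(n) for j in range(i + 1, n)),
                 key=lambda ij: _dist2(points[ij[0]], points[ij[1]]))
    centroids = [list(points[i0]), list(points[j0])]
    labels = None
    for _ in range(max_iter):
        new_labels = [0 if _dist2(p, centroids[0]) <= _dist2(p, centroids[1]) else 1
                      for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for c in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:
                centroids[c] = [mean(col) for col in zip(*members)]
    return labels, centroids


def classify_sessions(sessions):
    """sessions: dict ip -> list of (timestamp, path). Returns (bot_ips, human_ips)."""
    ips = sorted(sessions)
    raw = [session_features(sessions[ip]) for ip in ips]
    # Interval variance and HTML/image ratio differ by orders of magnitude between
    # humans and bots; log-compress them before standardising so clusters stay compact.
    compressed = [[d, math.log1p(v), math.log1p(r)] for d, v, r in raw]
    labels, centroids = kmeans2(standardize(compressed))
    # Attack sessions fire at a fixed cadence, so the cluster whose centroid has the
    # lower interval variance is taken as the bot cluster.
    bot_label = 0 if centroids[0][1] < centroids[1][1] else 1
    bots = {ip for ip, lab in zip(ips, labels) if lab == bot_label}
    return bots, set(ips) - bots


def build_sample_sessions():
    """Constructed traffic, not Deflect data: 6 browsing humans and 10 bots from
    two 'botnets' that hammer / at fixed rates and never fetch images."""
    rng = random.Random(7)
    sessions = {}
    for h in range(6):
        t, reqs = 0.0, []
        for page in range(4):
            t += rng.uniform(5, 90)                      # reading time between pages
            reqs.append((t, f'/news/story-{h}-{page}/'))
            for img in range(rng.randint(2, 6)):         # assets fetched right after
                reqs.append((t + 0.1 * (img + 1), f'/wp-content/uploads/{page}-{img}.jpg'))
        sessions[f'192.0.2.{h + 1}'] = reqs
    for b in range(10):
        period = 1.0 if b < 5 else 5.0
        sessions[f'203.0.113.{b + 1}'] = [(i * period, '/') for i in range(40)]
    return sessions


if __name__ == '__main__':
    bots, humans = classify_sessions(build_sample_sessions())
    print('bots:', sorted(bots))
    print('humans:', sorted(humans))
```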

In-depth incident analysis

We have captured, analysed and now profiled each botnet witnessed in the 6 incidents. We break down incidents into three groups, by similarity of attack characteristics and the time of occurrence.

Incidents #29 & #30

Date: February 10-11, 2016
Duration: approximately 28 hours
Identified botnets: 2 (botnet id: #1 #2)
IP intersection between botnets: 76%
Attack type: HTTP POST


Attack analysis

After doing extensive cluster analysis to separate “good” from “bad” IPs based on their behaviour during the incident time frame, we applied a novel secondary clustering method which identified two different patterns of behaviour spanning both incidents. The first attack pattern was using bots to hit the target very fast, with similar characteristics (session length, request intervals, etc.). The second botnet was hitting slower, but more consistently. The session length was varying, likely to evade our mitigation mechanisms. However, the request interval between hits was zero, which helped us identify them. It is easy to distinguish two different botnets from the graphs below.

Identified botnet #1
Members: 13,857
Observations:

  • Session length = 314 sec
  • Payload average = 521 byte
  • Hit rate = 0.04 /minute
  • Requests: 500,000
  • Host header: accurate
  • Method: POST (> 99.9%)
  • URI path: / (> 99.9%)
  • UA: low variation, with most major UAs represented

Deflect Response: Moderate blocking success, origin was affected.


Identified botnet #2
Members: 8,913
Observations:

  • Session length = 429 sec
  • Payload average = 447 byte
  • Hit rate = 0.05 /minute
  • Requests: 600,000
  • Host header: accurate
  • Method: POST (> 99.9%)
  • URI path: / (> 99.9%)
  • UA: low variation (slightly higher than botnet 1), most major UAs represented

Deflect Response: Moderate blocking success, origin was affected.

The attacks resulted primarily in HTTP 502 (bad gateway) and 504 (gateway timeout) response codes.

The botnet attacks with several hundred unique IPs and rotates through a few dozen user agents. Graph tallies at 15 second intervals.

IP geo-reference

The IP address requesting a site can be geo-located. Another way we visualize botnet behavior is by cross-referencing the country of bot origin. We can easily see attack intensity (number of hits) versus bot distribution (unique IPs) in the diagrams below.

Graph 6. Hits against target website, by their geographic origin.

Graph 7. The same timespan as per the previous graph, only this time showing a count of unique IPs, per country geoIP

User agent and device

Every website request usually contains a header with identifying information about the requester. This can be faked, of course, but either way it stands out from the general pattern of traffic to the website. These incidents had a high consistency of “Generic Smartphone” and “Other” devices, describing the hardware unit from which the request was supposedly made. It is common for botnets to spoof a user agent device or, at least, to share a common one.

Graph 8. Shows the devices used in the February botnet attack. As we can see, the majority comes from “Generic Smartphone” or “Other” device. Such consistency shows that these are part of an attack, rather than regular visitors.

Conclusions on incident #29 and #30 attacks
  • These attacks were distinguished by the relatively large number of participating bots, but were smaller in intensity (number of hits on target) compared to incidents #31-34. Three attacks were launched during the period of these incidents, requesting the same URL (/) as well as using the same “device” in the user agent of the request.
  • There were two and possibly three botnets in these incidents. They can be differentiated by the geographic location of their bots and their hit rates during the attack. What is interesting is that the attack method is the same across the different botnets and attack times. The two botnets also share a high percentage of intersecting bot IPs (76.8%). This may be an indication that they are subnets of a larger malicious network and are being controlled by the same entity.

Incidents #31 & #32

Date: March 1-2, 2016
Duration: approximately 21.5 hours
Identified botnets: 3 (botnet id: #4 #5 #6)
IP intersection between botnets: 91%
Attack type: Reflection – WordPress Pingback[1]

Attack Analysis

Attackers utilised the same botnet (91% intersection) during incidents #31 and #32, within a time range of 22 hours. Incident #32 is the biggest in terms of hits out of the entire period covered by this report, counting over 13.5 million total hits in 6 hours. These incidents have a very similar UA (device) characteristic, the majority of which are identified as “Spider” (we analyse the UA characteristic further down in this report).

Identified botnet #4

Members: 2,589
Observations:

  • Session length = 2,971 sec
  • Payload average = 8,217 byte
  • Hit rate = 1.7 /minute
  • Requests: 10.8 million
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA: high variation, all WordPress pingback

Deflect Response: Successfully blocked. 91% of responses to botnet processed by edge within 20ms

Comparison of unique IPs versus unique user agent strings at 30 second intervals

Identified botnet #5
Members: 772
Observations:

  • Session length = 3,587 sec
  • Payload average = 10,221 byte
  • Hit rate = 0.48 /minute
  • Requests: 3 million
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA: high variation, all WordPress pingback

Deflect Response: Successfully blocked. 85% of responses to botnet processed by edge within 20ms

Comparison of unique IPs versus unique user agent strings at 30 second intervals. Note the probing attack before escalation

Identified botnet #6
Members: 971
Observations:

  • Session length = 583 sec
  • Payload average = 31,317 byte
  • Hit rate = 0.49 /minute
  • Requests: 145,000
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA variation: high variation, all WordPress pingback

Deflect Response: Relatively small incident – some attackers did not trigger our early detection with around 15% getting through to origin (22,000 requests returned an HTTP 200). Successfully blocked.

Error codes showing blocked request versus those that got to the origin site in incident #31

User agent and device

The “UA” parameter in our logging system identifies the user agent string in the request header made to the target website. It usually represents the signature (or version) of the program used to query the website, for example “Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko” means that the request was made from Internet Explorer version 11, running on the Windows 7 operating system [2]. The “device” parameter in our logging system identifies the hardware (device) the user agent is running on, for example “iOS Device” or “Nexus 5” or “Windows 7”. In this case, the vast majority of IP addresses hitting the site were categorised as “spiders”. A spider, or web crawler, is software used by search engines to index the web. User agent strings are just text and can be changed (faked) to say anything – including copying a user agent string commonly used by some other software.

Graph 9. Hit count from various devices throughout incidents 31-32

Graph 10. Unique IP count from various devices throughout incidents 33-34

Conclusions on incident #31 and #32 attacks
  • These incidents stand out for their common attack and attacker characteristics, with an intersection of 91% of bots used in both instances (of the smaller incident). Botnet #4 and #5 behaviour differs only in their hit rate. Botnet #5 and #6 have a similar number of bots and an almost identical hit rate. Interestingly, they differ greatly in the number of hits each one of them launched at the target site. It seems that all three botnets had strong presence on computers in the United States. All botnets used the same attack method – WordPress pingback – in both incidents.
  • The similarities between bot IP addresses and the attempts to vary the attack pattern from very similar botnets indicate human-led efforts to adapt their botnet to get past Deflect defences. It appears that the botnets used in these two incidents have the same controller behind them.

Incidents #33 & #34

Date: March 4, March 8, 2016
Duration: 30 mins, 2 hours and 20 minutes
Number of bots: 8,844 and 7,151
Identified botnets: 1 (botnet id: #7)
Attack type: Reflection – WordPress Pingback[1]


Identified botnet #7
Members: 11,746
Observations:

  • Session length = 2,665 sec
  • Payload average = 15,572 byte
  • Hit rate = 0.30 /minute
  • Requests: 7.9 million
  • Host header: accurate
  • Method: GET (> 99%)
  • URI path: / (> 99%)
  • UA variation: high variation, mostly WordPress pingback (92%)

Graph 11. Comparable values of unique IPs and unique UAs. We see a huge difference from other botnets in this report

Deflect Response: Moderate blocking success. 75% of requests dealt with in <200ms, 5% origin read timeouts

Graph 12. Unique IP count from various devices throughout incidents #33-34

Conclusions on incident #33 and #34 attacks
  • Incident #33 comes across as a probe (or a first attempt) before a much stronger attack with similar characteristics is launched in incident #34. This is backed up by the use of a single botnet in both incidents.
  • Botnet #7 appears in other attacks against Israeli websites, on our network and on the network of one of our peers. The attack pattern used in these incidents is similar to that of the previous two incidents, and we have found a 17.9% intersection between bots used in incidents #32 and #33, possibly linking #31-34 together. Along with the prevalence of bots originating from the United States, there is some justification for thinking that botnets #4-7 originate from the same larger network.

Report conclusions

Attempts to bring down the bdsmovement.net website were made using several (at least two distinct and relatively large) botnets and varied in their technical approach. This shows a level of sophistication and commitment not generally seen on the Deflect network. The choice of attack method allowed us to see which website was being targeted, which may have been a conscious decision. However, we did not find anything linking the attacks in incidents #29-30 with those in incidents #31-34. The relative success in affecting the origin in the first two incidents was not built upon in the next four. Furthermore, other effective methods to swarm the network with traffic or overwhelm our defence mechanisms could have been used, had the attackers had enough resources and dedication to achieve their aims.

The creation of historical profiles for botnet activity and the ability to intersect our results with peer organizations will lead to better understanding of trends, across a greater swath of the Internet. Adapting botnet classification tooling to automated defense mechanisms will allow us to notify peers about established and confirmed botnets in advance of an attack. By slowly chipping away at the impunity of botnet controllers, we hope to reduce the prevalence of DDoS attacks as a method for suppressing online voices.

eQualit.ie is inviting organizations interested in this collaboration to reach out.

 



[1] A WordPress pingback attack uses a legitimate function within WordPress that notifies other websites that you are linking to them, in the hope of reciprocity. It calls the XML-RPC function to send a pingback request. The attacker chooses a range of WordPress sites and sends them a pingback request, spoofing the origin as the target website. This feature is enabled by default on WordPress installations and many people run their websites unaware of the fact that their server is being used to reflect a DDoS attack.
[2] http://www.useragentstring.com/index.php

Deflect Stats April 2016

April 2016 was notable for the number of attacks launched against Deflect protected websites. Most of them used the WordPress Pingback reflective attack method. Ukrainian readers topped our statistics this month, with readers from the United States, Ecuador and Russia also generating several million daily hits.

april-16-stats

 

Daily hits on the Deflect network, by country

april-16-bandwidth-country

Bandwidth, measured hourly and summed by country of requesting IP

april-16-OS-pie

Windows 7 is the most common operating system among Deflect readers this month

An interesting set of data regards our cache response: as shown in the pie chart below, in April around 70% of the pages we served were cached in our servers, while we had to get a copy from your websites for approximately 20% of the requests we received.

 

Deflect’s caching system responses for the month of April

Attacks on the Deflect network in April 2016

Around a dozen separate incidents were recorded on the network in April. It’s important to note that the statistics represented here are from requests that triggered our banning mechanisms. In reality there may have been many more malicious requests. As per last month’s stats, the majority of bots were originating from the United States.

april-16-swabber-by-country

 

The majority of botnets captured by Deflect were using the WordPress Pingback attack mechanism, masquerading with a “spider” user agent device. The “Ua_Device” parameter is derived by our system, which recognises the user-agent strings used by many different devices and categorises traffic accordingly. In this case the vast majority of IP addresses hitting the site were categorised as “spiders”. A spider, or web crawler, is software used by search engines to index the web. In order to index pages, however, a spider would usually visit each page of a website only once. In this case each IP address claiming to be a “spider” was requesting pages a very large number of times. User-agent strings are just text and can be changed by clients to anything they like – including copying a user-agent string commonly used by some other software. We conclude that this was malicious traffic from a botnet masquerading as web-crawler traffic.
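
A defender-side check that combines the two observations made in these monthly stats (the June note that reflected pingback bots identify with a “wordpress” user agent, and the point above that a genuine crawler fetches a page roughly once): an added example, not Deflect or eQualit.ie code, that parses combined-format access-log lines, pulls the reflector site and the address the reflector says submitted the pingback out of WordPress's verification user agent, and flags “spider” IPs that hit one path many times. The log lines are constructed; the combined log layout and the WordPress user agent format are assumed to be the common defaults.

```python
import re
from collections import Counter, defaultdict

# Combined log format (nginx/Apache default layout, assumed here; not Deflect's own).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# User agent a WordPress site sends when it verifies a pingback it received. The
# "verifying pingback from" address is whatever that site saw as the submitter's IP.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\d.]+; (?P<reflector>https?://[^;\s]+); verifying pingback from (?P<claimed>\S+)$'
)
SPIDER_UA_RE = re.compile(r'bot|spider|crawl', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_ua(ua):
    """Label a user agent as 'pingback', 'spider' or 'other' (plus pingback details)."""
    m = PINGBACK_UA_RE.match(ua)
    if m:
        host = m.group('reflector').split('://', 1)[1].rstrip('/')
        return 'pingback', host, m.group('claimed')
    if SPIDER_UA_RE.search(ua):
        return 'spider', None, None
    return 'other', None, None


def analyse(lines, repeat_threshold=10):
    """Summarise reflected-pingback traffic and self-declared spiders that hammer one path."""
    reflectors, claimed_sources = Counter(), Counter()
    pingback_hits = parsed = 0
    spider_path_hits = defaultdict(Counter)      # ip -> path -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        kind, reflector, claimed = classify_ua(rec['ua'])
        if kind == 'pingback':
            pingback_hits += 1
            reflectors[reflector] += 1           # which third-party sites are being abused
            claimed_sources[claimed] += 1        # where the reflectors say pingbacks came from
        elif kind == 'spider':
            spider_path_hits[rec['ip']][rec['path']] += 1
    # A genuine crawler fetches a page about once; many hits on one path is abuse.
    suspect_spiders = {
        ip: max(paths.values())
        for ip, paths in spider_path_hits.items()
        if max(paths.values()) > repeat_threshold
    }
    return {
        'parsed': parsed,
        'pingback_hits': pingback_hits,
        'reflectors': reflectors,
        'claimed_sources': claimed_sources,
        'suspect_spiders': suspect_spiders,
    }


# Constructed sample traffic, not Deflect data: two WordPress reflectors, one browser,
# one crawler fetching a page once, and one "spider" requesting / sixty times.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2016:14:01:03 +0000] "GET / HTTP/1.1" 200 8217 "-" '
    '"WordPress/4.5.2; http://blog-a.example; verifying pingback from 198.51.100.9"',
    '203.0.113.8 - - [02/Jun/2016:14:01:03 +0000] "GET / HTTP/1.1" 200 8217 "-" '
    '"WordPress/4.4.1; https://shop-b.example/; verifying pingback from 198.51.100.9"',
    '203.0.113.7 - - [02/Jun/2016:14:01:04 +0000] "GET / HTTP/1.1" 200 8217 "-" '
    '"WordPress/4.5.2; http://blog-a.example; verifying pingback from 198.51.100.9"',
    '192.0.2.50 - - [02/Jun/2016:14:01:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '192.0.2.51 - - [02/Jun/2016:14:01:06 +0000] "GET /news/ HTTP/1.1" 200 4711 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
] + [
    f'203.0.113.9 - - [02/Jun/2016:14:02:{i:02d} +0000] "GET / HTTP/1.1" 200 4711 "-" '
    '"Mozilla/5.0 (compatible; SampleSpider/1.0)"'
    for i in range(60)
]

if __name__ == '__main__':
    summary = analyse(SAMPLE_LOG)
    print('pingback hits:', summary['pingback_hits'])
    print('abused reflectors:', summary['reflectors'].most_common())
    print('claimed pingback sources:', summary['claimed_sources'].most_common())
    print('spiders hammering one path:', summary['suspect_spiders'])
```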

april-16-swabber-by-ua-device

Bots taking part in a WordPress pingback attack identifying themselves with a “spider” user agent device

april-16-swabber-ua-spider

Most of the “spider” bots were originating from the United States

TA3M May ’16 – “Who Am I” Film Screening

Join us for the next TA3M for a screening of the German hacker film Who Am I.

After the screening we will host a group discussion led by Gabriella Coleman (Professor at McGill University who works on computer hackers) and Thomas Geffroyd (Ubisoft, Content Director for the Hacker game Watchdogs) about the film and the role popular culture plays in heroizing or demonizing hackers.

Location: McGill Arts Building
Room: ARTS 260

When? May 16th, 18:00-20:00
We will be starting the movie by 18:15, so please try to arrive on time.

To see a history of past TA3M Montreal events please refer to our archive.

eQPress – secure hosting with Deflect

In the last few months, the Deflect team has set up a hosting platform that allows anybody to have an easy-to-manage, secure website (or even a multisite) that protects you not only from DDoS attacks, but also from other problems that may arise if your hosting provider is poorly resourced, unable to handle basic attacks or easily susceptible to social engineering.

We are now proud to present eQPress to the world: a WordPress-based platform protected by Deflect and by our team’s experience with infrastructure hardening and secure service provision where you can migrate your WordPress-based website or create a new one from scratch.

Built on the easypress.ca managed WordPress framework, the eQPress codebase has been reviewed, refactored and finally open-sourced by eQualit.ie’s team. This framework offers peace of mind to you when it comes to managing your website(s) and to us in terms of technical security and stability. Most importantly, it keeps the hosting server completely hidden behind the Deflect network, preventing direct brute force and denial of service attacks against your website.

Other features included in eQPress are:

  • A customized plugin for administration tasks that would otherwise require shell access
  • A “lockdown” feature, so that normal users cannot “break the site” and attackers cannot inject malicious scripts
  • A secure system for generating passwords and distributing them to users
  • Full disk LUKS encryption on eQPress infrastructure and fully encrypted external backup
  • High performance nginx, php-fpm
  • Quick WordPress install of single sites and multisites
  • A sustainable and easily replicable system

And the good news is that if you meet our eligibility criteria and already have a WordPress-based website or want to create one, you can be hosted on eQPress too!

Use the Console to manage your eQPress account

When you first create a website on eQPress, what you need to know is how to configure it and how to use WordPress. But if you’ve ever managed a WordPress-based website or blog and/or have just migrated your existing site to eQPress, you will probably be already familiar with the WordPress Dashboard and don’t need any introduction to its usage.

What you will find different in the eQPress administration panel, though, is the Console – an additional administration panel that enhances the functionalities of the common WordPress admin interface. Through the Console, you can perform some administrative tasks that would otherwise require shell access, like changing some settings that would be complicated to edit otherwise and enhancing the security of your website.

By accessing the Console, you will be able to perform the tasks described in the sections below.

To access this interface, click “Console” in the sidebar on the left of your WordPress admin panel.

console1

View your statistics

In the “Website Stats” section of the Console, you can view the exact number of times your site has been accessed in the last few months (“Monthly Stats”) and days (“Recent Daily Stats”), with a highlight on the busiest day your website has recorded. Please note that robots and spiders are also included in the total number.

console2

Click “Website Stats” in the Console menu in the left-hand sidebar and then click the “Show Web Stats” button: after a moment your monthly and daily statistics will be visualized, including: the number of visited pages (“Hits”); the number of visits and unique visitors, and the amount of transferred data (“Transferred”).

This tool is a good compromise if you want to monitor how your website is doing in terms of traffic and engagement without violating your visitors’ privacy. By installing a specific plugin for statistics, you would get a more precise picture of your audience, but most of these plugins track users for commercial purposes. Please consider what risks this might imply for your visitors before you decide to install additional plugins for statistics.

Delete the server cache

The “Manage Cache” section provides you a way to delete the server cache.

console3

If you are making changes to your content and need to see them immediately, you can use this feature to purge the web server’s cache. Just click the “Delete cache” button and wait a bit: it might take up to a minute for the cache to be removed depending on its size.

console3b

View web and PHP logs

By clicking on “View Logs” in the Console sidebar, you will be able to view the following log files:

  1. PHP error log – contains a record of all PHP errors produced by plugins and themes.
  2. Web server access log – contains a record of every file transferred from your site.
  3. Web server error log – contains a record of every error encountered by the web server.

console4

To view each of these logs, click the respective button.

Reset your file permissions

The “File Permissions” feature allows you to reset the permissions and ownership on your files back to the default settings: by clicking the “Reset Now” button, you will reset all directories and files under your document root to be owned by the web server user.

You may need this feature because, after uploading or installing a plugin manually, you sometimes have to change its permissions for it to work properly. Since you uploaded the plugin through your SFTP account, that directory is owned by your SFTP user, which is different from the web server user that runs your website and its installed plugins. So when the plugin tries to write to a file or directory owned by your SFTP user, it fails, because the web server user is trying to change something it doesn’t have permission to change.

console5

This default setting is very convenient for installing and updating plugins and themes but is not the most secure way to configure a WordPress environment. This is why the Console also includes a “Security Lockdown” feature.

console5b

Protect your website from hacks with the Security Lockdown

You can use the “Security Lockdown” feature of your eQPress Console to secure your website from potential hacks that try to create or download new files in your SFTP root directory in order to take control of your site and/or of your server. This risk can be prevented by stopping the web server from writing to any of your files or directories, which is what happens if those files are owned by a user different from the web server user.

The Security Lockdown feature does just that: it allows you to change the permissions and assign the ownership of all the files and directories under your document root to your SFTP user. If you want to protect your website from this kind of hack, click the “Lockdown” button and wait for the changes to take effect before you leave the page. Once the process is completed, none of your files will be owned by the web server user, which will effectively prevent it from writing to any of your files or directories.

console6 console6b console6c

When the site is locked down, you will see the text “Site Locked Down” in your admin bar at the top of the page. This is also a link to the “Security Lockdown” section of the Console.

console6e

Important: When the site is locked down, you will not be able to install new plugins or themes. You will not be able to update plugins, themes or WordPress itself. This is not a bug, but a feature: it’s exactly what the Security Lockdown is supposed to do. If you need to update or install a plugin (or theme), simply unlock your site, perform the update or installation and then lock the site down once again.
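As an added example (not eQPress code), the following Python script audits a document root for the ownership state the Security Lockdown is meant to produce: it lists every file or directory that the web server user could still write to, either because it owns the entry or because the mode grants write access to everyone. The web server uid is passed in as a parameter (the user name www-data and the way to look up its uid are assumptions about the host); the sample tree is constructed in a temporary directory and owned by whoever runs the script, so both the default and the locked-down state are simulated by varying the uid.

```python
"""Audit a WordPress document root for the "locked down" ownership state.

Added example, not eQPress code. Assumes a POSIX filesystem; the web
server's numeric uid is passed in (on a host where the web server runs as
www-data, look it up with `id -u www-data`; that user name is an assumption).
"""
import os
import stat
import tempfile
from pathlib import Path


def audit_lockdown(docroot, webserver_uid):
    """Return (writable, total): the sorted relative paths the web server
    user could modify (entries it owns, or entries writable by everyone),
    and the total number of entries examined."""
    root = Path(docroot)
    writable = []
    total = 0
    for path in sorted(root.rglob("*")):
        total += 1
        st = path.lstat()  # do not follow symlinks; judge the link itself
        owned_by_web = st.st_uid == webserver_uid
        world_writable = bool(st.st_mode & stat.S_IWOTH)
        if owned_by_web or world_writable:
            writable.append(str(path.relative_to(root)))
    return writable, total


def is_locked_down(docroot, webserver_uid):
    """True when no entry under docroot is writable by the web server user."""
    writable, _ = audit_lockdown(docroot, webserver_uid)
    return not writable


def current_uid():
    """Uid of the user running this script (used to simulate both states)."""
    return os.getuid()


def make_sample_docroot():
    """Constructed sample tree owned by the current user, with the usual
    WordPress modes (directories 0755, files 0644)."""
    root = Path(tempfile.mkdtemp(prefix="eqpress-audit-"))
    plugin_dir = root / "wp-content" / "plugins" / "demo"
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "demo.php").write_text("<?php\n// constructed placeholder\n")
    (root / "wp-config.php").write_text("<?php\n// constructed placeholder\n")
    for p in root.rglob("*"):
        p.chmod(0o755 if p.is_dir() else 0o644)
    root.chmod(0o755)
    return str(root)


if __name__ == "__main__":
    sample = make_sample_docroot()
    me = current_uid()
    # Default eQPress state: every entry is owned by the web server user,
    # simulated here by treating the current user as the web server user.
    writable, total = audit_lockdown(sample, me)
    print(f"default state: {len(writable)} of {total} entries writable by the web server")
    # Locked-down state: entries owned by another user (the SFTP user),
    # simulated by passing a uid that owns nothing in the tree.
    print("locked down:", is_locked_down(sample, me + 1))
```

Run against a real document root with the web server's uid, the audit should return an empty list after a Lockdown and the full tree after a “Reset Now”; group-writable entries are deliberately not counted here, so add a group check if the web server user shares a group with your SFTP user.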

SFTP info and password reset

By clicking on “Reset Password” in the Console sidebar, you will access a panel with information on your SFTP user name and host. You can access this page in case you need to quickly find the SFTP credentials you received by email when your eQPress account was activated, or to check that the host address hasn’t changed.

console7

The “Reset Password” section of the Console also gives you the possibility of resetting your SFTP password: by clicking the “Reset Password” button on this page, you will change your SFTP password, and the new password will be temporarily displayed below the line with your SFTP host, as well as sent to you by email.

console7b

Please note: If what you want to change is not your SFTP password but your WordPress admin password, click on your user name at the right end of the admin bar at the top of the WordPress panel to open your Profile page, and then click the “Generate Password” button in the Account Management section: a new password will be generated for your WordPress user. Make sure to store this password in a secure place: the best way to do this is to use a password manager like KeePass. To change your database password, read this guide.

Protect your login and admin panel with SSL

SSL provides confidentiality between your browser and the web server. By encrypting the communication between you and the server, you are making it very difficult for malicious hackers to steal your private information. If you use SSL, credentials such as user names and passwords will be undecipherable if they are intercepted while in transit. The same applies to your authentication tokens, such as the cookies that are sent every time you view or make changes via the admin panel.

The Console offers you 3 choices when configuring WordPress to use SSL. To change the settings, click the relevant button and wait for the process to be finished before you leave the page.

1. Enable SSL for logins and all admin screens.
This is the most secure choice, and will protect both your access credentials and your connection to the server through the admin panel.
console8b
2. Enable SSL for logging in only.
This choice will protect your credentials from being intercepted when you log into the eQPress admin panel.
console8d
3. Disable SSL.
If you choose to disable SSL, your connection to the server will not be protected.
console8

Please note that if you enable SSL you will be using our SSL certificates, and therefore you will encounter SSL warnings the first time you visit your admin screens. If you have your own SSL certificates, you can install them to solve this problem: please get in touch with the Deflect team through the Deflect dashboard and we will do it for you.

You can read more about Administration Over SSL on the WordPress Codex.

Disable or enable the Plugin and Theme Editor

Occasionally you may wish to disable the Plugin or Theme Editor in your WordPress admin panel so as to prevent overzealous users from editing sensitive files and potentially crashing the site. Disabling the editor also provides an additional layer of security if a hacker gains access to a highly privileged user account.

There are 2 choices:

  1. Enable plugin and theme editing via the admin screens.
  2. Disable plugin and theme editing via the admin screens.
console9b console9c console9

Please note that for the changes to take effect you will need to wait until the end of the process before you leave the “Code Editor” page.

Read more about Disabling the Plugin and Theme Editor on the WordPress Codex.

TA3M APRIL ’16 – a Basic Internet Service in Canada?

Should Canada do more to encourage broadband adoption? The CRTC is currently debating whether to define a basic Internet service and whether to subsidize Internet access to rural, remote or low income communities. For people interested in the information superhighway, this hearing is when the rubber hits the road. Concordia professor Fenwick McKelvey will introduce the hearing to attendees, discuss his work in Internet Measurement and workshop ideas. A response to the CRTC making recommendations about Internet Measurement and defining basic service will be forthcoming for May 5th.

Location: GareMTL

When: April 18th 18:00

Yes, I want to come! Please RSVP below…

  • TA3M Montreal - April '16




To see a history of past TA3M Montreal events please refer to our archive.

Deflect stats March 2016

This is the first in a monthly series of posts sharing and discussing statistics on the Deflect network. March 2016 was a busy month for us. We began to publish analytic reports on DDoS attacks against some of the clients we protect on the network. Our aim is to help the targets’ advocacy efforts and begin to strip away the impunity currently enjoyed by botnet operators. As our analytic tooling and understanding of these attacks improve, so will the reports.

In terms of people served and traffic on the network, this was our busiest month to date. We averaged around 20 million daily hits, a significant percentage of which came from readers in Mexico. Around ten separate DDoS incidents were recorded during the month, of various strength and sophistication.

Total hits this month, unique IPs we banned; unique IPs we served

Daily hits on the Deflect network

Daily count of unique IPs by country of origin

This month’s share of unique IPs by country of origin is a tortilla!

Most popular operating systems on the network

Attacks on the Deflect network in March 2016

Around a dozen separate incidents were recorded on the network in March. It’s important to note that these are requests that triggered our banning mechanisms. In reality there may have been many more malicious requests.

IP-Bans_by_country_date_histogram

Daily unique IP bans by country

Geographical bot distribution

We are also beginning to track botnets as anomalies on the network. Here is a graph built using the Timelion toolkit for ElasticSearch. It consists of a time-series representation of total hits on the network (red line) and a moving average (blue line) of the browsing patterns generated by readers’ behaviour week upon week. We then multiply the blue line values by 3 so we can clearly see when an anomaly is happening on the network. Most of the time, although not every time, the anomaly represents a spike in traffic or hits on websites: an attack.

timelion

We have also been contributing towards the development of a tool called GreyMemory. It is an anomaly detection tool which accepts any multi-dimensional time series as input, predicts the next state of the system, measures the error of the prediction and generates an anomaly rate. It uses predictive algorithms to evaluate what might happen next on the network and compares this evaluation with the eventual result. If the quality of the prediction drops, it raises an anomaly alert. On the following diagram, GRAY is the ratio of successful HTTP requests to the total number of HTTP requests; BLUE is the anomaly rate, as calculated by GreyMemory; and ORANGE is the anomaly alert, where we should create incidents. Alerts are triggered when the anomaly rate exceeds a threshold, which is currently set at 95%.

GreyMemoryReportMarch2016_2
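To make the predict-measure-alert loop described above concrete, here is an added Python example in the spirit of that description; it is not GreyMemory's code, and the predictor (an exponentially weighted average per dimension) and the mapping from prediction error to an anomaly rate in [0, 1] are simplifications chosen for this example. The sample series is constructed: two dimensions per minute, the share of successful HTTP requests and the hits per minute, with a few minutes of attack-like values in the middle.

```python
"""Prediction-error anomaly rate over a multi-dimensional time series.

Added example in the spirit of the GreyMemory description; not GreyMemory's
code. Predictor and error-to-rate mapping are simplifications for this example.
"""
import math


def detect_anomalies(series, alpha=0.3, beta=0.2, warmup=5, threshold=0.95):
    """Return a list of (anomaly_rate, alert) per sample.

    series: list of equal-length tuples, one tuple per time step.
    For each step the predicted state is compared with the observed one; the
    per-dimension absolute error is scaled by a running average of past errors
    and mapped to [0, 1) with 1 - exp(-err / (3 * scale)). The anomaly rate is
    the worst dimension. While an alert is active the model is frozen, so the
    attack traffic does not teach it a new "normal" (a design choice here).
    """
    dims = len(series[0])
    pred = list(series[0])          # predicted next state, per dimension
    scale = [0.0] * dims            # running average of past errors
    out = [(0.0, False)]
    for t in range(1, len(series)):
        x = series[t]
        errs = [abs(x[d] - pred[d]) for d in range(dims)]
        if t == 1:
            scale = errs[:]         # first error seeds the scale
        rate = 0.0
        if t > warmup:              # no verdicts until the model has settled
            rate = max(1.0 - math.exp(-errs[d] / (3.0 * max(scale[d], 1e-12)))
                       for d in range(dims))
        alert = rate > threshold
        out.append((rate, alert))
        if not alert:
            for d in range(dims):
                pred[d] += alpha * (x[d] - pred[d])
                scale[d] += beta * (errs[d] - scale[d])
    return out


def alert_indices(series, **kw):
    """Indices of the samples that raised an alert."""
    return [i for i, (_, alert) in enumerate(detect_anomalies(series, **kw)) if alert]


# Constructed sample, one row per minute: (share of successful requests, hits/min)
SAMPLE = [
    (0.98, 1000), (0.97, 1100), (0.99, 950), (0.98, 1050), (0.97, 1000),
    (0.99, 1100), (0.98, 950), (0.97, 1050), (0.99, 1000), (0.98, 1100),
    (0.55, 9000), (0.50, 12000), (0.52, 11000), (0.51, 10500),   # attack-like minutes
    (0.97, 1050), (0.98, 1000), (0.99, 980),                     # recovery
]

if __name__ == "__main__":
    for i, (rate, alert) in enumerate(detect_anomalies(SAMPLE)):
        print(f"minute {i:2d}  anomaly rate {rate:.2f}  {'ALERT' if alert else ''}")
```

Freezing the model while an alert is active is what keeps the alert raised for the whole attack window; without it the running error scale absorbs the attack within a minute or two and the rate falls back below 95% even though the traffic is still abnormal.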

Deflect Labs Report #1

Botnet attack analysis covering reporting period February 1 – 29 2016
Deflect protected website – kotsubynske.com.ua

This report covers attacks against the Kotsubynske independent media news site in Ukraine, in particular during the first two weeks of February 2016. It details the various methods used to bring down the website via distributed denial of service attacks. The attacks were not successful.

General Info

Kotsubynske is a media website online since 2010, created by local journalists and civil society in response to the appropriation and sale of public land (Bylichaniski forest) by local authorities. The website publishes local news and political analysis and exposes corruption scandals in the region. The site registered for Deflect protection during an ongoing series of DDoS attacks late in 2015. The website is entirely in Ukrainian. It receives on average 80,000 to 120,000 daily hits, primarily from Ukraine, the Netherlands and the United States.

image1

Attack Profile

Beginning on the 1st of February, Deflect notices a rise in hits against this website originating primarily from Vietnamese IPs. This may be a probing attack and it does not succeed. On the 6th of February, over 1,300,000 hits are recorded against this website in a single day. Our botnet defence system bans several botnets, the largest of which comprises just over 500 unique participants (bots).

Using the ‘Timelion’ tool to detect time-series anomalies on the network, such as those caused by DDoS attacks, we notice a significant deviation from the average pattern of visitors to the Kotsubynske website (in the diagram below, the hit count on the website is in red, the blue line represents a 7-day moving average plus 3 times the standard deviation, and yellow rectangles mark the anomalies). The fact that the deviation from normal is spread over a week (Feb 1 to Feb 8) points to the attack continuing over several incidents. This report attempts to figure out whether these separate attacks are related, displays the attack characteristics and makes assumptions about their purpose and origin.

Illustration 1: Timelion graph showing a prolonged attack period between February 1 and 8
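The moving-average baseline used in this illustration, and in the March stats post above, works the same way whatever the series: a day is anomalous when its hit count exceeds the 7-day moving average plus three standard deviations. The following Python is an added example of that rule (not Deflect's Timelion expression); the daily hit counts are constructed, with two ordinary weeks, a spike on the scale reported for February 6, a tail day and a return to normal. One design choice goes beyond the text: the baseline is built only from days that were themselves judged normal, so that the spike does not inflate the threshold for the days right after it.

```python
"""Flag days whose hit count exceeds a moving average plus k standard
deviations (the Timelion-style baseline used in the illustration).

Added example, not Deflect's Timelion configuration. The baseline excludes
days already flagged as anomalous, which is a design choice of this example.
"""
from statistics import mean, pstdev


def moving_baseline_anomalies(daily_hits, window=7, k=3.0):
    """Return a list of (threshold, is_anomaly) per day.

    threshold is None while fewer than `window` baseline days are available.
    """
    baseline = []   # hit counts of recent days judged normal
    results = []
    for hits in daily_hits:
        if len(baseline) < window:
            results.append((None, False))   # not enough history yet
            baseline.append(hits)
            continue
        recent = baseline[-window:]
        threshold = mean(recent) + k * pstdev(recent)
        is_anomaly = hits > threshold
        results.append((threshold, is_anomaly))
        if not is_anomaly:
            baseline.append(hits)           # attack days do not become "normal"
    return results


def anomalous_days(daily_hits, **kw):
    """Indices of the days flagged as anomalous."""
    return [i for i, (_, flag) in enumerate(moving_baseline_anomalies(daily_hits, **kw)) if flag]


# Constructed sample: two ordinary weeks, a 1.3 million-hit day, a tail, normal again.
WEEK = [100_000, 110_000, 95_000, 105_000, 100_000, 80_000, 85_000]
SAMPLE_DAILY_HITS = WEEK + WEEK + [1_300_000, 400_000] + WEEK

if __name__ == "__main__":
    for day, (threshold, flag) in enumerate(moving_baseline_anomalies(SAMPLE_DAILY_HITS)):
        shown = "n/a" if threshold is None else f"{threshold:,.0f}"
        print(f"day {day:2d}  hits {SAMPLE_DAILY_HITS[day]:>9,}  threshold {shown:>9}  {'ANOMALY' if flag else ''}")
```

With the sample data the threshold for the spike day works out to roughly 126,000 hits, so both the 1.3 million-hit day and the 400,000-hit tail day are flagged; had the spike been allowed into the baseline, the tail day would have passed as normal.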

February 06, 2016 Attack profile

This incident lasted 1h 11min and was the most intensive attack during this period, in terms of hits per minute.

Incident statistics
Listed here are some of the incident statistics that we get from the deflect-labs system. They show the intensity of the attack, the type of the attack (GET/POST/WordPress/other), the targeted URLs, as well as a number of GeoIP and IP details related to the attacker(s):

  • client_request host:”www.kotsubynske.com.ua”
  • Hits between 24000 and 72000 per minute
  • Total hits for the attack period: 1643581
  • Attack Start: 2016-02-06 13:34:00
  • Attack Stop: 2016-02-06 14:45:00
  • Type of attack: GET attack (bots requested page from website)
  • Targeted URL: www.kotsubynske.com.ua
  • Primary botnet request: “http://www.kotsubynske.com.ua/-”

Illustration 2: Geographic distribution of bots

The majority of hits on this website came from Vietnam, Ukraine, India, Rep of Korea, Brazil, Pakistan. Here are the stats for the top five countries, starting with the highest count and descending:

| geoip.country_name | Count |
|---|---|
| Vietnam | 817,602 |
| Ukraine | 216,216 |
| India | 121,405 |
| Romania | 70,697 |
| Pakistan | 61,201 |

Cross-incident analysis

We’ve researched three months of incidents on the Kotsubynske website, namely from January to March 2016. We have detected five incidents between February 01 – 08 and present a detailed analysis of botnet characteristics and the similarities between each incident. The point is to figure out if the incidents are related. This may help us define whether the actors behind this attack were common between all incidents. For example, we see relatively few IPs appearing in more than one incident, while each incident shares a similar botnet size and attack pattern.

Illustration 3: GeoIP location of bots over the five recorded incidents

Table 1. Identical IPs across all the incidents

We identify, in sequence of incidents, botnets IPs which re-appeared from a previous attack.

| ID | Incident start | Incident end | Duration | Botnet IPs | Recurring botnet IPs | Attack type | Attack pattern (URL request) |
|---|---|---|---|---|---|---|---|
| 1 | 2016-02-02 12:07:00 | 2016-02-02 12:21:00 | 14 min | 224 | – | GET | 163224 hits: /- |
| 2 | 2016-03-02 08:27:00 | 2016-03-02 08:31:00 | 4 min | 120 | 22 | GET | 35991 hits: /- |
| 3 | 2016-05-02 21:10:00 | 2016-05-02 22:00:00 | 50 min | 99 | 0 | GET | 49197 hits: /-; 23 hits: /wp-admin/admin-ajax.php |
| 4 | 2016-06-02 13:34:00 | 2016-06-02 14:45:00 | 1h 11 min | 484 | 0 | GET | 1557318 hits: /- |
| 5 | 2016-08-02 12:20:00 | 2016-08-02 16:40:00 | 4 h 20 min | 361 | 0 | GET | 392658 hits: /- |

Table 2. Pairs of incidents with significant numbers of identical IPs banned by Deflect

Here we correlate each incident against all other incidents to see whether any common botnet IPs reappear, and present the incident pairs where there is a match.

| Incident id | Banned IPs | Incident id | Banned IPs | Recurring IPs | % of recurring botnet IPs in the smaller incident |
|---|---|---|---|---|---|
| 1 | 224 | 2 | 120 | 22 | 18.3% |
| 3 | 99 | 4 | 484 | 15 | 15.2% |

Analysis of the five attacks shows that very few botnet IPs were reused in subsequent attacks. The presence of any recurring IPs, however, suggests that they either belong to a subnet of the same botnet or are victims whose computers have been infected by more than one botnet malware. Furthermore, each botnet’s GeoIP characteristics and behaviour are almost identical. For example, whilst traffic during this period followed the normal trend, both in terms of number of visitors and their geographic distribution, banned IPs were primarily from Vietnam, India, Pakistan and other countries that do not normally access kotsubynske.com.ua.

This is a reliable indicator of malicious traffic and a transnational botnet.

  • 71.1% of banned IPs come from Vietnam, India, Iran, Pakistan, Indonesia, Saudi Arabia, Philippines, Mexico, Turkey, South Korea.
  • 99.9% of banned IPs have the identical user agent string: “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)”.
  • The average hit rate of IPs with that identical user agent string is significantly higher: 61.9 hits/minute vs 4.5 hits/minute for all other traffic.

Illustration 4: Banned machines from ‘unusual’ countries for kotsubynske.com.ua
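The two comparisons the report makes, recurring banned IPs between incidents (Tables 1 and 2 above) and the hit-rate signature of a shared user agent string (the bullet list above), are small set and rate calculations once the ban records are in hand. The following Python is an added example of both (not the deflect-labs tooling). Every IP and session in it is constructed from documentation address ranges; only the user agent string is taken from the report.

```python
"""Cross-incident botnet comparison: recurring banned IPs between incidents
and the hit-rate signature of a shared user agent string.

Added example, not the deflect-labs tooling. All IPs and sessions below are
constructed (documentation address ranges); the user agent string is the one
quoted in the report.
"""
from itertools import combinations
from statistics import mean

BOT_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"

# Constructed: banned IPs per incident, keyed by incident id in time order
INCIDENTS = {
    1: {"203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.5", "198.51.100.6"},
    2: {"203.0.113.10", "203.0.113.11", "192.0.2.40", "192.0.2.41"},
    3: {"192.0.2.60", "192.0.2.61", "192.0.2.62"},
}

# Constructed sessions: (ip, user_agent, hits, minutes_active, banned)
SESSIONS = [
    ("203.0.113.10", BOT_UA, 620, 10, True),
    ("203.0.113.11", BOT_UA, 600, 10, True),
    ("198.51.100.5", BOT_UA, 640, 10, True),
    ("192.0.2.40", BOT_UA, 580, 10, True),
    ("192.0.2.99", "Mozilla/5.0 (Windows NT 10.0; rv:44.0) Gecko/20100101 Firefox/44.0", 45, 10, False),
    ("192.0.2.98", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36", 40, 10, False),
    ("192.0.2.97", "Mozilla/5.0 (Windows NT 10.0; rv:44.0) Gecko/20100101 Firefox/44.0", 50, 10, False),
]


def sequential_recurrence(incidents):
    """Table 1 style: for each incident after the first, how many of its banned
    IPs were also banned in the immediately preceding incident."""
    ids = sorted(incidents)
    return {later: len(incidents[earlier] & incidents[later]) for earlier, later in zip(ids, ids[1:])}


def recurring_pairs(incidents):
    """Table 2 style: every pair of incidents sharing at least one banned IP,
    with the overlap as a percentage of the smaller incident's botnet."""
    rows = []
    for a, b in combinations(sorted(incidents), 2):
        common = incidents[a] & incidents[b]
        if common:
            smaller = min(len(incidents[a]), len(incidents[b]))
            rows.append((a, b, len(common), round(100.0 * len(common) / smaller, 1)))
    return rows


def ua_profile(sessions, ua):
    """Share of banned sessions carrying `ua`, and mean hits per minute for
    sessions with that exact user agent versus all other sessions."""
    same = [s for s in sessions if s[1] == ua]
    other = [s for s in sessions if s[1] != ua]
    banned = [s for s in sessions if s[4]]

    def hits_per_min(group):
        return mean(h / m for _, _, h, m, _ in group) if group else 0.0

    return {
        "banned_share": (sum(1 for s in banned if s[1] == ua) / len(banned)) if banned else 0.0,
        "same_ua_hits_per_min": hits_per_min(same),
        "other_hits_per_min": hits_per_min(other),
    }


if __name__ == "__main__":
    print("recurring from previous incident:", sequential_recurrence(INCIDENTS))
    for a, b, n, pct in recurring_pairs(INCIDENTS):
        print(f"incidents {a} and {b}: {n} shared IPs ({pct}% of the smaller incident)")
    print(ua_profile(SESSIONS, BOT_UA))
```

The percentage is taken against the smaller incident, as in Table 2, because the question is how much of the smaller botnet was recycled; an identical user agent string on nearly all banned IPs together with a hit rate an order of magnitude above legitimate sessions is the kind of signature that supports the report's single-operator conclusion.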

The user agent (UA) string seems to be identical in all five incidents when comparing banned and legitimate traffic. In the diagram below, orange represents the identical user agent string, whilst blue represents IPs with other user agent strings. The coloured boxes contain the middle 50% of IPs in each set and the lines inside the boxes indicate the medians. The markers above and below the boxes indicate the position of the last IP within 1.5 times the height of the box (1.5 times the inter-quartile range).

Illustration 5: Hit rate distribution for the IPs with the same identical user agent string: “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)”

Even though there are not many identical botnet IPs across all of the 5 incidents, the behaviour of botnet IPs from different incidents is very similar. The figure below illustrates some characteristics of the botnets (different colours) compared with regular traffic (blue).

Scatter plot of sessions in 3-dimensional space:

  • Request interval variance
  • Error rate
  • HTML to image ratio

image7

Report Conclusion

On the 2nd of February, the Kotsubynske website published an article from a meeting of the regional administrative council where it stated that members of the political party ‘New Faces’ were interfering with and trying to sabotage the council’s work on stopping deforestation. The party is headed by the mayor of the nearby town Irpin. Attacks against the website begin thereafter.

Considering the scale of attacks often witnessed on the Deflect network, this was neither strong nor sophisticated. Our assumption is that the botnet controller was simply cycling through the various bots (IPs) available to them so as to avoid our detection and banning mechanisms. The identical user agent and attack pattern used throughout the five attacks is an indication to us that a single entity was orchestrating them.

This is the first report of the Deflect Labs initiative. Our aim is to strip away the impunity currently enjoyed by botnet operators the world over and to aid the advocacy efforts of our clients. In the near future we will begin profiling and correlating present-day attacks with our three-year backlog and with the work of similarly minded DDoS mitigation projects.

Deflect Labs – fighting impunity with analytics and advocacy

For the last four years, the Deflect DDoS mitigation system has protected independent online voices from the onslaught of cyber-attacks aiming to silence them. We have grown, learning our lessons as we took the punches. One aspect of this work stood out as particularly interesting during this time: there were stories to be told in the sea of data brought on by each attack. Those stories could shine a light in the direction of the provenance of the attacks and the motivations of the actors behind them. Most importantly, it would aid the advocacy efforts of the targeted website and begin to strip away the impunity for launching these attacks, raising their cost in the long run. The more they attack us, the smarter we’ll get.

Deflect Labs is a new effort to collect and study distributed denial of service (DDoS) attacks launched against the websites we protect. It is built on a variety of open source tools, utilizing machine learning, time-series anomaly detection and botnet classification tools, many of which have been contributed to or wholly developed by eQualit.ie’s Deflect team. We aim to responsibly share news and our analysis of the attacks in a series of ongoing reports, the first of which is released today.

infogram

TA3M MARCH ’16 “WHO BYTES YOUR BITS”

We’re all familiar with the idea of a search warrant — but how else can the government access your private information in Canada? This informal TA3M workshop will explore this question—whether in the context of a criminal investigation or otherwise. We’ll also discuss the implications for businesses and organizations that hold private data for their clients, and the circumstances in which they might be forced to hand over records about their clients, users or communities. Together, we’ll think about how to mitigate risk and work through questions like:

  • How can law enforcement and intelligence agencies access private information about you? Do they always need a warrant? Should activists and community groups be particularly concerned?
  • If you’re hosting data for others, or holding private information that belongs to your users, what are your obligations as custodian of that data?
  • What are the situations in which you might be required to share or disclose data about others? What are your responsibilities to your users and clients in these situations?

Following a brief talk, attendees will be invited to share their own thoughts, experiences and questions. Presenters are happy to answer questions in English and French.

Presenters

Lex Gill is a researcher for the Canadian Civil Liberties Association’s Privacy, Surveillance and Technology Project and an affiliate to the Berkman Center for Internet and Society. She studies at McGill’s Faculty of Law.

Jillian Friedman is a technology lawyer. Her views on privacy law, and other technology law issues have been published in legal, academic and news media. Jillian has spoken before the Senate Committee on Banking, Trade and Commerce where she testified about digital currency, consumer protection and pseudo-anonymity. She is currently writing a book on financial technology law.

Location

We have moved!! Tonight’s TA3M will be held at GareMTL

When? March 21st, 18:00

Yes, I want to come! Please RSVP below…

  • TA3M Montreal - March '16




To see a history of past TA3M Montreal events please refer to our archive.

IFF Tool Showcase: the winners!

During the Internet Freedom Festival in Valencia, eQualit.ie hosted a tool showcase on Thursday 3rd March. 15 awesome tools were presented, and the audience voted for their favourite projects for three different categories – “You did whaaaat?”, “Wish I’d thought of that!”, and “You get a biscuit”.

We are now proud to announce the winners, with a list of the other projects that got the best scores:

You did whaaaat?

  1. NetAidKit
  2. StingWatch
  3. Peerio / uProxy (joint winners)

Wish I’d thought of that!

  1. OnionShare (in tie with NetAidKit)
  2. SecurePost
  3. StoryMaker

You get a biscuit

  1. Qubes OS
  2. Code of Conduct Builder / OnionShare / Peerio (joint winners)
  3. Psiphon / NetAidKit / StoryMaker (joint winners)

IFF Tool Showcase #14: CGIProxy

First created in 1996, CGIProxy is a clientless web proxy that supports Javascript and Flash, enabling access even to the most complex websites, and can be used to anonymize connections and circumvent censorship. Over the years, CGIProxy has been downloaded over 2 million times and has been a model for several other similar web proxies.

CGIProxy

Actively maintained and developed, CGIProxy is installed on numerous servers, allowing for a decentralization that makes these web proxies harder to block and, if the server is hardened, to detect. Users just need to access the proxy interface of a trusted server through a common web browser and enter the URL of the website they want to visit in the form. Without having to install anything on their computers, anyone can thus securely and anonymously access any restricted website.

IFF Tool Showcase #15: SecurePost

SecurePost is an Android app that allows a group to share a Twitter account or Facebook page without sharing the account password. Every post published through SecurePost is cryptographically signed and can thus be verified through the app itself or with a Chrome plugin that clearly shows whether the post has been published by a legitimate member of the group. On the other hand, SecurePost also ensures plausible deniability for each member of the group, so that while readers can be sure that a post has been published by the group that owns that specific account, no member of the group can be held accountable for any content.

securepost

Integrating libraries by The Guardian Project, SecurePost encrypts by default all content while the app is at rest and offers emergency features based on the Guardian Project’s Panic Kit, like wiping the app content and triggering other Panic Kit apps if someone enters a special “wipe password” at the app’s password prompt. Furthermore, if the account is compromised, its creator can reset it, thus excluding any malicious group member and warning readers about the incident by turning all posts to an unverified state.

SecurePost has been developed in view of real users’ needs: its creators have travelled to Zambia, Turkey and Mongolia, interviewing activists and journalists to assess what was needed to make their work more efficient and secure. By ensuring authenticity and plausible deniability, this tool offers groups and organizations the possibility of publishing on a shared account or page without having to share a password and at the same time prevents self-censorship among dissidents.

IFF Tool Showcase #2: Code of Conduct builder

Usually, those who are most hurt by censorship, surveillance and a lack of Internet freedom are the most marginalised members of society; people who have been too often excluded from the world of tech, policy and other important areas which impact Internet freedom and human rights. To face this problem, many groups have taken inspiration from the women’s liberation movement of the 60s and 70s, creating Codes of Conduct as a set of shared behavioural guidelines to ensure that the physical or virtual space they’re acting in becomes a safe space.

The Code of Conduct builder has been created to help community leaders implement a Code of Conduct that is both customized and has the ability to support all members of that community. Thoroughness and an understanding of the issues is key to successful implementation of a Code of Conduct, however, and that is why each section in this web-based tool features a clear explanation of the reasons for inclusion, live preview of the customized text and tips for enforcement.

Safe-Space-Sticker

Currently, resources for building a Code of Conduct for online and offline spaces (such as conferences and repositories) take the form of blog posts and copyable policies. There are lots of details, opinions (sometimes lacking consensus) and supporting processes to consider when creating a Code of Conduct, and the task of a good implementation can be overwhelming.

Unfortunately, because of this, organizers decide to either not have a Code of Conduct, or to copy and paste an existing one without properly considering how to support it. Both are poor solutions that fail to support attendees and can give them a false sense of security. The Code of Conduct builder is the first tool of its kind that goes beyond a customized Code of Conduct by also aiming to educate users on the various aspects of a well-implemented and supported policy.

By making the process of implementing a Code of Conduct more efficient and considered, the Code of Conduct builder helps event organizers, repository maintainers and other leaders to create a more inclusive community. This inclusivity helps to bring a wider range of voices, backgrounds and skills to the fight against censorship and surveillance. The end result being that the solutions produced are better suited to protect not just the majority, but really everyone’s digital and human rights.

IFF Tool Showcase #11: StoryMaker

StoryMaker is an open source app helping anyone learn to make great multimedia stories and safely produce and publish them with their mobile device, in a privacy-preserving fashion that ensures they can share and publish their stories where they wish, despite the threat of censorship. The final release out of beta comes with the inclusion of a Catalog of new content packs. Content packs provide Lessons, Guides, and Templates for creating new stories. Once templates, guides, or lessons have been downloaded, the user may learn and make stories completely offline, as well as sharing stories via bluetooth or other means that don’t require the Internet. Users may publish their stories online to a variety of outlets, with built-in support for Tor. Currently users can publish over Tor to Facebook, YouTube, Flickr, Soundcloud, Archive.org and private SSH servers.


StoryMaker is brought to you by the StoryMaker Coalition. The StoryMaker Coalition is a collaboration between Small World News, Scal.io, The Guardian Project and Free Press Unlimited to develop and implement the StoryMaker application. The Coalition has trained more than 700 journalists, human rights defenders, and aid workers active in more than 20 countries. At the time of writing, the StoryMaker app has been downloaded by more than 140,000 users around the world, including journalists, civil society members, and activists.

StoryMaker’s libraries provide open source tools for others to add functionality to publish content safely and securely to a variety of platforms, as well as to distribute interactive learning content directly to individual users. StoryMaker enables citizens anywhere to tell their stories despite the threat of surveillance and censorship. The app puts the work of many developers and organizations on digital security into a specific and important context: amplifying the voices of marginalized communities by providing them the skills to tell their stories and the access to ensure they are heard. To underscore this point, Natasha Msonza from Zimbabwe, one of the many trainers using StoryMaker around the world, will join the speakers from the StoryMaker Coalition in the presentation.

IFF Tool Showcase #13: uProxy

uProxy is an open source browser extension for Chrome and Firefox that lets users share their route to the Internet with each other. uProxy was made for people in two situations: those who need safe and unrestricted access to the Internet, and those who have an unrestricted connection that they would like to share with their friends. With uProxy, those whose access to the Internet is restricted can reach the same sites that their friends with an unrestricted connection can.


uProxy can make it much harder for a third party to monitor or interfere with the traffic of the user who is getting access to the Web thanks to the extension. It can be compared to a personalized VPN service that you can use to provide secure access to friends and family, and to yourself when you travel. But since VPNs generally rely on shared servers, they can often be identified and blocked, or they can slow down at peak times. Because uProxy users connect to each other, rather than to common servers, uProxy connections may be harder to identify, and the network scales naturally.

On the other hand, uProxy also has limitations. The friend who shares a connection sees, and carries, the other user’s traffic, so the level of trust between the two has to be very high to avoid the risk of being caught accessing restricted resources in censored areas. In addition, being a browser extension, uProxy only handles web traffic in Chrome and Firefox and cannot protect other applications that connect to the Internet. Nevertheless, for people dealing with nationwide censorship and state surveillance, uProxy can be a precious tool for accessing online resources.

IFF Tool Showcase #6: OnionShare

OnionShare is a desktop application to share files anonymously and securely using the Tor network. It’s incredibly simple and uses the anonymity-protecting and firewall-piercing properties of Tor hidden services. It supports a diversity of use cases, such as sending a screenshot to a friend or leaking classified documents to a journalist.


As long as both the sender and the receiver have access to the Tor network (which only requires installing and launching the Tor Browser), OnionShare is resistant to censorship and surveillance: no third party gets access to the files being shared, network eavesdroppers cannot spy on files in transit, and the anonymity of sender and recipient is protected by Tor, provided the onion address is passed to the recipient over a channel the adversary cannot read.

OnionShare was originally built by Micah Lee to solve the “David Miranda problem”: if you have super secret files that you need to give to someone, it’s often safer to use the Internet than to physically carry a USB stick. OnionShare makes the using-the-Internet option simple, user-friendly and convenient. Micah Lee himself says he uses it all the time for a variety of purposes at The Intercept.

IFF Tool Showcase #1: CENO

CENO (Censorship.NO!) is an innovative approach to censorship circumvention, based on P2P storage networks, and in particular on Freenet. CENO maintains strong privacy and anonymity features and also offers users plausible deniability in an emergency. CENO is built in anticipation of aggressive Internet filtering and the establishment of national intranets that fence citizens off from the wider Web, so it is a tool for accessing restricted information and resources when everything else fails.


CENO Components

The main purpose of CENO is to deliver content that would otherwise be unavailable because of Internet censorship. Once CENO is running, users can anonymously request a web page that is inaccessible from their country by entering a normal URL in CENO’s customized browser profile. The request reaches a so-called bridge node, a peer that also acts as a CENO server, bridging the p2p network and the World Wide Web. The bridge node fetches the requested page, bundles it and inserts the bundle into the distributed storage of the p2p network, from which the user eventually retrieves it. While waiting for the requested page to be delivered, which can take some time, users can read the selection of news feeds reachable from the “CENO Portal”. These selected feeds are inserted by default and updated daily.

At the moment CENO bridges are all managed by the CENO team, but users can set up their own bridge nodes, independently of the CENO team’s Insertion Authority. No knowledge of the global network topology is required to retrieve bundles or to send a message to a bridge, and no CENO node can know where the other nodes are located. Last but not least, CENO is a resilient solution to censorship circumvention: in cases of nationwide Internet throttling, content remains available to the peers as long as a copy of the bundle is cached in the in-country network of peers. Read more about CENO here.

IFF Tool Showcase #5: NetAidKit

The NetAidKit is a pocket size, USB powered router that connects everything to everything, designed specifically for non-technical users. The easy to use web interface will allow you to connect the NetAidKit to a wireless or wired network and share that connection with your other devices, such as a phone, laptop or tablet.
Once the NetAidKit is connected to a wireless or wired network, you can make it connect to a Virtual Private Network or to Tor at the click of a button. Any devices connected to the NetAidKit will use these extra security features automatically, without needing to configure each of the devices separately.
By providing an easy to use tool that can either send traffic over secure VPN tunnels, fighting surveillance, or over the Tor network, circumventing censorship, the NetAidKit brings the Internet Freedom Festival‘s goals of “Joining Forces to Fight Censorship and Surveillance” to everyone.
Free Press Unlimited has developed the NetAidKit to give non-technical users an easy way to secure their connections with VPNs or route around censorship with Tor, so that journalists, activists and others can use these technologies without needing to install and set up complicated software. The NetAidKit is an open source, non-profit project, and proceeds from sales will be used to support the project itself and for future development, with the aim of offering to the masses this open source, reliable and easy to use solution for circumventing censorship and fighting surveillance.

IFF Tool Showcase: the projects

During the Internet Freedom Festival, which will take place in Valencia, Spain, from the 1st to the 6th March 2016, eQualit.ie will host a tool showcase and award ceremony on Thursday 3rd March, starting from 7 pm.

During the showcase, 15 tools will be introduced with a short presentation to the entire room and then be assigned to their own tables for a continuing discussion with the audience, who will then vote their favourite projects for three different categories – “You did whaaaat?”, “Wish I’d thought of that!”, and “You get a biscuit”.

Here is the complete list of the presented projects, with a link to the posts we have dedicated to each of them:

  • CENO – an innovative approach to censorship circumvention, based on P2P storage networks.
  • CGIProxy – a clientless web proxy that supports Javascript and Flash, enabling access even to the most complex websites.
  • Code of Conduct builder – an interactive tool for building a Code of Conduct for a community’s offline and online spaces.
  • CoyIM – a safe and secure Jabber/XMPP client with built-in support for Tor, OTR and TLS.
  • FreedomBox – a free software stack that can be installed in inexpensive hardware to turn it into a personal server that protects your privacy.
  • NetAidKit – a pocket size, USB powered router that connects everything to everything, designed specifically for non-technical users.
  • OnionShare – a desktop application to share files anonymously and securely using the Tor network.
  • Peerio – a tool to send encrypted messages and files, developed with the aim of making encrypted communications attractive and accessible.
  • Psiphon – a widely-used free censorship circumvention tool.
  • Qubes OS – a free and open source security-oriented operating system that implements security by compartmentalization.
  • SecurePost – an Android App that allows a group to share a Twitter account or Facebook page without sharing the account password.
  • StingWatch – a tool enabling ordinary people to monitor and map police use of IMSI-Catchers, aka Stingrays.
  • StoryMaker – an open source app helping anyone learn to make great multimedia stories and safely produce and publish them with their mobile device.
  • Umbrella – a free and open source Android app to help journalists and activists manage their security on the move.
  • uProxy – an open source browser extension for Chrome and Firefox that lets users share their route to the Internet with each other.

IFF Tool Showcase #12: Umbrella

Umbrella is a free and open source Android app to help journalists and activists manage their security on the move. Divided into several sections addressing not only digital and physical but also psycho-social and operational security issues, Umbrella offers simple, practical advice on what to do and which tools to do it with, covering everything from sending a secure email to conducting physical counter-surveillance. Users can choose their level of ability or the type of protection they need and get answers that reflect their needs. Users can mark, customise and share simple checklists for quick reminders. Umbrella also has a series of security information feeds from places like the UN and the Centers for Disease Control, to keep users updated as they travel.
Launched in September 2015, Umbrella is being constantly developed by Security First with the help and input of the NGO, human rights, humanitarian aid and open source technology communities. With the purpose of making easily accessible resources on security that are as numerous as they are difficult to find when needed, the app gathers together all the information that can help manage individual and organizational security and makes it available not only to journalists and human rights defenders, but to a whole range of activists who may be less aware of the threats they are facing and the strategies they can adopt.
At the moment, Umbrella is being localized on Transifex into Spanish, Arabic and Mandarin, and volunteers are helping with many other languages. The app already supports the Guardian Project’s Ripple panic button, and in the future it will add advice on security planning and the possibility of sharing checklists with others, based on an existing FOSS encryption protocol. The project shares the principles of free and open source software, and all the resources are published on GitHub, with the hope of further fostering cooperation among creators of security resources.

IFF Tool Showcase #10: StingWatch

“An IMSI-catcher is a telephony eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users. Essentially a “fake” mobile tower acting between the target mobile phone and the service provider’s real towers, it is considered a man-in-the-middle (MITM) attack.” (Wikipedia)

Employed, among others, by the US federal government and by state and local police departments across the USA, the Stingray is a mobile technology that simulates a cell phone tower and can intercept call and SMS text content, including the call histories of all mobile hand sets within range as well as their location.


Racial bias in police violence has sparked a heated discussion in the US in recent years, and cell-site simulators, also known as Stingrays, have gained increased media and public attention as recent reports indicate their frequent use in criminal investigations and at political demonstrations such as those of Black Lives Matter.

The tools required to discover and investigate the presence and location of these Stingrays have so far been difficult to obtain and operate, most of them being either closed source or requiring root access on the phone. The goal of StingWatch is to be a platform-independent tool that anybody can use, enabling ordinary people to employ their phones to monitor and then map the use of Stingrays in their vicinity.

StingWatch is a simple app for Android that will do a couple of things:

  1. It will notify its users when Stingray use is detected, so that they can put their phones into airplane mode and avoid having their information collected.
  2. It will send detection locations to a central server so that Stingray use can be mapped on a public website, eventually combining with Census data to examine the demographics of those being targeted.
  3. By exposing use of this secret technology, Stingwatch will hopefully contribute to public pressure to limit its use.

Ultimately, StingWatch is a tool for policy change. Its main purpose is to prove that Stingray technology is often misused to disproportionately target certain minority groups and other civil groups. The developers hope this information will reinforce the larger debate around these devices and ultimately lead to their abolition.

IFF Tool Showcase #9: Qubes OS

Qubes OS is a free and open source security-oriented operating system that implements security by compartmentalization. Its architecture is built to enable a user to define different security environments on her computer and visually manage their interaction with each other. While the most common operating systems like Windows, Mac or Linux are “monolithic”, which means that if an attacker manages to hack into the system, they will have access to the whole machine, Qubes OS greatly reduces this risk by isolating every domain (or qube) from each other, so that if one qube is compromised, the others – and the system – will remain unaffected.


Each qube can run applications from Debian, Fedora, Whonix, and even Windows. The visual interface to separate domains makes it very easy to manage multiple identities online: each virtual persona, pseudonym or activity can get its own dedicated qube, and Qubes integrates the Tor network so that users can easily create one or more domains with all the software they need for anonymizing their communications and online activities. Simultaneous and non-interacting VPN, Tor, and other proxy connections to the web can be set up, and one can easily route applications through these networks even if they weren’t built for it, such as Pidgin, Chromium, etc.

Separating and isolating social domains can be particularly important for high-risk individuals who could be targeted with surveillance malware. If the attacker manages to compromise the user’s browser or email client, e.g. through a vulnerable browser plug-in or a malicious email attachment, the malware will only be able to access that particular qube and will not affect the rest of the system; deleting the affected qube and creating a new, clean one is very easy. With Qubes OS, the user can open attachments by default in non-networked disposable domains: if the attachment contains malware, it is discarded as soon as the PDF or Word document is closed, and it never had a network path to “phone home”. In a similar way, Qubes OS can by default protect the user from USB and Wi-Fi based attacks by isolating the USB and network stacks in their own qubes.

Qubes OS was first launched in 2012 and has a growing base of over 9,000 users. While it still requires a rather powerful computer, the Qubes team is concentrating its efforts on increasing usability and outreach, and a training prototype addressed at human rights defenders and activists will be presented within the Training & Best Practices track at the Internet Freedom Festival on Friday 4th March at 6pm.

IFF Tool Showcase #4: FreedomBox

FreedomBox is a personal server that protects your privacy. It is a free software stack, a subset of the Debian universal operating system, that can be installed on many flavors of inexpensive and power-efficient hardware. FreedomBox runs on a physical computer and can route your traffic. It can sit between the various devices at home, such as mobiles, laptops and TVs, and the Internet, replacing a home wireless router. By routing traffic, FreedomBox can remove tracking advertisements and malicious web bugs before they ever reach your devices. FreedomBox can cloak your location and protect your anonymity by “onion routing” your traffic over Tor. FreedomBox provides a VPN server that you can use while you are away from home to keep your traffic secret on untrusted public wireless networks and to securely access the various devices at home. It can also be carried along with your laptop and used to connect to public networks at work or school to make use of its services. It could be used in a village to provide communications throughout the village. In future, FreedomBox intends to provide support for alternative ways of connecting to the Internet such as mesh networks.


FreedomBox provides services to the computers and mobile devices in your home and to those of other people who are your friends. It provides file sharing like Dropbox, shared calendaring like Google or Yahoo, and photo sharing. FreedomBox provides instant messaging and secure voice conference calling that works on low bandwidth while providing high quality. FreedomBox has a blog and wiki to let you publish your content and collaborate with the rest of the world. Coming soon are a personal email server and federated social networking using GNU social and Diaspora, providing privacy-respecting alternatives to Gmail and Facebook.

Too many of us live in a world where our use of the network is mediated by organizations that often do not have our best interests at heart. By building software that does not rely on a central service, we can regain control and privacy. By keeping our data in our homes, we gain useful legal protections over it. By giving back power to the users over their networks and machines, we are returning the Internet to its intended peer-to-peer architecture. In order to bring about the new network order, it is paramount that it is easy to convert to it. The hardware it runs on must be cheap. The software it runs on must be easy to install and administrate by anybody. It must be easy to transition from existing services. There are a number of projects working to realize a future of distributed services; FreedomBox aims to bring them all together in a convenient package available for everybody.

IFF Tool Showcase #8: Psiphon

Psiphon is a free censorship circumvention tool. Its robust network is made up of more than a thousand active servers, which can provide you with quick access to blocked content on the Internet. Psiphon is an open source tool that does not require installation and automatically selects the best-performing settings. More than 15 million people around the world, as well as major news organizations, have put their trust in Psiphon.


Psiphon helps millions of netizens around the world to connect to blocked social media and censored websites. Hundreds of thousands used Psiphon in Turkey, Egypt and Iraq to learn about and protest against governmental policies curtailing human rights, including fostering censorship and surveillance. Psiphon also aids human rights organizations and independent media outlets whose websites are blocked in various censorship hotspots. Liberal-minded organizations from Iran, China, the Middle East, the CIS, Latin America and Asia use Psiphon to stay connected to their audiences, propagate ideas of free speech and help people join movements fighting against censorship and surveillance. Many of these organizations are the only independent voices in their regions, who thanks to circumvention technologies like Psiphon manage to survive censorship policies of authoritarian regimes and remain financially viable.

Psiphon was developed as an anti-censorship tool by the Citizen Lab (University of Toronto) back in 2006. Ten years later, it remains true to its original mission, namely, to empower netizens around the world to fight back against oppressive regimes that illegitimately censor information on the Internet.

IFF Tool Showcase #3: CoyIM

Although OTR over Jabber/XMPP is one of the most effective ways of encrypting communications, the clients that support these protocols are either flawed from a security point of view or excessively hard to use. This is why CoyIM is being developed. Based on Adam Langley’s xmpp-client and written in Go to avoid many common classes of vulnerabilities that come from memory-unsafe languages, CoyIM is a standalone program that runs on Windows, Linux and OS X and supports only one chat protocol, Jabber/XMPP.


CoyIM tries to be safe and secure by default. The developers’ ambition is that it should be possible for even the most high-risk people on the planet to safely use CoyIM, without having to make any configuration changes. To achieve this, CoyIM has a built-in support for Tor, OTR and TLS. The Tor support allows users to become anonymous when chatting; OTR makes end-to-end encryption of communication possible; and TLS adds another layer of encryption to the communication with the chat servers. These features have been built to be core parts of the application – they are not plugins or extras as in some of the most popular Jabber/XMPP clients.

Started in October 2015, CoyIM is still a very young project. There have been no security audits of the code, and you should currently not use it for anything sensitive. Being at a very early stage of development, the tool still lacks many features that users could expect in a Jabber client. The developers are working eagerly to add the needed functionalities, but for the sake of security and efficiency some other features (like hyperlinks and emoticons) will never be there. With time, CoyIM has good chances of filling an important gap in the range of communication tools that can be used in high-risk contexts.

IFF Tool Showcase #7: Peerio

Until recently, if someone wanted to be sure that their communications could only be read by themselves and their addressees, they had to face the steep learning curve required by encryption tools like GPG or OTR. As efficient as they are in enabling an end-to-end encrypted communication, these tools are problematic for anyone who needs to communicate efficiently and securely in a high-risk or emergency setting where there is no time for learning how to use a complicated technology. To solve this problem, a range of new, more usable encryption tools has started to be developed. This is where Peerio enters the scene.


First launched in January 2014 and currently counting 17,000 users, Peerio is a tool to send encrypted messages and files, developed with the aim of making encrypted communications attractive and accessible to people of all skill sets and backgrounds. From its intuitive interface to its rapid search of messages and documents, up to its passphrase generator, Peerio puts a strong emphasis on usability in every possible detail, thus simplifying the workflow and mitigating the risks related to user error that are often connected to traditional end-to-end encryption tools.

Encryption of messages and files is done client-side, so the server cannot decrypt anything, and it does not rely on a private key file that could get lost: the keys are derived from the user’s passphrase. When you create a Peerio account, a long random passphrase is generated for you. It is made up of 5 words selected by the client’s passphrase generator from a dictionary of 12,000 commonly used words, which makes it easier to remember; five words drawn from 12,000 give 12,000^5, about 2.5 × 10^20 combinations, or roughly 68 bits of entropy. You can also generate a shorter password that will only work on the device where you generated it, and store the longer passphrase in a password manager. The 5-word passphrase and your user name are all you need to access your account wherever you are, from any computer.

Localized in 12 languages, and available for Mac, Windows and Linux, the client will be soon released for Android and iOS too. Peerio’s development is particularly oriented towards facilitating collaboration and group communication: already groups can share files in Peerio and easily search through them, and in the future Peerio’s team is planning to add new features such as shared folders and documents and collective notes. Peerio client’s code has been audited (PDF) and is available on Github.

Internet Freedom Festival: Tool showcase

The Internet Freedom Festival, which will take place in Valencia, Spain, from the 1st to the 6th March 2016, is a common space where diverse communities working against and affected by censorship and surveillance can come together to teach, plan and act.


The rich schedule of the festival includes sessions on 8 different tracks and also night events. For the night events, eQualit.ie will host a tool showcase and award ceremony on Thursday 3rd March, starting from 7 pm.

THE TOOL SHOWCASE

During the showcase, 13 tools will be introduced with a short presentation to the entire room and then be assigned to their own tables for a continuing discussion with the audience. You can learn and get to see demos for Android apps carrying security advice and instructions for activists; routers and servers that enhance connection security; censorship circumvention systems; tools for encrypted communication; IMSI-catcher detectors and much more: there will be solutions for every taste and need. Here’s the complete list of the tools that will be presented at the showcase:


At the end of the event, the public will be invited to pick their favorite tool for the following unofficial IFF categories:

  • You did whaaaat?
  • Wish I’d thought of that!
  • You get a biscuit.

No one will leave empty handed! There are prizes for winners, drinks for participants and eQualit.ie will interview and blog about each of the contestant’s tools. And if we still have time, a vodka tasting workshop may follow!


Pen International gets Caisleán

PEN International is the world’s leading association of writers, working to promote literature and defend freedom of expression around the world. With a dozen permanent staff members and contact with activists all over the globe, the need for efficient collaboration tools and internal data sharing is strong. In addition, in being committed to defending civil rights, PEN International handles information that is often sensitive and must be protected from adversaries.

To fulfill these needs, the organization replaced its in-office Windows server with a dedicated remote machine equipped with Caisleán, an eQualit.ie-developed set of Ansible recipes for secure self-hosting. The former setup was proving unsatisfactory, notably in terms of reliability, security and flexibility. This article borrows from our experience setting up Caisleán for PEN’s use case and provides insights into the migration process from a Windows Server environment.

Working with eQualit.ie in a consultative manner meant that a staff team with limited experience of IT were able to avail themselves of a service which has contributed to improving the security of our information and communications, as well as contributing to increased productivity of the entire staff team. ♣

Use case and issues

The primary role played by the office server was file sharing through Windows network folders, a convenient way to access common resources on a local network. Each staff member had an individual account to connect to the Active Directory and access the shared folders.

The setup was considered unreliable: workstations randomly lost access to network folders, and the server needed frequent reboots due to crashes. Security was also a concern: no disk encryption, low physical security of the server, doubts about whether it was equipped with proper anti-virus software, and a lack of trust towards proprietary software (a common scenario). In addition, the setup was designed primarily as an internal office network, and staff working remotely could not access the shared storage.

Prior to the migration to a secure online system, we were experiencing frequent downtimes when access to the shared drive crashed, which impacted on our ability to carry out our work. Additionally, it was often difficult for staff to access the shared drive remotely. Now we have next to no down times and staff are able to access the shared drives remotely as if they were in the office.

Our approach was to adapt Caisleán services to a remote server, hosted in a professional data centre with removable backup storage. Its configuration would replicate what Active Directory had provided, while solving some of the crucial security issues and introducing remote access.

Adapting and setting up Caisleán for remotely accessed shared folders

Windows network folders can be set up on a GNU/Linux server thanks to Samba. Mimicking local network folder sharing on a remote server is possible by making clients connect through an OpenVPN tunnel. Finally, OpenLDAP can store user accounts and thus be used as an authentication backend for Samba and OpenVPN.

Caisleán is aimed at organizations with multiple users who wish to store and share their data with ease and security. Caisleán already provided working setups for OpenLDAP and OpenVPN, along with security-related hardening. Stacking Samba on top of this code base required the following changes:

  • implementing template configuration files and Ansible tasks to set up Samba, configured for LDAP-based authentication
  • setting up the creation of a Samba-compatible LDAP tree for user accounts and the installation of Samba-LDAP specific user management tools
  • connecting OpenVPN to OpenLDAP to allow password-based VPN access
  • setting up a restricted Usermin version to allow easy password update.
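As an added illustration of the integration steps just listed, here is a minimal Ansible play in the style of the Caisleán recipes; it is not Caisleán’s own code. The host group, DNs, VPN subnet, group names and the two password variables (ldap_admin_password and vpn_reader_password, expected to come from a vault) are assumptions, and the OpenVPN side uses the openvpn-auth-ldap plugin as packaged by Debian.

```yaml
# Added example (not Caisleán's own recipe): Samba shares and OpenVPN password
# logins, both backed by the OpenLDAP tree. Names, DNs and subnet are assumed.
- name: Samba shares and OpenVPN, both authenticating against OpenLDAP
  hosts: fileserver
  become: true
  vars:
    base_dn: "dc=pen,dc=example"
    ldap_admin_dn: "cn=admin,dc=pen,dc=example"
    vpn_subnet: "10.8.0.0/24"        # clients reach Samba only through the tunnel
  tasks:
    - name: Install Samba, the smbldap user-management tools and the OpenVPN LDAP plugin
      apt:
        name: [samba, smbldap-tools, openvpn, openvpn-auth-ldap]
        state: present

    - name: Samba with LDAP as its only password backend
      copy:
        dest: /etc/samba/smb.conf
        content: |
          [global]
            workgroup = PEN
            security = user
            passdb backend = ldapsam:ldap://127.0.0.1
            ldap suffix = {{ base_dn }}
            ldap user suffix = ou=Users
            ldap group suffix = ou=Groups
            ldap admin dn = {{ ldap_admin_dn }}
            hosts allow = 127.0.0.1 {{ vpn_subnet }}
            hosts deny = 0.0.0.0/0
          [shared]
            path = /srv/shared
            valid users = @staff
            writable = yes
            create mask = 0660
            directory mask = 0770
      notify: restart smbd

    - name: Hand Samba the LDAP admin password (kept in secrets.tdb, not in smb.conf)
      command: smbpasswd -w "{{ ldap_admin_password }}"
      no_log: true

    - name: OpenVPN password check against LDAP, limited to one group
      copy:
        dest: /etc/openvpn/auth/ldap.conf
        mode: "0640"
        content: |
          <LDAP>
            URL       ldap://127.0.0.1
            BindDN    cn=vpn-reader,{{ base_dn }}
            Password  {{ vpn_reader_password }}
            Timeout   15
          </LDAP>
          <Authorization>
            BaseDN        "ou=Users,{{ base_dn }}"
            SearchFilter  "(uid=%u)"
            RequireGroup  true
            <Group>
              BaseDN           "ou=Groups,{{ base_dn }}"
              SearchFilter     "(cn=vpn-users)"
              MemberAttribute  memberUid
            </Group>
          </Authorization>

    - name: Load the plugin; certificate checks stay in place
      lineinfile:
        path: /etc/openvpn/server.conf
        line: plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
  handlers:
    - name: restart smbd
      service:
        name: smbd
        state: restarted
```

Two choices in this play are worth keeping in any real deployment: the LDAP admin password is handed to Samba with smbpasswd -w and lives in secrets.tdb rather than in a world-readable smb.conf, and the plugin is added to the OpenVPN server configuration without removing certificate verification, so clients still present their certificate and simply add auth-user-pass for the LDAP password, giving two factors instead of swapping one for the other. Because Samba only accepts connections from the VPN subnet, SMB traffic never crosses the Internet outside the tunnel.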

Pushing the newly adapted version of Caisleán to the server resulted in a fully functioning VPN with user authentication and file sharing. To increase security, the server was set up with full disk encryption (FDE); the Caisleán repository provides documentation for setting up FDE on a remote server.

The final step was to migrate the data to the new server to finally be able to fully decommission the office server.

Migrating

Migrating the data and updating workstations’ configuration was the longest and most difficult part of the process.

Data migration

With 300GB worth of data, transferring PEN International’s files from their office to the new server was a challenge in itself. After a night-long copy onto a portable hard disk followed by a roam through a traffic-jammed London undergoing a tube strike, it was finally possible to upload the data from a reliable Internet connection.

User accounts transfer

It was important that everyone with an account on the office server kept their user names on the new system. It is conveniently possible to dump the content of a whole Active Directory tree to an LDIF file using a Windows built-in tool. After dumping the office server Active Directory tree, the generated LDIF files were used to re-create user accounts in the new server’s LDAP.

The occasion was also used to purge obsolete user accounts, as the presence of such accounts is generally a weakening factor for security.
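As an added example (not code from the PEN migration or from the Caisleán repository), here is one way to perform the two steps just described in Python: parse an LDIF dump of Active Directory user objects, re-create the enabled ones as OpenLDAP posixAccount/inetOrgPerson entries, and drop disabled accounts on the way instead of carrying them over. The sample dump is constructed; the `ou=users` branch, the starting uidNumber and gid 100 are assumptions.

```python
import base64, re

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts
# Constructed sample shaped like an LDIF dump of an AD user tree (not real data).
AD_LDIF = """\
dn: CN=Ann Example,OU=Staff,DC=example,DC=org
objectClass: user
sAMAccountName: aexample
givenName:: QW5u
sn: Example
userAccountControl: 66048

dn: CN=Old Intern,OU=Staff,DC=example,DC=org
objectClass: user
sAMAccountName: ointern
sn: Intern
userAccountControl: 514
"""

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; unfolds continuation lines
    (leading space) and decodes base64 values (the '::' form AD uses)."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text.strip())):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:]).decode("utf-8")
            entry.setdefault(name, []).append(value.strip())
        entries.append(entry)
    return entries

def convert_accounts(entries, base_dn, first_uid=10000, gid=100):
    """Map enabled AD user objects to posixAccount/inetOrgPerson entries for
    OpenLDAP; disabled accounts are skipped. Returns (ldif_text, skipped)."""
    out, skipped = [], []
    for e in (x for x in entries if "user" in x.get("objectClass", [])):
        username = e["sAMAccountName"][0]
        if int(e.get("userAccountControl", ["0"])[0]) & UF_ACCOUNTDISABLE:
            skipped.append(username)  # obsolete account: purge, do not import
            continue
        cn = " ".join(e.get("givenName", []) + e["sn"])
        out.append("\n".join([
            f"dn: uid={username},ou=users,{base_dn}",  # assumed users branch
            "objectClass: inetOrgPerson", "objectClass: posixAccount",
            f"uid: {username}", f"cn: {cn}", f"sn: {e['sn'][0]}",
            f"uidNumber: {first_uid + len(out)}", f"gidNumber: {gid}",  # gid 100: 'users'
            f"homeDirectory: /home/{username}", "loginShell: /bin/false"]))
    return "\n\n".join(out) + "\n", skipped
```

An AD LDIF dump never contains password hashes, so every imported user has to set a fresh password after the import, which is where the password update tool mentioned above comes in. Samba’s own attributes (the sambaSamAccount class) are not generated here and would be added with the Samba-LDAP user management tools.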

Reconfiguration of workstations

Workstation logon was controlled by the office server holding all user accounts. With the accounts becoming remote and shared folders becoming accessible from anywhere, binding workstation access to a centralized local server no longer made sense.

Nevertheless, as commonly observed in this kind of setup, each workstation held local user data for remotely controlled users: e-mail accounts and cache, web browsing data, application preferences, etc. At the same time, users were prevented from logging on if the workstation could not contact the logon server, making this data inaccessible through the normal logon process. Before unplugging the office server, local accounts thus had to be created on workstations, and data stored on workstations associated with remotely controlled accounts had to be moved to these local accounts.

This process of disconnecting workstations from the local Windows domain proved to be cumbersome, especially as the Windows registry had to be edited. Thanks to a live GNU/Linux distribution together with registry editing tools like chntpw, hivex and FRED, all account data could finally be properly migrated. This was a fairly tiresome process involving repeated manual operations on fifteen workstations.

In the end, a local account could be used on each workstation. OpenVPN was installed and configured to connect to the remote server and ask for the user’s credentials, subsequently making the Samba shared folders accessible.

At this point, all workstations had become fully independent from the office server.

Office server decommissioning

Fully decommissioning the office server firstly required transferring its secondary roles to other devices: DHCP and IP routing were transferred to an already running network appliance, and the printer drivers were uploaded to the remote server.

The final step was to erase the office server’s hard disk data using a live system. The machine’s inability to boot from USB devices was the last obstacle, and required burning a live DVD for the occasion.

Shortly after the migration, we experienced a break-in at our office. The burglars targeted IT equipment, and would previously have been able to access our server, had we still had one on site. However, thanks to the work of eQualit.ie, our information was secure on the cloud, and our back-up drive was in a safe location, thanks to the advice we received.

Conclusion and remaining challenges

PEN International’s office server has been completely replaced, and the staff can share documents from workstations and personal computers. The service is more reliable, provides better data security and can be used from anywhere.

We are also very pleased with the cost savings we have found since the migration. Our server was due to be replaced, so we have avoided the cost of purchasing a new server. Additionally, the level of IT support we have needed has dramatically reduced, leading to further savings.

The main lesson taken from this experience is that the most difficult part was not to set up the new system but to migrate the data and change the configuration of the systems already in place. When migrating a whole set of workstations, a variety of small difficulties have to be anticipated.

A main point of improvement is the integration of the process of connecting to the VPN and accessing the shared folders. As it is now, a user needs to enter credentials to access VPN and subsequently connect to network folders, and a single input would make it more user-friendly but would entail implementation of specific scripts for each operating system.

The PEN case provided the opportunity to implement a Samba-LDAP setup into Caisleán. While functional and available in the repository, improvements are still required to make it applicable in more generic use cases.

♣ All quotes in this article attributed to Ann Harrison, Programme Director, Writers in Prison Committee

CryptoClasses – encryption for the masses!

In 2016 eQualit.ie is relaunching the Techno Activism 3rd Monday (TA3M) events in Montreal. To celebrate this occasion we are offering the inaugural Crypto Class – a rotating smörgåsbord of local digital security experts teaching the public about encryption. This will be a free event concentrating on practical skills and knowledge about encrypting (and decrypting) your email communications. Refreshments will be provided. Stick around to discuss our new project DSS514!

What is it? A practical workshop in an informal setting to teach participants about encrypting their webmail with Mailvelope.

Why? Should you be worried about pervasive Internet surveillance? Do you want to rebuild privacy for your online communications? It’s not that difficult at all! CryptoClasses are regular events built around practical workshops teaching modern and open source methods for online encrypted communications. We will demonstrate why you need this, how to do it, and you will leave the workshop with the skill and confidence to regain some privacy in your digital letters.

Where? The event will be held at StationC

When? January 18th, 18:00 (3rd Monday of the month)

This evening will be held in English. Future events will also be held in French and will cover a broader range of topics to include encrypted messaging and disk storage. Those interested in supporting future CryptoClass events are invited to come and discuss possibilities.

Who? CryptoClass will be led by eQualit.ie, with over a decade of experience teaching activists around the world digital security basics and authors of numerous self-learning guides.

Yes, I want to come! Please RSVP below…

  • TA3M Montreal - CryptoClass

To see a history of past TA3M Montreal events please refer to our archive.

Activists can run independent and secure online services with Caisleán

Small non-profit organizations, civil rights groups and activist clusters use online tools to work collaboratively. Unfortunately, too many rely on centralized platforms that actively monetize their users’ private data. It is crucial for these organizations to switch to self-hosted solutions to keep control of their data and protect users. A system administrator then has to be responsible for maintaining and securing the server on which the services run.

System administration is however not an easy task. Installation, maintenance and user support become more time-consuming and prone to mistakes as the number of services increases: from an e-mail exchanger to a VPN, all have their own configuration specificities and must be functional, while following security best practices.

We are developing Caisleán to address this issue: it aims at quickly installing such services without having to tweak each of their configuration details. Among other services, a multi-user e-mail system, a VPN, an XMPP server and a file-sharing platform can be set up within minutes on a bare Debian system. They are automatically configured according to security best practices, thus helping to provide confidentiality, integrity and authenticity of communications to users.

By decreasing the cost of setting up these tools, Caisleán can help activists and organizations increase their independence, efficiency and security. It comes as a set of Ansible recipes; Ansible is a tool that allows the desired state of a whole system to be described, notably through the use of template configuration files.

Caisleán’s collaborative tools and services

The following services are provided by Caisleán:

  • an e-mail address for every user thanks to Postfix and Dovecot, with access through webmail (using Roundcube) or e-mail client software such as Thunderbird and K-9 Mail;
  • the Prosody XMPP server for instant messaging;
  • web-based file hosting and sharing thanks to Owncloud and the Nginx web server;
  • a blogging platform thanks to WordPress;
  • a VPN service thanks to OpenVPN, to help users evade surveillance or censorship as well as reduce their traceability when browsing the web.

All these services support multiple users thanks to the OpenLDAP backend.

Of course, administrators are free to use only a subset of these services, depending on users’ needs.

Turned towards best security practices

We have made every effort to ensure that the configuration templates follow what we see as best security practices.

To this end, Caisleán firstly improves the security of a bare Debian system, with measures such as:

  • SSH configuration hardening;
  • firewall with iptables and ufw;
  • rootkit and filesystem alteration checking with chkrootkit and rkhunter;
  • e-mail notifications to the administrator when system packages need to be upgraded.

In addition, each service was given time and attention to make sure its configuration provides good security measures to protect users’ privacy and data confidentiality. This includes, for instance:

  • good TLS cipher list on Nginx, Postfix, and all TLS-enabled services;
  • meticulous privilege separation for web-based services and associated PHP processes.

Finally, it bears stating that Caisleán is free and open-source and uses software that is also free and open-source, a necessary condition for peer review and improvement. Far from pretending that Caisleán is bug-free, we hope this will help detect and fix bugs as well as improve the whole system.

Simple to install thanks to Ansible

The use of Ansible allows the setup of all desired services at once without having to configure each of them separately. This helps avoid mistakes and saves precious time.

Installing the services provided by Caisleán on a fresh Debian server consists of these steps:

  • write a few configuration files to tell Ansible which servers Caisleán should be pushed to and which services are desired;
  • perform the manual operations needed as pre-requisites, such as creating TLS private keys or setting up your DNS to allow your server to be an e-mail exchanger for your domain;
  • finally, run Ansible to automatically set up and configure all services.

The Caisleán repository provides sample configuration files as well as full documentation of the parameters or manual operations that certain services require.

Save time and energy for other security-related issues

System administrators should remember that a system that is presented as “secure” still always requires mindful behavior in order to preserve security and privacy of data and users.

Saying that Caisleán is secure means that we try as much as possible to provide software configuration that minimizes the attack surface.

In doing so, we hope that system administrators will be able to focus on other crucial responsibilities: keeping servers up to date, keeping important passwords safe, staying on top of installed WordPress plugins, raising users’ awareness about their personal password policy, etc.

Give it a try

Take a look and give it a try now by fetching Caisleán’s sources from its GitHub repository.

If you have questions or comments, feel free to contact us and/or submit a GitHub issue.