Tuesday, March 06, 2012

‘Hacktivist’ assault on World Youth Day site provides insights

An internet security firm’s report on an apparent anti-Catholic “hacktivism” attack has renewed interest in an assault on World Youth Day computers in August 2011. 

Rafael Rubio, communications director of World Youth Day, said Feb. 28 that the electronic assault that took place during the Aug. 17-21, 2011 event caused some disruptions but that they “survived the attack more or less.”

The hackers’ actions had an effect on days when the server crashed, but event organizers had set up a warning system and a social network system asking volunteers and others to report if they noticed the servers going down.

“(T)hanks to the early warning system we set up on the social networks, we were able to respond to the attacks in real time, and the site was only down for a few hours.”

Rubio said the consequences could have been serious.

“In reality, any kind of attack like this not only could have brought down the website but the mail servers as well, and that really would have caused the collapse of the entire organization,” he said.

The California-based computer security company Imperva has reportedly analyzed the attack in a new report called “The Anatomy of an Anonymous Attack.”

Robert Rachwald, Director of Security Strategies at Imperva, told CNA he would not confirm or deny that the World Youth Day site was the target examined in the report. 

The New York Times said two people briefed on the investigation confirmed that “the Vatican” had been the target, meaning the World Youth Day website www.madrid11.com.

Yago de la Cierva, executive director of the World Youth Day Madrid organizing committee, said Feb. 28 that the attacks were “very limited” in scope.

“They mostly made life hard for accredited journalists, who had to wait longer for their registration and had to receive the translations of the Pope’s words in print, instead of in electronic format. But otherwise, there were no major effects and the pilgrims never noticed anything.”

In mid-2011, hackers posted a video on the World Youth Day website threatening some kind of attack.

The event’s web services provider Telefonica then organized several meetings to reinforce security and to ensure the website had enough capacity to respond to increased traffic.

Rubio was unsure whether Telefonica had contracted with Imperva, though Rachwald said the website examined in the report used an Imperva application firewall product that worked “beautifully.”

The Imperva report found 25 consecutive days of hacker activity: 19 days of preparation, communications and recruitment; four days of reconnaissance and hacking tool attacks; and finally a two-day denial-of-service attack distributed across many computers.

In the recruitment and communications phase, the Anonymous branch created a website and used Twitter and Facebook to publicize it. 

YouTube videos also “rationalized the attack by denigrating the target and exposing perceived transgressions,” Imperva said. 

One such promotional video received over 72,000 views.

The Anonymous campaign “Operation Pharisee” specifically targeted World Youth Day, citing clergy sex abuse as a motive for protest. 

One of the campaign’s recruitment videos used a computer-generated voice and stock video of a man in a Guy Fawkes mask. 

It called Pope Benedict XVI a “Pharisee.”

“It’s outrageous seeing how many young people march like sheep to the Vatican’s orgy that will take place in Madrid,” the English-language video said. 

“It’s humiliating seeing all the crowd in ecstasy, loving Benedict XVI like a god,” it continued, showing a video of cheerful Catholics at a youth event.

The video cited several Bible verses. It attacked the sacrament of confession for encouraging “dependency of souls,” saying that people should confess directly to God. 

The video also charged that the Catholic Church is using Jesus’ image to get rich and that it is hypocritical for the Pope to wear ornate liturgical dress while condemning vanity.

“Prepare your weapons, my dear brother, for this Aug. 17-21,” the video concluded. “We will drop the anger over the Vatican.”

Eighteen days into the attack, a group of “savvy hackers” then evaluated the security of the targeted website, the Imperva report says. 

They used hacking tools and anonymity services to disguise their identity. 

They kept a “low profile,” but still created relatively high internet traffic compared to normal days.

The hackers failed to find vulnerabilities in the website’s applications and fell back on a distributed denial-of-service attack intended to flood the target’s web server with crippling levels of traffic. 

This tactic used recruited individuals to run programs on their computers and mobile devices. 

Many of these recruits did not use anonymity services.

About 500,000 denial-of-service attacks happened on the first day of this phase, while almost 600,000 happened the following day. One PC can generate up to 200 attacks per second.

The Imperva report advised potential targets’ internet security staff to monitor social media for hints of coming attacks.

“Hacktivism is loud by definition,” the report said.

Rachwald said the use of social media is “the only thing that’s really unique about this attack.”

“Typically an attack is not pre-announced,” he explained.

“The big difference with hacktivism in general is they need to recruit and they need to announce ‘We’re going after target X.’”

Such hackers are typically after user data, he explained. 

In one instance, hackers under the banner of Anonymous stole user data from Sony and exposed information on 100,000 credit cards, causing customer outrage and a drop in stock prices. They also exposed police officer data from the San Francisco mass transit system.

“If you steal and expose data, then you can really hurt an organization,” he said. “What they’re looking for is vulnerabilities around data exposure.”

Traditional defenses such as network firewalls, anti-virus programs and intrusion protection cannot be the sole defense, he advised. 

A proper application security program is necessary for websites that transact user information and for e-commerce sites where goods and services are sold.

“Whoever was in charge of security in this case had the foresight to recognize that data would be a target,” Rachwald said. “I think that recognition is really, really important.”

Vatican spokesman Fr. Federico Lombardi reported Feb. 27 that there were “no problems” in the Vatican from the hacker attack because the World Youth Day website systems were “totally independent.”

World Youth Day communications director Rubio characterized the attack as “a waste of time” and “disrespectful.”

He saw the targeting of World Youth Day as “an obvious sign of the worldwide impact that World Youth Day was having at that moment.”

“We never really understood, because the video wasn’t clear either, what they hoped to gain by attacking World Youth Day. I think the only thing they wanted was attention.”