Category: Network Hacking

Dec 20 2011

DeSopa – DNS Evasion to Stop Oppressive Policy in America

Powerful special interests are attempting to force legislation for tighter control of the Internet, because they believe such legislation will preserve their power. The bill they have sponsored, SOPA (Stop Online Piracy Act), not only has severe consequences for the Internet, it doesn’t even achieve their objectives.

The Internet creates market efficiencies that force industries to adapt, thus pushing forward progress for humanity as a whole. Public freedoms should not be curtailed, and the Internet, built by the masses, should not be destroyed so that a powerful few may have a false sense of security that their business models are sustainable without technological evolution.

This program is a proof of concept that SOPA will not help prevent piracy. The program, implemented as a Firefox extension, simply contacts offshore domain name resolution services to obtain the IP address for any desired website, and accesses those websites directly via IP. Similar offshore resolution services will eventually maintain their own cache of websites, without blacklisting, in order to meet the demand created by SOPA.

If SOPA is implemented, thousands of similar and more innovative programs and services will sprout up to provide access to the websites that people frequent. SOPA is a mistake. It does not even technically help solve the underlying problem, as this software illustrates. What it will do is give undue leverage to predatory organizations, cripple innocent third party websites, severely dampen digital innovation and negatively impact the integrity and security of the Internet.

Please bring this to the attention of congressmen responsible for voting on SOPA. SOPA will not technically achieve its stated objectives. Anyone voting in favor of it is morally responsible for destroying the freedoms, innovation, hard work and aspirations of many.

HOW TO USE
– Enable the Status/Add-on bar if it is not enabled (View->Toolbars->Add-on bar)
– Click on the light blue DeSopa button in the Status/Add-on bar, at the bottom of the browser window, to access websites by IP.
– Click the green DeSopa button to switch back to DNS resolution.

KNOWN LIMITATIONS
– Can only resolve tabs one at a time.
– First-time resolution is a bit slow because three services are checked serially and compared. This may be done in parallel in the future, or a trusted single source may be used.

HOW IT WORKS
When turned on, DeSopa intercepts URLs, sends the base URL to three offshore DNS services via HTTP, makes a best effort to check that two of them are equivalent, caches the IP for the browser session, redirects to the equivalent URL using the IP, and substitutes out the domain name in the source code with the IP address for future requests.
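The resolution logic described above (query several independent services, accept an answer only when two of them agree, cache it for the session, then rewrite the URL to use the IP) as an added Python example; this is not the extension's own code, and the three resolver backends are constructed stubs standing in for the HTTP resolution services. The same quorum check is what flags a single service returning a divergent answer.

```python
from collections import Counter
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]  # domain -> IPv4 string, or None on failure


class ConsensusResolver:
    """Resolve a domain through several services and accept an answer only when
    at least `quorum` of them agree (DeSopa checks two of three). Answers are
    cached for the lifetime of this object, i.e. one browser session."""

    def __init__(self, resolvers: List[Resolver], quorum: int = 2):
        if quorum > len(resolvers):
            raise ValueError("quorum cannot exceed the number of resolvers")
        self.resolvers, self.quorum = resolvers, quorum
        self.cache: Dict[str, str] = {}

    def resolve(self, domain: str) -> Optional[str]:
        if domain in self.cache:
            return self.cache[domain]
        votes: Counter = Counter()
        for service in self.resolvers:            # serial, as in DeSopa 1.2
            try:
                answer = service(domain)
            except Exception:                      # a dead service is simply a non-vote
                answer = None
            if answer:
                votes[answer] += 1
                if votes[answer] >= self.quorum:   # stop as soon as quorum is reached
                    self.cache[domain] = answer
                    return answer
        return None                                # no agreement: caller falls back to DNS

    @staticmethod
    def rewrite_url(url: str, domain: str, ip: str) -> str:
        """Swap the host name for the resolved IP, keeping scheme, port and path."""
        scheme, sep, rest = url.partition("://")
        host, slash, path = rest.partition("/")
        if host.split(":")[0] != domain:
            return url
        return f"{scheme}{sep}{ip}{host[len(domain):]}{slash}{path}"


# Constructed answers for three stand-in services (RFC 5737 test addresses).
# For example.net the third service disagrees; for split.example nobody agrees.
_constructed_table = {
    "example.net": ["192.0.2.10", "192.0.2.10", "198.51.100.7"],
    "split.example": ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
}

def _make_stub(index: int) -> Resolver:
    return lambda domain: _constructed_table.get(domain, [None] * 3)[index]

STUB_RESOLVERS = [_make_stub(i) for i in range(3)]


def demo() -> Optional[str]:
    r = ConsensusResolver(STUB_RESOLVERS)
    ip = r.resolve("example.net")
    return r.rewrite_url("http://example.net:8080/index.html", "example.net", ip) if ip else None
```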

Add to Firefox: DeSopa 1.2

Oct 26 2011

Duqu Trojan – FAQs

An emerging malware threat identified as the Duqu trojan has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010.

What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.

Duqu Vs Stuxnet

Attribute | Duqu | Stuxnet
Infection Methods | Unknown | USB (Universal Serial Bus), PDF (Portable Document Format)
Dropper Characteristics | Installs signed kernel drivers to decrypt and load DLL files | Installs signed kernel drivers to decrypt and load DLL files
Zero-days Used | None yet identified | Four
Command and Control | HTTP, HTTPS, Custom | HTTP
Self Propagation | None yet identified | P2P (Peer to Peer) using RPCs (Remote Procedure Call), Network Shares, WinCC Databases (Siemens)
Data Exfiltration | Add-on, keystroke logger for user and system info stealing | Built-in, used for versioning and updates of the malware
Date triggers to infect or exit | Uninstalls self after 36 days | Hard coded, must be in the following range: 19790509 => 20120624
Interaction with Control Systems | None | Highly sophisticated interaction with Siemens SCADA control systems

The facts observed through software analysis are inconclusive in terms of proving a direct relationship between Duqu and Stuxnet at any other level.

Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu’s primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.

Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary’s ability to gather intelligence from an infected computer and the network. Any specific market segments, technologies, organizations or countries targeted by the Duqu malware have not yet been identified.

What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control (C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses the 206.183.111.97 IP address as its C2 server. This IP address is located in India and has been shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org domain name. The resulting IP address is not used for communications, so this lookup may serve as a simple Internet connectivity check. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.

The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present on a single infected computer.

Name | File Size | MD5
jminet7.sys | 24,960 bytes | 0eecd17c6c215b358b7b872b74bfd80
netp191.pnf | 232,448 bytes | b4ac366e24204d821376653279cbad8
netp192.pnf | 6,750 bytes | 94c4ef91dfcd0c53a96fdc387f9f9c3
cmi4432.sys | 29,568 bytes | 4541e850a228eb69fd0f0e924624b24
cmi4432.pnf | 192,512 bytes | 0a566b1616c8afeef214372b1a0580c
cmi4464.pnf | 6,750 bytes | e8d6b4dadb96ddb58775e6c85b10b6c
<unknown> (sometimes referred to as keylogger.exe) | 85,504 bytes | 9749d38ae9b9ddd81b50aad679ee87e
nfred965.sy | 24,960 bytes | c9a31ea148232b201fe7cb7db5c75f5
nred961.sys | unknown | f60968908f03372d586e71d87fe795c
adpu321.sy | 24,960 bytes | 3d83b077d32c422d6c7016b5083b9fc
iaStor451.sys | 24,960 bytes | bdb562994724a35a1ec5b9e85b8e054f

The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.
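The monitoring advice above (watch for lookups of the connectivity-check domain and connections to the C2 address) and the “~DQ” temp-file artefact, worked into detection logic as an added Python example that is not part of the original FAQ. The log lines and directory listing are constructed; a real deployment would swap in regexes for its own DNS and firewall log formats.

```python
import re
from typing import Dict, Iterable, List

# Indicators quoted in the FAQ above.
DUQU_C2_IP = "206.183.111.97"
DUQU_CHECK_DOMAIN = "kasperskychk.dyndns.org"
DUQU_TEMP_PREFIX = "~DQ"

# Constructed sample lines in a simple "timestamp host event ..." format.
SAMPLE_LOG = """\
2011-10-20T09:14:02 ws17 dns query A kasperskychk.dyndns.org
2011-10-20T09:14:03 ws17 fw allow tcp 10.1.4.17:49211 -> 206.183.111.97:80
2011-10-20T09:14:05 ws22 dns query A www.example.com
2011-10-20T09:14:09 ws22 fw allow tcp 10.1.4.22:49300 -> 198.51.100.20:443
""".splitlines()

# Constructed listing of a Windows temp directory on one workstation.
SAMPLE_TEMP_LISTING = ["~DQ3a7f.tmp", "~DF1C2E.tmp", "wct5F1.tmp"]

DNS_RE = re.compile(r"^(\S+) (\S+) dns query \S+ (\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) fw \S+ \S+ \S+ -> (\d+\.\d+\.\d+\.\d+):\d+$")


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that touches a Duqu network indicator."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m and m.group(3).lower() == DUQU_CHECK_DOMAIN:
            hits.append({"time": m.group(1), "host": m.group(2), "indicator": "dns:" + DUQU_CHECK_DOMAIN})
            continue
        m = FW_RE.match(line)
        if m and m.group(3) == DUQU_C2_IP:
            hits.append({"time": m.group(1), "host": m.group(2), "indicator": "c2:" + DUQU_C2_IP})
    return hits


def hosts_to_investigate(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group network hits by host so each machine gets one triage entry."""
    by_host: Dict[str, List[str]] = {}
    for hit in scan_log(lines):
        by_host.setdefault(hit["host"], []).append(hit["indicator"])
    return by_host


def suspicious_temp_files(names: Iterable[str]) -> List[str]:
    """Temp files beginning with ~DQ, the artefact the name 'Duqu' comes from."""
    return [n for n in names if n.startswith(DUQU_TEMP_PREFIX)]
```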

How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems like the Stuxnet worm could.

Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.

Oct 24 2011

THC SSL DOS Tool Released

THC-SSL-DOS is a tool to verify the performance of SSL.

Establishing a secure SSL connection requires 15x more processing power on the server than on the client.

THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

This problem affects all SSL implementations today. Vendors have been aware of it since 2003, and the topic has been widely discussed.

This attack further exploits the SSL secure renegotiation feature to trigger thousands of renegotiations via a single TCP connection.

Download:
Windows binary : thc-ssl-dos-1.4-win-bin.zip
Unix Source : thc-ssl-dos-1.4.tar.gz

Use “./configure; make all install” to build.

Usage:
./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Comparing Flood DDoS vs. SSL-Exhaustion Attack:
A traditional flood DDoS attack cannot be mounted from a single DSL connection.
This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server.

This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link.

Traditional DDoS attacks based on flooding are suboptimal: servers are prepared to handle large amounts of traffic, and clients are constantly sending requests to the server even when not under attack.

The SSL handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large numbers of SSL handshakes.

The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for WhiteHats:
– The average server can do 300 handshakes per second. This would require 10-25% of your laptop’s CPU.
– Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
– Be smart in target acquisition: the HTTPS port (443) is not always the best choice. Other SSL-enabled ports are less likely to sit behind an SSL accelerator (POP3S, SMTPS, … or the secure database port).

Countermeasures:
No real solution exists. The following steps can mitigate (but not solve) the problem:
– Disable SSL-Renegotiation
– Invest into SSL Accelerator

Either of these countermeasures can be circumvented by modifying THC-SSL-DOS. A better solution is desirable. Somebody should fix this.
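A way to verify the first countermeasure on a server you administer, as an added Python example that is not part of the THC release: open one connection with `openssl s_client`, ask for a single client-initiated renegotiation by feeding it the `R` command, and classify the transcript. The marker strings (`Secure Renegotiation IS supported`, `RENEGOTIATING`, a fresh `verify return:` line when the renegotiation completes) are an assumption about s_client's output that should be re-checked against your OpenSSL build; the two sample transcripts are constructed.

```python
import re
import subprocess
from typing import Dict

# Constructed transcripts of what s_client prints in the two cases.
SAMPLE_RENEGO_ALLOWED = """\
Secure Renegotiation IS supported
RENEGOTIATING
depth=0 CN = www.example.net
verify return:1
"""
SAMPLE_RENEGO_REFUSED = """\
Secure Renegotiation IS supported
RENEGOTIATING
SSL routines:ssl3_read_bytes:sslv3 alert no renegotiation
"""


def classify(s_client_output: str) -> Dict[str, object]:
    """Does the server advertise secure renegotiation (RFC 5746), and did a
    client-initiated renegotiation go through? Assumes s_client echoes
    "RENEGOTIATING" on 'R' and re-runs certificate verification on success."""
    head, marker, tail = s_client_output.partition("RENEGOTIATING")
    secure = "Secure Renegotiation IS supported" in head
    if not marker:
        client_renego = "not attempted"
    elif re.search(r"^verify return:", tail, re.M):
        client_renego = "completed"      # server still honours client renegotiation
    else:
        client_renego = "refused"        # mitigation in place (alert / handshake error)
    return {"secure_renegotiation": secure, "client_renegotiation": client_renego}


def probe(host: str, port: int = 443, timeout: int = 15) -> Dict[str, object]:
    """Run one s_client session against your own server and classify it.
    Renegotiation does not exist in TLS 1.3, so pin an older protocol
    (e.g. add "-tls1_2") if the server would otherwise negotiate 1.3."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}"],
        input="R\n", capture_output=True, text=True, timeout=timeout,
    )
    return classify(proc.stdout + proc.stderr)
```

A result of `completed` means a single connection can still drive repeated handshakes at the server; `refused` is what you want to see after disabling renegotiation.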

Aug 13 2011

DDoS and Hacking Services for Sale

According to Daniel Krebs, an independent security researcher, hackers have begun openly competing with one another by offering DDoS (distributed denial-of-service) services that can take websites offline. Signalnews reported this on August 2, 2011.

Apparently, several underground forums exist on which members advertise their skills at carrying out devastating DDoS attacks in return for payment.

Krebs writes that the various DDoS services are priced in much the same range, and that the average price for taking a website offline is astonishingly low. The prices for DDoS attack services are $5-$10 per hour; $40-$50 per day; $350 to $400 per week; and $1,200 and above per month. InfoSecurity published this on August 2, 2011.

For their attacks, the hackers chiefly use botnets, while the unwitting owners of the computers remain unaware that their machines have been infected with malware and are being controlled remotely. One DDoS gang advertises a DIY (do-it-yourself) DDoS toolkit that explains how users can easily assemble their own network of bot-infected PCs, complete with a web-based administration panel for remotely monitoring and controlling the compromised PCs, i.e. the bots.

A particular Russian gang estimates that 15-30 bots are required to destabilize small websites, 250-280 for medium-sized ones and 750 to 800 for big websites. For larger sites still, 2,000 to 2,500 bots can overwhelm their DDoS safeguards, while 15,000 to 20,000 bots can crash nearly any web page regardless of the security precautions in place.

Overall, DDoS attack services are for sale against websites of all the sizes above. These attacks are executed via botnets, i.e. networks of malware-infected PCs. Once infected, the average computer user may not be aware that his PC has been turned into a zombie under a hacker’s control and is being used in a DDoS.

Krebs writes that one DDoS gang, which has been around for at least three years, sells a DIY DDoS toolkit that teaches how to build one’s own network of bots; the kit contains a bot builder along with a web-based admin panel.

Jul 22 2011

Anonymous Won’t Publish Stolen NATO Documents

Following the arrest of 16 individuals in the U.S. and five in the U.K. and the Netherlands who are allegedly connected to the various cyber attacks organized by Anonymous, the hacktivist group continues its mission unabated.

According to the claims the group made on their Twitter account, they have managed to hack the servers of the North Atlantic Treaty Organization (NATO) and exfiltrate around one GB of its restricted and confidential documents.

To prove the veracity of their assertions, they have also published two of those documents – one classified as “NATO Restricted” – but said that they would not publish the rest of them as it would be irresponsible of them. NATO has said that its security experts are investigating the group’s claims.

In the meantime, the LulzSec hackers have stated that they are currently working with certain media outlets, which have been granted exclusive access to some of the News of the World emails the group got its hands on. This is despite Anonymous having previously stated that it would not release The Sun emails because they might compromise the ongoing court case against the news corporation.

Sabu, one of the members of LulzSec, has also said that the News International emails are just part of the data the group has in its possession.

Neither group has commented on whether the individuals arrested at the beginning of the week had anything to do with them, except to say that they show respect for the “fallen anons”.