1. WikiLeaks.org back in the USA

    After being taken down two weeks ago, WikiLeaks.org is back up and running in the US.

    The restored site has been hosted by Silicon Valley Web Hosting since Friday night, but does not appear to be serving any of the leaked cables or other content that it used to hold. Instead, the site immediately redirects visitors to a WikiLeaks mirror hosted in Russia.

    Nonetheless, it is surprising to see WikiLeaks.org being hosted in the US again, even if it is only being used to redirect traffic. Two weeks ago, Amazon decided to remove hosting services from WikiLeaks. After the domain had been pointed to a new hosting location in Europe, EveryDNS then took the site down by terminating DNS services used by the WikiLeaks.org domain, preventing the domain name being resolved into an IP address. Joe Lieberman of the United States Senate Committee on Homeland Security and Government Affairs urged other companies to make similar decisions, saying "No responsible company – whether American or foreign – should assist Wikileaks in its efforts to disseminate these stolen materials."

    The WikiLeaks.org domain name also uses a US company, Dynadot, as its registrar and DNS provider. The domain registration was last updated on 10 December 2010 and is not due to expire until 2018.

    Posted by Paul Mutton on 14th December, 2010 in Around the Net

  2. Operation Payback’s next DDoS target: Fax machines

    Operation Payback has begun a new fax-based campaign against some of the companies who decided to distance themselves from WikiLeaks. As part of its new Leakflood mission, the Anonymous group of 'hacktivists' is encouraging its members to send a large number of faxes to Amazon, MasterCard, Moneybookers, PayPal, Visa and Tableau Software.

    This latest campaign by the Anonymous group is analogous to the distributed denial of service attacks it has been carrying out against websites over the past week. In essence, this has turned into a DDoS attack against fax machines. The group started the fax-attacks today at 13:00 GMT and published a list of target fax numbers in their call to arms:

    The Anonymous collective are being encouraged to send faxes of random WikiLeaks cables, letters from Anonymous, Guy Fawkes, and the WikiLeaks logo to the target fax numbers all day long. It is not clear how many people are taking part in the attacks, but an IRC channel set up to provide information about the campaign contained 73 users just a few hours after the fax-attacks started.

    As well as dishing out attacks, the group has also found itself under attack for supporting WikiLeaks. Many users were knocked off its IRC network after its servers came under attack this morning. It is also understood that the anonops.eu domain (which used to announce the locations of IRC servers and the current attack target) has also come under attack and is currently unavailable.

    We have already witnessed website attacks against each of the fax targets, apart from Tableau Software. Two weeks ago, this company removed graphs published by WikiLeaks to its free Tableau Public data visualisation tool. A statement on the Tableau Software website admits this decision was taken as a result of political pressure:

    "Our decision to remove the data from our servers came in response to a public request by Senator Joe Lieberman, who chairs the Senate Homeland Security Committee, when he called for organizations hosting WikiLeaks to terminate their relationship with the website"

    The poster instructs participants in the attack to use the MyFax free fax service at http://myfax.com/free/, and recommends using a proxy to keep Anonymous, well, anonymous.

    Real-time performance graphs for websites that have been involved (or may become involved) in the WikiLeaks attacks can be monitored at http://uptime.netcraft.com/perf/reports/performance/wikileaks; however, Netcraft is not monitoring any of the fax machines.

    Posted by Paul Mutton on 13th December, 2010 in Around the Net

  3. Amazon goes offline in Europe

    Amazon.co.uk, Amazon.de, Amazon.fr, Amazon.it and Amazon.at suffered approximately half an hour of downtime at around 21:15 GMT. The cause is not yet apparent, although all of these sites share one thing in common: they are all hosted at Amazon's data centre in Ireland.

    Amazon's service health dashboard reported elevated error rates and latencies for the EC2 APIs in the EU-WEST-1 region, so many other sites may have been affected (Amazon accounts for more than a third of all web-facing computers in Ireland).

    The Anonymous group behind Operation Payback had intended to carry out another attack against Amazon after last week's attempt failed to have any impact on Amazon.com. However, the websites and IRC servers operated by Anonymous suggest that the current target is still mastercard.com.

    Real-time performance graphs for these Amazon sites can be viewed at http://uptime.netcraft.com/perf/reports/performance/wikileaks

    Posted by Paul Mutton on 12th December, 2010 in Around the Net

  4. MasterCard goes down as Anonymous launch 2nd attack

    MasterCard.com has been taken down after a second distributed denial of service attack by Anonymous. The first attack occurred 3 days ago, after which Visa and PayPal were also successfully attacked.

    MasterCard's payment processing systems were affected during the first DDoS attack on Wednesday, with many consumers reporting that they were unable to pay for goods online. Businesses reported a corresponding drop in trade during that first attack.

    Anonymous struck out against MasterCard after the credit card giant announced a move to ensure that WikiLeaks would not be able to accept payments using MasterCard-branded products. Anonymous also tried to attack Amazon.com in retaliation for terminating WikiLeaks' EC2 web hosting services, but the first attempt did not succeed.

    This second attack against MasterCard was announced in IRC channels, on Twitter and on http://anonops.eu. The group's previous website was suspended on Wednesday. The new site is hosted at OVH in France, where wikileaks.ch is also hosted.

    IRC remains an important component in the group's command and control structure. Thousands of volunteers have installed the LOIC attack software, which receives its next attack instructions from the group's IRC network.

    The total number of computers involved in these attacks is unclear, as some volunteers have been experiencing difficulties connecting to the IRC network and so have been running the software manually. Additional volunteers have also been using a browser-based version of the attack tool, which can be run without having to install any software. Some of the previous attacks have involved at least 2,000 computers.

    The group's IRC network has continued to grow and is now spread across 18 servers. Not only does this allow more users to connect, but it also makes the IRC network more resilient to attacks and other outages.

    This latest attack against MasterCard was initially directed towards www.mastercard.com. A few hours later, the target was changed to mastercard.com, which was served from a different IP address. When www.mastercard.com became accessible again, the homepage contained the following statement ...

    "MasterCard has made significant progress in restoring full-service to its corporate website. Our core processing capabilities have not been compromised and cardholder account data has not been placed at risk. While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally."

    ... however, its corporate website at mastercard.com then became innaccessible due to the DDoS attack.

    Real-time performance graphs for www.mastercard.com, mastercard.com and several other sites involved in the WikiLeaks attacks can be monitored at http://uptime.netcraft.com/perf/reports/performance/wikileaks

    Posted by Paul Mutton on 12th December, 2010 in Around the Net

  5. Moneybookers.com taken down by DDoS attacks

    Moneybookers.com is the latest site to be taken down by the ongoing WikiLeaks-related attacks.

    The attack was organised to start at 09:20 GMT on Friday, but did not appear to have any immediate impact; however, the site eventually succumbed shortly after 11:00.

    This latest attack was announced in advance on Operation Payback's Twitter stream. Moneybookers had previously collected WikiLeaks donations, but closed down their account after WikiLeaks was put on an official US watchlist and an Australian government blacklist.

    Real-time performance graphs for www.moneybookers.com and several other sites involved in the WikiLeaks attacks can be monitored at http://uptime.netcraft.com/perf/reports/performance/wikileaks

    Posted by Paul Mutton on 10th December, 2010 in Around the Net

  6. Operation Payback aborts attack against Amazon.com

    The scheduled attack against Amazon.com has been called off after it failed to make any impact on the site's performance.

    The Anonymous group decided the "hive" of computers in its botnet was not big enough to take on the might of Amazon, who are evidently quite good at providing highly scalable web hosting services, not just on their own website, but also on their EC2 service. Their European datacenter, which formerly hosted the WikiLeaks website, accounts for more than a third of all internet-facing web servers in Ireland.

    Operation Payback still intend to carry out a distributed denial of service attack against Amazon.com, but appear unable do so without more volunteers taking part in their botnet. The botnet currently contains around 2000 computers, each of which can receive attack commands from the group's IRC network.

    It is likely that other computers are also involved in the attacks. The group's network of IRC servers is under a fair amount of load, with some servers refusing connections, and others already at their user limits. To solve this problem, some 'hacktivists' are instead using a browser-based JavaScript version of the LOIC tool. Clicking on the "IMMA CHARGING MAH LAZER" button causes the page to make a large volume of requests to the target site.

    Posted by Paul Mutton on 9th December, 2010 in Around the Net