InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Research In Motion's co-CEOs Mike Lazaridis and Jim Balsillie have quit after a tumultuous period at the company, which saw intense competition, and a long services outage at the maker of the BlackBerry.

Last week's denial of service attack against the Department of Justice (justice.gov), the FBI (fbi.gov) and other sites didn't just rely on Anonymous's favorite tool, Low Orbit Ion Cannon. Instead, a new method was employed to recruit denial of service clients.
The new method uses some pretty simple JavaScript to launch the attack. The followers are usually requested to visit a particular web page. The page includes a simple form to adjust the denial of service attack parameters, but it launches the attack with default parameters as soon as the page is opened in the browser.

IMPORTANT: The script will start running as soon as the user visits the page. You do not have to press the fire button.

var requestedCtrNode = document.getElementById("requestedCtr"),
    succeededCtrNode = document.getElementById("succeededCtr"),
    failedCtrNode = document.getElementById("failedCtr"),
    targetURLNode = document.getElementById("targetURL");

// requests hash table, may come in handy later

Originally, I figured the attack may take advantage of XMLHttpRequest. Instead, the code takes a simpler route. It just changes an image URL to a URL on the attacked page. I suspect that this method is more reliable as it does not require the client to implement XMLHttpRequest Level 2 or XDomainRequest but should work with pretty much any client.
It will not necessarily retrieve an actual image, but just whatever URL was targeted, followed by an id parameter and a msg (which is also set by the user). This format should make it pretty easy to filter the attacks at a web application firewall. Even other content-sensitive firewalls should be able to deal with this.
Sample weblog:

GET /?id=1327271393334msg=No%20A%20la%20CENSURA%20EN%20INTERNET%A1%A1%A1
HTTP/1.1 200 8395

In order to prevent crashing the browser, the script will limit the number of outstanding requests. The script attempts to send 5,000 requests per second. I tested it directing my requests to a lab web server across a pretty slow VPN connection. It managed to create about 5 requests per second. The referer for the request will be the URL of the attack page. The user's user agent is not altered.
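The filtering idea described above, as an added example (not code from the original diary or from the attack page): a log scan that matches the id/msg request shape and tallies hits per client and per Referer. The log lines, addresses and the attack-page.example referer are constructed, and treating id as exactly 13 digits is an assumption taken from the sample weblog line.

```javascript
// Added example: flags the request shape shown in the sample weblog.
// Assumption: "id" is always 13 digits, as in the sample line.
// "&" is optional because the sample shows "id=...msg=..." without it.
const FLOOD_QUERY = /^[^?\s]*\?id=\d{13}&?msg=[^\s]*$/;

function isFloodRequest(target) {
  return FLOOD_QUERY.test(target);
}

// Parses one "combined" format access log line; returns null if it does not fit.
const COMBINED = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], target: m[3], status: Number(m[4]), referer: m[5] };
}

// Counts matching requests per client and per Referer. The Referer is the
// page hosting the script, so frequent Referer values are candidates for a
// block rule; clients at or above minHits are reported.
function summarize(lines, minHits) {
  const byClient = new Map();
  const byReferer = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.method !== "GET" || !isFloodRequest(rec.target)) continue;
    byClient.set(rec.ip, (byClient.get(rec.ip) || 0) + 1);
    byReferer.set(rec.referer, (byReferer.get(rec.referer) || 0) + 1);
  }
  const clients = [...byClient].filter(([, n]) => n >= minHits).map(([ip]) => ip).sort();
  return { clients, referers: Object.fromEntries(byReferer) };
}

// Constructed sample log (documentation addresses, placeholder referer).
const SAMPLE_LOG = [
  '192.0.2.10 - - [22/Jan/2012:22:29:53 +0000] "GET /?id=1327271393334&msg=No%20A%20la%20CENSURA HTTP/1.1" 200 8395 "http://attack-page.example/" "Mozilla/5.0"',
  '192.0.2.10 - - [22/Jan/2012:22:29:53 +0000] "GET /?id=1327271393341&msg=No%20A%20la%20CENSURA HTTP/1.1" 200 8395 "http://attack-page.example/" "Mozilla/5.0"',
  '192.0.2.10 - - [22/Jan/2012:22:29:54 +0000] "GET /?id=1327271394002msg=No%20A%20la%20CENSURA HTTP/1.1" 200 8395 "http://attack-page.example/" "Mozilla/5.0"',
  '198.51.100.7 - - [22/Jan/2012:22:29:54 +0000] "GET /index.html?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [22/Jan/2012:22:29:55 +0000] "GET /?id=1327271395120&msg=test HTTP/1.1" 200 8395 "http://attack-page.example/" "Opera/9.80"',
];
```

Calling summarize(SAMPLE_LOG, 2) reports the one client above the threshold and the Referer shared by all matching requests.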


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

SOPA and PIPA may have been put on hold -- thanks to possibly the most contentious uproar seen on Capitol Hill and in the tech world ever -- but other legislation was introduced this week to combat online piracy.
ZionOps has reported that the official website of King Saud University (KSU, printpress.ksu.edu.sa) has been hacked by an unknown hacker or hackers. KSU is a public university located in Riyadh, Saudi Arabia. The leak contains 812 user accounts.

AlienZ has hit again; we were alerted to this by ZionOps. AlienZ has attacked an Arabic-based online diploma and study website. The leak contains a few hundred accounts, and all passwords are encrypted. This comes as another blow to "Arabs" as the ongoing cyber continues to grow pace and heat.
