Attacks/Breaches
1/28/2013
11:33 AM
Connect Directly
RSS
E-Mail
50%
50%

Anonymous Plays Games With U.S. Sites

Protesting over death of Internet activist Aaron Swartz, Anonymous defaces U.S. government websites to hide a free game of Asteroids.

Anonymous has gone old-school with its latest attack, altering a number of U.S. government websites to hide a free game of Asteroids.

The hacktivist collective's initial target was the website of the U.S. Sentencing Commission, which establishes sentencing policies and practices for the federal courts. After the site was reportedly altered Friday, the site's administrators expunged the Asteroids game over the weekend. As of Monday morning, the site's administrators had apparently taken the site -- which Anonymous claimed to still control -- offline.

A statement posted by Anonymous to Reddit said the website defacement was meant as retaliation for the manner in which prosecutors handled the case of Aaron Swartz, who co-created the RSS 1.0 specification and helped establish Reddit. Facing a 35-year jail sentence for downloading millions of documents from the academic journal archive JSTOR, Swartz -- who had long battled depression -- earlier this month committed suicide.

Anonymous said it selected the Sentencing Commission's website for its obvious relevance to Swartz's case. "Two weeks ago today, a line was crossed. Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice," read the Anonymous statement. "Killed because he was forced into playing a game he could not win -- a twisted and distorted perversion of justice -- a game where the only winning move was not to play."

[ For more on Anonymous's recent exploits, see Anonymous DDoS Attackers In Britain Sentenced. ]

The FBI said it's investigating the website defacements. "We were aware as soon as it happened and are handling it as a criminal investigation," read a statement released by Richard McFeely, executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI, reported Bloomberg. "We are always concerned when someone illegally accesses another person's or government agency's network."

If the Sentencing Commission's website was offline, Monday morning the Asteroids game could still be played on the U.S. Probation Office for the Eastern District of Michigan website, after entering a so-called Konami code (a series of arrows and letters). After that, a dialog box pops up, reading, "PEW PEW PEW PEW PEW! End Prosecutorial Overreach!" From there, site visitors are given a spaceship and allowed to shoot lasers -- and later, a smart bomb -- which obliterates the Web page. Anonymous promised prizes for "a small fraction of winners."

The Anonymous website defacement -- for lack of a better word -- was made as part of the group's broader Operation Last Resort, which seeks to reform the Computer Fraud and Abuse Act (CFAA) under which Swartz was charged. "There must be reform of mandatory minimum sentencing ... a return to proportionality of punishment with respect to actual harm caused, and consideration of motive and mens rea." (Mens rea refers to acting with a "guilty mind.")

To add impetus to its request, Anonymous on Saturday promised that the Asteroids game defacements aren't the only card up its sleeve. The group tweeted on Monday, "How about a nice game of chess Mr Government?" According to a statement released by the group, it's infiltrated a number of government websites and databases -- it refused to disclose which ones -- and stolen sensitive information, which it's been distributing in an encrypted file that has been mirrored to numerous websites.

"The contents are various and we won't ruin the speculation by revealing them," said Anonymous. "Suffice it to say, everyone has secrets, and some things are not meant to be public. At a regular interval commencing today, we will choose one media outlet and supply them with heavily redacted partial contents of the file."

Threats aside, Anonymous is far from the only group calling for the CFAA to be revised. Notably, George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, has proposed specific changes to CFAA, including making it harder for minor crimes to be classified as felonies.

Kerr's proposals have been picked up and refined by the Electronic Frontier Foundation (EFF), in what calls "Aaron's Law." The group's suggestions have also been endorsed by Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, who described Kerr's initial efforts as "necessary but not sufficient."

Both the EFF and Granick are pushing for a better definition of "without authorization" in the CFAA, which governs when accessing a network resource or system is, or isn't, illegal. "There should be an exception to CFAA liability when a service is offered for free to the public but implements technological controls on either automation, download rate or access time," said Granick in a blog post. "Certainly evading these limits could be a civil violation, or the service may find a way to ban the offender completely, but it should not be a federal crime."

But will Congress pick up on the proposals and reform CFAA?

Hackers Unmasked: Detecting, Analyzing And Taking Action Against Current Threats. In this all-day InformationWeek and Dark Reading Virtual Event, experts and vendors will offer a detailed look at how enterprises can detect the latest malware, analyze the most current cyber attacks, and even identify and take action against the attackers. Attendees of the Hackers Unmasked event will also get a look at how cybercriminals operate, how they are motivated -- and what your business can do to stop them. It happens Feb. 7. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.