Attacks/Breaches
1/28/2013
11:33 AM
50%
50%

Anonymous Plays Games With U.S. Sites

Protesting over death of Internet activist Aaron Swartz, Anonymous defaces U.S. government websites to hide a free game of Asteroids.

Anonymous has gone old-school with its latest attack, altering a number of U.S. government websites to hide a free game of Asteroids.

The hacktivist collective's initial target was the website of the U.S. Sentencing Commission, which establishes sentencing policies and practices for the federal courts. After the site was reportedly altered Friday, the site's administrators expunged the Asteroids game over the weekend. As of Monday morning, the site's administrators had apparently taken the site -- which Anonymous claimed to still control -- offline.

A statement posted by Anonymous to Reddit said the website defacement was meant as retaliation for the manner in which prosecutors handled the case of Aaron Swartz, who co-created the RSS 1.0 specification and helped establish Reddit. Facing a 35-year jail sentence for downloading millions of documents from the academic journal archive JSTOR, Swartz -- who had long battled depression -- earlier this month committed suicide.

Anonymous said it selected the Sentencing Commission's website for its obvious relevance to Swartz's case. "Two weeks ago today, a line was crossed. Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice," read the Anonymous statement. "Killed because he was forced into playing a game he could not win -- a twisted and distorted perversion of justice -- a game where the only winning move was not to play."

[ For more on Anonymous's recent exploits, see Anonymous DDoS Attackers In Britain Sentenced. ]

The FBI said it's investigating the website defacements. "We were aware as soon as it happened and are handling it as a criminal investigation," read a statement released by Richard McFeely, executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI, reported Bloomberg. "We are always concerned when someone illegally accesses another person's or government agency's network."

If the Sentencing Commission's website was offline, Monday morning the Asteroids game could still be played on the U.S. Probation Office for the Eastern District of Michigan website, after entering a so-called Konami code (a series of arrows and letters). After that, a dialog box pops up, reading, "PEW PEW PEW PEW PEW! End Prosecutorial Overreach!" From there, site visitors are given a spaceship and allowed to shoot lasers -- and later, a smart bomb -- which obliterates the Web page. Anonymous promised prizes for "a small fraction of winners."

The Anonymous website defacement -- for lack of a better word -- was made as part of the group's broader Operation Last Resort, which seeks to reform the Computer Fraud and Abuse Act (CFAA) under which Swartz was charged. "There must be reform of mandatory minimum sentencing ... a return to proportionality of punishment with respect to actual harm caused, and consideration of motive and mens rea." (Mens rea refers to acting with a "guilty mind.")

To add impetus to its request, Anonymous on Saturday promised that the Asteroids game defacements aren't the only card up its sleeve. The group tweeted on Monday, "How about a nice game of chess Mr Government?" According to a statement released by the group, it's infiltrated a number of government websites and databases -- it refused to disclose which ones -- and stolen sensitive information, which it's been distributing in an encrypted file that has been mirrored to numerous websites.

"The contents are various and we won't ruin the speculation by revealing them," said Anonymous. "Suffice it to say, everyone has secrets, and some things are not meant to be public. At a regular interval commencing today, we will choose one media outlet and supply them with heavily redacted partial contents of the file."

Threats aside, Anonymous is far from the only group calling for the CFAA to be revised. Notably, George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, has proposed specific changes to CFAA, including making it harder for minor crimes to be classified as felonies.

Kerr's proposals have been picked up and refined by the Electronic Frontier Foundation (EFF), in what calls "Aaron's Law." The group's suggestions have also been endorsed by Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, who described Kerr's initial efforts as "necessary but not sufficient."

Both the EFF and Granick are pushing for a better definition of "without authorization" in the CFAA, which governs when accessing a network resource or system is, or isn't, illegal. "There should be an exception to CFAA liability when a service is offered for free to the public but implements technological controls on either automation, download rate or access time," said Granick in a blog post. "Certainly evading these limits could be a civil violation, or the service may find a way to ban the offender completely, but it should not be a federal crime."

But will Congress pick up on the proposals and reform CFAA?

Hackers Unmasked: Detecting, Analyzing And Taking Action Against Current Threats. In this all-day InformationWeek and Dark Reading Virtual Event, experts and vendors will offer a detailed look at how enterprises can detect the latest malware, analyze the most current cyber attacks, and even identify and take action against the attackers. Attendees of the Hackers Unmasked event will also get a look at how cybercriminals operate, how they are motivated -- and what your business can do to stop them. It happens Feb. 7. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?