11:33 AM

Anonymous Plays Games With U.S. Sites

Protesting over death of Internet activist Aaron Swartz, Anonymous defaces U.S. government websites to hide a free game of Asteroids.

Anonymous has gone old-school with its latest attack, altering a number of U.S. government websites to hide a free game of Asteroids.

The hacktivist collective's initial target was the website of the U.S. Sentencing Commission, which establishes sentencing policies and practices for the federal courts. After the site was reportedly altered Friday, the site's administrators expunged the Asteroids game over the weekend. As of Monday morning, the site's administrators had apparently taken the site -- which Anonymous claimed to still control -- offline.

A statement posted by Anonymous to Reddit said the website defacement was meant as retaliation for the manner in which prosecutors handled the case of Aaron Swartz, who co-created the RSS 1.0 specification and helped establish Reddit. Facing a 35-year jail sentence for downloading millions of documents from the academic journal archive JSTOR, Swartz -- who had long battled depression -- earlier this month committed suicide.

Anonymous said it selected the Sentencing Commission's website for its obvious relevance to Swartz's case. "Two weeks ago today, a line was crossed. Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice," read the Anonymous statement. "Killed because he was forced into playing a game he could not win -- a twisted and distorted perversion of justice -- a game where the only winning move was not to play."

[ For more on Anonymous's recent exploits, see Anonymous DDoS Attackers In Britain Sentenced. ]

The FBI said it's investigating the website defacements. "We were aware as soon as it happened and are handling it as a criminal investigation," read a statement released by Richard McFeely, executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI, reported Bloomberg. "We are always concerned when someone illegally accesses another person's or government agency's network."

If the Sentencing Commission's website was offline, Monday morning the Asteroids game could still be played on the U.S. Probation Office for the Eastern District of Michigan website, after entering a so-called Konami code (a series of arrows and letters). After that, a dialog box pops up, reading, "PEW PEW PEW PEW PEW! End Prosecutorial Overreach!" From there, site visitors are given a spaceship and allowed to shoot lasers -- and later, a smart bomb -- which obliterates the Web page. Anonymous promised prizes for "a small fraction of winners."

The Anonymous website defacement -- for lack of a better word -- was made as part of the group's broader Operation Last Resort, which seeks to reform the Computer Fraud and Abuse Act (CFAA) under which Swartz was charged. "There must be reform of mandatory minimum sentencing ... a return to proportionality of punishment with respect to actual harm caused, and consideration of motive and mens rea." (Mens rea refers to acting with a "guilty mind.")

To add impetus to its request, Anonymous on Saturday promised that the Asteroids game defacements aren't the only card up its sleeve. The group tweeted on Monday, "How about a nice game of chess Mr Government?" According to a statement released by the group, it's infiltrated a number of government websites and databases -- it refused to disclose which ones -- and stolen sensitive information, which it's been distributing in an encrypted file that has been mirrored to numerous websites.

"The contents are various and we won't ruin the speculation by revealing them," said Anonymous. "Suffice it to say, everyone has secrets, and some things are not meant to be public. At a regular interval commencing today, we will choose one media outlet and supply them with heavily redacted partial contents of the file."

Threats aside, Anonymous is far from the only group calling for the CFAA to be revised. Notably, George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, has proposed specific changes to CFAA, including making it harder for minor crimes to be classified as felonies.

Kerr's proposals have been picked up and refined by the Electronic Frontier Foundation (EFF), in what calls "Aaron's Law." The group's suggestions have also been endorsed by Jennifer Granick, the director of civil liberties at the Stanford Center for Internet and Society, who described Kerr's initial efforts as "necessary but not sufficient."

Both the EFF and Granick are pushing for a better definition of "without authorization" in the CFAA, which governs when accessing a network resource or system is, or isn't, illegal. "There should be an exception to CFAA liability when a service is offered for free to the public but implements technological controls on either automation, download rate or access time," said Granick in a blog post. "Certainly evading these limits could be a civil violation, or the service may find a way to ban the offender completely, but it should not be a federal crime."

But will Congress pick up on the proposals and reform CFAA?

Hackers Unmasked: Detecting, Analyzing And Taking Action Against Current Threats. In this all-day InformationWeek and Dark Reading Virtual Event, experts and vendors will offer a detailed look at how enterprises can detect the latest malware, analyze the most current cyber attacks, and even identify and take action against the attackers. Attendees of the Hackers Unmasked event will also get a look at how cybercriminals operate, how they are motivated -- and what your business can do to stop them. It happens Feb. 7. (Free registration required.)

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.