Attacks on Visa, PayPal by just ‘a bunch of criminals’

WikiLeaks defenders not hacktivists, security expert says

Distributed denial-of-service (DDoS) attacks Wednesday by WikiLeaks defenders that temporarily took down the Web sites of Visa, MasterCard and PayPal, among others, were not done by people with a cause, but with an inclination toward criminality, computer security expert Ira Winkler says.

Winkler, president of Internet Security Advisors Group and someone I’ve quoted before on this blog, believes the attacks on the financial services Web sites were conducted by people who know how to use a botnet to launch a DDoS because they’ve probably done it before for criminal purposes.

The attacks were credited to a group calling itself Anonymous, according to the IDG News Service’s Robert McMillan. The sites were attacked because they cut off service to WikiLeaks.org, which depends on credit card or PayPal payments from supporters. The companies cut off funding in the wake of WikiLeaks distributing 250,000 U.S. State Department documents, some classified. WikiLeaks earlier this year released thousands more U.S. documents related to the wars in Iraq and Afghanistan. The card companies cut off WikiLeaks accusing the organization of engaging in illegal activity.

Anonymous also posted a message on Twitter yesterday claiming, “IT’S DOWN! KEEP FIRING!” But a click on a link to that message today reads, “The profile you are trying to view has been suspended.”

The people who launched the DDoS attacks are “at least recreational criminals,” Winkler said in an interview. “An otherwise law abiding citizen that is just concerned about freedom of information is not just sitting there with a botnet ready to launch a denial of service attack. These are people who otherwise commit crimes and just are rationalizing their crime with the latest cause.”

However, as McMillan reports, Anonymous encouraged “volunteers to download software called LOIC (Low Orbit Ion Cannon), which lets them centrally control these systems and direct them into a DDoS attack,” which could make it easier for someone with limited hacking knowledge to join in the protest. Still, as Winkler contends, there are people who publicly protest and there are those who engage in civil disobedience.

And hacking as a form of political protest, even just ostensibly, is nothing new, he adds. DDoS attacks followed the accidental bombing by U.S. forces of the Chinese Embassy in Belgrade in 1999 and the imprisonment of hacker Kevin Mitnick, who was sentenced to prison by a U.S. District Court in Los Angeles in 1999. He had hacked into several corporate and government computer systems, but his supporters felt his five-year prison sentence was excessive, according to Wikipedia.

But taking down the Web sites of Visa or MasterCard is the equivalent of egging the State Department. It’s mischievous, but really doesn’t cripple the financial industry companies.

“Big deal. You took down MasterCard’s Web site,” Winkler said. “If you didn’t take down their processing, who gives a damn?”

Nonetheless, it’s still disconcerting that the DDoS succeeded, even only briefly, he added, because he would have expected those sites to have had the bandwidth to handle such an attack. Asked what this attack says about the defense against such attacks -- including the defenses built by Microsoft, whose operating systems, software and security are ubiquitous -- Winkler said, “It says that it could be better.”

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.