Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Spamhaus under DDOS for publishing that a Wikileaks mirror site is hosted in a spammy IP range



The release of numerous documents on Wikileaks this past year has caused a major uproar all throughout the press.  To many on the libertarian right, and on the left as well, Julian Assange (founder of Wikileaks) is a hero because he has unmasked numerous secrets that the US government was hiding.  In order to maintain liberty, all government secrecy must be exposed so they cannot conduct covert operations and clamp down on all of us who they govern.  By shining a light on the diplomatic cables, the United States will be unable to act in an unethical or immoral manner because once the general public finds out about their actions, they will protest strongly and evoke a change in behavior in the way foreign policy (or even domestic policy) is created.  The theory is that people don’t complain about what the government does because they don’t know what it does.  If they did know, then they would protest strongly.  A government in a western democracy survives by the will of the people; they can only act covertly for so long.  Assange has stated that this will revolutionize the way that governments interact.

On the other side of the coin, and probably far more realistically, the diplomatic cables don’t really change all that much for people who were paying attention.  Sure, a few careers may be cut short, and it is embarrassing to refer to Putin and Medvedev as Batman and Robin, not to mention that American diplomats see Italian Prime Minister Silvio Berlusconi as ineffective (and kind of a playboy).  However, it should not have come as any surprise that Saudi Arabia is urging the United States to take military action against Iran.  Contrary to Assange’s assertion, it seems like American diplomats have a pretty good grasp of foreign relations even if they don’t verbalize it.  Of course, when it comes to diplomacy none of us really say what we are thinking, in order to be polite.  It is simply good social relations to restrain yourself and not really say what’s on your mind (everyone does this; how many people do you interact with that you don’t really like but still behave politely with?).

The United States classified information policy has a culture of secrecy built around it.  They compartmentalize information.  Because of this Wikileaks release, the US is less likely, not more likely, to be open with information. They will institute new policies and restrict access to this information, making it more difficult to obtain.  Furthermore, diplomats of all stripes will be more reluctant to negotiate for fear that anything they say will be leaked on Wikileaks.  If what you say in confidence is not really confidential, then you might not say it at all.  The argument can be made that governments shouldn’t keep secrets, but the reality is that governments keep secrets all the time about their policy decisions, net assessments, and so forth.  Businesses keep trade secrets, governments keep policy secrets.  There are lots of conversations that I have with my own circle of friends that I do not wish to publish to the rest of the world.  If I thought that they were going to blab them, I would stop sharing that information with them (I’ve actually done this before).

Thus, somewhat ironically, I think that Assange’s leaks will have the opposite effect he intended.  When everyone is watching their backs, it makes diplomacy less open and sows the seeds of distrust, not openness.  I am not saying that I agree with Assange’s actions, or (more importantly) that I disagree.  Instead, I am pointing out the likely reality that what he intends to accomplish (more openness) is less likely to occur given his actions.

I shift now to the topic of hacking.  The hacker ethic, as has been defined elsewhere, is the following:

  • Information should be free and accessible to all.
  • Access to computers should be unlimited.
  • Computers and the Internet can be a force for the betterment of humanity.
  • Authority is not to be trusted.
  • The principle of decentralization goes hand-in-hand with all of the above.

Hackers have a lot of ideologies and one of them is “hacktivism”.  We have seen hacktivism at work before during the 2007 attacks on Estonia, the 2008 attacks in South Ossetia, the 2009 Twitter attacks, and now Wikileaks.  The term hacktivism is a portmanteau of “hacking” and “activism”.  It promotes the use of hacking to accomplish political goals or advance political ideologies. Depending on the campaign, these actions may involve both white-hat hackers and black-hat hackers and can include Web site defacement, redirects, DoS attacks, virtual sit-ins and electronic sabotage. Many hacktivist actions fall under the media radar, but their political, economic, military and public impact can be significant, as evidenced by the examples I cited.

We have now seen hacktivism in the form of a Wikileaks-related DDOS attack on Spamhaus.  Neil Schwartzman wrote the following on CircleID on behalf of Steve Linford, founder of Spamhaus:

"As our site can't be reached now, we can not continue to warn Wikileaks users not to load things from the Heihachi IP. If you know journalists who would get this message out, please forward this message (entire) to them."

* * *

In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus's information on his infamous cybercrime host "false" and "none of our business" and called on people to contact Spamhaus and "voice your opinion". Consequently Spamhaus has now received a number of emails some asking if we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never did) and others claiming we are "a pawn of US Government Agencies".

None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks - but by the person running the wikileaks.info site only - the very site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.

Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirrors sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch.

Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it.

Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We're not saying "don't go to Wikileaks" we're saying "Use the wikileaks.ch server instead".

From this, we can probably infer the following:

  • Someone is mirroring Wikileaks information in a spammy IP range that is known to be associated with the criminal enterprises of the Heihachi cybercrime gang.

  • A common spamming tactic is to use legitimate-looking information in order to trick users into visiting malicious sites.  This is a very commonly used tactic in black-hat search engine optimization.  Thus, it is not a stretch to believe that a cybercriminal gang is using Wikileaks as a cover to host malicious software.  The theory is that people who believe in Wikileaks’ mission will go to that web page where they think they are viewing actual Wikileaks documents, but instead are getting infected with malware.

  • Spamhaus lists this IP and asserts that this page is malicious.  Because IP space can be divided into very clean or very dirty (most of the time, but not always), and because this IP is hosted in very dirty space, it is advisable that people do not visit this particular mirror.

  • Hackers DDOS Spamhaus because they think that Spamhaus is anti-Wikileaks.  You can see that the hackers believe that Spamhaus believes that information shouldn’t be free, and authority can be trusted (why else would Spamhaus say don’t go to Wikileaks? Because Spamhaus believes that you can trust the US government and that this information must be concealed).  In an attempt to punish the pro-authoritarian Spamhaus, the hackers launch a DDOS attack in order to evoke a change in behavior from Spamhaus who normally lists malicious organizations.  Wikileaks couldn’t be malicious (they are advancing the hacker ethic, after all), so Spamhaus shouldn’t be listing them!

  • But Spamhaus is not saying “Don’t go to Wikileaks”, they are saying that if you visit them, go to a reputable site.  In this case, your curiosity is being exploited by those who wish to do your computer harm.

The DDOS attack is misdirected.  Indeed, Spamhaus’ actions are benign in that they wish to protect computer users.  They are not using the site to advance their own political agenda.
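The three inferences above (is the mirror on the official list, does its address sit in a listed range, and what else is served from the same IP) can be turned into a small triage routine. The following Python script is an added example and is not code from this post, from Spamhaus or from Wikileaks; the official mirror name (wikileaks.ch) and the co-hosted domains come from the Spamhaus statement quoted above, while every IP address, the DNS snapshot and the listed CIDR block are constructed placeholders drawn from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs for this example. The official-mirror name and the
# domains co-hosted with wikileaks.info come from the Spamhaus statement;
# all addresses below are RFC 5737 documentation addresses, not real hosts.
OFFICIAL_MIRRORS = {"wikileaks.ch"}

KNOWN_BAD_DOMAINS = {
    "carder-elite.biz", "h4ck3rz.biz", "elite-crew.net",
    "paypal-securitycenter.com", "postbank-kontodirekt.com",
}

# Constructed stand-in for a reputation-list entry covering the "dirty" range.
LISTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed DNS snapshot: hostname -> A record.
DNS_SNAPSHOT = {
    "wikileaks.ch": "198.51.100.10",
    "wikileaks.info": "203.0.113.45",
    "carder-elite.biz": "203.0.113.45",
    "h4ck3rz.biz": "203.0.113.45",
    "elite-crew.net": "203.0.113.45",
    "paypal-securitycenter.com": "203.0.113.45",
    "postbank-kontodirekt.com": "203.0.113.45",
    "news.example": "198.51.100.20",
}


def hosts_by_ip(snapshot):
    """Invert the snapshot so co-hosted names can be looked up by address."""
    index = defaultdict(set)
    for host, ip in snapshot.items():
        index[ipaddress.ip_address(ip)].add(host)
    return index


def in_listed_range(ip, ranges=LISTED_RANGES):
    """True when the address falls inside any listed (dirty) CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def assess_mirror(host, snapshot=DNS_SNAPSHOT, brand="wikileaks"):
    """Apply the three inferences to one hostname and return a verdict.

    official      - the name is on the published mirror list
    uses_brand    - carries the brand in its name but is not on that list
    listed_range  - its address sits inside a listed range
    bad_neighbours- known-bad domains served from the same address
    """
    ip = snapshot[host]
    neighbours = hosts_by_ip(snapshot)[ipaddress.ip_address(ip)] - {host}
    bad_neighbours = sorted(neighbours & KNOWN_BAD_DOMAINS)
    result = {
        "host": host,
        "ip": ip,
        "official": host in OFFICIAL_MIRRORS,
        "uses_brand": brand in host and host not in OFFICIAL_MIRRORS,
        "listed_range": in_listed_range(ip),
        "bad_neighbours": bad_neighbours,
    }
    if result["official"]:
        result["verdict"] = "official"
    elif result["listed_range"] or bad_neighbours:
        result["verdict"] = "avoid"
    else:
        result["verdict"] = "unverified"
    return result


if __name__ == "__main__":
    for name in ("wikileaks.ch", "wikileaks.info", "news.example"):
        r = assess_mirror(name)
        print(f"{r['host']:28} {r['ip']:15} {r['verdict']:11} "
              f"brand_only={r['uses_brand']} listed={r['listed_range']} "
              f"bad_neighbours={len(r['bad_neighbours'])}")
```

Run as a script it prints one line per host; wikileaks.info comes out as "avoid" because it both sits in the listed range and shares its address with five known phishing and carder domains, whereas a host that is merely unknown comes out as "unverified". Co-hosting on its own is a weak signal on large shared-hosting providers, which is why the routine only reaches "avoid" when a known-bad neighbour or a listed range is present and otherwise defers to the official mirror list, exactly the advice Spamhaus gave.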

Comments

  • Julian Assange has become the hero and is all over the news... whether it is for right reasons or wrong! It is indeed tough to form an opinion about someone whom you do not even know (i.e. government). But the major question to answer is what are the intentions of Wikileaks behind doing all this? So let's try and gather information from a few other sources as well to form an authentic opinion. I am sharing one which I came across... www.identitysecurityandaccessblog.com
