Information Security News mailing list archives

Fluffy Bunny No Longer Energized


From: InfoSec News <isn () c4i org>
Date: Tue, 30 Jul 2002 02:31:17 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,54040,00.html

By Brian McWilliams   
July 29, 2002 

At the height of its game last year, a loose-knit hacking group
calling itself Fluffy Bunny appeared able to break into websites at
will.

For a six-month period starting in mid-2001, Fluffy Bunny penetrated
the networks of several top Internet firms, including Exodus, VA
Software and Akamai. In an effort to expose what it saw as frauds and
poseurs, the cracking group also vandalized websites operated by
leading computer security outfits, including the SANS Institute.

Fluffy Bunny's unique brand of security mischief -- along with its
pink toy-rabbit mascot -- created Fluffy admirers even among computer
system administrators and security professionals.

But Fluffy Bunny dropped the ball on its most outrageous plan -- an
operation that members referred to as "The day the Internet stood
still."

Using their undetected toehold in Akamai's network, last year some of
the group's members contemplated a massive, distributed
denial-of-service (DDoS) attack on the Internet's 13 domain-name root
servers, according to a source close to Fluffy Bunny.

The attack would have marshaled the global network of 12,000
high-bandwidth systems operated by Akamai. These systems are designed
to speed up Web surfers' access to content at high-traffic sites,
including Yahoo, MSNBC, Microsoft and Whitehouse.gov.

If successful, such a bludgeoning of the Internet's nerve center could
have paralyzed the Net far beyond the brief, localized outages
experienced by big sites during the historic DDoS attacks of early
2000, according to experts.

To commandeer the attack, hinted at in the text of one of the group's
defacements, Fluffy Bunny would rely heavily on a set of proprietary
files members stole from an internal Akamai server in April 2001.

Copies of the archived files -- which included around 100 MB of Akamai
source code, private encryption keys, and internal company
documentation -- were provided to Wired News last week by the
anonymous source.

According to Akamai, the purloined files currently pose no threat to
the company's content delivery network or to customers. Spokesman Jeff
Young said this week that Akamai took "appropriate action" when it
learned of the intrusion on its network last year.

"While no systems are completely invulnerable, we do not believe the
information alone could enable attackers to devise programs to exploit
our network," said Young, who declined to detail the steps Akamai took
to mitigate the risk created by the file theft.

Contained in the stolen Akamai archives are two chapters of a document
titled "Akamai Secure Communications Infrastructure" that is labeled
internal-use only. Also included are programs for deploying software
over the network to Akamai's servers.

The archives additionally contain a collection of public and private
encryption keys, which may have been used as part of a scheme for
authenticating Akamai customers when site content is updated. Also
included is source code to what are apparently programs for
communicating with Akamai routers. Binary copies of the proprietary
build of Linux operating system software used on Akamai's servers are
also part of the package.

Although the files do not appear to be in wide circulation, Akamai
requested that Wired News not publish the file names of the stolen
archives.

Aside from offering a potent army of potential DDoS attack agents,
Akamai's network also poses as a tantalizing target for website
defacers, according to a senior security analyst for a major
consulting firm.

"The idea of attacking Akamai has been floating around in various
hacker circles -- black, gray and white -- for over a year. How else
could you get a controversial message to a ton of people very quickly
and all at the same time?" said the analyst, who asked not to be
named.

But even with knowledge of the inner workings of Akamai's security
infrastructure, attackers would be unable to easily seize control of
its network, according to Steve Gibson, a software developer who
operates the security information site Grc.com.

"If all of the Akamai servers were turned into attack agents, that
obviously would be really bad, but I don't think Fluffy got the keys
to the kingdom," Gibson said.

The complexity of Akamai's infrastructure, as well as its strong
authentication technology, would likely frustrate the hackers despite
their possession of key internal documents and programs, according to
Gibson.

"That's probably why Fluffy never used it. 'The day the Internet stood
still,' never happened, and it's been over a year that they've had
this information," Gibson said.

Indeed, Fluffy Bunny has been stymied in the past. Unable to hack
directly through the defenses of SecurityFocus.com, in November 2001
the group instead compromised a small, online advertising company, so
that banner ads with its trademark pink bunny rotated onto the
SecurityFocus site for several hours before being detected.

But it may ultimately have been law enforcement -- not insurmountable
technical obstacles -- that reined in Fluffy Bunny's hacking hubris.  
Two key Fluffy members, a European and an American, were arrested last
year according to sources familiar with the investigation.

The defacement archive at Alldas.org shows no website attacks
attributed to Fluffy Bunny since early this year.

The FBI and federal prosecutors would not provide specifics on their
pursuit of the group, citing the ongoing nature of the investigation.

Its brief tenure in the limelight as the Internet's savviest hacking
crew seemingly over, Fluffy Bunny appears to have gone underground for
good.

 

-
ISN is currently hosted by Attrition.org
