Trying To Hack My Web Site

Attempts to hack my web site continue daily. On multiple occasions I have approached the IP address holder via the WHOIS service to complain and received bland reassurances. An example of a recent IP address lookup is below the table. Once the host from which the hacking attempt is coming has been established, you then have to fill in the contact form or abuse form for the hosting company. A few days later you’ll get a bland reassurance back and the hacks continue, sometimes from the same IP address. In the table below, I have listed some of these hacking attempts over the last month. I get 50-100 every 24 hours. I’ll probably get more now.

UPDATE

Nothing back from the web sites about the IP addresses, and in the last 48 hours (1-3 Aug 2023) I’ve logged over 500 attempts. Waste of bandwidth….

Purpose of Trying To Hack My Web Site

It’s unclear why these bots or their instigators are trying to hack my site. The site has reputational value to me, but has no e-commerce element except links to book sites. It does not hold membership lists of thousands – in fact it has no members and no private data, except cookie lists – see privacy policy. It may be fun for them, but it’s just a pain and so far unsuccessful. I’m not saying what my user account name is for admin access. Nor am I giving out a password/phrase, but it’s strong, and then there is 2FA, Two-Factor Authentication. That means these brute force attempts get nowhere even if they did get my username and password.

It’s all a colossal waste of time and resources for all parties. Having worked in the cyber security field, I know how much effort this costs a company and what sort of reward these criminals are after: the databases, or a monetary ransom from encrypting them. But again, why my site?

Dear hackers, give it a rest. Why not use your skills for the betterment of human life? Mind you, with the endless efforts of Government agencies, some of which have leaked into the open, this is an ongoing battle. Hadn’t realised this comes 10 years after Snowden’s revelations.

Table of IP Addresses

Date                | IP Address                  | User Account attempted
June 22, 2023 07:24 | 152.32.189.117              | admin (3 lockouts)
June 22, 2023 06:12 | 148.72.244.186              | phenweb (1 lockout)
June 21, 2023 20:14 | 45.120.69.121               | admin (1 lockout)
June 21, 2023 01:23 | 2a03:b0c0:1:d0::e6c:f001    | phenweb (1 lockout)
June 20, 2023 06:10 | 148.72.214.194              | admin (2 lockouts)
June 19, 2023 15:32 | 66.94.96.129                | admin (2 lockouts)
June 19, 2023 12:51 | 103.179.56.32               | admin (2 lockouts)
June 19, 2023 06:15 | 35.187.58.136               | admin (1 lockout)
June 19, 2023 05:50 | 134.122.123.193             | admin (1 lockout)
June 18, 2023 03:50 | 2a03:b0c0:1:d0::ee2:c001    | wwwadmin (1 lockout)
June 13, 2023 00:03 | 2607:f298:5:6000::cb9:8de4  | admin (1 lockout)
June 09, 2023 13:22 | 2a03:b0c0:1:d0::ee2:c001    | admin (1 lockout)
June 09, 2023 07:18 | 167.99.86.104               | admin (1 lockout)
June 09, 2023 03:46 | 2a00:d680:20:50::4379       | admin (3 lockouts)
June 07, 2023 00:40 | 5.188.62.21                 | pghadmin (9 lockouts)
June 05, 2023 22:35 | 150.109.148.216             | admin (1 lockout)
June 05, 2023 12:13 | 185.2.4.134                 | wadminw (1 lockout)
June 04, 2023 09:13 | 46.105.29.21                | admin (1 lockout)
June 03, 2023 11:35 | 2001:41d0:403:1680::        | admin (1 lockout)
June 03, 2023 05:13 | 2a00:d680:20:50::f4dc       | admin (2 lockouts)
June 02, 2023 00:58 | 195.154.184.235             | admin (1 lockout)
June 01, 2023 15:25 | 157.230.249.54              | admin (1 lockout)
May 25, 2023 20:51  | 47.111.116.44               | admin (1 lockout)
May 25, 2023 12:44  | 2607:f298:5:6000::d15:5580  | admin (1 lockout)
May 25, 2023 11:17  | 116.109.45.9                | wwwadmin (1 lockout)
May 25, 2023 05:14  | 2400:6180:0:d0::f6f:3001    | admin (3 lockouts)
May 24, 2023 19:15  | 23.99.229.218               | admin (1 lockout)
May 24, 2023 18:32  | 24.199.86.99                | admin (1 lockout)
May 23, 2023 01:51  | 51.79.144.41                | admin (2 lockouts)
May 22, 2023 12:22  | 2001:41d0:403:1680::        | wadminw (1 lockout)
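A table like the one above is more useful once it is aggregated: which sources come back repeatedly (those are the ones worth an abuse report), which usernames the bots are guessing (so you can confirm your real admin name is not among them), and how many lockouts land per day. The script below is an added example written for this post, not part of the original or of any plugin; it parses records in the table's "date | IP | user (N lockouts)" form, and the embedded input is a subset of the rows above. IPv6 sources are grouped per /64, on the assumption that a single tenant controls a whole /64, which is why the 2a03:b0c0:1:d0:: entries count as one source.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# A subset of the rows from the post's lockout table, one record per line.
RECORDS = """\
June 22, 2023 07:24 | 152.32.189.117 | admin (3 lockouts)
June 22, 2023 06:12 | 148.72.244.186 | phenweb (1 lockouts)
June 21, 2023 01:23 | 2a03:b0c0:1:d0::e6c:f001 | phenweb (1 lockouts)
June 18, 2023 03:50 | 2a03:b0c0:1:d0::ee2:c001 | wwwadmin (1 lockouts)
June 09, 2023 13:22 | 2a03:b0c0:1:d0::ee2:c001 | admin (1 lockouts)
June 07, 2023 00:40 | 5.188.62.21 | pghadmin (9 lockouts)
June 05, 2023 12:13 | 185.2.4.134 | wadminw (1 lockouts)
May 22, 2023 12:22 | 2001:41d0:403:1680:: | wadminw (1 lockouts)
"""

LINE_RE = re.compile(
    r"^(?P<when>\w+ \d{2}, \d{4} \d{2}:\d{2}) \| (?P<ip>[0-9a-fA-F.:]+) \| "
    r"(?P<user>\S+) \((?P<n>\d+) lockouts?\)$"
)


def parse_records(text):
    """Parse lockout lines into dicts; a line that does not match raises rather than being silently dropped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        rows.append({
            "when": datetime.strptime(m["when"], "%B %d, %Y %H:%M"),
            "ip": ipaddress.ip_address(m["ip"]),
            "user": m["user"],
            "lockouts": int(m["n"]),
        })
    return rows


def network_key(ip):
    """Aggregation key: IPv6 per /64 (assumed one tenant per /64), IPv4 per address."""
    if ip.version == 6:
        return str(ipaddress.ip_network((ip, 64), strict=False))
    return str(ip)


def summarise(rows):
    """Lockouts per source network and per guessed username."""
    by_source, by_user = Counter(), Counter()
    for r in rows:
        by_source[network_key(r["ip"])] += r["lockouts"]
        by_user[r["user"]] += r["lockouts"]
    return by_source, by_user


def repeat_sources(rows, min_events=2):
    """Sources that appear on at least `min_events` separate occasions: the abuse-report candidates."""
    seen = defaultdict(int)
    for r in rows:
        seen[network_key(r["ip"])] += 1
    return sorted(k for k, c in seen.items() if c >= min_events)


def guessed_usernames(rows):
    """Usernames tried, most-guessed first, to check the real admin name against."""
    return [u for u, _ in summarise(rows)[1].most_common()]


def per_day(rows):
    """Lockouts per calendar day, to spot a burst like the 500-in-48-hours update."""
    daily = Counter()
    for r in rows:
        daily[r["when"].date().isoformat()] += r["lockouts"]
    return daily


if __name__ == "__main__":
    rows = parse_records(RECORDS)
    by_source, by_user = summarise(rows)
    print("lockouts per source:", dict(by_source))
    print("usernames guessed:", guessed_usernames(rows))
    print("repeat sources:", repeat_sources(rows))
    print("per day:", dict(per_day(rows)))
```

On this subset, the three 2a03:b0c0:1:d0:: entries collapse into one repeat source, and the username list confirms what the table already suggests: "admin" and a handful of variants, so a non-default admin name plus 2FA leaves the bots with nothing to work on.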

WHOIS Trying to Hack My Web Site

Whois IP 152.32.189.117

The IP is registered in Hong Kong to UCloud. They have an abuse email, hegui@ucloud.cn. I won’t hold out any hope of a response, but I’ve tried.

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
% Information related to '152.32.128.0 - 152.32.255.255'
% Abuse contact for '152.32.128.0 - 152.32.255.255' is '@ucloud.cn'
inetnum:        152.32.128.0 - 152.32.255.255
netname:        UCLOUD-HK
descr:          UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED
country:        HK
org:            ORG-UITL1-AP
admin-c:        UITH2-AP
tech-c:         UITH2-AP
abuse-c:        AU164-AP
status:         ALLOCATED PORTABLE
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      MAINT-UCLOUD-HK
mnt-routes:     MAINT-UCLOUD-HK
mnt-irt:        IRT-UCLOUD-HK
last-modified:  2022-05-16T03:40:43Z
source:         APNIC
irt:            IRT-UCLOUD-HK
address:        FLAT/RM 603 6/F, LAWS COMMERCIAL PLAZA, 788 CHEUNG SHA WAN ROAD, KL,, Hong Kong
e-mail:         @ucloud.cn
abuse-mailbox:  @ucloud.cn
admin-c:        UITH2-AP
tech-c:         UITH2-AP
auth:           # Filtered
remarks:        @ucloud.cn was validated on 2022-12-29
remarks:        @ucloud.cn was validated on 2022-12-30
mnt-by:         MAINT-UCLOUD-HK
last-modified:  2022-12-30T07:26:18Z
source:         APNIC
organisation:   ORG-UITL1-AP
org-name:       UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED
country:        HK
address:        FLAT/RM 603 6/F
address:        LAWS COMMERCIAL PLAZA
address:        788 CHEUNG SHA WAN ROAD, KL,
phone:          +86-18221224857
e-mail:         @ucloud.cn
mnt-ref:        APNIC-HM
mnt-by:         APNIC-HM
last-modified:  2019-12-10T12:58:29Z
source:         APNIC
role:           ABUSE UCLOUDHK
address:        FLAT/RM 603 6/F, LAWS COMMERCIAL PLAZA, 788 CHEUNG SHA WAN ROAD, KL,, Hong Kong
country:        ZZ
phone:          +000000000
e-mail:         @ucloud.cn
admin-c:        UITH2-AP
tech-c:         UITH2-AP
nic-hdl:        AU164-AP
remarks:        Generated from irt object IRT-UCLOUD-HK
remarks:        @ucloud.cn was validated on 2022-12-29
remarks:        @ucloud.cn was validated on 2022-12-30
abuse-mailbox:  @ucloud.cn
mnt-by:         APNIC-ABUSE
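The WHOIS reply above is in the registry's RPSL layout: "key: value" attributes grouped into objects (inetnum, irt, organisation, role), with the abuse mailbox repeated in a leading "% Abuse contact for ..." comment. Pulling the covering range and a usable abuse address out of that by hand is what the post did; the script below does it programmatically. It is an added example written for this post, not the registry's or any WHOIS client's code. The embedded reply is constructed: the address range is the one the post looked up, the netname and mailboxes are placeholders, and, as in the post's copy, the objects run together without blank lines and the comment line's mailbox has its local part redacted, which the parser must tolerate.

```python
import ipaddress
import re

# Constructed WHOIS reply in APNIC's RPSL layout (placeholder netname and mailboxes;
# the range is the one looked up in the post). The "% Abuse contact" comment has a
# redacted local part, and the objects run together without blank lines.
WHOIS_SAMPLE = """\
% [whois.apnic.net]
% Information related to '152.32.128.0 - 152.32.255.255'
% Abuse contact for '152.32.128.0 - 152.32.255.255' is '@example.net'
inetnum:        152.32.128.0 - 152.32.255.255
netname:        EXAMPLE-HK
country:        HK
abuse-c:        AU164-AP
mnt-irt:        IRT-EXAMPLE-HK
source:         APNIC
irt:            IRT-EXAMPLE-HK
e-mail:         abuse@example.net
abuse-mailbox:  abuse@example.net
remarks:        abuse@example.net was validated on 2022-12-29
source:         APNIC
"""

# Attribute names that begin a new object when they appear.
OBJECT_CLASSES = {"inetnum", "inet6num", "irt", "organisation", "role", "person", "route", "route6"}
ATTR_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")
ABUSE_COMMENT_RE = re.compile(r"^% Abuse contact for '([^']+)' is '([^']*)'")
MAILBOX_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # a redacted "@example.net" fails this


def parse_rpsl(text):
    """Split a WHOIS reply into objects: dicts mapping attribute -> list of values."""
    objects, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            current = None          # a blank line ends the current object
            continue
        if raw.startswith("%"):
            continue                # registry comments are not attributes
        m = ATTR_RE.match(raw)
        if not m:
            continue                # continuation lines are ignored here
        key, value = m.group(1), m.group(2).strip()
        if key in OBJECT_CLASSES or current is None:
            current = {}
            objects.append(current)
        current.setdefault(key, []).append(value)
    return objects


def covering_object(text, ip):
    """The inetnum/inet6num object whose range contains `ip`, or None."""
    ip = ipaddress.ip_address(ip)
    for obj in parse_rpsl(text):
        for key in ("inetnum", "inet6num"):
            for rng in obj.get(key, []):
                if "-" in rng:      # "lo - hi" range form
                    lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
                    if lo.version == ip.version and lo <= ip <= hi:
                        return obj
                else:               # CIDR form, common for inet6num
                    net = ipaddress.ip_network(rng, strict=False)
                    if net.version == ip.version and ip in net:
                        return obj
    return None


def abuse_contact(text):
    """Registry comment line first; otherwise an abuse-mailbox from an irt/role object.
    Only a complete mailbox counts, so a redacted local part falls through to the objects."""
    for line in text.splitlines():
        m = ABUSE_COMMENT_RE.match(line)
        if m and MAILBOX_RE.match(m.group(2)):
            return m.group(2)
    for obj in parse_rpsl(text):
        for mbox in obj.get("abuse-mailbox", []):
            if MAILBOX_RE.match(mbox):
                return mbox
    return None


if __name__ == "__main__":
    hit = covering_object(WHOIS_SAMPLE, "152.32.189.117")
    print("range:", hit["inetnum"][0], "netname:", hit["netname"][0])
    print("abuse contact:", abuse_contact(WHOIS_SAMPLE))
```

The check that matters before filing a report is that the address you are complaining about actually falls inside the range the reply describes; a cached or mis-typed lookup otherwise sends the complaint to the wrong network.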

Government Snooping Chains

The NSA and GCHQ programmes provide insight into government snooping chains. This blog also provides a foreword to my book Sail Chains. The current focus on surveillance and privacy is based on the actions of Facebook, Amazon and Google. The allied western intelligence agencies do much more. Previous blogs

Secure communications, tracking, and other jargon are used within this tale. The descriptions are based on real techniques used in Information Technology and intelligence surveillance. Some are described below, to avoid lengthy passages of explanation in the narrative of the book, and here in this blog for public edification.

Five-Eyes

Five-Eyes is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. These countries are parties to a multilateral agreement which is a treaty for joint cooperation in signals intelligence. It is a wide-ranging agreement and includes facilities in each country, including the Government Communications Headquarters, GCHQ, in Cheltenham, UK, and the National Security Agency, NSA, with its HQ at Fort Meade in the USA. Both organisations also carry out their own operations and programmes. Many of these programmes were known in small parts to the media and hence the general public; however, the extent of these programmes was not well known until the revelations leaked or stolen by Edward Snowden.


[Image: GCHQ]
[Image: NSA signpost]

Legal restrictions in all Five Eyes countries are supposed to restrict or prevent the gathering of information on their own citizens. Secret courts, FISA (Foreign Intelligence Surveillance Act) in the USA and CMPs (Closed Material Procedures) in the UK, provide legal cover. Parliamentary or Congressional scrutiny is very limited. In many cases the elected representatives or their advisors do not have sufficient levels of security clearance to see the material about the programmes, let alone the technical understanding of the implications.

The NSA is not supposed to spy on US citizens without a warrant, but they can collect data about US citizens whilst spying on foreigners. In one example 90% of the data collected in one sweep was about US citizens (>9,500 citizens out of 11,000 contacts). In this way GCHQ can spy on US citizens and vice versa, and each can pass data to the other through Five Eyes without being subject to any scrutiny. It is clear from multiple sources that this spying is not just on threats but also on journalists, whistleblowers and multiple other targets that the security services have decided are legitimate targets.

Snowden

The main details were leaked by Edward Snowden to two reporters, Barton Gellman, who published via the Washington Post, and Glenn Greenwald in The Guardian. A film maker, Laura Poitras, conducted interviews and also acted as a go-between, especially between Snowden and Gellman during the initial contacts when source VERAX was making contact. Many of the electronic copies of papers and programme details remain unreleased by the journalists. The NSA and GCHQ continue to deny many of the details, see here


STELLARWIND

STELLARWIND was the code name of a warrantless surveillance program begun under the George W. Bush administration’s President’s Surveillance Program. The National Security Agency (NSA) program was approved by President Bush shortly after the September 11, 2001, attacks and was revealed by Thomas Tamm to The New York Times in 2004. STELLARWIND’s output is fed into the MAINWAY database.

PRISM

PRISM is a code name for a program under which the NSA collects internet communications from various US internet companies. The NSA had placed collection systems directly in the data centres of the large tech companies, including Microsoft, Google, Apple, Facebook and others. Due to the nature of Internet routing, many non-US connections route or partially route via those data centres. Thus privacy campaigners use Virtual Private Networks, VPNs, and other techniques to mask their messages. These techniques are also used by enemies, including terrorists.

MAINWAY

MAINWAY is a database maintained by the NSA (and Five Eyes partners) containing metadata for hundreds of billions of telephone calls made through the four largest telephone carriers in the United States: AT&T, SBC, BellSouth (all three now called AT&T) and Verizon. The existence of this database and the NSA program that compiled it was unknown to the general public until USA Today broke the story on May 10, 2006. It is estimated that the database contains over 1.9 trillion call-detail records. The records include detailed call information (caller, receiver, date/time of call, length of call, etc.) for use in traffic analysis and social network analysis, but do not include audio information or transcripts of the content of the phone calls.

Contact Chaining

Contact Chaining is a method of querying the data held in MAINWAY to produce contact maps, and then applying algorithms to follow the contacts of a target several levels out, e.g. secondary, tertiary and beyond: contacts of contacts of contacts. Because MAINWAY holds historical data, officially 5 years’ worth for US citizens but with many caveats, previous contacts can be traced. Exceptions to deletion are any link to on-going or security investigations. This gives rise to an exponential increase in potential contacts. If the first contact has ten contacts, and each has ten more, and these in turn have ten more, then at the 3rd degree of separation there are now 10x10x10 = 1,000. Most humans have far more than 10 contacts, thus chains become very large very quickly. The game 6 Degrees of Kevin Bacon, the US actor, demonstrates this in more humorous ways.

Algorithms are used to reduce the numbers or combine them into groups. This data is then combined with other communications data, for example social media posts and email, to build up a contact map. The seed in this case is the initial target or intercept, which is correlated with another seed, B; contact C is thus linked into the chain.

Or a real one, shown by the US news programme 60 Minutes:

[Image: NBC Real Chain]

Any one of these contacts or nodes could be the enemy that is sought, or could allow movements, locations and activity patterns to be tracked, thus enabling potential targeting for surveillance or more direct action. Sometimes the enemy is unknown. The node shown is a phone, email address, social media handle or website, which the technique attempts to link to an individual or organisation. A phone number of a head office could be used by hundreds of contacts. How the data is processed into MAINWAY, with the other named systems mentioned, is shown below:

[Image: MAINWAY dataflow showing Government Snooping Chains]

Enemies attempt to hide this activity by changing contact methods, encrypting the content of messages and other evasion techniques. The NSA and GCHQ are also tasked with creating methods of protecting data from such intercepts by foreign powers or bad actors. Other techniques, such as operating in cells, can founder on just a single contact caught in the chain. Thus operational security measures are overcome. For example, two terrorist cells with a leadership planning a coordinated attack can be linked.
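The mechanics of the last three sections (the exponential growth at each degree, the pruning algorithms, and the way a single shared contact ties two otherwise separate cells together) come down to breadth-first search over a contact graph. The script below is a toy illustration added for this post; it is not from the book, from the Snowden documents or from any real system. The call records, node names and the fan-out threshold are all constructed: two cells, A and B, never call each other directly, but both ring the same head-office number and takeaway (high-fanout hubs that a pruning step would discard) and both use one low-profile courier number (the single contact that survives pruning and links them).

```python
from collections import deque

# Constructed toy call records: each pair is one phone calling another.
CALL_RECORDS = [
    ("A1", "A2"), ("A1", "A3"), ("A2", "A3"),        # cell A talks among itself
    ("B1", "B2"), ("B1", "B3"), ("B2", "B3"),        # cell B talks among itself
    ("A3", "office"), ("B3", "office"),              # both ring the same head office
    ("A1", "pizza"), ("B2", "pizza"),                # and the same takeaway
    ("C1", "office"), ("C2", "office"),              # unrelated callers of the office
    ("D1", "pizza"), ("D2", "pizza"),                # unrelated callers of the takeaway
    ("A2", "courier"), ("B1", "courier"),            # one courier used by both cells
]


def build_graph(records):
    """Undirected adjacency sets: for chaining, who dialled whom does not matter."""
    graph = {}
    for a, b in records:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def chain(graph, seed, hops):
    """Breadth-first search: {node: degree of separation} for every node within `hops` of `seed`."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] == hops:
            continue                      # do not expand beyond the requested degree
        for nbr in graph.get(node, ()):
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    return dist


def contacts_at_degree(branching, degree):
    """New contacts at one degree when every node has `branching` fresh contacts: 10 -> 1,000 at degree 3."""
    return branching ** degree


def high_fanout(graph, threshold):
    """Numbers with at least `threshold` distinct contacts: head offices, takeaways, helplines."""
    return sorted(n for n, nbrs in graph.items() if len(nbrs) >= threshold)


def link_seeds(graph, seed_a, seed_b, hops, ignore=frozenset()):
    """Nodes reachable from both seeds within `hops`: the contact C that ties two chains together.
    Nodes in `ignore` (typically the high-fanout ones) are removed first; this is the kind of
    pruning the text says algorithms apply to keep chains manageable."""
    pruned = {n: {m for m in nbrs if m not in ignore}
              for n, nbrs in graph.items() if n not in ignore}
    reach_a = chain(pruned, seed_a, hops)
    reach_b = chain(pruned, seed_b, hops)
    return sorted(set(reach_a) & set(reach_b))


if __name__ == "__main__":
    g = build_graph(CALL_RECORDS)
    print("numbers within 3 hops of A1:", len(chain(g, "A1", 3)), "of", len(g))
    hubs = high_fanout(g, 4)
    print("pruned hubs:", hubs)
    print("A1 and B1 share (no pruning):", link_seeds(g, "A1", "B1", 2))
    print("A1 and B1 share (hubs pruned):", link_seeds(g, "A1", "B1", 2, ignore=frozenset(hubs)))
```

Three hops from A1 already reach every number in the toy graph, which is the exponential growth the text describes. Without pruning, A1 and B1 appear linked through the office and the takeaway, which is noise; after the hubs are dropped the two cells are still joined, through the courier alone, which is exactly the single-contact failure of cell discipline the paragraph above warns about.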

CO-TRAVELER

A system called CO-TRAVELER is designed to track who meets with whom and covers everyone who carries a mobile/cell phone, all around the world. CO-TRAVELER collects billions of records daily of phone user location information. It maps the relationships of mobile/cell phone users across global mobile network cables, gathering data about who you are physically with, and how often your movements intersect with other phone users. The program even tracks when your phone is turned on or off.

TOR – Protects from government snooping or does it?

Tor is free and open-source software for enabling anonymous communication by directing Internet traffic through a worldwide overlay network. It consists of more than seven thousand relays designed to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace the Internet activity to the user: this includes “visits to Web sites, online posts, instant messages, and other communication forms”. Tor’s intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities unmonitored. It was created by the Office of Naval Research and DARPA as a security protection project and the papers from Snowden demonstrated that the NSA had managed to set up infiltration into the network.

VPNs – Encrypt channels of communication thus protecting chains but not that a connection exists

Virtual Private Networks (VPNs) are encrypted channels between two or more network points. They normally use some form of shared encryption key between the end points, thus preventing interception of the communication content; however, the metadata (data about data) can still be traced, including locations of end points, times of transmission, etc. Therefore STELLARWIND can collect this data and deposit it into MAINWAY for use in Contact Chaining. If a phone is used as the data connection, CO-TRAVELER can match locations and obtain more metadata in addition to location and other data sources nearby.

GCHQ

GCHQ has a different set of names achieving the same ends, see here. This shows the applications CARPART, PRIMETIME, SNAPDRAGON, MoaG and SORTING FRIENDS sending data into a system called CHART BREAKER, and onwards into CONTACT LENS, which is the Contact Chaining output from MAINWAY and CHART BREAKER.

NSA and Snowden – A Year On

NSA and Snowden was written in 2014, but the revelations remain concerning, and technology, surveillance and privacy remain key issues.

Another anniversary this past week. After the commemoration of D-Day 70 years ago on the 6th June, something far less significant in multiple nations’ collective memories: it is one year since The Guardian first printed Edward Snowden’s revelations about the activities of the NSA, GCHQ et al. For an excellent commentary and summation read the article on The Register.

The article covers not only the scope of what was revealed but also discusses the impact of these revelations. It is clear there is still much to be revealed, and there is also the on-going reluctance of the British press in particular to publish some of the revelations. Most notably, the Register also published details about the international fibre and communication link tapping operations, notably in Oman. Quoting from the article of 2nd June:

Exclusive: Above-top-secret details of Britain’s covert surveillance programme – including the location of a clandestine British base tapping undersea cables in the Middle East – have so far remained secret, despite being leaked by fugitive NSA sysadmin Edward Snowden. Government pressure has meant that some media organisations, despite being in possession of these facts, have declined to reveal them. Today, however, the Register publishes them in full.

So not only do we have hidden spying activity, no surprise there, but a marked reluctance by our own media to discuss the issue. The often-quoted excuse for not discussing the issues is that it puts lives at risk and harms the nation. This is made as a statement with no factual information to back it up. Proof of a negative is always difficult, but really, are lives at risk from the UK public knowing that a location in Oman is built and operated for the entire purpose of monitoring Internet communication links, something that the locals in Oman, all the people who built and service the stations and all the agencies know, but the British public must not?

This reminds me of the farcical situation a few years ago when Ordnance Survey maps and road atlases would show blank empty spaces where UK military and other sensitive bases were. Meanwhile the then Soviet Union was scanning those places with satellite photography almost hourly. So our prospective enemy knew what was there (at least what buildings were), but the British public was not allowed to see that just inside the main gate was the entrance to the Officers’ Mess and NAAFI next to the tennis court. I have never been able to understand why this was the case, this in-built secrecy left over from the war, like changing the road signs around as if an invader would not have a compass and discover our ruse.

Back to the NSA and the latest series of revelations. The sheer scope and scale of the observations are in one way comforting: our spies are spying, protecting us. They claim to have prevented all sorts of illegal actions, like Germany stealing a march on trade negotiations, or when Chancellor Merkel was getting home from the state dinner. They plumbed into the content, not just the metadata, of every single telephone call in the Bahamas. How many pizza takeaway orders were there? We should be told about this vital contribution to national security. The sheer scale of the monitoring beggars belief, yet it has raised the merest flicker of interest in the UK. I believe that some of this is down to media jealousy, much like the Telegraph when it broke the MPs’ expenses scandal. The Guardian had an exclusive and the rest of the media seemed reluctant to follow up.

Whether Snowden was right to release the information will be a matter for history to judge; there has been a media backlash against him, pushed forward by the selfsame agencies he has allegedly harmed. The bottom line is that, like MPs, these agencies work for us. GCHQ is funded by the taxpayer; if it is wasting needed national resources discovering how many of us posted tweets on our favourite dogs, isn’t it justified that we question what they are spending our money on? At a time of national austerity, with ongoing cuts still impacting numerous areas of government spending, what exactly are we getting for our money? Our MPs don’t seem to want to find out, as I have previously blogged here. Our media, for spitefulness, boredom or just plain laziness, have not followed up. Where is the probing Channel 4 or BBC Panorama exposé? Yes, they have reported on the Snowden allegations, but where is their own investigation adding to the story? The NSA intercepting and tampering with Cisco routers was an allegation without specificity from Snowden. Then film emerged of the NSA doing it; it’s referenced in The Register’s article, but still the doubters question Snowden’s authenticity. This week, having claimed for months that they had no emails from Snowden complaining about anything, they suddenly released one email from him. How did they manage to find that? No emails means no emails, not one. Where are the others? He cannot have sent just one. Another scandal waiting to happen, unreported in the mainstream press.

My final comments for today concern the real issue. On Friday we commemorated a major step in the fight to bring freedom to Europe. Freedom: what does that mean? Freedom in my view is about freedom from oppression, free to think, comment and express opinions. The Internet has greatly extended this freedom. It has also given us the freedom to shop, post dog and children videos and endless meaningless chatter. The e-commerce activities have been significantly undermined by our so-called security agencies’ deliberate attempts to break encryption and other secure systems. Their actions have made us less secure as a whole. Billions of financial transactions are at risk because of exploits they either created or left in place so that they could spy on everything else. This is akin to a policeman breaking the locks of every house in case he needs to raid it at some stage in the future, or a doctor creating a virus so that he always has plenty of patients.

This is not security, this is not in my interest and it’s a colossal waste of resources. Every part of government is scrutinised about how it spends our money except this one. Perhaps our own MPs might do the job they are elected to do rather than the one their party or government tells them to do. Cosying up to the security services is not their job; representing us is. I wonder if they ever will?