ProtonMail: encrypted email provider held ransom by hackers

Discussion in 'privacy general' started by Justintime123, Nov 5, 2015.

  1. Justintime123

    Justintime123 Registered Member

    Joined:
    Jun 15, 2013
    Posts:
    95

    ProtonMail: encrypted email provider held ransom by hackers

    UK Guardian Sam Thielman in New York

    ProtonMail, a Switzerland-based encrypted email provider, was forced offline on Thursday after hackers held the company’s internet connection for ransom by using a distributed denial of service (DDoS) attack.

    “ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state sponsored actors,” the company said. “It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us.”

    -
     
  2. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    They say the infrastructure necessary to resist the kind of sophisticated attack that took down their entire ISP just to get at Protonmail costs about $100K/year. They're asking for donations: https://www.gofundme.com/protonmaildefense

    I hope they're able to survive this.
     
  3. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Under DDOS again from this morning (Swiss time).
     
  4. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    I just saw that someone is DDoSing VFEmail today. Their regular URL is down. Check instead: https://nl101.vfemail.net/

    Is this the beginning of a deliberate campaign against private email services?
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    DDoS ransoming is the latest thing, I've heard :eek:
     
  6. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    Don't know if it's related -- or just my system, but haven't been able to log into Tutanota either.
     
  7. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    I'm not having trouble with Tutanota. But I just saw that Neomailbox and Runbox are both being DDoSed. So it does really seem like a coordinated attack on private email services.
     
  8. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    After just seeing your note, I tried again and was able to get in -- so must have just been on my end.
     
  9. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
  10. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    83
    RunBox, Hushmail, and NeoMailBox (a Swiss service, like Protonmail) were also under DDoS attacks these days.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    ProtonMail sets a dangerous precedent and opens itself up to further attacks by paying ransom
    http://betanews.com/2015/11/06/prot...tself-up-to-further-attacks-by-paying-ransom/

     
  12. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    The news source you cite, like many, is radically misrepresenting what happened. When the attack on Protonmail escalated, it took down the entire network of its ISP, affecting hundreds of companies, including banks. Protonmail did not want to pay the ransom, but these other companies put a huge amount of pressure on them to do so. That's where the quote of "grudgingly" comes from, they "grudgingly" went along with the pressure from all the other companies.

    Here's Protonmail's full explanation of the course of events that led to the ransom payment:
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    Thank you for clearing things up, @cb474 :thumb:
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    It's very suspicious that the attackers didn't honor the ransom payment, because if it were a criminal organisation, it is in its interests - ironically - to be honest about that.

    Instead, it increases the likelihood of state-level actors being the culprits.

    I imagine also that ProtonMail (and the other similar providers) will be seeking a different ISP, voluntarily or involuntarily - independent of the issue of DDoS protection.

    I also wonder whether this illustrates the problem with the architectural model here, which is still central server - clients (and this has other downsides such as attack on their certificates, and the subversion of their javascript code).
     
  15. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    @deBoetie

    Protonmail believes they were subject to attack from two different parties. The first, easily handled, small scale attack came from those who demanded the ransom. This group, the Armada Collective, has plagued a number of sites lately. The second much more sophisticated attack, Protonmail says reflects the level of capability normally associated with a state sponsored actor. They think this was a second attack by a party unrelated to the Armada Collective. In fact, after they paid the ransom and the attack did not stop, the Armada Collective contacted Protonmail to tell them they were not responsible for this (which has some credibility, since if they were responsible it would be more natural to ask for more money).

    Protonmail explains all of this in the link to their Wordpress blog I provide above.

    Protonmail has moved to install hardware which can mitigate the second, more sophisticated attack, but it is very expensive, hence they started a fundraiser to support this. Details about this can be found in their Twitter feed.

    I've read some people speculating that the second attack may have taken the opportunity of the first attack to act, perhaps to obfuscate who is responsible. I know that Protonmail has a lot of users in China including dissident groups (and also Iran, I think). It would not be surprising that China would want to disrupt access of dissident groups to a secure private method of communication and obviously they have both the capability and willingness to do something like this. I don't know what Iran's capacities are. I also am not sure if Iran is as interested in cracking down on stuff like this.
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Thanks, whichever you believe, the notion that there is a state-sponsored attacker is pretty compelling.

    And the sad thing is that peoples' suspicions will not be limited to "official" rogue/repressive states, and that protestations from TLAs simply cannot be believed. That's the legacy they've created.
     
  17. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Just wondering as I pass through this thread. Are any of the email providers being "attacked" running hidden servers? Was just wondering if Tor's hidden service configuration would insulate this at all? I haven't given it any thought, but my stuff hasn't been down. It's private, and being who I am it'll stay that way. LOL!
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
  19. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    That article kind of gets the chronology wrong and mixes up what different tweets from Protonmail were referring to. Protonmail came back online on Nov 8, after installing new hardware to handle the second, more sophisticated attack, but the next day they were attacked again using a different method and went down again for a couple of hours. After mitigating that third attack they seem to have remained up so far, but they say they remain under continuing attack.

    Protonmail has provided a detailed account of what's going on and what happened here:

    https://protonmail.com/blog/protonmail-ddos-attacks/

    They also sound confident now that there were two attackers: the first, who demanded the ransom and who have plagued other sites recently, and the second, much more sophisticated party, who they think had probably been planning the attack for a while and took the opportunity of the first attack to try to hide their tracks. Experts are working with Protonmail to see if they can identify the second attacker.

    If you read the whole Protonmail post on this, it's nice to see how many other companies and experts really rallied behind them.
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    FastMail the latest victim of a sustained DDoS offensive
    http://www.welivesecurity.com/2015/11/12/fastmail-latest-victim-sustained-ddos-offensive/

     
  21. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    I'm betting China is responsible. They have the capabilities to do such an attack and they have the motives.

    Iran doesn't have the capability to run such a large sustained DDoS attack.
     
  22. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Yeah, I don't really know, but if I had to bet, I'd put my money on China. They have the capability to do this, they have a history of this sort of action, and my impression is that Protonmail is popular with Chinese dissidents. If they could bring down the service, it would be a step in hindering their communication.

    I don't know about Iran's capabilities, but I'm willing to believe others on this. And western agencies don't tend to go for such blatant attacks (especially within the context of the west itself). They try to do more surreptitious things, figure out if they can compromise the service and then spy on people (rather than just bring the service down).

    On the other hand, in the face of more and more sophisticated encrypted communications services, perhaps western agencies will have no other choice. If they can't compromise the communications, then some other sort of mischief might become more appealing.
     
  23. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    A major part of the draft Investigatory Powers Bill in the UK is trying to legitimize precisely this (what they are already doing). Except, it's not a blatant attack, it's "equipment interference". Only China would attack.
     
  24. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    What's equipment interference, as distinguished from an "attack"? I don't think I understand the distinction you're making.
     
  25. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Sorry, my pathetic attempt at humor in the face of a bad situation - there is no difference except "interference" is supposed to make it more palatable. You are supposed to trust that they are always after the bad guys, despite disgraceful evidence to the contrary.
     