A shift in the balance of power
Sophisticated malware feeds into script kiddie tools, enabling embittered individuals to take on corporations and governments. What are the consequences, asks Sarb Sembhi.
Children at school have a fierce sense of justice – and injustice – often with thoughts of revenge as a likely response if perceived to be picked on by others. As we grow older we learn to forgive and sometimes forget those who have wronged us, with few acting on their impulses, or holding a lifelong grudge.
Now, with so much of our lives lived online, bullying, humiliation or slights big and small are recorded for all time internationally – notwithstanding the right to be forgotten. Anyone can become a target for any reason. And the source can come from anywhere in the world. Conversely, the wronged party is also now in a position to respond to the hurt felt from anywhere on the globe.
Hacking tools have become more powerful and easier to use each year, and are now big business for the criminal underworld, coming close to a point where they will advance at the same rate as microchips. That is, every 18 months hacker tools will be able to find/exploit vulnerabilities twice as fast as they can today, and become even easier for non-technical people to use.
This is further helped by the release of sophisticated malware believed to have been created by highly skilled state actors or multinational corporations, with Stuxnet, and more recently Regin, viewed as created by states. Although this malware has been around for a while, the techniques used in it have been filtering into attack kits for all.
It isn't just criminals who use these tools to pursue their objectives. Just as worrying are those who seek to achieve mischief, be it trolling, hacktivism, etc, who are also able to target an individual, group or business, and cause harm – often in ‘revenge’ for something about which the victim may be unaware, as the attacker's motivation is not financial.
If you, a group you belong to, or your business has expressed a controversial opinion, or you have taken some action that may be objected to by someone who feels differently, you may well become a target of attack.
We have even seen groups of hackers from India and Pakistan who attack each other's government web sites (officially these groups don't have the backing of their governments) in retaliation for a perception of being wronged.
The hacktivist group Anonymous has also had several campaigns attributed to it, and more recently the Guardians of Peace claimed credit for the Sony Pictures attack, and Iran is reportedly behind a different batch of high profile attacks. One only has to look at the growing phenomenon of revenge porn on the internet, which doesn't even require specialist skills or tools, just a feeling of hurt, or the desire to humiliate or damage.
Gone are the days where an individual or a corporation could hold views that were different to those held by others and not consider how other people view you or your organisation – let alone take action others disagreed with, whether clearly wrong such as bullying, or more debatable such as medical research on animals. Now we have to worry about possible consequences, assuming we accept that behind these attacks there is some element of revenge for a perceived wrong-doing.
The power to bring down a multi-billion pound business has been put into the hands of a youngster that you have just insulted. It doesn't bear thinking about. But is this what the law-enforcement agencies are trying to tell us regarding asymmetric power on the internet?
For some this changes nothing, but for others it begs many questions: what will you take into consideration when you are working on your risk register (Sony Pictures for example)? Is it even possible to foresee attacks like the Sony Pictures attack? How far can human resources go in ensuring that interviewers don't upset interviewees, or that directors don't make public statements which may cause offence to others who may have the know-how to retaliate massively?
Further, if we were to accept that we shouldn't upset the script kiddies with powerful hacking tools, could we really take any political action that would upset a foreign nation with far greater response capabilities and resources, and which could have been quietly developing those capabilities for years?
We could ask ourselves whether we should really be surprised about those attacks from a publicly wronged individual, group or government? The balance of power has shifted, the barriers to entry have lowered to the level of the individual, and the threshold for retaliation has all but disappeared. Does this proliferation of easy-to-use powerful hacker tools mark the end of free speech as we have known it? Or can we all grow up in time?
Contributed by Sarb Sembhi, director, Storm Guidance.