Despite devoting resources and making arrests, authorities seem little closer to stopping the new face of social protest, reports Jim Romeo.
On a bitterly cold Monday morning in mid-January, to little fanfare, roughly two dozen human rights advocates assembled outside the headquarters of US defence contractor Combined Systems. They were there to rally against the company's manufacture of non-lethal weapons, such as tear gas, which have been used against demonstrators in Egypt and elsewhere. About a month later, another protest against the company occurred, but this time it garnered international media attention – and it didn't require anyone to trudge out in the snow to the rural roadway of Route 58 in Jamestown, Pennsylvania, to chant and wave signs.
But it was illegal. From afar, members of the decentralised but powerful online activist collective Anonymous attacked Combined Systems' digital infrastructure, disabling its website and, in the process, revealing the names and email addresses of its employees. The hack was meant to shame a business that Anonymous found offensive.
This type of internet vigilantism is becoming more common with each passing week – hacktivism, which describes the use of computers to further a political cause, has taken off in the past 18 months. What activists have discovered is that it is a very effective weapon, because online attacks can send a strong message – such as knocking a website offline or exposing embarrassing emails about a target – without resort to violence.
“Politically motivated hackers, or hacktivists, have been around for some time,” says Darren Hayes, computer information systems program chairman at Pace University in New York. “In 2008, during the Russia-Georgia conflict in Ossetia, Russian hackers were allegedly responsible for attacks on the Georgian president's website, and on government Twitter accounts. Closer to home, hacktivists – most notably Anonymous, AntiSec and LulzSec – have launched attacks on government agencies and corporations in support of political causes.”
Chris Wysopal, CTO and CISO of Veracode, says hacktivism is not exactly a new strategy, but its presence has increased substantially in recent years. “The hacktivism risk is highest for large organisations that have well-known brands,” he says. “This is because there is a larger attack surface area.”
The bigger the organisation or brand, the more there is to lose from embarrassment and a loss of trust, Wysopal says. “Hacktivism has changed the risk equation for organisations due to a new substantial threat. It is requiring organisations to work to secure any website that has a brand associated with it.”
Meanwhile, the effectiveness of deterrent efforts is still to be determined. US and international law enforcement bodies are often in the news for their concerted efforts to crack down on hacktivism. However, the threat still exists and, rather than abating, is proving stealthy.
In fact, the FBI and Scotland Yard fell victim to those they were hunting down when Anonymous posted on the internet a purloined 16-minute conference call between the agencies.
Chase the pigeon
“Law enforcement's efforts have had little real effect on curbing hacktivism since it operates at a scale [of] anonymity and ease that current governments and their laws are incapable of comprehensively acting on,” says Phil Lieberman, president of Lieberman Software. Hacktivism, he adds, is on the increase as the world becomes more and more connected, with a proportional number of weakly secured systems available for exploitation.
As with traditional cyber crime, law-enforcement efforts to curb hacktivism seem to be falling flat. “In the past two years, there have been some high-profile, successful attacks, and some high-profile arrests as well,” says Rob Malan, co-founder and CTO of Arbor Networks. “The fact remains that the rise of hacktivism and the increasing frequency of attacks are far outpacing law enforcement's ability to deal with the problem.”
There are a number of reasons for this, he says – chiefly the lack of confidence in law enforcement's capability, and willingness, to investigate online attacks, as well as the fact that some challenges are simply insurmountable for authorities (such as the distributed nature of attacks, which leads to confusion around disclosure).
Jerry Irvine, CIO of Chicago-based Prescient Solutions and a member of the US's National Cyber Security Task Force, says it should be noted that profit is often the motive behind ostensibly political attacks. “Cyber crime is a multi-hundred-billion-dollar industry and, as a result, many individuals, organisations and even countries are involved,” he adds. “Hacktivism is a growing issue, not just due to unstable political and economic situations, which need to be addressed, but also because the lines between hacktivism and cyber crime have blurred and become indistinguishable.”
For instance, last year, Anonymous compromised the global intelligence firm Stratfor. At first, the company may have thought this was a conventional hack, with the perpetrators seeking data for financial gain. In fact, the hackers stole credit-card numbers so they could make donations to charities, but their main goal was access to emails that they hoped would reveal shady communications between military and intelligence officials.
The broad view
To defend against web attacks, whether they are politically motivated or not, organisations tend to rely on anti-virus software, firewalls and intrusion detection systems. But the exploits are ever-changing, and these solutions cannot prevent everything, warns Jason Mical, director of network forensics at AccessData Group in Utah. “So while these perimeter-defence technologies are critical to securing networks, a fundamental change in our approach to cyber intelligence and response is where we should be putting our focus.”
At the moment, an organisation usually has multiple teams, each using different tools to address one aspect of a much larger process, Mical says. These teams must collaborate more efficiently and correlate their findings to see the whole picture, he adds.
“To be able to verify threats and determine the impact level sooner, the solution is not just a shift in process, but requires technology that facilitates this collaboration and integrates the analysis,” Mical concludes.
This article originally appeared in the US edition of SC Magazine.