The art of hacktivism and using cyber attacks as a method of protest have taken a huge step up in the last six months. Owen Cole, technical director at F5 Networks, looks at the threat, capability and ease with which these tactics can be deployed.
In the last few years, we have seen an unprecedented wave of hacking attempts across the western world. The rise of the Anonymous ‘collective' in 2008 has gained pace in the last 18 months with its support for WikiLeaks founder Julian Assange and its protests against copyright and scientology.
The wide availability of the Zeus Trojan, which can enable people to control large networks of compromised PCs (botnets), and the coordinated ‘Night Dragon' attacks on corporate networks has caused widespread alarm in the IT community.
Although many attacks in the past have been either ‘hacktivism' or simply ‘recreational hacking', the ease of access of these tools has led to a great deal of speculation. The Zeus Trojan, for example, has been noted on sale for a mere $5,000.
Hacking, rather like much of the online world, is getting both easier and more serious and we have seen a rise in ‘commercial' hacking attempts. In future, we may well see more advanced blended threats, such as a blend of physical and online threats and even broader denial-of-service (DoS) ‘ransom' attacks.
It doesn't take a genius to work out other possibilities. Amazon.com makes £40,000 every minute; even clothing specialist Asos takes £424. Although DoS attacks are illegal, many organisations rely on the internet as their sole avenue of trade and DoS attacks can cripple an online trader that isn't insured against loss of earnings and even then, the reputational damage can be severe.
Even the threat of a DoS attack from a hacker may be enough to make online retailers reach for their wallets. These kinds of attacks go in and out of vogue and the UK has already seen a few such attacks in previous years. However the tools to conduct a DoS attack are becoming more easily available, making the threat more alarming.
To all intents and purposes, the criminals may be untraceable. Even consumers can hide their online presence using software such as ToR (The Onion Ring), which bounces a network signal around a number of computers, scrambling your online presence. Such attacks may even be conducted from public WiFi hotspots, leaving Starbucks or McDonalds within the liability chain for criminal activities.
It would be an easy matter for a hacker to control a botnet via the Zeus Trojan (which consists of millions of compromised PCs in the US alone) and threaten to carry out a denial-of-service attack against a website unless they are paid off.
According to the BBC, a wave of DoS ransom demands was carried out in 2004 against online betting companies prior to the Cheltenham Festival, when thousands of people bet on the horse racing. Fifteen bookmakers were reported to have been offline, with Full Tilt Poker going offline for approximately 48 hours and four companies even admitting to receiving extortion demands prior to the attacks.
Financial sector organisations, which could lose considerably more than online gambling sites and healthcare organisations (unable to access online patient records), could also be exposed to such threats.
There are a number of things that organisations can do to protect themselves against such attacks without carrying out a server migration. Companies can use software and equipment that sets rules to detect when site latency (i.e. response time) goes up by a certain percentage (e.g. 500 per cent) or latency reaches x milliseconds.
Alternatively, companies can check the number of transactions (i.e. requests for information) per second and block sources when it increases by a certain percentage or reaches a certain figure.
These solutions can easily be handled automatically on the basis of rules and policies, allowing or denying server requests, or simply ignoring all subsequent similar requests.
According to The Guardian, cyber warfare is now rated on a similar level to international terrorism, so it is clear that the government is taking this kind of crime seriously.
However, it will be interesting in future to see how the eCrime unit, for example, will work together with organisational security forces. After all, reporting a DoS attack to the traditional ‘bobbies on the beat' would be an exercise in futility, even though these attacks have been illegal since 2006.
It is worth acknowledging a potential weakness in our argument. Bruce Schneier refers to certain specific security threats as ‘movie plot threats', implying that they only occur in the realm of film. However, these attacks have already taken place against major betting companies and with botnets becoming increasingly easy to acquire, this kind of attack will no doubt occur again.
We need a smarter, more integrated and better funded approach to IT security. With patient records being stored online and banks trading billions of pounds across networks, the propensity for harm, even if it is of the non-physical variety, being caused to huge numbers of people is significant and high.