So far this year, hundreds of millions of users of online services have had their accounts compromised or sites taken down: from Sony, Nintendo, the US Senate, SOCA and Gmail to the CIA, the FBI and the US version of X-Factor. Self-inflicted breaches have occurred at Google, DropBox and Facebook. Hackers have formed semi-organised super-groups, such as LulzSec and Anonymous. Are we at the point where information security professionals are starting to say, “I told you so”?
The telling thing about nearly all of these breaches is how simple it would have been to limit the impact: passwords have been stored in the clear, known vulnerabilities left unpatched, corporate secrecy getting in the way of a good PR message, and inconsistent controls across sites of the same brand.
The media’s response is often “hire the hackers!”, an idea that is fundamentally flawed. Would you hire a bank robber to develop the security for a bank? No. The fact is that there are tens of thousands of information security professionals, many of whom are working in the organisations recently attacked, who know very well what needs to be done to fix many of the problems being exploited.
Many corporations have decided to prioritise functionality over security to the extent where even basic security fundamentals get lost. There needs to be a re-assessment of every organisation’s priorities as LulzSec and Anonymous will soon realise that there are juicy and easier pickings away from the large corporates and Government sites, who have had the foresight to invest in information security controls.
This may sadly be just the beginning.
So, here’s a question: how much hacktivism should be tolerated?
This cropped up in a discussion with a friend regarding the arrest of the Anonymous members who had taken part in the LOIC attacks against organisations perceived to be against WikiLeaks, including Amazon and PayPal. In the “Real World”, people have a right to demonstrate, get out on a march and wave banners and all the rest, as well as peaceful sit-ins, flashmobs and other acts of disruption. Some members of our society would shudder at rubbing shoulders with thousands of people and would prefer to spend their time in front of a screen.
Are their views any less important than those of the more socially adept? And if not, what outlet do they have to express their views?
From an information security perspective, you have to assume that there are always people out to get you and, if you do a good job, it shouldn’t affect you too much if people start targeting you. However, recent events have shown that Distributed Denial of Service attacks against organisations with very sophisticated infrastructures can be very disruptive.
Should the organisers or participants in online demonstrations be punished more severely than those taking part in equivalent physical demonstrations? How should companies react to them?
Something that has intrigued me about the Anonymous attacks on those companies/organisations and countries that are perceived to be anti-Wikileaks: the fact that members of the public are voluntarily installing a botnet client and allowing Anonymous to control their machine and direct their resources at will. The tool is called Low Orbit Ion Cannon (LOIC) and is so popular it is now available for iPhone and iPad.
This post isn’t a comment on Wikileaks or on Anonymous, but rather on the fact that there is a big unknown risk in installing something like this on your own computer: it could so easily be hijacked and redirected at another target that is not Wikileaks-related, or even be used as a backdoor to install something far worse.
On top of this, it needs to be pointed out that the act of knowingly participating in a Distributed Denial of Service attack is probably illegal in the UK and USA.