So far this year, hundreds of millions of users of online services have had their accounts compromised or sites taken down: from Sony, Nintendo, the US Senate, SOCA and Gmail to the CIA, the FBI and the US version of X-Factor. Self-inflicted breaches have occurred at Google, DropBox and Facebook. Hackers have formed semi-organised super-groups, such as LulzSec and Anonymous. Are we at the point where information security professionals are starting to say, “I told you so”?
The telling thing about nearly all of these breaches is how simple it would have been to limit the impact: passwords have been stored in the clear, known vulnerabilities have not been patched, corporate secrecy has got in the way of a good PR message, and security controls have varied between sites of the same brand.
The media’s response is often “hire the hackers!”, an idea that is fundamentally flawed. Would you hire a bank robber to develop the security for a bank? No. The fact is that there are tens of thousands of information security professionals, many of whom are working in the organisations recently attacked, who know very well what needs to be done to fix many of the problems being exploited.
Many corporations have decided to prioritise functionality over security to the extent that even basic security fundamentals get lost. There needs to be a re-assessment of every organisation’s priorities, because LulzSec and Anonymous will soon realise that there are juicier and easier pickings away from the large corporates and Government sites that have had the foresight to invest in information security controls.
This may sadly be just the beginning.
The BBC have an interesting article, entitled “Is cyber-warfare a genuine threat?”, which poses several interesting questions. There is a general consensus that something needs to be done to allow for a consistent approach to
All this relates to the document entitled “[the] First Joint Russian-U.S. report on Cyber Conflict”, created by the EastWest Institute. Some of the things they looked at were:
- Just as the Red Cross emblem designates a protected entity in the physical world, is it feasible to use special markers to designate protected zones in cyberspace?
- Should we reinterpret convention principles in light of the fact that cyber warriors are often non-state actors?
- Are certain cyber weapons analogous to weapons banned by the Geneva Protocol?
- Given the difficulties in coming up with an agreed definition for cyber war, should there be a third, “other-than-war” mode for cyberspace?
One of the things that comes out of this document is the need to provide real-world analogies for issues on the Internet in order to contextualise the issue and come up with an appropriate response. If you sit at a desktop PC as an end-user, you have absolutely no idea what’s going on on the Internet beyond what’s currently displayed on your screen. This opacity has a number of consequences:
- Most people take risks that they wouldn’t take if they understood the threat they faced;
- Hacktivists or casual hackers have no understanding of the damage that they do or the power that they wield, resulting in potentially catastrophic consequences.
In light of my previous post about Hacktivism, is there a danger that, if the definition of cyberwar is too strict, a teenager in his bedroom could start a global conflict? As one comment indicated, the power in the hands of an individual online can far outweigh the power they would have in the real world and, therefore, to some extent, everyone is equal. Where are the boundaries? And what should be sacred? The document outlines some ideas about having an agreed set of “neutral” entities, like the Red Cross or Red Crescent, but who is entitled to agree on the list?
Traditionally, only militaries had the capability to wage war and, therefore, it was appropriate for their associated governments to sign treaties that governed the rules of war. Now, however, everyone has the same potential.
While you can control the substances needed to make bombs, you can’t control the creation of code.
This post prompted a lot of discussion offline, summarised thus:
- The biggest problem is determining accurately where an attack comes from in order to respond to it;
- Compromised machines will become the main launch-pad for attacks, as it allows for deniability on the part of the originator of an attack;
- The “super powers” will probably want to have the ability to respond conventionally to a cyber-attack, as online they don’t have the same overwhelming power as they do in the real world;
- “Protected organisations” will quickly find themselves exploited as launch-pads for attacks if they’re not very well defended.
So, here’s a question: how much hacktivism should be tolerated?
This cropped up in a discussion with a friend regarding the arrest of the Anonymous members who had taken part in the LOIC attacks against organisations perceived to be against WikiLeaks, including Amazon and PayPal. In the “Real World”, people have a right to demonstrate, get out on a march and wave banners and all the rest, as well as peaceful sit-ins, flashmobs and other acts of disruption. Some members of our society would shudder at rubbing shoulders with thousands of people and would prefer to spend their time in front of a screen.
Are their views any less important than those of the more socially adept? And if not, what outlet do they have to express their views?
From an information security perspective, you have to assume that there are always people out to get you and, if you do a good job, it shouldn’t affect you too much if people start targeting you. However, recent events have shown that Distributed Denial of Service attacks against organisations with very sophisticated infrastructures can still be very disruptive.
Should the organisers or participants in online demonstrations be punished more severely than those taking part in equivalent physical demonstrations? How should companies react to them?