'Hacktivist' – An old word in the lexicon, a new twist in execution
In light of the growing profile and threat of ‘hacktivism’, brought to the fore by the recent disclosure of many highly secret and sensitive documents by Wikileaks, Vega considers what challenges this cyber weaponry poses to government and commercial organisations.
In November 2006, Julian Assange, the catalyst for the current outbreak of ‘hacktivity’, wrote in the online version of Counterpunch – an American political newsletter – a short article on the origins of ‘hacktivism’. He described the incidents of 1989, when US Department of Energy and NASA computers all over the world were affected by the ‘W**K worm’ (Worms Against Nuclear Killers). The effect of the worm was to present a ‘log-in’ screen with the message “your system has been officially W**Ked” underneath an appropriately artistic logo!
However, reports of ‘hacktivism’ (hacking for political purposes) go back further, to 1984, coincidentally the year George Orwell chose for the novel in which he described a ‘big brother’ state where every person’s movement is watched.
Fast forward to the headlines of late 2010, where online business and online social interaction are now a way of life, and ‘big brother’ exists in the form of governments, Google and ISPs, who can watch us all, 24 hours a day.
In this world, the threat of ‘hacktivism’ has been attributed to a group of radicals joined together by a common distrust of corporations and government. However, hacktivism can also be a weapon in the hands of an organisation or state looking to seek strategic advantage over its perceived enemies.
Whatever the origin of the attack, the disruption of service and loss of reputation for the subject of the attack have the potential to be critical and long lasting. Such a threat raises two major issues: how does an organisation adequately protect itself against such an attack, and how does it do so in a way that does not affect its ability to run its business?
To answer these questions, we must first understand the kinds of ‘hacktivity’ we are seeing today, where it is from, and why it is different.
The age of Hacktivism
The current hacktivist campaign, Operation:Payback, is driven by an anonymous organisation that proudly claims responsibility for the damage and disruption suffered by the corporate websites it targets. Until now, Operation:Payback had focussed its attacks on those trying to protect themselves against theft of IPR, notably the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA).
Since Assange’s arrest, however, credit card companies including MasterCard and Visa, the PayPal blog site, Sarah Palin’s website, and others, have experienced Distributed Denial of Service (DDoS) attacks after closing down payment facilities or criticising the Wikileaks organisation. Fortunately for the credit card companies, their operational systems were largely unaffected, and regular payment transactions continued.
The usual DDoS attack happens through compromised PCs, or “bots,” formed into groups called “botnets” and used as weapons by cyber attackers to launch various forms of cyber attack. In addition to DDoS disruption, these botnets, among other things, can support identity theft and clandestine intelligence-gathering operations.
Operation:Payback perpetrators differ from the participants in a common DDoS in one crucial respect – they are willing participants who download the DoS application, submit themselves to external control and cause widespread mayhem. This aids them in overcoming a number of standard defensive techniques that should normally increase resilience to DDoS. Moreover, the concentrated power of even a small botnet of 20,000 computers can take down over 90% of corporate internet sites.
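The two paragraphs above describe the defender's problem in outline: a flood arrives from many sources, and when the sources are willing participants rather than a handful of hijacked machines, a rule that simply counts requests per IP can be evaded by each participant staying under the limit. The following Python script is an added example, not code from the original article or from Vega; it runs a per-source sliding-window rate check over a constructed Common Log Format sample (the IP addresses, timestamps and thresholds are all made up for illustration) and then shows why an aggregate, whole-server view is needed alongside it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_sample_log():
    """Constructed sample traffic (hypothetical addresses, not real data):
    three ordinary clients at 1 request/s plus two flooding sources at
    20 requests/s, all over the same 10-second span."""
    base = datetime(2010, 12, 10, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(10):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        for ip in ("203.0.113.5", "203.0.113.9", "198.51.100.7"):
            lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 5120')
        for ip in ("192.0.2.10", "192.0.2.11"):
            for _ in range(20):
                lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 5120')
    return lines


def parse_line(line):
    """Return (ip, timestamp, request) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def flag_flood_sources(lines, window_seconds=10, max_requests=50):
    """Per-source sliding window: map each source IP that ever exceeded
    max_requests within window_seconds to the peak count observed.
    Assumes the log is in timestamp order, as a single server log is."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        ip, ts, _ = parsed
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def aggregate_peak(lines, window_seconds=10):
    """Whole-server view: the largest number of requests from ALL sources
    inside any window_seconds span. This is the check that still fires when
    many participants each stay below the per-source threshold."""
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, ts, _ = parsed
        q.append(ts)
        while q and (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def flood_share(lines, flagged):
    """Fraction of all parseable requests that came from the flagged sources."""
    total = hits = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        total += 1
        hits += parsed[0] in flagged
    return hits / total if total else 0.0


if __name__ == "__main__":
    sample = make_sample_log()
    flagged = flag_flood_sources(sample)
    print("per-source offenders:", flagged)
    print("share of traffic from offenders: %.1f%%" % (100 * flood_share(sample, flagged)))
    print("per-source check with a lax threshold:", flag_flood_sources(sample, max_requests=250))
    print("aggregate peak in any 10 s window:", aggregate_peak(sample))
```

In the constructed sample the two flooding addresses account for roughly 93% of all requests, which is the "small botnet, large effect" pattern the article describes. Raising the per-source threshold to 250 makes the per-IP rule silent even though the server is still receiving 430 requests in ten seconds; the aggregate window is what catches that, and a real deployment would compare it against a measured baseline rather than a fixed number.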
Conversely, Wikileaks itself continues to thrive despite the efforts of the US Government to shut it down, and its resilience displays a classic defence against DDoS attack! The Wikileaks site is currently hosted at 507 different locations, or "mirror sites," worldwide. The organisation encrypts its data and keeps the source of its whistle-blower submissions anonymous. In addition, at any given time, Wikileaks computers are feeding hundreds of thousands of fake submissions throughout its network to obscure the real documents, their points of origin and their destinations. Moreover, the US Government is prevented from employing illegal DDoS attacks against its elusive opponent, and for the moment the struggle goes on.
Taking up arms against a sea of troubles
So in the light of such clearly premeditated and co-ordinated hacktivism, how can business, government and those charged with our national safety and security best protect the potential technological targets on which we all rely?
The first thing to say is there is no magic bullet. Just as with any threat throughout history, the best way to meet a threat is to pull together your intelligence on your enemy, identify your weaknesses against their strengths, and then plan and prepare accordingly.
As in the physical world, perfect information security and resilience against all forms of cyber attack is unaffordable and largely unachievable. However, whereas traditional battlefield countermeasures could be developed over weeks to effectively halt the advances in military technology, the innovations and exploits available to a cyber attacker mean the threat they pose can change daily.
The first question those organisations reliant on web-based operations, especially those with online transactions taking place, should ask therefore is: ‘What is our risk appetite?’
Key to successfully answering the question is to set a value on what would be lost if an attack were successful. This could include loss of revenue if sites are taken down, loss of reputation (and subsequent loss of custom) if a site is compromised, and, in the case of real cyber intrusion (subtle and silent, as against DDoS), loss of company data (lost IPR), loss of know-how, and indeed many forms of fraudulent activity. Developing an appropriate level of information assurance (IA) is therefore based on how much money you wish to spend to safeguard against the loss of information which has real monetary value to you.
Once this answer is understood, an organisation must review its own capability to understand the required information assurance policy and procedures, and whether it has the internal resource, with the appropriate domain and technical knowledge, to ensure that the proposed solution can be properly implemented.
If it does not, then, just as in the physical world you would broker a deal with an ally, the organisation should consider engaging an independent, expert service provider to help manage the challenge.
The real secret is picking the right advisor/supplier and working in partnership to establish your specific requirements.
If, as a company, it is agreed that a DDoS attack is an unlikely threat – for example, you may have limited access from your internal communications network to the internet, this access has a hardened ‘Security Managed Interface’, and hopefully your website hosting is separate from internal business (and you do not care if it is disrupted) – then you may not need to invest in load balancing, multiple web server sites, intelligent queuing etc.
Up to 80% of the cyber threats facing organisations today, including hacktivists, can be overcome by applying conventional information security policy, processes and technology to a level proportionate and appropriate to the threat.
If, however, your major threat is judged to be from serious organised crime or ‘state-sponsored espionage’, employing co-ordinated ‘Advanced Persistent Threats’, then you will most likely be advised to seek the protection of a high-grade Security Operations Centre (SOC). SOCs can be designed to protect classifications of information from IL1 (UNCLASSIFIED) up to IL5 (SECRET). Once again, the trick is to find a system that matches the threat level and the intrinsic value of an organisation’s information assets.
Hacktivists will never go away, not in a free world (although their actions are breaking the law), but their success is often due to the victim organisations not assessing such an attack as a high-probability event and taking appropriate measures. We have had our warning; let us learn the lesson!
Contact Vega for more information about hacktivism and cyber security.