Hacktivism Pt. 2: A Flaw In the System

In my bathroom at home, there is a screen blocking the window so that if we need to air out the room, no bugs will be able to get in. However, the screen currently has a small hole in it, so if the window is opened, bugs can get in through the hole and buzz around the bathroom.

I thought this a rather appropriate metaphor for the challenges of cybersecurity in the 21st century. We have these huge, elaborate security systems in place to guard our most important information, but the tiniest hole in the system gives hackers a way to break in.

According to a 2010 report by the Internet Crime Complaint Center, 75% of all reported instances of U.S.-based cybercrime were perpetrated by male users, and 15.8% originated in California. Obviously, the vast majority of cybercrime was based in the United States, followed by England and Nigeria (no surprise on that one).

Silly little blogs that get targeted might not have the best security, but you would think that the website for the Central Intelligence Agency would be well-protected. But when the site was hit a few months ago, it was brought down by a DDoS attack. They weren’t targeted with a sophisticated hack, their site crashed due to overtrafficking. Let me put that into perspective: that would be like a famous person with tons of security getting taken down by a mob of crazed fans as opposed to a well-trained sniper with years of experience. The CIA should be more prepared than that.

LulzSec targeted everything from the Senate website to the X Factor contestant list. And why on God’s green earth would they want to hack that group of egomaniacal losers? AND the X-Factor contestant list? Because they were dedicated to the cause. But dedication means nothing if you have the proper security in place. And government websites should really have this kind of security.

Now, in fairness, most of these hackers aren’t necessarily amateurs. Security experts believe that a good percentage of them are former security analysts, and are “reverse engineering tools to discover vulnerabilities.” However, in England, many web experts are leaving British intelligence agencies for the private sector because they’re not getting paid enough. The head of the Government Communications Headquarters said, “I can offer them a fantastic mission, but I can’t compete with their salaries.” So if you like the James Bond lifestyle, but have zero interest in going outdoors or getting paid well, the GCHQ is for you!

One of the most powerful and time-consuming hacks are brute force attacks. Brute force hacks are basically automated programs that run through every possible combination until they come up with the correct password. That’s why it is always important to come up with complicated passwords. Utilize dots, dashes, letters and numbers, words & phrases, etc. If you care at all about protecting your information, you’ll take this seriously and not just type in something generic. In 2010, cloud security firm Imperva published a list of the 20 most common passwords used on the internet. Here are the first ten:

  • 123456
  • 12345
  • 123456789
  • Password
  • iloveyou
  • princess
  • rockyou
  • 1234567
  • 12345678
  • abc123

See what I mean? This is how high-security firms like HBGary got hacked by Anonymous. Even with slightly complex passwords, brute force attacks are like virtual atomic bombs.

But clearly, when security is threatened, law enforcement agencies are expected to devote all their resources to trace those who are responsible. I present the following paragraph, direct from the FBI website, on the kind of individuals responsible for cyberattacks:

It runs the gamut–from computer geeks looking for bragging rights… to businesses trying to gain an upper hand in the marketplace by hacking competitor websites, from rings of criminals wanting to steal your personal information and sell it on black markets…to spies and terrorists looking to rob our nation of vital information or launch cyber strikes.

The FBI has been investigating many of the recent high-profile security hacks, from Gawker to Google to the IMF. However, in 2008, a “penetration tester” (which is quite possibly the best double entendre ever) was able to hack the FBI database in six hours. So what does this say about the kind of security employed by organizations that are supposed to specialize in security?

Some of the less high-profile hacks in the past few months have also targeted lacking web security, but in several instances specifically carried out to provide a public service. England’s National Health Service has hacked by LulzSec, and the group collected several administrative passwords. But they later send an e-mail to the NHS, one that wasn’t necessarily malicious but rather well-meaning.

Greetings [REDACTED].

We’re a somewhat known band of pirate-ninjas that go by LulzSec.

Some time ago, we were traversing the Internets for signs of enemy fleets.

While you aren’t considered an enemy – your work is of course brilliant – we did stumble upon several of your admin passwords…

We mean you no harm and only want to help you fix your tech issues. Also, we hope that little girls feasts on the bones of many giving souls.

Charming. But also surprisingly candid. Hackers targeting a website and warning it about its faulty security? You don’t see that very often.

Security company Panda Security reported the second quarter of 2011 was one of the most negative in terms of how many cyberattacks were launched. They described the giant hacks of Sony’s PlayStation Network as “the biggest data theft ever.” Over 68% of hacking attempts were made through Trojan programs, thus making cybercrime the second industry where people en masse use Trojans for heavy penetration.

But one interesting gem contained in Panda Security’s press report was this little anecdote about a hacking attempt in a foreign country.

The Norwegian military stated in [sic] May 19 that it had been the victim of a serious cyber-attack that took place at the end of March. The attack happened when 100 senior military personnel received an email in Norwegian with an attachment. The attached file was in reality a Trojan designed to steal information. At least one person opened the attachment, but the attack was a failure and no data was lost.

I am, obviously, not a military expert. I am not a cybersecurity professional. But I do know this: if you get an e-mail from an address you don’t recognize, the dumbest thing you could do is open the attachment. Need I remind everyone of the infamous Anna Kournikova virus? Same deal.

And let’s not forget the financial consequences of web vulnerability. Sony lost upwards of $170 million after the PSN Network was hacked, and one infamous PS3 jailbreaker suspects they wouldn’t have lost all that money if they had their priorities straightened out.

Let’s not fault the Sony engineers for this… The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts.

In 2010, companies paid a total of $16.5 billion for security software, a 12% increase over total 2009 investments. However, it’s not enough to invest more in security software, you have to use your resources wisely. You need highly trained security professionals working for your company, and you actually need to have the latest software on hand. If you aren’t devoting a significant percentage of your budget to computer security, you’d better hope nobody wants to hack you.

Because there aren’t many Casper the Friendly Ghosts browsing the internet looking for sites with faulty security systems to probe and advise.

Now, to be perfectly clear, I am not arguing for more security, I’m just explaining how innocent victims can protect themselves against malicious hacks. After all, sometimes hackers can be allies in the cause of internet freedom.

But that’s for tomorrow’s post…