With Anonymous and other 'hacktivism' groups rarely out of the headlines at the moment, Steve Evans looks at just how much of a threat this could prove to be for businesses and what they can do to protect themselves
"We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us." So ended a warning message posted on YouTube from Anonymous aimed at The Church of Scientology. Posted in early 2008, the video marked the arrival of Anonymous to a worldwide audience following its emergence from internet imageboard 4Chan in 2003.
The group said it was targeting Scientology because of its "campaigns of misinformation, suppression of dissent [and] litigious nature".
Anonymous vowed to destroy the organisation. "We shall proceed to expel you from the internet and systematically dismantle the Church of Scientology in its present form. We recognise you as a serious opponent, and we are prepared for a long, long campaign," the video said.
Codenamed Project Chanology, the movement was essentially a protest against internet censorship - the Church of Scientology has previously demanded the removal of a video from YouTube that featured famous Scientologist Tom Cruise.
A series of denial of service (DoS) attacks were launched against Scientology's website and Anonymous members - stepping out from behind their keyboards - protested at Scientology headquarters and at the premiere of a Tom Cruise film.
The group members protected their identity with masks modelled on Guy Fawkes and made famous in the film V for Vendetta.
The group continued to attack various websites throughout 2008 and 2009, but its campaigns were primarily defensive moves, hacking and attacking websites that had criticised Anonymous.
However, in the summer of 2009 Anonymous turned its attention towards what many people now consider to be its raison d'etre - the self-proclaimed protection of civil rights and freedom on the Internet.
Spurred on by reports of the Iranian government shutting down access to the web to stop the news of alleged vote-rigging during an election from spreading, Anonymous set up a support website where people could share information about protests in Iran.
Anonymous then attacked websites in Australia, supported whistle-blowing site WikiLeaks and its embattled founder Julian Assange, and launched Operation Payback, a worldwide campaign against opponents of Internet piracy including Sony, the Motion Picture Association of America and the British Phonographic Industry.
Part of its support for Julian Assange included launching attacks on MasterCard and Visa's websites in retaliation for their refusal to accept donations for WikiLeaks following the publication of thousands of highly secret US diplomatic cables.
Attacks continued throughout 2010 and 2011 on a variety of targets; anyone or anything that got caught in Anonymous's sights was at risk of having their site knocked offline or obscene images posted on their homepage.
The group's tactics didn't stop there though: accessing sensitive data and posting it online was also a favoured trick. Aaron Barr, CEO of security firm HBGary Federal, was targeted after boasting that he had infiltrated the group and would make public details of Anonymous' membership.
The group responded by hacking Barr's Twitter account and exposing his address and social security number online. They also defaced HBGary's homepage and intercepted thousands of emails.
More recently, in a highly embarrassing move, Anonymous managed to record and publish a conference call between British and US police, which discussed legal actions planned against hackers. The group obtained an email sent on 13 January to various law enforcement agents that contained the date, time, phone number and the access code needed for the conference call.
Discussions on the call centred on investigations of alleged hackers and major players in Anonymous who were being tracked, two of whom were Ryan Cleary and Jake Davis. Both had previously been arrested for Anonymous and LulzSec-related activities.
The headlines generated by Anonymous certainly make a change from the sort of hacking stories we have been covering over the past few years. For a long time headlines were (and some still are, it has to be said) focused on hacks that were designed to steal money, IP or sensitive information that could then be sold on.
The early days
The likes of Anonymous are almost a throwback to the early days of hacking, when people did it simply because they could. Indeed, Anonymous affiliate LulzSec says it does what it does for the 'lulz', internet speak for laughs. But it is more serious than that: targets are not selected at random - attacks are carried out in the name of a cause.
And real damage can be done as a result of a hack, even if no vital information is actually accessed. The damage can be reputational.
One thing the headlines about Anonymous have done is bring the issue of hacktivism and hacking in general to the attention of companies the world over. But if a business has no links to anti-piracy groups or similar previous targets, should it be worried about the hacktivism practised by Anonymous, LulzSec and others?
Absolutely, says Alan Calder, CEO of IT Governance, a provider of risk management, compliance and governance services.
"It's about stealing information and compromising systems and defences, and most managers will say: 'We're not an IBM or a Microsoft, who'd want to go after us?' But threats, if they take down or damage a significant organisation, are likely to damage a whole bunch of other organisations in the process," he says.
"If there is an attack on a big company and you are a supplier or customer," Calder adds, "what's the likelihood that you might be seen as a vector for that attack to be directed through?"
Calder's thoughts were echoed by Amnon Bar-Lev, president of Israeli security firm Check Point.
"A lot of our customers are worried about whether they are secure enough," he tells CBR. "The landscape has changed dramatically because the motivation has changed. Before it was very unprofessional, motivated by a desire to see how defences are. Now there is a lot of financial motivation and data motivation, but there's also business espionage and political action, as with Anonymous."
But whether the hacking is done for financial gain, political ideologies or just for the 'lulz' doesn't really matter; businesses still need to defend their networks. "At the end of the day, if someone hacks your systems for whatever reason, they are still in there," says Bar-Lev. "You need the same protection whether the attacks come for financial reasons or political motivation."
What makes the likes of Anonymous so difficult to defend against is the very make-up of the group. There is no centralised headquarters and anyone can join; it is more of an ideology than a physical entity.
One of the reasons it has been so successful when it comes to launching huge distributed denial of service (DDoS) attacks is that all you need do to join in is download a toolkit from the web and away you go.
The arrests of Cleary, Davis - accused of being well-known hacker Topiary - and many other Anonymous and LulzSec members across the world show the authorities are moving in the right direction in the fight against hacktivists.
However, the Internet is not an easy place to police due to its borderless nature, and many in the security industry believe a more coordinated approach to defending against cybercrime is needed.
Speaking to CBR, Eugene Kaspersky, founder and CEO of Russian security house Kaspersky Lab, called for an online version of Interpol to help tackle the cybercrime issue. "Cyber police are limited by national borders; they want to coordinate but there are many bureaucratic procedures in place. If [cyber police] want to investigate with cyber police from another country they have to send an official letter, which then gets sent around various people. It doesn't work."
Kaspersky added that he believes an online version of Interpol will eventually happen, but until then it seems businesses will have to look to their own defences to remain secure. Having said that, the likes of Anonymous and LulzSec do not raise any additional security risks because they use long-established attack vectors to exploit common vulnerabilities.
While there is no silver bullet when it comes to security there are things you can do to add a little more protection to your infrastructure. The main one is simple: spend more money. While that may not be what a lot of IT departments want to hear in this economic climate, spending on security should be a much higher priority for many businesses.
IT Governance's Alan Calder points out: "The notion of cyber resilience is that you should be capable of defending yourself against a cyber attack but also recognise that there are cyber attacks that will succeed. You need to have a method of ensuring that when something gets through your defences you are resilient enough to respond. There is no way you can do that without spending money."
Calder says that the average spend of the IT budget on IT security is just 6%, but a much more effective figure should be around 13%.
"Cyber attacks are there; it's not something that should only be worried about by power or utility companies or big organisations. If you are connected to the Internet then you are at risk, it really is as simple as that. If managers don't understand that, they are almost certainly in trouble," Calder concludes.
Five principles to define your security strategy
- Coherent policy: More than the best technology, companies need to have coherent policies. They should use business terminology and turn data into security information, which is simple and gives meaningful insights. People should know clearly who can see, send and use what data via what medium at what location.
- User awareness and education: Companies need to train people on security issues while they go about their day-to-day work, not in separate lessons outside of work. Training should be embedded in the workflow, with clear real-time alerts with explanation and mitigation support.
- Prevention: Detection systems can only give yesterday's security events in a report. Controls placed in the gateway equate to inline controls, which in turn work out to prevention.
- Multi-layer defences: Companies need to have multi-layer detection systems with multiple layers of control in mobility, data and malware. They need to have consolidated security where all parts of the security setup act together.
- Central management: Companies should have well-coordinated policies. Multiple vectors should be handled with multiple security layers and coordination. They should have a single view of all events logged by gateways, endpoints, firewall, IPS, DLP and applications.
Source: Amnon Bar-Lev, Check Point.
After this article was first published it was revealed that Sabu, the alleged leader of Anonymous affiliate LulzSec, was actually an FBI informant. According to Fox News, he was turned after being arrested in June 2011 and provided details of Anonymous and LulzSec members in return for avoiding jail.