Agent Provocateurs

Page history last edited by David Shutkin 11 years, 5 months ago


New Scientist
September 10, 2011
Agents provocateurs

BYLINE: Samantha Murphy

SECTION: FEATURES; No. 861

LENGTH: 2529 words

HIGHLIGHT: Hacktivists have noisily exposed the sorry state of internet security. Samantha Murphy reports

 

The arrests of three hacktivists in Spain sparked demonstrations

THE attack, when it came, was swift and brutal. Aaron Barr, a security consultant for the US government, had just announced that he would unmask the members of an elusive hacker collective called Anonymous. To retaliate, Anonymous broke into Barr's email account at HBGary Federal, the cybersecurity contractor in California where Barr was chief executive, and publicly posted over 70,000 of his and other company executives' private emails. They hijacked his social media accounts, deleted massive amounts of data from the company's servers, and defaced its website with their signature logo of a suited, invisible man. "You have angered the hive," they told him. He resigned from the company soon after.

The attack on HBGary in February was neither the first nor the last of the unrelenting and public security breaches that have taken place this year. But it was perhaps the first example of the year's spate of signature attacks; one motivated not by profit or espionage, but as a form of political protest tinged with "lulz", internet parlance for laughter based in schadenfreude. The authors of this destruction were "hacktivists" who claimed to be exposing what they said were shamefully shoddy corporate security policies, and for their actions they were variously reviled as villains and hailed as heroes.

Could hacktivists have been doing the public a favour? Their repeated attacks have arguably accomplished what no legislative body had managed in 10 years: they have forced many companies to begin to revise previously lax security policies. They also motivated a bevy of new US laws that if passed, will make it a crime not to report data breaches – a gain for anyone who values the security of their personal data.

If the effects were to end there, hacktivists could be considered heroes of agitprop. However, the consequences might ripple out far beyond what these upstart groups had intended: they may have set in motion a chain of events that will change some fundamental properties of the internet for good. Hacktivists' role in internet history could be much bigger than they had ever imagined, and very different too.

Hacktivism traces its roots back to the late 1990s, when a hacker collective called Electronic Disturbance Theater (EDT) protested against Mexican government policies that it considered oppressive by staging online versions of sit-ins. These took the form of DDoS (distributed denial-of-service) attacks, a technique using large networks of hijacked computers to jam up websites with so much traffic that they crash. That shut down several websites, including that of the Mexican president, igniting a flurry of concern about the security of the internet. However, hacktivists were on the whole a self-policing bunch; EDT and other self-styled principled hacker collectives insisted that anyone acting in their name keep to a set of self-imposed rules of engagement, which included not disrupting the internet.

Heroes or villains?

That culture began to change in 2008, when the Anonymous collective was established. Like EDT, many of Anonymous's fluid membership see their activities as functionally no different from conventional activism. According to Gabriella Coleman, an anthropologist at New York University who has studied the group since its inception, "the group's core values are access, freedom of speech, and fighting censorship". In January this year, the collective unleashed their cyber-networking and programming skills to help protesters in Egypt and Tunisia evade government web filters that prevented the world from seeing the full extent of their struggles. "Sabu", a core member of Anonymous, says helping the Tunisians re-establish their connections with the rest of the world made him understand how powerful hacktivism could be. "I still get chills when I think about it," he told New Scientist in July (9 July, p 26).

However, events in Tunisia preceded the HBGary incident. The satisfaction of exposing the arguably flawed personal security practices of cybersecurity company staff motivated Sabu and five other Anonymous members to form an aggressive splinter cell focused on a new goal. Not long after Lulz Security – more commonly known as LulzSec – had set up its Twitter feed, the group breached the websites of popular culture, video game and media corporations, publicly posting the names, phone numbers, emails and passwords of the sites' members.

In short order, LulzSec wreaked havoc on major companies and agencies which had the means to make their websites more robust, if not impregnable: Sony, the US Public Broadcasting Service, The Sun newspaper in the UK and even government agencies like the FBI, the CIA and the UK's Serious Organised Crime Agency. They noisily distanced themselves from the umbrella of hacktivism – "if you want ethics, go cry to Anonymous", they taunted on their Twitter feed. Where Anonymous often trod the line between civil disobedience and criminality, LulzSec blasted right through it.

But unlike other cybercriminals, LulzSec didn't sell the pilfered information, choosing instead to post it to public forums. Some of their hacks more closely resembled whistleblowing. But why the selective public shaming for their targets? "From a single line of code, we accessed everything," the group said after one attack. "Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Through gritted teeth, many security professionals admit that LulzSec had a point. "The state of security is pretty poor," says Chris Hadnagy, a consultant at cybersecurity firm Offensive Security, whose employees impersonate malicious hackers in order to find vulnerabilities in corporate websites. If Lulzsec could access your information, it meant the information had been available to criminals all along. When it comes to cybersecurity, companies tend to comply as minimally as they can with regulations, he says, begrudgingly admitting that LulzSec and Anonymous are likely to force companies to take responsibility for their customers' information.

It has been hard to get them to do it of their own accord. Hadnagy reports that he frequently finds Fortune 500 companies still using woefully outdated software. Hackers often exploit vulnerabilities in older versions of popular software to load malicious programs into computers, which can then be used to launch attacks.

Even banks have left their customers vulnerable. In early May, more than 360,000 Citigroup accounts were exposed when criminal hackers identified a hole in the programming that allowed them to change one number in an internet address to access customers' accounts. Citigroup reported the breach to their customers three weeks later, after it had initiated its own investigation.
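The Citigroup flaw described above is the classic shape of a missing authorization check: the server confirms that a caller is logged in, then trusts an account number taken from the URL without confirming that the account belongs to that caller. The following is an added illustration, not code from the article or from any bank: a constructed request handler with that defect beside a hardened version that enforces ownership, plus a small detection routine over constructed access-log lines that flags a session requesting many distinct account ids. The account table, session tokens, URLs and log lines are all invented for the example.

```python
# Added example (not from the article): an authorization check missing, then added.
# All account data, session tokens, URLs and log lines below are constructed.
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed account store: account id -> owner and balance
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250.0},
    1002: {"owner": "bob", "balance": 4000.0},
}

# Constructed session store: session token -> authenticated username
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def account_id_from_url(url: str) -> int:
    """Read the numeric account id from a query string such as ?acct=1001."""
    values = parse_qs(urlparse(url).query).get("acct")
    if not values:
        raise ValueError("missing acct parameter")
    return int(values[0])


def vulnerable_handler(session_token: str, url: str) -> dict:
    """Checks that the caller is logged in, but never that the account is theirs.

    Any authenticated user can read any account by editing the number in the URL,
    which is the defect the article attributes to the Citigroup breach.
    """
    if session_token not in SESSIONS:
        raise PermissionError("not logged in")
    return ACCOUNTS[account_id_from_url(url)]


def hardened_handler(session_token: str, url: str) -> dict:
    """Same flow with an ownership check bound to the server-side session."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("not logged in")
    record = ACCOUNTS.get(account_id_from_url(url))
    # One response for "no such account" and "not your account", so the
    # reply does not reveal which account ids exist.
    if record is None or record["owner"] != user:
        raise PermissionError("account not found")
    return record


def can_read(handler, session_token: str, url: str) -> bool:
    """True if the handler returns a record, False if it refuses the request."""
    try:
        handler(session_token, url)
        return True
    except (PermissionError, KeyError, ValueError):
        return False


def flag_enumerating_sessions(log_lines, threshold: int = 2):
    """Detection: sessions that fetched more distinct account ids than threshold.

    A legitimate customer reads a handful of their own accounts; a session walking
    through many ids in sequence is the access pattern the hardened check blocks.
    Log format (constructed): "<token> <method> <path> <status>".
    """
    seen = defaultdict(set)
    for line in log_lines:
        token, _method, path, _status = line.split()
        try:
            seen[token].add(account_id_from_url(path))
        except ValueError:
            continue  # request without an acct parameter is not relevant here
    return sorted(t for t, ids in seen.items() if len(ids) > threshold)


# Constructed access-log lines: tok-bob walks three consecutive ids
SAMPLE_LOG = [
    "tok-bob GET /account?acct=1002 200",
    "tok-bob GET /account?acct=1001 200",
    "tok-bob GET /account?acct=1003 404",
    "tok-alice GET /account?acct=1001 200",
    "tok-alice GET /profile 200",
]

if __name__ == "__main__":
    url = "https://bank.example/account?acct=1002"
    print("vulnerable lets alice read bob's account:", can_read(vulnerable_handler, "tok-alice", url))
    print("hardened lets alice read bob's account:  ", can_read(hardened_handler, "tok-alice", url))
    print("sessions to review:", flag_enumerating_sessions(SAMPLE_LOG))
```

The fix is deliberately the smallest one: the identity used for the ownership test comes from the server-side session, never from the request, and a foreign or nonexistent account id produces the same response. The log check is a complement, not a substitute, for that check; it gives an operations team a signal to review while the code-level fix is rolled out.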

Curse of security

Citigroup is not alone. Without regulation to insist otherwise, it is up to individual companies to tell you when your data has been breached. No regulations now mandate how quickly a company must inform its customers of a breach.

But the loud, public actions of LulzSec and Anonymous appeared to reinvigorate the discussion. A flurry of new laws has been proposed in the US and in the European Union. In the US, myriad senators campaigned for laws that would make it a criminal offence for a company to fail to report an intrusion in a timely fashion.

Meanwhile, the European Commission has proposed new mandatory reporting rules for data breaches in the EU. If adopted, such a law would require businesses to account for their sensitive information and also report breaches to the authorities.

But just when it seems that Anonymous's peculiar brand of tough love is sparking some necessary changes, some worry that there could be unintended consequences.

Paypal's chief information officer Michael Barrett is concerned that the steady increase in cybercrime will raise awareness of the fragile state of internet security, which might ultimately lead to "a collective loss of faith in its safety" (bit.ly/hxMkpW).

Barrett worries that the internet's inherent lack of built-in security – a major reason for the rapid innovation that characterised the early internet – is about to become a curse rather than a blessing for innovation. For example, a study by Ziff Davis, a media company based in New York, found that security concerns are slowing many companies' adoption of mobile technologies.

And little wonder. After all, the anti-security campaign was a reminder that no matter how many data-breach laws you have, there's no such thing, fundamentally, as internet security. "Internet security is just an illusion," a LulzSec member told New Scientist in July. "Secrets should be kept in big buildings, guarded by large men with automatic rifles," he said, "so maybe the government should just stop putting their sensitive material on our turf and go back to paper."

A government's logical response to a cyber-threat is to make more laws, and that is exactly what's coming, warns Marcus Rogers. Rogers is a forensic psychologist and digital forensics specialist at Purdue University in West Lafayette, Indiana, and he thinks that we have already hit a point at which the internet's inherent lack of security has stopped being a boon and could become a fatal roadblock to innovation. As a result, he thinks an increase in regulation is inevitable and necessary. "I'm not a fan of it," he says. That's because he thinks such legislation is subject to missteps and overreaching, a danger that can be seen in three recently proposed laws.

The proposals range from the benign to the draconian. At the end of July, the US House of Representatives overwhelmingly approved the Cybersecurity Enhancement Act of 2011, which would exhort private businesses to develop voluntary cybersecurity standards. "The cyber-threat is real and it's here now," said Republican representative Michael McCaul, who co-sponsored the bill. However, these standards would be elective, and experience has shown that companies are reluctant to put effort into thorough security if there's no incentive or threat of punishment.

But not all the proposed laws were written to ensure that companies close their own security loopholes. Some laws have specifically targeted the hackers. Under a new US cybercrime law, for example, organised hacker groups such as Anonymous and LulzSec would be included under the Racketeer Influenced and Corrupt Organizations Act, originally designed for the mafia and other organised crime factions. Hackers who target critical infrastructure, which includes the websites of security contractors, would forfeit any eligibility for probation or reduced sentences for multiple counts of the same offence. This means that simply for their hacks of three federal contractors – including HBGary – each Anonymous hacktivist convicted could face three consecutive 20-year sentences, a punishment more severe than those given to rapists and some murderers.

Perhaps few will shed tears for the undue persecution of hackers who exposed their personal information with such gusto. However, the proposed laws don't end there. A third law goes perhaps the furthest to prevent data breaches, but in so doing, would also intrude significantly on the privacy of everyday internet users. Under the US's ISP Data Retention Bill, which took a crucial step towards becoming law in July, internet service providers (ISPs) would be required to retain every single piece of data about every single move a person has made online for 12 months. Crucially, the law would not require the usual legal hurdles, such as a subpoena, to release your personal information; officials merely need to ask for it.

Far-reaching as these laws are, however, the consequences of this year of the hacker may not even end there. Barrett believes the time has come for legislation even beyond these proposed laws. He points to the automobile and aviation fields as guideposts. "When any technology becomes commercially significant and ubiquitous enough, it becomes necessary to regulate the industry," he says.

Just as regulatory agencies were quickly formed to impose standards on roads and airways, Barrett predicts that we could be on the cusp of a new movement to regulate the internet. But it is not at all clear who is responsible for making the internet safer.

By sounding the alarm about the sorry state of internet security, hacktivists could unwittingly be giving credence to a long-standing but marginal proposal to place the internet under some form of governance. Several countries, including China and Russia, have long intimated that the United Nations' International Telecommunications Union ought to regulate internet content and services. Barrett thinks that worsening security concerns might inspire other countries to agree. He worries, however, that such oversight would change the entire culture of the internet. "Most technical innovation on the internet has come from single individuals who have had the right idea at the right time," he says. "The World Wide Web as we know it is basically the invention of one man, who was a lowly researcher at CERN when he came up with the idea. These innovators are exactly the kind of people who would find themselves shut out."

Hacktivists see themselves as guardians of freedom on the internet: Anonymous and LulzSec have fought censorship and exposed fundamental security flaws across the internet – everywhere from major corporations to the FBI – by nabbing personal information and waving it around for the world to see. However you look at it, their tactics have worked and as a result of their actions, corporations and governments alike have never been more aware of the cybersecurity problem or made a more concerted attempt to fix it.

But have they gone too far? After all, they have opened a can of worms that no one can shut any more. Neither the criminal hackers who steal information covertly nor the hacktivists who call attention to the security holes that allow the theft are going anywhere anytime soon, says Rogers. Jailing the hacktivists, he says, will not have the desired deterrent effect. "They're like a seven-headed hydra. Cut off one head and there will always be another ready to take its place," he says.

And that means laws will be made. The question that remains is how many restrictions will be deemed sufficient to ensure that the internet remains secure.

Samantha Murphy is a freelance writer based in Pennsylvania

Summer of Lulz: how hacktivists have exposed the sorry state of internet security

Are they heroes or villains? Samantha Murphy reports on the rise of hacktivism and how it is making big corporations and governments rethink the rules of web

"In short order, LulzSec wreaked havoc on major companies and agencies which had the means to make their websites more robust"

Anonymous kept social networks in Tunisia free of state censorship

Hacktivists helped Egyptians to evade government web filters

"When it comes to security, companies tend to comply as minimally as they can with regulations. Hacktivists are likely to force them to take responsibility"
