Part two of Computerworld Australia's look at hacktivism and its consequences.
While far from endorsing hacktivists, F-Secure chief research officer, Mikko Hypponen, says that at least in the instance of the attacks on Sony’s PlayStation Network, things aren’t black and white.
“Sony is an easy company to hate,” he says. “Sony goes to extreme lengths to try to protect their own intellectual property, but they don't seem to care much of the protection of their customers’ information.”
Hypponen says Sony has a long history of “going after legitimate innovation and hobbyists” and cites examples such as Sony BMG shipping hidden Windows rootkits on music CDs, Sony shipping a rootkit on its Microvault USB sticks, the killing of Linux support on the PlayStation 3, and threatening hobbyists for creating software that enables Sony's Aibo robot dog to dance.
Rather than fist waving, Hypponen says organisations, industry and government need to take a different approach to their relations with hackers.
“Don't make enemies,” he says. “Don't belittle hackers. Understand that people want to tinker with your products. Don't go after pirates too aggressively. Be tolerant.”
Sophos’ head of technology, Paul Ducklin, says he doesn’t see any positives in the actions of groups like LulzSec and refuses to use words such as ‘activism’ in the same sentence as LulzSec “without a strong negative to join them”.
“LulzSec, whoever he/she/it/they was/were, expressly stated that their ‘hacking’ was for fun, because the cyber security industry was boring,” he says. “If you must find a silver lining to the ugly cloud that is LulzSec, then perhaps it will be that more business managers will see security as having value to be sought, not just as being a cost to be avoided.”
Ducklin also points to the Hackers For Charity group — a non-profit organisation that seeks to solve technology challenges for various non-profits and provide food, equipment, job training and computer education to the world's poorest citizens.
“As for ‘the future of hacktivism’ — to the Anonymous and LulzSec hangers on out there, grow some social conscience and learn to hack for good, if you're good enough,” Ducklin says.
Already signs are emerging that the predicted crackdown is occurring. In late July the FBI said it had arrested a total of 14 individuals thought to belong to the Anonymous hacking group for their alleged participation in a series of distributed denial-of-service (DDoS) attacks against PayPal last year.
Reports also suggest that as many as half — suspects Jake Davis, Ryan Cleary and an unnamed 17-year-old — of LulzSec’s believed six members have either been arrested or detained by police.
However, signs point to the arrests as being far from the end of LulzSec or Anonymous or hacktivism in general. If anything the arrests have prompted greater co-operation between LulzSec and Anonymous and an evolution toward more focus on activism than hacking.
In what appears to be a deliberate movement against PayPal’s decision to cut off users from donating to WikiLeaks, LulzSec is now calling for the use of alternate payment methods such as MyBitCoin, Liberty Reserve, WebMoney, Neteller and Moneybookers.
The group also appears to have taken a leaf out of WikiLeaks’ book and now claims to be working with media to expose more of those involved with the recent News of the World phone-hacking scandal.
“We're currently working with certain media outlets who have been granted exclusive access to some of the News of the World emails we have,” a tweet from the group’s @LulzSec account reads.
IBRS’ Turner argues that while there will always be teenagers and script kiddies out to prove themselves, the attention-seeking nature of Anonymous and LulzSec means that the days of these “noisy, splashy hackers” may be numbered.
“Groups like LulzSec and Anonymous have raised their heads far too high above the wall,” he says. “You will have many law enforcement agencies very determined to make sure this doesn’t become a rallying cry: they will prosecute these guys.
“Agencies like the CIA face the double whammy: If they don’t prosecute these guys then it makes them look like they are running a false flag operation so they are doubly incentivised to make sure these guys are brought to justice.”
Ultimately, hacktivist groups may well fall victim to the relentless march of technology and become eclipsed by far more sophisticated, automated hacking techniques.
“They will be increasingly irrelevant as the real threat on the internet is the one we don’t yet know about,” Turner says. “For example, Stuxnet is now a blueprint on the internet for bunker busters — a completely automated hack attack.
“It was designed based on expert intelligence into the systems and wormed its way through multiple layers of defence-in-depth and it did it in an automated fashion. It wasn’t reliant on a hacker monitoring its progress and exploring for the next layer before proceeding. That will inspire groups such as organised crime and nation states.
“With a little bit of homework they could develop something with complete plausible deniability and I think that is the real danger. When you are facing malware which has been specifically crafted for your organisation… then you have a problem.”
The internet service provider community, via its industry body, the IIA, is also doing its part to thin the arsenal of weapons hacktivist groups, as well as organised crime, have access to.
Unsurprisingly, the IIA’s Coroneos is keen to put forward the industry group’s iCode as a powerful tool to curtail zombie computers and botnets, which are used to carry out DDoS attacks. The iCode would give ISPs the discretion to place infected customer machines into a ‘walled garden’ limiting access to the internet until the machines were cleaned.
“The idea is the early identification of zombie activity on networks, then notification, then remediation,” he says. “We are trying to reduce the pool from which hacker groups can draw on.
“The case for internationalising the iCode is now quite good. New Zealand is saying it understands where its vulnerabilities are but it has no strategy to ameliorate them. Ultimately, we hope if we can make a significant reduction in the number of zombie computers around the world then we can make a big dent on hackers’ preferred method of attack.”
RMIT’s Gregory also argues the case for the widespread adoption of a system to curb spam and malware-infected email, which would seek to assign SSL certificates to email servers, allowing emails to be tracked back to their source.
“If the server is being used for spam or malicious emails an infringement notice can be given to the organisation which owns it. If it keeps coming then the email server can have the SSL certificate revoked,” he says.
“What you are trying to do is register and control the devices on the network. About 80 per cent of [zombie PCs] are created through bad email and bad Web pages, so it’s better to attack the root cause of the problem rather than whacking the problem on end users and mums and dads at home.
“That’s an example of how the government could act [to improve security] but the trouble is getting government to act.”