
How do you protect yourself from hacktivist groups?

Anonymous and LulzSec are two groups that have made a lot of news for security cracking activities. Avoiding compromise by groups like these may be a social, rather than technical, problem.

When security cracker groups like Anonymous and LulzSec start making the news, enterprise IT people start worrying. These groups make the news in large part because they very specifically target large organizations that stand to lose a lot of money any time there is even a minor disruption in their operations. Both groups are probably most recently famous for their independent attacks on Sony.

While LulzSec itself announced on 25 June 2011 that it was done with its operations, there is certainly nothing to suggest that similar groups may not arise -- and, depending on your definition of "similar", it might be said that several already exist. In fact, LulzSec and the even more infamous (and evidently less organized) Anonymous bear some striking similarities in their methods and motivations. The two groups jointly announced a planned assault on government IT resources around the world, which they named "Operation Anti-Security".

Panicky IT professionals have started asking questions like, "What kind of vulnerabilities should I focus on fixing to avoid getting compromised by groups like this?" They want to know things like, "Should I focus on SQL injection vulnerabilities to protect myself from groups like LulzSec in the future?" SQL injection has, in fact, featured prominently as a class of vulnerability exploited by LulzSec operations. In general, the sorts of technical vulnerabilities one should try to fix are pretty much "all of them", starting with the SANS Top Cyber Security Risks.
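As an added illustration (not part of the original article, and not the author's own code), here is the shape of the SQL injection bug that featured so often in LulzSec's operations, written in Python against an in-memory SQLite table holding a few constructed rows: a login check that concatenates user input into the query, beside the parameterised version of the same check, both run with the classic `' OR '1'='1` payload. The table name, column names and sample rows are assumptions for the example.

```python
import sqlite3

# Constructed sample data for the example only; a real system would store
# password hashes, not plaintext, which is a separate bug from the injection.
USERS = [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")]

# Payload that turns the WHERE clause into a tautology in the vulnerable query.
INJECTION = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database with the assumed 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: attacker text becomes part of the SQL grammar.

    With INJECTION as both inputs the statement becomes
      ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    which is true for every row, so every username comes back.
    """
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the statement text.

    The driver binds the payload as a literal string, so the only way it can
    match is if some user is literally named "' OR '1'='1".
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run both checks with a legitimate login and with the injection payload."""
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "alice-pw"),
        "vulnerable_injected": login_vulnerable(conn, INJECTION, INJECTION),
        "safe_legit": login_safe(conn, "alice", "alice-pw"),
        "safe_injected": login_safe(conn, INJECTION, INJECTION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The legitimate login succeeds in both versions; the difference is that the concatenated query hands back the whole table to the payload while the parameterised one returns nothing. Grepping a code base for `%` or `+` operators building strings that start with `SELECT`, `INSERT` or `UPDATE` is a crude but effective first pass at finding the vulnerable pattern.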

A more useful answer for the specific case of groups with motivations similar to those of LulzSec is, quite simply, to identify those motivations to the best of your ability and try to avoid being a juicy target. Identifying them is not too difficult for anyone willing and able to think about it with a clear, somewhat unbiased mind for a few minutes, focusing on the group's statements and activities as evidence of motive.

First and foremost, LulzSec representatives have stated quite blatantly that the group does what it does "for the lulz". In the terminology of overeducated literature majors, this boils down to schadenfreude -- delighting in the misery of others. This is not so much mere undirected chaos-mongering, however. Delight in the misery of others is most delicious when the others are people who particularly draw one's ire, and LulzSec has some clear distaste for very specific groups.

In an announcement of its Anti-Security activities, LulzSec said:

Every week we plan on releasing more classified documents and embarassing [sic] personal details of military and law enforcement in an effort not just to reveal their racist and corrupt nature but to purposefully sabotage their efforts to terrorize communities fighting an unjust "war on drugs". Hackers of the world are uniting and taking direct action against our common oppressors - the government, corporations, police, and militaries of the world.

This announcement's message was demonstrated by the release of sensitive information acquired by cracking the security of the Arizona Department of Public Safety (AZDPS), a statewide law enforcement organization. The particular focus of the attack on AZDPS seems to have been motivated at least in part by Arizona's law requiring some noncitizens to carry documentation with them at all times and yield such documentation to any law enforcement officer on demand.

The reference to oppressors, listing both governmental and corporate organizations, suggests the group's ire particularly focuses on large bureaucratic organizations whose activities involve treating their "customers" badly. Ironically, many of LulzSec's activities also potentially harmed the same people the organizations allegedly oppress, as in the case of releasing customer data acquired by cracking the security of large corporate entities. The common thread, however, is that whatever data is acquired, and whatever effects their attacks have, the targets are overwhelmingly large bureaucratic organizations perceived to have mistreated people through deception or intimidation -- or worse.

Anonymous has generally selected its targets in a similar manner. Sony is a target common to both groups, and enjoys one of the worst reputations for customer relations in the world, for activities such as installing rootkits on customers' computers and trying to sue customers by the hundreds. Anonymous has also targeted the Church of Scientology, widely accused of using intimidation tactics to keep former members from talking about their experience with the organization. Not long ago, Anonymous launched retaliatory strikes against a number of corporations that participated in the ad-hoc coalition of organizations that tried to push WikiLeaks off the Internet.

The long and the short of it appears to be that, as long as there are such egregious cases of governmental and corporate organizations mistreating people (or at least appearing to do so), businesses that do not attempt to censor, intimidate, or lie to people; that care about their customers' security and privacy and do their best to protect them; and that, broadly speaking, do not try to control the movements of people or data, or make arrogant statements about the impervious state of their IT security, are probably fairly safe from these groups. Those prone to saying "no" to governmental requests that do not come with warrants, who advocate for transparency, and who support community-building initiatives such as open source software development are probably safer still.

While it is certainly less than noble to let a criminal organization dictate how one behaves through fear of the consequences, you may want to stop and ask yourself one question before dismissing the idea that you could conceivably avoid becoming a target by avoiding actions that tick off people like LulzSec and Anonymous security crackers:

Is making myself less of a target really any different than just trying to be a good Internet citizen?

Put another way, if you wonder whether you are a likely target of groups like Anonymous and LulzSec, you might ask whether you are in fact being an [censored] or dealing with [censored]s.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

33 comments
mishkafofer

I recommend Anonymous and Lulzsec to try to hack Russian state owned companies such as Gazprom or other major Companies. I wonder how many lulzs they will enjoy before the bitter end. Or better yet try to infiltrate FSB, that will ensure tons of lulz for the rest of us.

merlyn

"If you look like prey, you will be eaten." - Clint Smith. If you don't attract attention you will be overlooked. If you get looked at anyway, look like a hard target, and don't give the looker any reason to keep trying.

AZ_IT

Wow, we seem to be assuming that there is some standard definition of what a good Internet citizen vs. a bad Internet citizen is. While hacktivism, like terrorism, may be seen as both good and bad depending on what your perspective is or which group you support, stealing customer data from any organization and posting it online for everyone to use or abuse hurts first and foremost the little guy. Sure, the corporation loses reputation and brownie points, but does it make their products any less used? Slightly, if at all, especially in the case of Sony. How many thirteen-year-olds will boycott PlayStation because of lax security regarding user data?

The idea that hacktivist groups are noble is laughable. Robin Hood is considered noble in that he robbed from the rich and gave to the poor. Hacktivists steal the personal details of the poor from large corporations and post them on the Internet. Is that noble? If your beef is with the corporation or government, go after that entity, not John Doe from Omaha and a hundred thousand like him who just happen to enjoy PlayStation when they have some downtime.

I'm not supporting or condoning Sony's business practices, but I am most definitely speaking out against hurting the little guy in the hopes of embarrassing the big guy. Is putting a rootkit on a CD that 100,000 people buy any better than putting a rootkit or botnet on 100,000 people's computers in order to target an organization with a DoS attack? Any hacktivist that hurts the little guys is not noble; they are merely changing the oppressor from corporation A or government B to hacktivism group C. Noble indeed.

*edited to improve readability

Alpha_Dog

If you can be perceived as doing something nefarious, even if you are not, you will likely be a target for a hacktivist group eventually. One may forestall this by having a boy scout image, but eventually good press will run out. You should prepare for an organized attack in addition to your normal efforts. If your data is sensitive (HIPAA, Comsec, PCI-DSS, or embarrassing pictures) you can eliminate a lot of grief by a very simple practice: until and unless you need to, DON'T PUT IT ON THE NET!

The classic attacks in current use are old standbys. If you are vulnerable to SQL injection attacks, this is something you need to tighten up anyway. In most cases it is a sign of a lazy coder or DBA, and in these cases the resolution will be simple but likely not cheap or transparent to the business process.

DDoS attacks are harder to shield against, but a high majority can be resolved by good firewall rules. Many times, the organization's infrastructure is the one clogging the works with their response to malformed packets, pings, ARPs, and fraudulent HTTP requests. Use a good firewall and block (log, no response) these and you will be able to handle a much higher volume of attacks. If you don't, the jerk on the other end can get your own servers and firewall to play that sophomoric game of "quit hitting yourself" until he gets tired.

These are all things we should be doing anyway. Practice good and open business practices. Lock down your firewall. Make your mission-critical systems secure against known attacks. Keep anything sensitive on servers which are in some way isolated (the level of this dependent upon the sensitivity of the data). Finally, do good deeds for your clients and your community.

wizard57m-cnet

Are you advocating that in order to not be targeted by hacktivist groups, we should give them "Lulz"? Isn't that what kept the Chicago gangsters of the 1920s and 30s in power? Store owners "paying insurance"? How does this equate to being a good Internet citizen? If we follow this line of thinking, then criminals, regardless of the field of crime, dictate to us how we live our lives. Don't say anything derogatory about car thieves or they'll steal your car. Keep your mouth shut about mass murderers or you could be the next victim. Don't tick off a hacktivist online group or your site could be targeted. Sorry, but this doesn't sit too well with many. Anti-social behaviour that can result in harm to people is not something to be ignored, and sticking your head in the sand doesn't make the criminals disappear. If I misinterpreted your post, I apologize. However, since you claim to be involved in IT security, it sounds like you are proposing to just forget about your security and pay your Internet security insurance payment to the gang boss.

Alpha_Dog

...but Russia has a very effective response to cyber-warfare. Just ask Georgia.

Alpha_Dog

That is it in a nutshell. Now, let's talk specific applications.

"If you look like prey, you will be eaten - Clint Smith" Quite true. Don't make yourself a target by engaging in business practices you really shouldn't.

"If you don't attract attention you will be over looked." It goes back to the ethical conduct. No one is going to hit Doctors Without Borders (if they do they will make my list) because they do good works. Bank of America or the CIA? Not so much.

"If you get looked at any way, look like a hard target, and don't give the looker any reason to keep trying." Yep. Lock it down. Tiger team your network. Fix the issues you find. Do it again until you come up clean. The best result is if you can make like a hole in the water in all ways except the ports you need open, and these must be restricted to the type of request expected or solicited.

Follow this advice and hacktivist groups will either have no interest, not find you, or choose to move to greener pastures.

apotheon

> stealing customer data from any organization and posting it online for everyone to use or abuse hurts first and foremost the little guy

You say that as if the article somehow disputes this point. It does not.

> Sure the corporation looses reputation and brownie points but does it make their products any less used? Slightly if at all, especially in the case of Sony.

This is an argument about the effectiveness of the hacktivists' methods, which is not even a topic addressed by the article, so I'm not sure how that's relevant in this case.

All in all, your commentary seems to suggest that you think the article casts the hacktivists in question in the role of "hero", but it does not. As such, it's kind of a strange comment to make, in this context.

Neon Samurai

I had someone say that the other day and I'm still shaking my head in amazement. Not "availability does not indicate security" but "availability is not a security concern" in reference to DDoS attacks not being a security issue. It's good to know I'm not alone in thinking that ignoring DDoS as a security concern is madness.

mla_ca520

Hmmm...I think you misread this article completely. What I got from Chad's article is this: if your business is doing dishonest and harmful things like installing rootkits on your customers' computers, using personal information in a manner that most customers would disapprove of, using unfair and unethical business practices, etc. (even if your company's activities are technically legal), then you will draw the ire of hacktivist groups (read between the lines here...maybe you deserve to as well). So don't participate in these unethical business practices and you are much less likely to be targeted!

Wizard, your arguments, within the context of Chad's article, remind me of those who condemned the activities of the Black Panthers in the 60s for their illegal activities on behalf of ending segregation and combating the institutional racism that had been immorally but legally imposed. We might not agree with all the actions taken by the Black Panthers, and some members were undoubtedly only involved for the purpose of being violent; however, they wouldn't have existed if the "system" hadn't been so corrupt in the first place.

Neon Samurai

I didn't read it as "cower and pay your protection racket fee." It was more a "fix your business" kind of thing. If your business practices are predatory and consumer hostile, expect to draw the attention of some sort of group. Maybe it's activists online, maybe it's activists on the street.. someone will take notice.

If info system management practices are irresponsible, expect to be broken into easily. Don't fix your SQL injection vulnerabilities because some group threatened you, fix them because they shouldn't be in a properly coded and maintained database. Encrypt customer data because it's the better way to store it; cleartext user data is downright negligent. No firewall on your servers, not keeping your software up to date with the latest patches? If you're storing customer information that has to fall into the criminally negligent category. Anonymous and Lulzsec may have demonstrated these issues with sensationalized headlines but the issues existed and were being exploited long before public attention was drawn to them.

Sterling chip Camden

I think he's saying that the problem is not all black and white -- the crackers aren't completely evil and the corporations are far from completely innocent. I think he advocates understanding the complexities of the relationships and to master not only your would-be enemies but more importantly yourself.

JamesRL

But I didn't interpret his article that way. I think what he is suggesting is that companies pay more attention to their public perception and avoid making serious PR blunders which may bring the company to the attention of hacktivist groups. Don't put rootkits on the CDs that you send out. Because no matter how prepared you are for cyber attacks, a group of motivated hacktivists is probably going to find your vulnerabilities before you do, and hope to embarrass you.

I read this book and met this author 9 years ago, and much of what he has predicted has come true: http://www.amazon.com/World-Without-Secrets-Ubiquitous-Computing/dp/0471218162 We are moving towards a world without secrets.

santeewelding

Is the first, most important, perhaps the only lesson in martial art and practice: "Don't be there".

apotheon

The next time someone says that availability is not a security concern, ask him how he'd feel if someone made his lungs unavailable to him.

Alpha_Dog

What's the purpose of a DDoS? To shut down a site and possibly crash something into revealing some secrets... kinda like tripping grandma to see her knickers and grab the change she drops. Pitiful really, but we need to prepare for this as much as any other attack, if not more, considering the prevalence.

bboyd

Maybe if you run an IT-based company like these you can demonstrate your business skill and acumen by getting free advertising by being compromised and newsworthy. /sarcasm ON

Alpha_Dog

Simply put, the issue is not black and white at all, but rather shades of grey. Hacktivist groups create an arbitrary threshold where you are safe from reprisals unless you cross their line. This "crossing" may not be an act of will, but rather a function of a moving value system. Today the line is covering up global warming. Tomorrow it's allowing your employees to eat beef on their breaks. No one is truly safe with a moving target like this, but some industries are perceived as more "evil" than others.

The thing that upsets me is that an admin who should know better has either dropped the ball, allowing known exploits to be used against systems entrusted to their care, or the higher-ups have not allowed them to solve the issues. When a script kiddie exploits them with these vulnerabilities, the executives and legal will want their pound of flesh and may get it when the bored 8-year-old gets caught, but the people who could have prevented it with a little effort and time walk away scot-free.

apotheon

Best title EVAR!!!!11!!!!1oneone! That made me do the wheezy-laugh. Thanks, Sterling.

wizard57m-cnet

To quote Chad's summarization: "While it is certainly less than noble to let a criminal organization dictate how one behaves through fear of the consequences, you may want to stop and ask yourself one question before dismissing the idea that you could conceivably avoid becoming a target by avoiding actions that tick off people like LulzSec and Anonymous security crackers: Is making myself less of a target really any different than just trying to be a good Internet citizen?"

This is the part I'm having a bit of difficulty understanding. How does appeasing a criminal organization make you a "good Internet citizen"? Isn't this exactly what the various shopkeepers and store owners of "gangland Chicago" did? Yes, it could be argued that those businesses profited a bit, but what was the cost? I understand that the times were different, and public opinion of a variety of mobster/gangster/criminals was not black and white; it still isn't. But did allowing the corruption and criminal activity result in a better environment to conduct business, or did business grow and prosper more when the shadow of mobster protection rackets was largely eliminated? Would Internet commerce prosper if the criminal elements were deterred? Or do we continue to maintain a low profile and hope we don't anger the mob bosses to the point they throw a digital bomb through our ecommerce storefronts? What happens when the next LulzSec and Anonymous gangs decide to step up their "enforcement" and demand we pay our "insurance"?

Alpha_Dog

We (the big we, not anyone here) expect things to just magically work and be there anytime we want with no commitment in the form of time or money. To be blunt, I'm not sure how to fix this larger issue of the typical corporate behavior:

1. expect the moon
2. ignore the issues and responsibilities
3. go for blood if someone demonstrates how incompetent you are.

Neon Samurai

now.. if only there was some large tech company getting a lot of free advertising for being breached lately... :D

Alpha_Dog

You might just have something here. If the stock price is already dipping, a little pity may arrest the freefall and cloud the real issue of why the company is having issues in the first place. Take a few of these hits, pop the golden parachute and update the resume. Lather, rinse, repeat. Too bad we're too dang honest to play that game. Instead we're the IT folks left holding the bag. How much does an IT person trust their company? Easy way to tell is IMAP or POP3. Are they willing to lose the ability to pick up emails anywhere in order to have a permanent local record?

wizard57m-cnet

"If I misinterpreted your post, I apologize." There...sheesh...as for me equating Sony with a small shopkeeper, no, I didn't say anything of the sort. I'm merely looking at possibilities not only for the immediate future, but long-range. Oh, I know your nickname as well. I read your security blogs to get ideas on securing my systems. I do not mean any disrespect, and if it appears that way, then again, I apologize. I'm still curious as to the "what if" scenario, but since at the moment my Internet presence is very limited as far as my systems go, I'll be safe with my low profile. The collateral damage from hacktivists attacking larger sites may be concerning, but I still do very little online commerce.

apotheon

> This is the part I'm having a bit of difficulty understanding.

What's so difficult to understand? You, for some hypothetical definition of "you", are considering how to deal with the possibility of being targeted by a hacktivist group. You consider the motives of this group, which involve "punishing" those who behave in a particular way. You ask yourself "Would making myself less of a target by ceasing to behave a way that would draw the ire of this group equate to being a good Internet citizen?" If the answer is "Yes, it would just equate to being a good Internet citizen," then there's no shame in making such a change in your behavior, and you should do so -- both to be a better person yourself, and to avoid the ire of those who might otherwise do some real damage to your business. If the answer is "No, it would not equate to being a good Internet citizen," then maybe you should not change your behavior.

I (for I am Chad, if this was not obvious to you) did not say you should always cave in to the implicit demands of malicious security crackers. I said you should ask yourself a question. Your response to this seems to be that no, you should not even ask the question, that you should in fact continue to behave in a way such hacktivists don't like precisely because they don't like it -- that you should perhaps stubbornly be a bad Internet citizen just because someone else who may be a bad Internet citizen doesn't like it. That's asinine, spiteful, counterproductive, and frankly vile.

Hell, you're basically equating Sony -- pretty much a "criminal element" in its own right -- with a shopkeeper who is being intimidated into paying protection money. The truth of the matter is that Sony is more like a mafia family being targeted by destructive vigilantes in this case. Get your analogies right before trying to use them to undermine my arguments, please.

santeewelding

"In all *of* your critiques..." I would have blown that ill practice into proportions of cosmic inflation, with utterly no margin. Like what I'm tempted to do with your "irrelevant" and "misleading", which owe to ethic founded on the asinine.

apotheon

What I see is two things:

1. You ignore the fact that this article is about a very specific case of avoiding being a target, where the case is that of someone who targets only "bad" people.
2. You blow every perceived error way the hell out of proportion, ultimately inflating it to the point that it no longer even marginally resembles the original point.

. . . and to that kind of "argument", I have no answer, because its premises are irrelevant and misleading.

Neon Samurai

If these issues exist then you may be "there" but you sure as heck are not ready. If you show up to a sword duel, bring your sword.

wizard57m-cnet

What is "unfounded ethic"? You may not hold the same ethic as someone else, but those ethics are just as founded. Ignore them or not, it is your choice and right. Even as others have the choice and right to hold them or another ethic.

santeewelding

One being death as "endpoint". Acceptance means no beginning or end to death. Thou art only that: alive to death. Two being your handling of pronouns you, your, we, our; first-person, I; the verb, to be; and the hilarious one, reality. Comes to pass, I think, over your confusion with Point One, about being. The other stuff, between the pronouns, I may safely ignore as unfounded ethic, grasshopper.

wizard57m-cnet

Death is the inevitable endpoint of life. So the question becomes how do you live your life, as a celebration or in mourning.

Anyhow, Chad seems to be espousing the position that to not be a target of these groups, don't piss them off. Sounds easy, but in reality it is not so simple. What if you have used some business online, they have your personal data, and the business ticks off some wannabe...do we just accept that it's "OK" and normal operating risks that the wannabe hacks into the business' database and steals our data along with a million other accounts? I'm not ready to do that.

It would be tantamount to not doing anything in the hypothetical case of, let's say, someone buys a new Lexus auto, and the auto turns out to be junk. Instead of dealing with Lexus in a reasonable manner, the purchaser instead decides to go to the dealership and steal all the keys to the other new Lexus autos, and places those keys in public places where they possibly could be found and used to drive off with a new Lexus. In Chad's post, this thief should be hailed as a hero for exposing some issue with Lexus autos, maybe even rewarded with all kinds of goodies. Is this the way we should do business "online"? We as a society do not condone this behaviour "offline", so why should we accept it online?

santeewelding

To play catch-up, a potentially losing proposition, per Lesson #2: "Accept death".