How do you protect yourself from hacktivist groups?

Anonymous and LulzSec are two groups that have made a lot of news for security cracking activities. Avoiding compromise by groups like these may be a social, rather than technical, problem.

When security cracker groups like Anonymous and LulzSec start making the news, enterprise IT people start worrying. These groups make the news in large part because they specifically target large organizations that stand to lose a lot of money any time there is even a minor disruption in their operations. Both groups are probably most recently famous for their independent attacks on Sony.

LulzSec itself announced on 25 June 2011 that it was done with its operations, but nothing we have seen so far suggests that similar groups will not arise, and, depending on your definition of "similar", it might be said that several already exist. In fact, LulzSec and the even more infamous (and evidently less organized) Anonymous bear some striking similarities in their methods and motivations. The two groups agreed on a planned assault on government IT resources around the world and named it "Operation Anti-Security".

Panicky IT professionals have started asking questions like, "What kind of vulnerabilities should I focus on fixing to avoid getting compromised by groups like this?" They want to know things like, "Should I focus on SQL injection vulnerabilities to protect myself from groups like LulzSec in the future?" SQL injection has, in fact, featured prominently as a class of vulnerability exploited in LulzSec operations. In general, though, the sorts of technical vulnerabilities one should try to fix are pretty much "all of them", starting with the SANS Top Cyber Security Risks.

A more useful answer for the specific case of groups with motivations similar to those of LulzSec is, quite simply, to identify those motivations to the best of your ability and try to avoid being a juicy target. Identifying them is not too difficult for anyone willing and able to think about it with a clear, somewhat unbiased mind for a few minutes, treating the group's statements and activities as evidence of motive.

First and foremost, LulzSec representatives have stated quite blatantly that the group does what it does "for the lulz". In the terminology of overeducated literature majors, this boils down to schadenfreude -- delighting in the misery of others. This is not so much mere undirected chaos-mongering, however. Delight in the misery of others is most delicious when the others are people who particularly draw one's ire, and LulzSec has some clear distaste for very specific groups.

In an announcement of its Anti-Security activities, LulzSec said:

Every week we plan on releasing more classified documents and embarassing [sic] personal details of military and law enforcement in an effort not just to reveal their racist and corrupt nature but to purposefully sabotage their efforts to terrorize communities fighting an unjust "war on drugs". Hackers of the world are uniting and taking direct action against our common oppressors - the government, corporations, police, and militaries of the world.

This announcement's message was demonstrated by the release of sensitive information acquired by cracking the security of the Arizona Department of Public Safety, a statewide law enforcement organization. The particular focus of the attack on AZDPS seems to have been motivated at least in part by Arizona's law requiring some noncitizens to carry documentation with them at all times and produce it for any law enforcement officer on demand.

The reference to oppressors, listing both governmental and corporate organizations, suggests the group's ire particularly focuses on large bureaucratic organizations whose activities involve treating their "customers" badly. Ironically, many of LulzSec's activities also potentially harmed the same people the organizations allegedly oppress, as in the case of releasing customer data acquired by cracking the security of large corporate entities. The common thread, however, is that whatever data is acquired, and whatever effects their attacks have, the targets are overwhelmingly large bureaucratic organizations perceived to have mistreated people through deception or intimidation -- or worse.

Anonymous has generally selected its targets in a similar manner. Sony is a target common to both groups, and enjoys one of the worst reputations for customer relations in the world, for activities such as installing rootkits on customers' computers and suing customers by the hundreds. Anonymous has also targeted the Church of Scientology, widely accused of using intimidation tactics to keep former members from talking about their experience with the organization. Not long ago, Anonymous launched retaliatory strikes against a number of corporations that participated in the ad-hoc coalition of organizations that tried to push WikiLeaks off the Internet.

The long and the short of it appears to be this: as long as there are such egregious cases of governmental and corporate organizations mistreating people (or at least appearing to do so), the businesses that do not attempt to censor, intimidate, or lie to people, that care about their customers' security and privacy and do their best to protect them, and that, broadly speaking, do not try to control the movements of people or data or make arrogant statements about the impervious state of their IT security, are probably fairly safe from these groups. Those prone to saying "no" to governmental requests that do not come with warrants, who advocate for transparency, and who support community building initiatives such as open source software development are probably even safer.

It is certainly less than noble to let a criminal organization dictate how one behaves through fear of the consequences. Before dismissing the idea that you could avoid becoming a target by avoiding the actions that provoke people like the LulzSec and Anonymous security crackers, however, you may want to stop and ask yourself one question:

Is making myself less of a target really any different than just trying to be a good Internet citizen?

Put another way, if you wonder whether you are a likely target of groups like Anonymous and LulzSec, you might ask whether you are in fact being an [censored] or dealing with [censored]s.