FEATURE Hacktivism: assessing the damage
Steve Mansfield-Devine Steve Mansfield- Devine With the rise to stardom of activists Anonymous and hacking group LulzSec, cyber-attacks have entered a new phase. There’s nothing original in the technical exploits they’re deploying – most are very basic. But unlike most attackers, these to the general public) on IRC servers. groups actually crave publicity and are eager to share the data they steal. They While many of those who join in the frequently claim that this is for the greater good, to encourage better security campaigns will simply download and and a more responsible custodianship of personal data. These are issues close use the Low Orbit Ion Cannon (LOIC) to the hearts of information security professionals; so will these attacks have an DDoS tool, it appears to be this core effect on organisations’ attitudes to security? And has the infosecurity landscape group that is capable of wielding at least changed forever? some basic hacking skills. Nevertheless, the key campaigns under the name of First, we have to ask, who are these peo- the music industry for its heavy-handed Anonymous have tended to use DDoS ple? And there’s no easy answer. These legal pursuit of filesharers. It also fore- as the weapon of choice, and a new tool, are not well-defined groups with mem- shadowed what was to become a char- RefRef, has just made an appearance.2 bership lists. And their activities have acteristic of subsequent operations – a This exploits resource exhaustion to take spawned many imitators and fellow- certain superficiality in the arguments down targets. travellers. There are also some distinc- supporting them. Underlying Operation The group also continues non-hacking tions between the groups defined by the Payback (which continues, sporadically, campaigns. Recently, for example, it ‘members’ themselves. This makes labels to this day) was a dislike of copyright announced Operation UnManifest difficult: ‘hacktivists’, ‘activists’, ‘hackers’, that was conflated with the self-serving in which people are encouraged to ‘members’ – even the word ‘group’ itself interests of major media corporations modify copies of the manifesto written – all map very poorly on to how these and narrowly focused on music and by Norwegian mass-murderer Anders people organise and operate. However, movies. It’s a crudity of argument that Breivik, creating versions that ridicule his for the sake of discussion, and brevity, has resurfaced in the group’s attacks on ideology. By flooding the web with these we’ll use words like ‘group’ and ‘hacktiv- information security companies and mauled copies, anyone seeking the mani- ists’ to encompass Anonymous, LulzSec ‘whitehats’. festo can never be sure they are getting and those who tag along in their shade. The group’s ambitions are often the real thing.3 couched in terms of uncovering cor- Anonymous ruption and fighting oppression and LulzSec use the vocabulary of revolution, even Anonymous has a long track record of though their activities are commonly According to LulzSec – or Lulz Security activism, only a portion of it involv- perceived as little more than juvenile – its hacking activities had no higher ing hacking. The group first came to stunts or vandalism. But this isn’t to purpose but were simply for the ‘lulz’ – public attention as a result of its Project doubt the authenticity of their motiva- the pure joy of creating mayhem. This (or Operation) Chanology campaign tions or feelings. These were particu- assertion has been undermined by the against the Church of Scientology. This larly evident during the pro-Wikileaks group itself a number of times: in fact, frequently involved ‘Anons’ gathering in campaigns which, famously, brought the action that really brought it to public street protests, many wearing the now- minor grief to the likes of Mastercard attention was the defacement of a web- iconic Guy Fawkes masks. Anonymous and PayPal.1 site belonging to the Public Broadcasting quickly established a style characterised Anonymous says it is leaderless, a Service (PBS) in the US because LulzSec by anarchic wit and portentous (and, claim that is both partially true and dis- was unhappy with the treatment of many would argue, pretentious) videos. ingenuous. Certainly, anyone can join Wikileaks in a documentary. This light-hearted posturing and the in a campaign – or mount one of their What followed was 50 days of hack- nature of its target won Anonymous own – under the Anonymous banner. ing stunts, including repeated attacks on widespread sympathy. At the same time, there is clearly a core Sony. Many of the attacks resulted in Its next major campaign could be said group running key Twitter accounts, the theft of users’ login credentials for to have appealed to a narrower demo- producing YouTube videos and control- websites and other online systems. There graphic: Operation Payback attacked ling important channels (some closed were government targets, too, including
5 August 2011 Network Security FEATURE
law enforcement: the move was part of the hackers’ constant attempts at mis- direction and disinformation. Shortly before this issue went to press, the Metropolitan Police arrested Jake Davis who, they claim, is Topiary. The AntiSec campaign is focused on alerting the world to security weak- nesses – particularly on the part of government entities and corporates – and what AntiSec sees as dishonesty and ineffectiveness on the part of the information security industry. One early action was the leak of 700 con- fidential documents from Arizona’s Department of Public Safety. Although still seen as a LulzSec attack, it was accompanied by an attempt at justifi- cation: “We are targeting AZDPS spe- cifically because we are against SB1070 and the racial profiling anti-immigrant police state that is Arizona,” said a statement.7 Other high-profile stunts included the downloading of large numbers of documents from defence and FBI contractor ManTech, the leak- ing of emails from the Department of Homeland Security, 90,000 email addresses – many of them mili- tary – from defence firm Booz Allen Hamilton, and the defacement of 77 law enforcement websites and the leak- ing of the personal details (including social security numbers and home addresses) of 7,000 law enforcement officers.8,9 LulzSec adopted a whimsical, piratical theme for its announcements. Security awareness the CIA and, in the UK, the website of It’s worth repeating, though, that the AntiSec supporters are not slow in the Serious Organised Crime Agency Anonymous name is adopted by a wide taunting or denigrating ‘whitehats’. In a (SOCA), which was brought down by a variety of people around the world. discussion on the AnonOps IRC server, DDoS attack.4 in the #reporter channel used to talk to At first, LulzSec denied any con- AntiSec the press, someone identifying himself nection with Anonymous. But it soon as ‘joepie91’ explained: “The problem became apparent that LulzSec mem- In mid-June 2011, LulzSec suddenly most people have with the majority of bers, who probably never numbered announced it was disbanding – or rather, ‘whitehat security researchers’ is that they more than half a dozen or so, were the merging with Anonymous as part of a charge insane amounts of money for same people behind many Anonymous new campaign, AntiSec.5 The reason for supposed ‘security’, and then fail to pro- activities and may even represent the the change was never clear. ‘Topiary’ – tect from even the most basic attacks.” people within the Anonymous core with regarded as the mouthpiece of LulzSec (It’s important to note that, while genuine (albeit low-level) hacking skills. – claimed in an interview that the group joepie90 had admin privileges for This became explicit when LulzSec wanted to quit on: “A high note, a classy the #reporter channel, and others later admitted responsibility for attacks ending”.6 Most onlookers, however, seemed to defer to him, as they did to against security firm HBGary, which believed the decision was driven by the Anonymous9 during a later chat, this were originally claimed by Anonymous. heat the group was starting to feel from does not make either of them a
6 Network Security August 2011 FEATURE spokesman for Anonymous. It is part of the fiction of Anonymous being ‘leader- less’ that no-one speaks in an official capacity. However, the personal opinions offered during IRC chats echoed those frequently stated by Anons.) The hostility towards whitehats could be brushed aside as nothing more than name-calling, but perhaps it is more revealing than that. It may demonstrate a fundamental lack of understanding when it comes to the root cause of security vulnerabilities, which isn’t a lack of skill or under- standing among security professionals, but among those who pay them. It’s an institutional or business problem. “There are lots of good information security professionals out there that have great technical skills, but technical skills alone will not protect your com- pany,” says Brian Honan, an independ- ent consultant based in Dublin who Following a number of arrests, LulzSec announced via Twitter that it was unaffected – but it was specialises in the strategic risk aspects clearly feeling the heat. of information security. “You also need to have management skills, budgeting • joepie91: 2. the ‘whitehat security London that works with organisations skills and political skills – because you researchers’ take advantage of this of all sizes. He believes that the security have to make sure that your agenda is incapability on the managers side, industry has been fuelling fear, uncer- part of the company’s agenda – and and charge outrageous amounts of tainty and doubt. “I think this is, by you need to have risk management money for things that do not appro- and large, pushed by vendors who are skills. If I’m an attacker, I can take my priately secure the systems saying, be afraid, be very afraid,” he time and focus on one element of your But even this basic understanding is says. “In the past two months I’ve seen infrastructure and try to chip away at often skewed by the crude ideology that the vendors capitalise on what has hap- that. As an information security pro- drives Anonymous. The following is pened … These guys have a huge mar- fessional I have to cover everything. I from a chat with Anonymous9, discuss- keting machine and have pushed the wouldn’t think that many of these peo- ing ‘whitehats’: fear button.” ple involved in LulzSec or Anonymous have had major networks of tens of • Anonymous9: They like to think of Illegal activity thousands of computers spread over dif- themselves as “the good guys” of hack- ferent time zones in different jurisdic- ing, but are they really? None of this alters the fact that most tions with different legal and regulatory • Anonymous9: Is providing services of the hacktivist actions are illegal. requirements and had to try to man- to governments to allow them to spy And the motivation is largely irrelevant age and keep all those things running on people, to allow them to cover up to the victims. “Whether they have an together at the same time with a very their abuses, to allow them to break agenda or not, they should be looked limited budget.” the law – is this positive? at as the same thing,” says Chris There is some awareness of these • Anonymous9: “White hat” is a term Wysopal, CTO of Veracode, a firm issues. In the IRC chats, joepie91 out- which essentially describes someone that provides software security testing. lined two reasons firms have poor secu- who co operates with the authorities, “If you’re an organisation trying to rity (chat logs are presented verbatim): and often includes co operating with figure out if you’re at risk from one of their crimes. So I for one object to the these groups and whether you’re vul- • joepie91: 1. the managers and others term white hat because it implies they nerable, it doesn’t really matter what in charge of deciding the budgets etc, are doing good, when in fact in many their motivations are. You want to are underestimating the importance of cases, they are aiding corruption. make sure you’re not at risk and your IT security, and do not have the neces- Do they have a point? Richard Hollis corporate data’s not exposed.” sary skills to determine whether their is a director of Orthus, an informa- In many ways, for infosecurity profes- security is acceptable tion risk management consultancy in sionals it’s business as usual. “We’re
7 August 2011 Network Security FEATURE
crude weapon that requires no hacking ing one piece of data in one organisa- at all. So are these skilled hackers? tion. They might pick an organisation, Francis Brown and Rob Ragan, but then they’re trying to find any researchers at Stach and Liu and special- weakness they can. Certainly, there are ists in the use of search engines for find- organisations they’ve tried to attack and ing web vulnerabilities, have suggested they haven’t been able to get in, and you that so-called Google Hacking is a key just don’t hear about that.” part of the Anonymous/LulzSec attack The bigger an organisation is, the more toolkit. Basic SQL injection is also clear- likely it is to have a weak spot somewhere. ly used for most of the breaches, and “Sony is a perfect example of that – the logs leaked by the attackers themselves fact that they have so many business units suggest the use of automation tools operating in dozens of countries,” Wysopal Chris Wysopal, Veracode. such as Havij. And chat logs also sug- says. “It shows that when you have a far- gest remote file inclusion and cross-site flung organisation like that it’s hard to scripting are also techniques commonly have a consistent security policy unless you dealing with this stuff every day any- deployed. build a security programme that’s designed way,” says Honan. “Attacks are increas- “These guys aren’t terribly sophisti- to do that. And most companies do not ing, but they’re increasing because the cated,” says Wysopal. “They’re certainly have a programme like that when it comes number of targets is increasing. It’s just a step above script kiddies, but there’s a to things like the security of their web the natural way of things. The more sys- lot of individuals that have the skills sets applications. These web apps are built all tems and people come online, the more that these guys do.” over the place by different teams. Some it’s going to attract criminals. What Hollis agrees. “I’m a 50 year-old guy are outsourced. And a lot of organisa- Anonymous and LulzSec seem to have and I can do a SQL injection,” he says. tions don’t have any consistent view of the that we haven’t had in the past is, to put “And that scares me. So no, they’re not security of those web apps. So you end it bluntly, a better PR machine.” impressive. The attacks are not impres- up with some decent secure ones but you sive. They’ve impressed no-one I’ve ever also end up with some insecure ones and Hacking skills met in the industry; they’re kid’s stuff.” these hacktivists take advantage of that to The low level of skills displayed is a embarrass the whole organisation.” Although the activities of the hacking worry in itself. If hacktivists are achiev- groups have been highly effective in gen- ing this level of mayhem, imagine what Simple weaknesses erating headlines, the actual results have real hackers might do. Their apparent been mixed. For example, the DDoS high frequency of success is most likely a If the skills are basic, that means the flaws attacks by Anonymous in support of result of them going for the weak, find- they’re exploiting are too. Most of the Wikileaks achieved only partial and fleet- ing sites and servers with poor security. SQL injection flaws should simply not ing success. It’s assumed that some hack- “I think they’re opportunistic,” says exist. “It’s pretty basic,” says Wysopal. tivists have access to botnets for their Wysopal. “Most attacks of this type are “I think it just shows that there’s been DDoS attacks, but even so, DDoS is a opportunistic. It’s rare that you’re target- no care to build a lot of these web apps securely, even though they’re putting things like their customer data in there.” Anons agree:
• joepie91: while I am fairly sure that not everything is SQL injection, there have been a *lot* of intrusions that were so basic they shouldn’t have been possible • joepie91: points of entry you would have expected from a 13 year old kids self-programmed forum, but not from a large corporation and/or ‘respect- able’ security firm Other basic mistakes are evident, too. LulzSec’s hack of The Sun started with the breach of a temporary system, set up when News International was creating a Anonymous boasted that it was holding an archive of NATO documents. paywall for its online content. Although no longer in use, this system still had
8 Network Security August 2011 FEATURE links through to the company’s main servers, including the content manage- ment system for its newspaper websites and the email system. It was a classic lateral entry from an unregarded, inse- cure server into a business-critical (and presumably better secured) system.10 Before dismissing hacktivists as script kiddies, though, it’s worth considering if these basic techniques are all they need. “I suspect they’re doing whatever’s nec- essary, as a real penetration testing outfit would,” says Peter Wood, CEO of secu- rity consultancy and pen-testing firm First Base Technologies and member of the ISACA Security Advisory Group. “If you can make your point and get the board’s attention – legitimately and legally, of course – by a simple attack, surely that’s almost more important because the sim- pler the attack the more likely it is to take place in the real world. I don’t deni- grate people for using simplistic attacks. If people are operating outside the law using attacks to show how clever they are, then I’d imagine they’d want to make as sophisticated an attack as possible. But if they have another agenda, which is, per- haps, to make the target organisation look stupid, or to make a political point, they all they need to do is whatever they need to do. It’s whatever anybody would do – you take the easiest route. I’m not sure if it reflects what they’re capable of: I think it reflects what was open to them.” Getting results
So how impressive were the results? The NATO documents that Anonymous leaked actually had the lowest level of security. A recent CNN Money story started “LulzSec took down the CIA’s website in mid-June”.11 That’s a good way of grab- for its work in genetic modification – development. But it’s possible there was bing people’s attention, but it’s not as and posted information on what the another reason for the lack of disclosure. serious as it sounds. Many of the recent group claimed were 2,500 employees.13 The one document the group did release hacktivist attacks resulted in simple web- Monsanto admitted that the breach had – HQ ISAF JOINT CIS CONTROL site defacement or denial of service. And occurred but countered that much of CENTRE – dating from 2007, was clas- where information has been leaked, most the information was publicly available sified as ‘NATO restricted’, which is actu- of it is low-grade and insignificant. anyway, and that most of the ‘employees’ ally the lowest level of protective classifi- For example, one attack that was were not actually connected to the com- cation. In fact, according to Lewis Page, touted by the press as hackers breach- pany, but worked for other firms. ex-Royal Navy officer and now journalist, ing NATO’s defences, turned out to be Around the same time, Anonymous writing on The Register website, docu- a relatively trivial breach of a NATO announced that it had hacked NATO and ments intended for NATO distribution bookshop. LulzSec has even ‘leaked’ was sitting on 1GB of documents, which rarely contain sensitive information, and publicly available information.12 In it wasn’t yet releasing because to do so with those carrying such a low mid-July, Anonymous announced that would be “irresponsible”. This apparent classification, it’s pretty much it had hacked into Monsanto – known attack of scruples struck many as a new assumed that they will be leaked.14
9 August 2011 Network Security FEATURE
followers to use leaked information to take over people’s Facebook and Twitter accounts to embarrass them. This was in connection with login details taken from a porn site, adding a surprisingly con- servative element of moral judgement. Damage done
The public nature of the disclosures is important, and the facet of this hacktiv- ism phenomenon that so crucially distin- guishes it from other forms of hacking. Organisations affected have no choice about whether they disclose the breach. And the hacktivists are not just announc- ing that the breach has happened, but often share details of how it happened. And they usually share the spoils. One problem for hacktivists looking to make a point is that their activities are generally of such low impact that they fail to rise above the overall noise. For exam- ple, many of the attacks by Anonymous A hack of The Sun newspaper resulted in LulzSec posting a fake news story. and LulzSec have been website deface- ments – an activity that happens practi- “RESTRICTED information is so unim- to contact a number of people to warn cally every day, for a variety of motives or portant that hard copies don’t even have that personal details have been leaked.16 no motive at all. Even the data breaches to be shredded on disposal,” he wrote. have to compete with a flood of oth- “Add a NATO prefix and you have some- Collateral damage ers. Ironically, the very transparency that thing completely insignificant.” So the Anonymous claims it wants is presenting decision by Anonymous not to publish Indeed, the organisations targeted by it with a problem. In many places now, may have been motivated by the sheer hacktivists are not the only victims. The companies are obliged to confess data triviality of the material. Of course, the spilling of personal details, such as login breaches. This makes them a wearily fact that a NATO site was hacked at all is credentials, email addresses and even familiar occurrence. It’s therefore difficult an embarrassment for the organisation. physical addresses puts many innocent for politically motivated data breaches to LulzSec briefly came out of ‘retire- people at greater risk of phishing, spam- differentiate themselves and gain public ment’ to hack The Sun newspaper, brief- ming and ID theft. Or worse. The attacks awareness. The high profile – or notori- ly putting a spoof story on its website. against Arizonan law enforcement, for ety, if you prefer – that Anonymous and The stunt provided some entertainment, example, have put into the public domain LulzSec have achieved is the result more but was generally overwhelmed by the sensitive information about police offic- of the groups’ self-publicity than the sig- far more significant story of phone hack- ers. This is information that could be nificance of their actions. ing that was consuming the attention of used by criminals seeking revenge. There is an associated problem, too, most people in the UK. LulzSec claimed The hacktivists’ response to this is typ- which is to do with reputational dam- to have a large hoard of emails but with- ically cavalier. Mentioning it usually elic- age. Although it seems self-evident that, drew its early promise to publish them. its a blithe assertion that, once leaked, for example, the leaking of customer The group made a vague statement this information becomes useless to the data will erode the public’s confidence about working with news organisations genuinely bad guys, because people will in an organisation and degrade the – in the manner of Wikileaks – but that change their login details. This assumes, value of its brand, there is a question has yet to come to anything.15 A cou- of course, that everyone affected knows mark over just how important this ple of weeks later, The Sun was hacked their details have been leaked (reflecting, is, especially over the long term. The again by someone operating under the perhaps, the high opinion Anons have of worry for a hacked company is that name Batteye, who leaked a database their own social significance) and under- customers will abandon it at the time containing details of Miss Scotland 2010 stand that they need to do something the breach is made public, and other contestants – hardly a revolutionary act, about it – which may not be easy. In one people will be disinclined to buy prod- although it has forced the organisation instance, LulzSec actually encouraged ucts or services in the future.
10 Network Security August 2011 FEATURE
• Anonymous9: For example, you for their games. That’s big money … that Wood believes that these high-profile would hope to trust a company like would have a genuine impact on them, hacks have achieved that, although he’s Viacom with your data when you on their business, their bottom line.” uncertain for how long. subscribe to them. You’re handing Sony came under repeated and sustained “Every time there’s some kind of very over your credit card, contact details, attack. In the US, the firm is facing as many high profile event, or series of events, media preferences, the lot. as 55 class-action suits following the breach it seems to capture the attention of, for • Anonymous9: Now, how do you feel of up to 100 million records containing example, risk insurance committees, knowing that a small team of Lulzsec personal information. There are three more non-executive directors, senior people,” hackers managed to breach their cases in Canada. Normally, an organisation he says, “and they will inevitably bring it servers and download an absolutely would look to its insurers to protect it from to the table at audit and risk meetings. colossal amount of information from financial damage under these circumstances, As a result, we see a lot more attention them? but its insurer – Zurich American Insurance being given to information security than However, there’s no proof that this – has gone to the courts seeking absolution when these events don’t happen.” But, has happened to any of the commercial from any requirement to cover the costs. he adds, senior executives, “have about a organisations attacked by hacktivists Zurich American is claiming the policy three-week memory for these things.” (with the possible exception of Sony). only covers “bodily injury” and “property He adds: “I think what we’re seeing For people in the security business – damage”.17 So Sony may be seriously out here is what the industry’s been saying infosec professionals, geeks and hackers of pocket when the dust settles. Or not, for years and years – that systems aren’t – having a database of login credentials depending which way the courts decide. In patched up to date like they should be. leaked is close to a cardinal sin. To the gen- any case, Sony might be calculating that the We continually say to clients that the gen- eral public, it’s yet another data breach in cost of this kind of action is still less than eral public isn’t interested in understand- a daily litany of such failings. And the fact ensuring that all its servers are secured. ing the difference between a well-protect- that these breaches do not involve sensitive “We haven’t seen a lot of credit card ed database containing their credit card data, such as health records or credit card danger exposed,” says Wysopal, “which data and some marketing database put in information, means they probably barely has a real cost associated with the type place with your badge on by a third party. register on the public’s radar. Far from of response – sending out notices to As far as they’re concerned, it’s all you. discouraging future customers, it’s just as customers, perhaps re-issuing credit If they’re not going to do due diligence likely that these attacks won’t be remem- cards – those things have real significant across the whole estate, understand what bered by most people outside those keenly cost associated with them.” The leak they’ve got in place and make sure they’re interested in this subject. And if they are, of customer logins or email addresses all secure to a decent standard, they’re they will be recalled as the work of just might be seen as relatively unimportant going to get this sort of problem.” another bunch of cyber-criminals. Sony is by many firms, he adds. “There’s no It’s the old story of security opera- a special case, but even there a cynic might real hard cost. You have to investigate tions being under-resourced. But that conjecture that antipathy towards the firm it and you have to fix the problem, but is unlikely to change, thinks Hollis, (perhaps even among Anons) might last it’s not as bad as if it was PII [Personally because firms aren’t seeing this as a seri- only up until the release of the next cool Identifiable Information] exposed.” ous issue. “I haven’t seen any difference PlayStation game. This may explain why the sites were so whatsoever in implementing a more Business and market sentiment is poorly protected. “Protected against what?” heightened defence mechanism because another matter. In assessing the damage, asks Hollis. “If this was bank account of this. In the last two months I’ve one can track stock prices, but only over numbers and authentication, then we’d probably discussed this with at least 50 the very short term – long-term there are be having a different conversation, but I clients and across the board I can say, too many other factors in play to isolate don’t see any value in this material. While without a doubt, everybody sees this the impact of just the hacking attacks. it’s private, the severity of disclosure of this as nuisance hacking by a bunch of kids causes little or no impact on corporations who are looking for some press.” Periodic problem other than this reputational damage. This And Honan isn’t seeing companies beat is not low-hanging fruit – this is fruit that’s a path to his door because of LulzSec and Even those firms that care about repu- on the ground and you’re stepping on it, as Anonymous. His clients, he explains, are tational damage (and not all do) gener- far as security is concerned.” already security aware. “If companies are ally treat this as a phase they need to go reacting only to Anonymous and LulzSec through. Put simply, they know that time Raising security attacks, I would posit that they have big- is a healer. For all the public humilia- ger security issues than having to deal tion and apologising, Hollis believes that awareness with Anonymous and LulzSec because most executives in Sony do not regard So if the reputational damage is short- there would be motivated criminals the recent breaches as a ‘significant’ hack. lived and the material leaked insignifi- and organised crime who will be taking “You know what Sony thinks is a signifi- cant, what about the other hacktivist advantage of these weaknesses and caus- cant hack?” he says. “Taking their avatars ambition of raising security awareness? ing more long-term damage than simply
11 August 2011 Network Security FEATURE defacing your website or giving you bad This means examining all your sys- to be anti-establishment. It’s bound to publicity for a few weeks.” tems, and in many cases asking whether be appealing to people of an impression- you really need them. A full audit and able age.” Good effect? pen-test of every server may be unfea- And Hollis adds: “Wait until the next sible, says Wysopal, but you at least LulzSec. The part that worries me is that Nevertheless, maybe the attention might need to do lightweight testing across the next group will have to out-do LulzSec.” have some beneficial effects, if only to the board, “to keep out the lowest level Sooner or later the breaches will become change attitudes towards the value of attackers.” But remediation is going to serious, he says. “They’re going to cross a security professionals. “A large number be a major undertaking for many firms. line. It’s like reality TV – it just can’t get bad of people in the infosecurity community “There are companies out there that enough to make us stop watching it. This are relieved that someone has finally got literally have thousands of websites,” he is nuisance hacking, and the next guys that the attention of so many major organi- adds. “And there are plenty of companies come along are going to take it to a new sations,” says Wood. These attacks, he that have over 100. That’s a significant height and somewhere a line is going to be adds, highlight, “the difference between amount of assessment work.” crossed. I think it’s a year away myself.” vulnerability assessment and penetration testing.” They’re like penetration testing Changed equation About the author with no holds barred. “And, of course, without permission, which is the bad Companies balance the cost of such Steve Mansfield-Devine is editor of bit. We find that a lot of organisations work against the likelihood of attack and Network Security and its sister publica- are reluctant to have a proper, ethical, the resultant impact. These hacktivist tion Computer Fraud & Security. He is approved penetration test against live attacks may have changed that risk equa- also a freelance journalist specialising in systems because they’re concerned that it tion. “Most companies that have brand information security. could damage uptime. It’s very common names to protect, or who have to have for penetration testing companies to be an image of trust, are looking at this asked to do a penetration test that’s real- and saying, this is a new threat to my References ly nothing more than a glorified vulner- organisation that wasn’t in my equation 1. Mansfield-Devine, Steve. ability scan. Sometimes that’s more than before and I have to deal with that,” says ‘Anonymous: serious threat or mere adequate, other times it isn’t. As a result, Wysopal. “And it’s not hypothetical: it’s annoyance?’. Network Security, Jan these systems never get properly tested.” very palpable to companies now.” 2011, pg4. The result, according to Honan, is But Hollis isn’t convinced that every 2. ‘#RefRef – Denial of Service (DDoS) that, “It’s made our jobs a bit more under organisation will make changes. He Tool Developed by Anonymous’. The the spotlight. Anybody in that [security] believes that many have looked at the Hacker News, July 2011. Accessed role needs to take advantage of that and risk equation and have concluded it’s fine Aug 2011.
12 Network Security August 2011 FEATURE
OpenDemocracy, 22 July 2011. 10. Leyden, John. ‘How LulzSec pwned 14. Page, Lewis. ‘NATO Restricted: Accessed Aug 2011.
Avi Turiel, Commtouch Avi Turiel
As wider deployment of IPv6 begins, organisations need to consider the security risks. In February 2011 the final blocks of IPv4 addresses were allocated to the • IPv6 allows 340,282,366,920,938, five Regional Internet Registries around the world. The regional registries will 463,463,374,607,431,768,211,456 continue to allocate these IPv4 addresses (each allocated block represents about addresses (128-bit address). 16 million IP addresses) among the numerous ISPs and organisations in each For a global population of 7 billion region until the IPv4 addresses are exhausted, which is estimated to occur in people this equates to 48,571 trillion late 2011. As a result of this impending IPv4 address exhaustion, many organi- trillion addresses per person (although sations have begun to more seriously consider their roadmaps to IPv6, the the structure of the allocations will not successor to IPv4. As the global implementation of IPv6 becomes a reality, the allow this). In such an environment, associated security concerns must be considered. Internet addresses can be provided not only to current ‘users’ such as the com- IPv6 technology There are also enhancements to quality puters, tablets and smartphones that are overview of service and security – for example, networked today, but also cars, refriger- IPv6 includes IPSec, an end-to-end ators, microwaves, light bulbs, watches IPv6 was standardised in 1998 by the security protocol that operates at the and many more everyday household Internet Engineering Task Force (IETF) Internet layer and includes authentica- devices. primarily to deal with the anticipated tion and encryption capabilities. The To better understand IPv6, it is impor- IPv4 address exhaustion. IPv6 includes primary driver for IPv6 adoption, tant to note that the new address repre- several enhancements over IPv4 such as however, is the vastly increased address sentation differs from that of IPv4 due simplified address assignment with no space: to the larger address field. IPv6 addresses need for the DHCP (Dynamic Host • IPv4 allows about 4,294,967,296 use hex notation – for example: 3FFE:1 Configuration Protocol) used in IPv4. addresses (32-bit address). 900:4545:3:200:F8FF:FE21:67CF. Web
13 August 2011 Network Security