
FEATURE

Hacktivism: assessing the damage

Steve Mansfield-Devine

Network Security, August 2011

With the rise to stardom of activists Anonymous and hacking group LulzSec, cyber-attacks have entered a new phase. There’s nothing original in the technical exploits they’re deploying – most are very basic. But unlike most attackers, these groups actually crave publicity and are eager to share the data they steal. They frequently claim that this is for the greater good, to encourage better security and a more responsible custodianship of personal data. These are issues close to the hearts of information security professionals; so will these attacks have an effect on organisations’ attitudes to security? And has the infosecurity landscape changed forever?

First, we have to ask, who are these people? And there’s no easy answer. These are not well-defined groups with membership lists. And their activities have spawned many imitators and fellow-travellers. There are also some distinctions between the groups defined by the ‘members’ themselves. This makes labels difficult: ‘hacktivists’, ‘activists’, ‘hackers’, ‘members’ – even the word ‘group’ itself – all map very poorly on to how these people organise and operate. However, for the sake of discussion, and brevity, we’ll use words like ‘group’ and ‘hacktivists’ to encompass Anonymous, LulzSec and those who tag along in their shade.

Anonymous

Anonymous has a long track record of activism, only a portion of it involving hacking. The group first came to public attention as a result of its Project (or Operation) Chanology campaign against the Church of Scientology. This frequently involved ‘Anons’ gathering in street protests, many wearing the now-iconic Guy Fawkes masks. Anonymous quickly established a style characterised by anarchic wit and portentous (and, many would argue, pretentious) videos. This light-hearted posturing and the nature of its target won Anonymous widespread sympathy.

Its next major campaign could be said to have appealed to a narrower demographic: Operation Payback attacked the music industry for its heavy-handed legal pursuit of filesharers. It also foreshadowed what was to become a characteristic of subsequent operations – a certain superficiality in the arguments supporting them. Underlying Operation Payback (which continues, sporadically, to this day) was a dislike of copyright that was conflated with the self-serving interests of major media corporations and narrowly focused on music and movies. It’s a crudity of argument that has resurfaced in the group’s attacks on information security companies and ‘whitehats’.

The group’s ambitions are often couched in terms of uncovering corruption and fighting oppression and use the vocabulary of revolution, even though their activities are commonly perceived as little more than juvenile stunts or vandalism. But this isn’t to doubt the authenticity of their motivations or feelings. These were particularly evident during the pro-Wikileaks campaigns which, famously, brought minor grief to the likes of Mastercard and PayPal.[1]

Anonymous says it is leaderless, a claim that is both partially true and disingenuous. Certainly, anyone can join in a campaign – or mount one of their own – under the Anonymous banner. At the same time, there is clearly a core group running key Twitter accounts, producing YouTube videos and controlling important channels (some closed to the general public) on IRC servers. While many of those who join in the campaigns will simply download and use the Low Orbit Ion Cannon (LOIC) DDoS tool, it appears to be this core group that is capable of wielding at least some basic hacking skills. Nevertheless, the key campaigns under the name of Anonymous have tended to use DDoS as the weapon of choice, and a new tool, RefRef, has just made an appearance.[2] This exploits resource exhaustion to take down targets.

The group also continues non-hacking campaigns. Recently, for example, it announced Operation UnManifest in which people are encouraged to modify copies of the manifesto written by Norwegian mass-murderer Anders Breivik, creating versions that ridicule his ideology. By flooding the web with these mauled copies, anyone seeking the manifesto can never be sure they are getting the real thing.[3]

LulzSec

According to LulzSec – or Lulz Security – its hacking activities had no higher purpose but were simply for the ‘lulz’ – the pure joy of creating mayhem. This assertion has been undermined by the group itself a number of times: in fact, the action that really brought it to public attention was the defacement of a website belonging to the Public Broadcasting Service (PBS) in the US because LulzSec was unhappy with the treatment of Wikileaks in a documentary.

What followed was 50 days of hacking stunts, including repeated attacks on Sony. Many of the attacks resulted in the theft of users’ login credentials for websites and other online systems. There were government targets, too, including the CIA and, in the UK, the website of the Serious Organised Crime Agency (SOCA), which was brought down by a DDoS attack.[4]

[Image caption: LulzSec adopted a whimsical, piratical theme for its announcements.]

At first, LulzSec denied any connection with Anonymous. But it soon became apparent that LulzSec members, who probably never numbered more than half a dozen or so, were the same people behind many Anonymous activities and may even represent the people within the Anonymous core with genuine (albeit low-level) hacking skills. This became explicit when LulzSec later admitted responsibility for attacks against security firm HBGary, which were originally claimed by Anonymous.

It’s worth repeating, though, that the Anonymous name is adopted by a wide variety of people around the world.

AntiSec

In mid-June 2011, LulzSec suddenly announced it was disbanding – or rather, merging with Anonymous as part of a new campaign, AntiSec.[5] The reason for the change was never clear. ‘Topiary’ – regarded as the mouthpiece of LulzSec – claimed in an interview that the group wanted to quit on: “A high note, a classy ending”.[6] Most onlookers, however, believed the decision was driven by the heat the group was starting to feel from law enforcement: the move was part of the hackers’ constant attempts at misdirection and disinformation. Shortly before this issue went to press, the Metropolitan Police arrested Jake Davis who, they claim, is Topiary.

The AntiSec campaign is focused on alerting the world to security weaknesses – particularly on the part of government entities and corporates – and what AntiSec sees as dishonesty and ineffectiveness on the part of the information security industry. One early action was the leak of 700 confidential documents from Arizona’s Department of Public Safety. Although still seen as a LulzSec attack, it was accompanied by an attempt at justification: “We are targeting AZDPS specifically because we are against SB1070 and the racial profiling anti-immigrant police state that is Arizona,” said a statement.[7]

Other high-profile stunts included the downloading of large numbers of documents from defence and FBI contractor ManTech, the leaking of emails from the Department of Homeland Security, 90,000 email addresses – many of them military – from defence firm Booz Allen Hamilton, and the defacement of 77 law enforcement websites and the leaking of the personal details (including social security numbers and home addresses) of 7,000 law enforcement officers.[8,9]

Security awareness

AntiSec supporters are not slow in taunting or denigrating ‘whitehats’. In a discussion on the AnonOps IRC server, in the #reporter channel used to talk to the press, someone identifying himself as ‘joepie91’ explained: “The problem most people have with the majority of ‘whitehat security researchers’ is that they charge insane amounts of money for supposed ‘security’, and then fail to protect from even the most basic attacks.”

(It’s important to note that, while joepie91 had admin privileges for the #reporter channel, and others seemed to defer to him, as they did to Anonymous9 during a later chat, this does not make either of them a spokesman for Anonymous. It is part of the fiction of Anonymous being ‘leaderless’ that no-one speaks in an official capacity. However, the personal opinions offered during IRC chats echoed those frequently stated by Anons.)

The hostility towards whitehats could be brushed aside as nothing more than name-calling, but perhaps it is more revealing than that. It may demonstrate a fundamental lack of understanding when it comes to the root cause of security vulnerabilities, which isn’t a lack of skill or understanding among security professionals, but among those who pay them. It’s an institutional or business problem.

“There are lots of good information security professionals out there that have great technical skills, but technical skills alone will not protect your company,” says Brian Honan, an independent consultant based in Dublin who specialises in the strategic risk aspects of information security. “You also need to have management skills, budgeting skills and political skills – because you have to make sure that your agenda is part of the company’s agenda – and you need to have risk management skills. If I’m an attacker, I can take my time and focus on one element of your

[Image caption: Following a number of arrests, LulzSec announced via Twitter that it was unaffected – but it was clearly feeling the heat.]

• joepie91: 2. the ‘whitehat security researchers’ take advantage of this incapability on the managers side, and charge outrageous amounts of money for things that do not appropriately secure the systems

But even this basic understanding is

London that works with organisations of all sizes. He believes that the security industry has been fuelling fear, uncertainty and doubt. “I think this is, by and large, pushed by vendors who are saying, be afraid, be very afraid,” he says.