Last year saw a massive surge in hacktivism – hacking motivated by political and social objectives – according to Verizon’s 2012 Data Breach Investigations Report [PDF file].
The report attributed fully 58 percent of all data stolen, more than 100 million records, to hacktivists.
“The most significant change we saw in 2011 was the rise of ‘hacktivism’ against larger organizations worldwide,” the report states. “The frequency and regularity of cases tied to activist groups that came through our doors in 2011 exceeded the number worked in all previous years combined.”
Gartner research director Lawrence Pingree says hacktivism reflects a fundamental change in the nature of protest. “People can protest from a thousand miles away … while in the past, if you had a political disagreement with an organization, you had to go and protest on their steps,” he says.
Staying off Hackers’ Radar
In a recent email interview, hacktivist group ZCompany Hacking Crew, or ZHC, which was first established in 2008 to protest India’s presence in Kashmir, suggested it really shouldn’t be too hard to avoid hacktivists’ ire. “We only target racists, fascist organizations and ignorant organizations towards any faith – don’t be a bigot, and keep away from being targeted,” ZHC wrote.
Similarly, in a recent online interview, hacktivist group NullCrew offered the following advice to companies: “If you want the truth, what they can do if they wish to fly off our radar; then they can make sure they have only ethical actions, because if we see one wrongful deed, that leads to the harm of a family? We will be coming for them, the very next second,” NullCrew wrote.
As examples, NullCrew listed the following: “Fast and Furious, a bill that Obama agreed on, and this bill prompted fire arms that were already used for murder to land in the hands of drug cartels. Or Foxconn, how they pushed their employees constantly, leading to suicides. Those are the types of forms we normally look for when we are getting ready to work. We never sit and just randomly go through a server; every server has a reason.”
At the same time, ZHC admits that it does target some sites simply for the publicity – for instance, they defaced a Megan Fox fan site with an anti-NATO protest message. “Our message reached all over the world and more people got to know the real news of oppression that the mainstream media fails to cover,” the group explained by email. “It was nothing personal to Megan Fox, we just used her fame and worldwide audience to spread our message.”
Increased Awareness of Messaging
Gartner’s Pingree says there are some things any company can do to avoid becoming an obvious target. “Put some guidance in place in terms of educating [your] employees on how to appropriately represent the company externally. … I don’t want to discourage organizations from taking part in the political process, but they’ve got to be cautious that the political stances that they take don’t incite certain groups,” he says.
And Sophos senior security advisor Chet Wisniewski says some companies should simply expect attacks from hacktivists. “Clearly, there are companies that engage in behaviors that anger that community, like Sony,” he says. “Obviously, being a movie company and a music company who regularly sues their customers for copying files, that ticks people off and makes people who may have some hacking skills more interested in targeting them.”
At the same time, Wisniewski suggests, there’s not much that Sony’s IT team could actually do to avoid being targeted. “It’s not like Sony was out there taunting Anonymous – they’re just doing their business the way they apparently deem that it should be done,” he says. “And I don’t know that the board of directors is going to change the direction of how a company behaves in order to mollify some random people on the Internet they might piss off.”
Monitoring Social Networks
Wisniewski suggests a good and simple way to monitor hacktivists’ plans (and anticipate potential attacks): look at their Twitter feeds. “If you’re an IT person concerned about keeping an eye out about whether you might be a target, it would be prudent to follow Anonymous and the other guys on Twitter – because they’re not shy about talking about what they’re doing,” he says.
While many companies already monitor Twitter for public relations purposes, Wisniewski recommends training the people responsible for that to watch for security alerts as well.
“If you have brand police that are keeping an eye on the pulse of what your brand is doing in the community, it would be smart to make those people aware of what kinds of things they might want to watch for when it comes to hacker threats on the Internet,” he says. “They don’t have to know what an SQL injection attack is, but if they know to watch for things that sound threatening and to alert the IT staff or the security staff, that would be a prudent thing to do.”
Wisniewski isn’t the only one offering that advice – in a recent interview with Softpedia’s Eduard Kovacs, DeadMellox, leader of the hacktivist group Team GhostShell, suggested, “People should check our Twitter page more often, we let them know in advance what’s going to happen.”
Still, Frost & Sullivan analyst Ben Ramirez says there’s only so much real and actionable intelligence you can expect to gather from Twitter posts. “The best strategy to protect yourself is to have the mentality that you will be under attack,” he says. “Either now or later on, companies must have the mentality that they are going to be at risk for an attack … that’s just something they need to take into consideration.”
Back to Basic Security
The best way to avoid the majority of attacks may just be to improve your security, even at a very basic level. “In Parmy Olson’s book, ‘We Are Anonymous’ … she confirmed in an interview with these guys that the vast majority of it was random acts … and then later on they said, ‘Oh, we need to find reason to make this political,’” Sophos’ Wisniewski says. “They were just trolling around the Internet and said, ‘Oh, look: a database that’s wide open with a simple SQL injection attack!’”
As a result, Wisniewski says, it’s actually simple to avoid becoming an easy target. “You eliminate a huge percentage of your risk if you’re simply doing a proper penetration test of your public-facing Internet systems twice a year – because if it’s too hard, they’ll move on to another target,” he says. “If you’re MasterCard and Visa, and you know that they’re ticked off about WikiLeaks and you might be a target, if MasterCard have worse security than Visa, they’re the ones that are going to get hacked … you want to be the guy with the best door lock in the neighborhood, so the thief goes to the next door and breaks in over there.”
Many organizations seemingly aren’t checking their “locks” at all. Sophos is seeing 20,000 new Web pages a day hosting malware. “If people were doing penetration testing, that number would nosedive, because almost all of that is stupid, trivial SQL injection stuff … and if you can eliminate even the most obvious of that stuff, you’ve massively reduced the likelihood that you’re going to be the next target,” Wisniewski says.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at jeff@jeffgoldman.com.