Hacker Group Logo for People’s Liberation Front

The hacker group Anonymous has polarized the online communities. Many judge these hackers are heroes, “known for its robust defence of internet freedom,” recently coming in first place in Time Magazine’s 2012 online poll for most influential person in the world.  Anonymous beat out other influential people such as Lady Gaga, Vladimir Putin, Barack Obama, and Jeremy Lin. Others are just as quick to judge them as “domestic terrorists” a term Fox News has branded to the hacker group. This interview is a rare insight into the mind and heart of an influential and famous hacker.

Chris says “There’s a really good argument at this point that we might well be the most powerful organization on Earth. The entire world right now is run by information. Our entire world is being controlled and operated by tiny invisible 1s and 0s that are flashing through the air and flashing through the wires around us. So if that’s what controls our world, ask yourself who controls the 1s and the 0s? It’s the geeks and computer hackers of the world.”

When asked who was winning between hacktivists and law enforcement, “I think it’s a stalemate at the moment. I think eventually we’ll win. I’ve always believed that right will always prevail.” Chris further expounds that “’Information terrorist’ – what a funny concept. That you could terrorize someone with information.” He then compares himself with the Occupy movement comparing hacktivism to the 99% and says the people who consider groups like his ‘information terrorists’ are the 1%.

The interviewer, Catherine Solyom, asks what is next for Anonymous and Chris replies ominously,

“Right now we have access to every classified database in the U.S. government. It’s a matter of when we leak the contents of those databases, not if. You know how we got access? We didn’t hack them. The access was given to us by the people who run the systems. The five-star general (and) the Secretary of Defence who sit in the cushy plush offices at the top of the Pentagon don’t run anything anymore. It’s the pimply-faced kid in the basement who controls the whole game, and Bradley Manning proved that. The fact he had the 250,000 cables that were released effectively cut the power of the U.S. State Department in half. The Afghan war diaries and the Iran war diaries effectively cut the political clout of the U.S. Department of Defence in half. All because of one guy who had enough balls to slip a CD in an envelope and mail it to somebody.

Now people are leaking to Anonymous and they’re not coming to us with this document or that document or a CD, they’re coming to us with keys to the kingdom, they’re giving us the passwords and usernames to whole secure databases that we now have free reign over. … The world needs to be concerned.”

Further information of note in this interview is that Chris pegs the number of hackers worldwide affiliated with Anonymous to be 50,000 people. Also, the “average Anon is not like [Chris], working 12 hours a day dedicating their life to this, He’s an IT guy or a cable installer with a few hours to spare.” This culture of hacktivism is definitely growing in size and scope. This push for information to be “freed” requires better security management efforts to continue in order to safeguard all private information, especially the people who you allow access to your information, as they can be just as dangerous as any hacker. Stay vigilant.

All quotes from interview: http://news.nationalpost.com/2012/05/12/insider-tells-why-anonymous-might-well-be-the-most-powerful-organization-on-earth/

The article also breaks down the hackers into the two common fields, white hat hackers “an anti-virus programmer, for instance, or someone employed in military cyberdefense – aims to make computers work better” whereas black hat hackers “sets out to attack, cause havoc or [rip] people off.” Hacking humble roots have evolved into big business and there is a huge upswing trend of black hat hacking. The U.S. Department of Homeland Security reported a spike of “fifty thousand between October and March, up from ten thousand from the same period last year.”

George Hotz said “My whole life is a hack; I don’t hack because of some ideology, I hack because I’m bored.” “I live by morals, I don’t live by laws,” he went on. “Laws are something made by assholes.” “Nothing is unhackable,” he told the BBC in an interview. “I can now do whatever I want with the system. It’s like I’ve got an awesome new power—I’m just not sure how to wield it.”  It is mentalities like this that are predominant in the hacking world. Often people do these things to see how things work, and how to make things better, but George Hotz blurs the line between white and black hat hacking and polarizes on hot button issues.

After successfully hacking the Playstation3, Sony retaliated changing their code to prevent people from using this particular exploit, but turned off some functionalities that certain user groups, Linux users for example, relied on. Many went to the Sony blogs to express outrage at Sony’s treatment of this person or to hate on geohot, George’s online hacker handle. Someone posted George’s phone number online and soon detractors were calling and harassing him. People on both sides of the fence weighed in, further increasing the fame of geohot.

After this particular exploit was closed to George, he decided to hack the PS3 from another angle, going after and cracking through another area he felt could offer him the access he desired. Unsure of whether to post this new hack, especially after the controversy that erupted after his previous hack, he went online to ask other hacker friends for advice. Hotz recalls one hacker said “Yeah, information should be free; this is the struggle of our generation, the struggle between control of information and the freedom of information.” So he posted the exploit for all to see.

January 11^th Sony announced a lawsuit against him, requesting a restraining order for violating the Computer Fraud and Abuse Act. Instantly the web was a flurry of opinions on the matter. The Electronic Frontier Foundation, a digital-rights advocacy group, released a statement saying that the case sent a “dangerous message [that Sony] has rights in the computer it sells you even after you buy it, and therefore can decide whether your tinkering with that computer is legal or not. We disagree. Once you buy a computer, it’s yours.” Riley Russell, the general counsel for Sony Computer Entertainment of America, said “our motivation for bringing this litigation was to protect our intellectual property and our consumers.”

LulzSec and Anonymous Logos

A California district court granted Sony the restraining order and further approved a request for ISP providers to release addresses of anyone who downloaded the hacking instructions from the website, further angering digital-rights advocates and people in the hacking community. This further propelled him to martyrdom fame in the eyes of some hackers. Soon he had gained the allegiance of Anonymous. The article describes Anonymous as “an international, decentralized, shape-shifting hive. All you have to do to join is say you are part of it. No one goes by his or her real name.” A specific chat room in the Anonymous community was created called Operation Sony, or #OpSony. Their mission statement read “it is the duty of Anonymous to help out this young lad, and to protest against Sony’s censorship.”

This chat room decided what punishment was most fitting for Sony’s “crime” against George Hotz, their anointed martyr. They settled on DDOS attacks, causing the Sony.com and Playstation.com websites to crash. They released in a public press release “Congratulations Sony. You have now received the undivided attention of Anonymous. You must face the consequences of your actions, Anonymous style.” Later they posted to YouTube a video demanding they leave geohot alone. “I’m the complete opposite of Anonymous,” he told me. “I’m George Hotz. Everything I do is aboveboard, everything I do is legit.” Hotz was trying to distance himself from this band of black-hat hackers, but their names and stories would be forever intertwined.

April 11^th, Sony and George Hotz settled a deal, George agreeing to not reverse-engineer any Sony product ever again. This riled the digital-rights advocates and black hat hackers up. Black hat hackers all called for more attacks against Sony in retaliation.

April 19^th Sony “concluded that it had been the victim of a sophisticated attack that had exposed the addresses, passwords, birthdays, and email addresses of seventy-seven million PSN subscribers” one of the biggest security breaches of all time. Sony accounced it would keep the network down indefinitely at an estimated cost of ten million dollars a week in lost revenue.

April 29^th, Hotz uploaded a rant saying “hacking into someone elses server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony… pointing out the distinction between white- and black-hat hackers.”

May 1^st another data breach exposed twenty-four million personal accounts from Sony.

June 2^nd. LulzSec, an Anonymous “splinter group”, hacked the Sony Pictures web site, compromising more than a million passwords. Sony claims the number is only thirty-seven thousand.

The entire summer of 2011, continued “attacks on media, technology, and other institutions came almost daily. Nintendo got hacked, and so did Sega, Electronic Arts, the News Corporation, Booz Allen Hamilton, NATO, and Lady Gaga. Even the C.I.A. was hacked, LulzSec claimed. It was the Summer of Lulz.”

Despite some high profile arrests of high-ranking members of Anonymous, they continue to hack. Jim Kennedy, senior vice-president of strategic communications for Sony Corporation of America warns “in the end, it must be recognized that no system is absolutely foolproof. Constant vigilance is essential.” He could not be more correct.

All quotes from New Yorker article, http://www.newyorker.com/reporting/2012/05/07/120507fa_fact_kushner?currentPage=all

This new $20,000 reward is “major bump from the $3,133.70 that represented the company’s maximum payout for security bug information until now, and may be a recognition that the company’s limited bounties haven’t measured up to much higher payouts from buyers who use the same vulnerability information for offensive hacking.”[1] Other developers, such as Facebook and Mozilla offer a few thousand dollars reward for similar vulnerability assessments. Fun fact: the number 3,133.70 is a “number that’s meant to spell out ‘elite’ in hacker slang.”[2] According to a Google Security Blog, in the past year they have given out “$460,000 to roughly 200 individuals [and are] confident beyond any doubt the program has made Google users safer.”[3]

A renowned hacker and “Bangkok-based security researcher who goes by the handle ‘the Grugq’ [says] if they want their bugs fixed, they can buy them at market rates like everyone else.”[4] Grugq acts as an intermediary, finding these security holes and selling them to the highest bidder. Grugq says buyers of these exploits include “Western governments [limiting] his sales to the American and European agencies and contractors not merely out of ethical concerns, but also because they pay more.”[5]Though his actions are completely legal, they are not without critics, including Chris Soghoian, a “privacy activist with the Open Society Foundations, who has described the firms and individuals who sell software exploits as ‘the modern-day merchants of death’ selling ‘the bullets of cyberwar.”[6]

Andy Greenberg, the writer of these Forbes articles, assembled the costs associated with hacking a list of zero-day threat prices broken out by software companies into a chart below.

This same hackers group hacked UFC.com, the ultimate fighting conference website, for their support of the Stop Online Piracy Act (SOPA) bill. The hacker claiming credit on behalf of the UGNazi group, JoshTheGod, issued a statement saying “We aren’t done…not even close.” [4]These DDOS attacks seem primarily aimed at the SOPA bill and legislation geared towards more restrictive internet rights. This particular brand of hacking, or hacktivism, seems more and more geared towards highlighting various causes as opposed to actual theft of information or other more tradition hacking efforts. Their image is posted below.

Additional hacks continued the next week in the United States, affecting such sites as USTelecom, TechAmerica, two technology trade websites with denial-of-service attacks and later Boeing, an airline manufacturer, all supporters of the current Cyber Intelligence Sharing and Protection Act (CISPA) legislation[2].

April 7^th, Anonymous, on their YouTube channel stated: “CISPA, the Cyber Intelligence Sharing and Protection Act of 2011, and those who have crafted this bill have now become sworn enemies of Anonymous. We will unleash the worst pain on those who threaten our existence. You will neither eat, nor sleep, without hearing our voices through your walls. Your actions will be monitored… We will march through the streets, we will destroy your reign of terror on our domain, you will cease to exist. This is not a threat, this is a promise.”[3]

The bill is designed “To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes [and] the Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.”[4] Despite the overall sentiment that cybersecurity is necessary and good for United States national security, the details were not specific enough to satisfy those worried about issues such as net neutrality, privacy, and censorship on the World Wide Web.

The blog Geekosystem, thinks CISPA “aims to theft of government information or intellectual property and cybercrime in general; unlike SOPA, however, CISPA operates under the guise of national cybersecurity as opposed to economic concerns, but CISPA’s overly broad language could be used for surveillance or censorship because the bill lacks sufficient restrictions.”[5]

Bill co-sponsor, Rep. Mike Rogers, says the bill aims to “help the private sector defend itself from advanced cyber threats.” Rep. Dutch Ruppersberger further posits, “Without important, immediate changes to American cyber security policy, I believe our country will continue to be at risk for a catastrophic attack to our nation’s vital networks – networks that power our homes, provide our clean water or maintain the other critical services we use every day.”

This legislation is being likened to the polarizing Stop Online Piracy Act (SOPA) bill which created a firestorm of controversy between Internet privacy and neutrality advocates such as the Electronic Frontier Foundation (EFF) and the content creators concerned with piracy and copyrights, such as the Motion Picture Association of American (MPAA). Massive online protests tabled the initial bill, and privacy advocates “won” that initial battle. Though this bill is different in scope, considered to be more focused on cybersecurity, it, like SOPA, is considered overreaching in its abilities and vague in its language, an overreach of due process and a potential censoring of the internet. Undoubtedly this will continue to be an important issue to monitor for security and privacy advocates everywhere.

This virus initially was discovered in September 2011, and it “tried to trick users into installing it by masquerading as an installer for Adobe Flash” [3]stealing data, including usernames and passwords upon a user visiting the infected websites. A user would click to update a version of Adobe Flash to allow this virus access. This latest variation of Flashback is “the first widespread drive-by malware to attack Macs [and] is one of the most pernicious attack techniques, which has long troubled Windows users, and it does represent a major advance.”[4]

Roel Schouwenberg, a researcher with Kaspersky says that “for now, the hijacked Macs are being used for click fraud, creating Web traffic from the infected machines to boost revenue from pay-per-click and pay-per-impression advertisements [but] like any Trojan, the malware functions as a backdoor on the user’s computer, and can allow new software updates to be downloaded.”[5]

Dr. Web and Kaspersky both “estimate that more than 600,000 Macs are infected with Flashback, which would represent more than 1% of all of Apple’s PCs; its sheer size represents a shift in the cybercriminal underground, which has long ignored Macs to focus on Windows’ larger market share.[6] This marks a change in how hackers are working, further complicating efforts to manage effective cyber security across platforms.

The Wall Street Journal reports that “Global Payments also said that the thieves ‘exported’ the information, which is typically more serious than hackers who are only able to break in and view the data.” [4]Though specifics of the hack have not been released by Global Payments there was enough concern for Visa to take Global Payments off of their approved vendors list. MasterCard is conducting an independent review before making any decisions on the matter.

In addition to losing their status as a Visa processing provider, Global Payments stock has taken a beating. Attacks like these can have damaging and wide ranging ramifications. Visa asked Global Payments to revalidate their Payment Card Industry Data Security Standard (PCI DSS) compliance. Amy Corn, a spokeswoman for Global Payments says “we expect to be reinstated once we have been issued a new report of compliance” [5] Each attack like this also undercuts consumer trust in institutions like credit cards to safely and securely manage their data.

The study suggests “this re-imagined and re-invigorated specter of ‘hactivism’ rose to haunt organizations around the world [with a] proclivity to embarrass victims.” Compromising user records and the stealing of personal and corporate data was “certainly a core tactic.” It appears that the personal nature of individual’s data can lead to embarrassment and inevitably the large amounts of publicity these attacks garner, are certainly part of the hacktivism toolkit and motive.

A final note on this, 97% of breaches were avoidable through simple or intermediate controls, and 96% of victims were not compliant. Simple security measures can be taken immediately to lower overall security risks. Once again, this study reminds us “that our profession has the necessary tools to get the job done [and that] the challenge for the good guys lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time.”

“There are only two types of companies, those that have been hacked and those that will be.”

The technology world has been inundated with stories of hackers, hacktivists, and high profile arrests. One potential benefit from all of this is heightened awareness. There should be no CEO or CTO who is not aware of these attacks and the accompanying damage they have caused. Awareness of these issues is at an all-time high. That being said, awareness is only the first step to being secure; implementing an improved security plan is the necessary follow-up. A recent New York Times article highlights the emergence and potential benefit of these attacks, saying “The Stratfor hack, in which Anonymous claimed to have joined forces with WikiLeaks, drove home a clear lesson about the era of ubiquitous “hactivism,” or hacking as a form of protest [to] raise the alarm about the unguarded state of corporate computer systems.” The article discusses weaknesses in security plans, highlighting that “the Anonymous break-ins take advantage of gaping computer holes and gullible human beings. They persuade company employees — one is all it takes — to click on rogue Web sites or divulge a confidential piece of information, in an exercise known as social engineering.” It is important not to forget the human component required in a successful security protection plan.

 “Anonymous is a wake-up call,” said Roger Cressey, senior vice president of Booz Allen Hamilton, “any company that is patting themselves on the back and saying that they’re not a target or not susceptible to attack is in complete and utter denial.”

2012 Carnegie Mellon CyLab Governance survey

Recent survey results from a Carnegie Mellon study indicate that one of the most important advance findings is that boards and senior management still are not engaging in key oversight activities, such as setting top-level policies and reviews of privacy and security budgets to help protect against breaches and mitigate financial losses. There is no better time for senior management and decision makers to re-examine security procedures and processes than now. Furthermore, Brian Fitzgerald, Vice President of Marketing for RSA states “The models for creating, delivering and managing IT services are in a state of transformation driven by virtualization, cloud computing, the hyper-connectivity of people and organizations, and the emergence of a new class of ‘big data’ applications. With the convergence of these trends amid an increasingly complex compliance and threat landscape, executives and boards must be actively engaged in ensuring their organizations are addressing these risks while reaping the benefits of next generation IT.”

Study Recommendations:

To help company boards improve corporate governance of privacy and security, the advance findings of the research included recommendations for organizations to undertake key governance activities, such as:

• Establish the “tone from the top” for privacy and security through top-level policies.
• Review roles and responsibilities for privacy and security and ensure they are assigned to qualified full-time senior level professionals and that risk and accountability are shared throughout the organization.
• Ensure regular information flows to senior management and boards on privacy and security risks, including cyber incidents and breaches.
• Review annual IT budgets for privacy and security, separate from the CIO’s budget.
• Conduct annual reviews of the enterprise security program and effectiveness of controls, review the findings, and ensure gaps and deficiencies are addressed.
• Evaluate the adequacy of cyber insurance coverage against the organization’s risk profile.