The rise of hacktivism: where does the law stand and can we protect ourselves?

Hacktivism, namely using computers to promote a political or social issue, can be seen in much the same light as other, more physical forms of protest, and is often exercised for the same broad array of reasons. As with other forms of protest, the question of justifiability is a complex topic with no simple blanket answer.

Hacktivism has taken on many different faces in its short lifespan. From international movements targeting governments and corporations to small acts of protest against schools and employers, hacktivism is a tool utilised for all sorts of causes.

Over recent years, hacktivism has become synonymous with the enigmatic online group Anonymous, who’ve taken on governments and businesses alike in their activities.

However, it is difficult to ascertain the motives of nebulous hacktivist groups such as Anonymous. Hacktivists have often cited exposing corruption or cruelty (e.g. torture or child abuse) as their reasons for targeting a person or body, yet the reasons are not always so clear cut and there is no definitive list of 'what motivates hacktivists'.

Furthermore, data from such breaches has a market value and, once in the possession of groups or individuals with no accountability, could be used for personal profit.

Looking at the major instances of hacktivism from recent years, DDoS attacks often form a key part of hacktivist attacks, as they knock the target offline and render their service unreachable.

Early examples such as Mafia Boy’s DDoS of Yahoo! and CNN many years ago were hugely effective, and DDoS attacks continue to be used by hacktivists; for example, the president of Serbia’s website was DDoSed recently.

These groups are also known to commonly employ social engineering tactics to gain access to networks and DNS registry tampering to divert web users either to a malicious site, or one that contains messages from the hacktivists explaining why they’ve chosen to attack a certain site or organisation.

Often hacktivists in America are said to be breaking the law under the First Amendment – denying freedom of speech by defacing or downing sites they don’t agree with. In a 2011 interview with CIO.com, the FBI’s then Assistant Executive Director in charge of cybercrime, Shawn Henry, said that as soon as valuable data is accessed people are breaking the law, and that breaching a network is looked at in just the same way as trespassing.

Once perpetrators have been apprehended by authorities, high-profile cases have then progressed with prosecutions under the Computer Misuse Act and Criminal Law Act in the US.

Hacktivist-led attacks are in some ways more dangerous than others because attackers are acting without necessarily seeking financial gains, so they aren’t constrained by the need to find valuable data – they can focus on political goals, which are (as we can see from the above examples) pursued in more destructive ways than typical data breaches.

Furthermore, these hacktivist-led attacks can turn into PR disasters, as companies or individuals are called out on possibly unethical activities (for instance Anonymous’ exposure of KKK members in the US Senate). The subsequent loss of customers or prestige can be just as damaging as a regular data breach.

As a rule of thumb, organisations should take reasonable steps to secure their digital assets regardless of the profile of the attackers anticipated. Organisations can defend themselves from hacktivists by employing the same approach to security as for any other class of attacker.

A robust security policy should include strategies for prevention, detection and response, the three phases in the security life-cycle. Investment in all three phases is critical, and some general recommendations for each phase are provided below.

Prevention

Perform security testing on web applications to catch and fix flaws which could lead to data exposure.

Follow the principle of least privilege when deploying systems: if a system does not need to be accessed outside of the internal network, it shouldn't be exposed on the internet.
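
One way to check this on a Linux host, as an added example that is not from the article or its author: the Python below reads `ss -tlnH` output and reports TCP listeners bound outside the internal ranges on ports that are not meant to be public. The sample output, the `INTERNAL_NETS` ranges and the `PUBLIC_PORTS` allowlist are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets); not from the article.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 10.0.5.12:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 511 203.0.113.10:8080 0.0.0.0:*
"""

# Assumptions: the networks treated as internal, and the only port meant to be public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]
PUBLIC_PORTS = {443}

def split_local(field):
    """Split the local-address field into (address, port); handles [v6]:port and %iface."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]
    if addr == "*":
        addr = "::"  # ss prints * for a dual-stack wildcard bind
    return addr, int(port)

def is_internal(addr):
    """True only for addresses inside INTERNAL_NETS; wildcard binds never match."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_exposed(ss_output, public_ports=PUBLIC_PORTS):
    """Return (address, port) for listeners reachable beyond the internal network
    whose port is not on the public allowlist."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # skip blank or unexpected lines
        addr, port = split_local(parts[3])
        if not is_internal(addr) and port not in public_ports:
            findings.append((addr, port))
    return findings

if __name__ == "__main__":
    for addr, port in find_exposed(SAMPLE_SS_OUTPUT):
        print(f"review: port {port} is listening on {addr}")
```

A listener flagged here may still be blocked by a firewall or security group, so treat each finding as a prompt to confirm the service really needs to be reachable from outside.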

Detection

Involve active, skilled human actors in detection. Automated anti-virus, intrusion detection and prevention systems can be effective tools, but their outputs should be monitored by human actors who have the ability to make informed judgments on the output of these tools.

Response

In the event of a breach, it is necessary to assess the damage done and ensure that the attack paths which led to the breach are closed as quickly as possible, so that similar attacks cannot reoccur.

If users' data is breached, it is important to inform them as soon as possible so that they can protect themselves by changing any reused passwords. The black market value of a data breach immediately falls when it is publicised.

While hacktivists might be motivated by passion, or a sense of justice, that doesn’t mean their activity is legal or that it should be tolerated. Organisations can, and must, take steps to prevent being compromised and data being plundered.

Having solid defences in place will not only deflect the antics of hacktivists, but will also prevent a more malicious compromiser taking hold.

Sourced from David Yates, Information Security Consultant, MWR InfoSecurity

Ben Rossi
