H4cked Off: Losing the Cyber War

17 Jun 2011

In recent months hacktivist group Anonymous has been keeping security commentators busy with its humiliation of such global brands as Sony, Mastercard and Paypal.

Though often basic in nature, the sheer muscle-power behind these attacks was sufficient to knock these mighty websites off their not-so-mighty pedestals, and go some way towards the group's political goal of supporting whistle-blowing site Wikileaks.

Its preferred method of attack? Distributed denial of service (DDOS). This is where a website is bombarded with so many requests for information that the server, unable to cope, falls over and has to go for a quiet lie down and a glass of milk.

As Graham Cluley from security firm Sophos told me this week, it's like a group of fat men all trying to go through the same revolving door – it just won't work.

This is a very basic form of attack – the DDOS, that is. It's successful for two reasons. First: scale. Anonymous ‘members' (though the group is so loosely affiliated that this can apply to just about anyone who once visited one of its forums, or who just plain thinks it's ‘cool') can download a tool that enables their PC to be used as a bot.

And that's all they need to do. Then their machine becomes part of the Anonymous network, and can be programmed to send out countless requests to a targeted website until it runs sobbing from the internet.

As anyone in the world with access to a PC can do this, and as a lot of people like the vague sense of rebellion and the stylings of V from the graphic novel series (chosen as the Anonymous figurehead), that results in a very large, free, powerful network.

The second reason it's successful is that even in this day and age of DIY malware kits, Zeus, SpyEye and Stuxnet, hardly anyone seems to know how to secure a website.

Even security companies such as HBGary and secure token specialists RSA seem not to know, both having experienced large-scale and embarrassing cyber attacks in recent months.

DDOS is not a sophisticated form of attack. Neither is SQL injection, where malicious code is inserted into a webform rather than, say, a user's name and address as the original coder anticipated. But that seems often to work too.

But now there's a new(ish) kid on the block. I've written a few stories over the past couple of weeks about Lulzsec, another hacking collective, although this one is nothing like Anonymous, as one of its members told me recently (at least I assume he's one of the members – pretty secretive on the whole, hackers). As the name implies, Lulzsec are in it for the lulz (laughs).

This week, besides taking down the CIA website (a DDOS attack) and an Australian web registrar, it published 62,000 email and password combinations via a file-sharing site.

It said shortly afterwards on Twitter: "Hope everyone enjoys that list. Good to see some refreshing carnage." Their followers later thanked the group for access to other people's Paypal accounts, pornographic sites and in one case, ownership of a World of Warcraft account.

And Lulzsec appears to be engaged in something of a spat with security firm Sophos, having posted several disparaging posts aimed its way on Twitter.

One read: "Sophos, every one of our tweets gets more views than a week's worth of your website traffic, and we're just spouting inane sh*t. umad?"

All in all, the episode lends further credence to the idea that hackers are unaccountable, unassailable and just maybe, unstoppable. Anonymous style themselves as the ‘Lords of the Internet'. At the moment it appears that they, and their peers are exactly that.

Stuart Sumner, Chief Reporter and security geek

blog comments powered by Disqus