Hacking for a Bad Cause

Verizon study reveals “Hacktivism” as a new and potent force in data theft.

Information assurance-related headlines in 2011 were dominated by news of groups like Anonymous and LulzSec and their efforts to compromise some of the most high-profile computer systems and websites in the world. The work of these groups and others represented a fundamental change in the behavior and motivations of computer hackers – instead of stealing customer data or corporate information with the ultimate goal of profit or financial fraud, these “hacktivists” made political statements by choosing victims based on objections to their ideology and disabling their online systems simply for the sake of entertainment or to cause embarrassment for the target’s lack of online security prowess.

While major hacktivism attacks against Sony, the FBI, PBS, and various police departments made the most news, an annual survey of corporate data theft by Verizon Communications, Inc., shows politically-motivated cyber attacks were much more widespread in 2011 than previously believed. In fact, Verizon estimates 58% of all data theft worldwide in 2011 was perpetrated under the banner of the Hacktivist Movement. According to Verizon's calculations, that means approximately 9.7 million data records were compromised for the sake of political theatre last year, and while the groups responsible claim no intention to exploit these records for financial gain, the data is nevertheless out in the open of the Internet and now potentially accessible by criminals with more traditional, financial motivations.

While hacking for the sake of political posturing represented more than half of all cyber attacks in 2011, Verizon reports the phenomenon had never previously appeared in its research. Each year, Verizon produces its Data Breach Investigation report, which is one of the largest and most comprehensive surveys of cybersecurity in the world, with the help of the U.S. Secret Service, the Australian Federal Police, the Dutch National High Tech Crime Unit and the Irish Reporting and Information Security Service. Together, these agencies admit that hacktivism was a new concept for 2011, and experts are stunned at how quickly and vehemently the cause caught on.

Professionals in information assurance careers hope, however, that the fall of hacktivism as a dominant security threat may be just as rapid. Throughout the second half of 2011, authorities around the world made several high-profile arrests of hackers accused of leading the Anonymous and LulzSec movements. While these groups publicly suggest their hacking activities are purely for their own entertainment, the sudden specter of significant jail time for participants quickly attached very real consequences to the digital political haymaking. The man accused of founding and directing LulzSec, a New York based, former cybersecurity consultant known online as “Sabu,” was apprehended by police in June, 2011 and is reportedly helping federal authorities identify and arrest other Anonymous/LulzSec members as part of a plea arrangement to minimize his own incarceration. This turn of events has stymied the largest hacktivist organizations, and security experts are counting on the arrests to convince others to abandon politically-motivated hacking.

Verizon also reports that many of the attacks carried out by hacktivists were not overly sophisticated and could have been prevented with simple improvements to a victim’s cybersecurity protocols, most notably the use of stronger passwords. By regularly rotating passwords to sensitive online systems and following industry-standard guidelines for password complexity, Verizon predicts potential targets could turn the major information assurance phenomenon of 2011 into a relative afterthought in 2012.

Source: Verizon Communications, Inc. “2012 Data Breach Investigation Report”