It’s nigh on impossible to make a system completely secure from outside threats, especially if it’s going to be available to the general public. Still, there are certain measures you can take that will make it a lot harder for a would-be attacker to get at your users’ private data, which is usually enough for them to give up and move on to another, more vulnerable target. However, as my previous posts on the matter of security have shown, many companies (especially start-ups) eschew security in favor of working on new features or improving user experience. This might help in the short term to get users in the door, but you run the very real risk of being compromised by a malicious attacker.
The attacker might not even be entirely malicious, as appears to be the case with one of the newest hacker groups, who call themselves LulzSec. There’s a lot of speculation as to who they actually are, but their Twitter alludes to the fact that they were originally part of Anonymous and decided to leave since they disagreed with the targets being chosen and were more in it for the lulz than anything else. Their targets range drastically from banks to game companies and even the US Senate, with the causes changing just as wildly, from simply for the fun of it to retaliation for wrongdoings by corporations and politicians. It would be easy to brand them as anarchists just out to cause trouble for the reaction, but some of their handiwork has exposed serious vulnerabilities in what should have been very secure web services.
One of their recent attacks compromised more than 200,000 Citibank accounts via the online banking system. The attack was nothing sophisticated (although authorities seem to be spinning it as such): the attackers gained access by simply changing the identifying URL and then automating the process of downloading all the information they could. In essence Citibank’s system wasn’t verifying that the user accessing a particular URL was authorized to do so. It would be like logging onto Twitter, typing, say, Ashton Kutcher’s account name into the URL bar and then being able to send tweets on his behalf. It’s basic authorization at its most fundamental level, and LulzSec shouldn’t have been able to exploit such a rudimentary security hole.
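To make the point concrete, here is an added example (my own illustration, not Citibank’s code or anything LulzSec published) of the flaw described above: a handler that trusts the account identifier from the URL versus one that checks the logged-in user actually owns the record, plus a small monitor that flags a session walking through many distinct identifiers, which is the automated download part. The account data, user names and the `EnumerationMonitor` threshold are all constructed for the example.

```python
"""Added example: direct object reference with and without an ownership check,
plus a simple enumeration detector. Not the code of any real bank."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    owner: str
    balance: float


# Constructed sample data for the example (not real accounts)
ACCOUNTS = {
    1001: Account(1001, "alice", 250.0),
    1002: Account(1002, "bob", 4200.5),
    1003: Account(1003, "carol", 12.0),
}


class Forbidden(Exception):
    """Raised when the session's user is not allowed to see the record."""


def get_account_unchecked(session_user, account_id):
    """The flawed pattern: the id taken from the URL is trusted as-is, so any
    logged-in user can read any account just by changing the number."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise KeyError(account_id)
    return acct


def get_account_checked(session_user, account_id):
    """The fix: look the record up, then verify the session's user owns it.
    'Missing' and 'not yours' get the same response, so the id space can't be
    mapped by telling the two apart."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not access account {account_id}")
    return acct


class EnumerationMonitor:
    """Detection side: flags a session that requests many distinct object ids
    within its lifetime, whether or not those requests succeeded."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def record(self, session_user, account_id):
        self.seen[session_user].add(account_id)
        return len(self.seen[session_user]) >= self.threshold


def replay_requests(session_user, ids, lookup, monitor=None):
    """Replay a sequence of requests against one of the handlers.
    Returns (account ids actually returned to the caller, whether the monitor flagged it)."""
    obtained = []
    flagged = False
    for aid in ids:
        if monitor is not None and monitor.record(session_user, aid):
            flagged = True
        try:
            obtained.append(lookup(session_user, aid).account_id)
        except (KeyError, Forbidden):
            pass
    return obtained, flagged


if __name__ == "__main__":
    ids = range(1000, 1006)
    print("unchecked:", replay_requests("bob", ids, get_account_unchecked))
    print("checked:  ", replay_requests("bob", ids, get_account_checked, EnumerationMonitor(5)))
```

With the unchecked handler, a session logged in as `bob` walking the id range gets every account back; with the ownership check it only gets its own, and the monitor flags the session after five distinct ids regardless of which handler served it. The threshold is a constructed number; a real deployment would tune it to normal per-session behaviour.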
There are many other examples of LulzSec hacking various other organisations, with the latest round of them all being games development companies. This has drawn the ire of many gamers, which just spurred them on to attack even more game and related media outlets just so they could watch the reaction. Whilst it’s kind of hard to take the “if you ignore them they’ll go away” line when they’re unleashing a DDoS or downloading your users’ data, the attention that’s been lavished on them by the press and butthurt gamers alike is exactly what they’re after, and yes I do get the irony of mentioning that :P. Still, had they not been catapulted to Internet stardom so quickly I can’t imagine that they would continue being as brash as they are now, although there is the possibility they might have started out doing even more malicious attacks in order to get attention.
Realistically though, the companies that are getting compromised by rudimentary URL and SQL injection attacks only have themselves to blame, since these are the most basic security issues, they have well known solutions and they shouldn’t pose a risk to them. Nintendo showed that they could withstand an attack without any disruption or loss of sensitive data, and LulzSec was quick to post the security hole and then move on to more lulzy pastures. The DDoSing of others is a bit more troublesome to deal with; however, there are many services (some of them even free) that are designed to mitigate the impact of such an incident. So whilst LulzSec might be a right pain in the backside for many companies and consumers alike, their impact would be greatly softened by a strengthening of security at the most rudimentary level and perhaps giving them just a little less attention when they do manage to break through.
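The “well known solution” for the SQL injection half of that sentence is the parameterised query. As an added illustration (mine, not code from any of the companies mentioned), the pair of functions below runs the same lookup against an in-memory SQLite table, once by pasting the username into the SQL text and once by passing it as a bound parameter. The table contents and the inputs are constructed for the example.

```python
"""Added example: string-built SQL versus a parameterised query, on a
constructed in-memory SQLite table. Not the code of any real site."""
import sqlite3


def make_db():
    """Constructed sample table: two users, one with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("o'brien", "hash-b")],
    )
    return conn


def find_user_unsafe(conn, username):
    """The flawed pattern: user input is spliced into the SQL text, so a quote
    in the input changes the statement's structure."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """The fix: the statement is fixed and the value travels separately as a
    bound parameter, so it is only ever compared, never parsed."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def unsafe_query_breaks(conn, username):
    """True if the string-built query fails to even parse for this input
    (the stray-quote failure a legitimate user with an apostrophe hits)."""
    try:
        find_user_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    for name in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(name), "safe ->", find_user_safe(conn, name),
              "| unsafe breaks:", unsafe_query_breaks(conn, name))
```

The contrast worth noticing is that the parameterised version is not just safer, it is also the only one that handles an ordinary name like `o'brien` correctly; the string-built version fails on that input and returns the whole table on the classic tautology input, which is exactly the “rudimentary” hole the post is talking about.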
It really was only a matter of time until the collective hive mind of Anonymous got whipped up into a fury over the latest censorship news in Australia. What with our strange stance on certain female bodily functions and minimum restrictions on their bust sizes, to even being so bold as to ask the almighty Google themselves to censor YouTube (and comparing us to China in the process; seriously Conroy, are you that bonkers?). The media is already in a tizzy over all these issues, but of course the stand-alone complex that is Anonymous will take any opportunity to strike at the heart of the beast, and they did so with Operation Titstorm yesterday morning:
Several Australian government websites were slowly recovering Wednesday hours after the online prankster group Anonymous unleashed a massive distributed denial-of-service attack to protest the country’s evolution toward internet censorship.
The group, which previously brought down Scientology’s websites has also undertaken a host of other online pranks. It dubbed the new attack “Operation Titstorm” to protest the government’s move to require the filtering of pornography that uses adult actors if they appear underage. Violent material targeting children is also to be censored.
“No government should have the right to refuse its citizens access to information solely because they perceive it to be unwanted,” the e-mail said. “The Australian government will learn that one does not mess with our porn. No one messes with our access to perfectly legal (or illegal) content for any reason.”
It was just over 5 months ago that Anonymous launched their first attack against the government, and to be honest my opinions on the attacks haven’t changed. Whilst this certainly has accomplished the goal of getting more attention on the issue, using such nefarious means is both childish and damaging to the people who are fighting the cause through legitimate channels. Luckily many of the media outlets only go so far as to say the attackers called themselves Anonymous and list their various pranks. Heaven help us if a real journalist did some investigation and made the connection back to 4chan and all the inaccurate connections that implies.
What did surprise me though was the reaction at my workplace, which spurred a quite intelligent discussion about the matter. Don’t get me wrong, we’re all quite tech savvy, but the reaction amongst the general populace when it comes to talking about the Internet filter in Australia is usually one of either misinformation or complete disdain. When the proposal was first introduced I spent a good hour explaining to the in-laws how damaging it would be. With 2 of them being members of the Australian Federal Police force it was even harder, as they have had to deal with the real world implications of what the filter would attempt to stop. To their credit though, once the facts were laid out to them (I think the tipping point was how easy it was to circumvent) they did come around and are now at least questioning what benefit the filter will provide.
The sad thing is that an attack like this generated more press in a day than most of the No Clean Feed campaigns have done in their entire lifetime. I still believe that the grass roots approach is the best legal method of garnering attention, but when a collective hive mind can flood a couple of servers and in doing so the newspapers as well, it makes you look at all the effort put into these legitimate campaigns with a twinge of frustration. Sure, our initial volleys certainly did damage to the proposal (by all means it was meant to be implemented now), but few of us made waves comparable to that of Operation Titstorm.
I can’t condone these attacks, yet I feel that I can’t condemn them either. The more publicity the Internet Filter gets the more likely it is to go down in flames; however, every one of these attacks is yet another rhetorical weapon to use in the fight to get it implemented. Only time will tell whether the end justified the means in this case, and I hope our fight won’t suffer because of it.
That won’t stop me from giggling at the name though 🙂