Transparency-Seeking 'Hacktivists' Prompt Tight-Lipped Response


Every day, it seems, we're bombarded by things we need to fear: terrorism, economic Armageddon, swine flu, etc. With a full plate of peril perpetually besetting our routines, perhaps it's understandable that most of us don't think much about our sensitive data's vulnerability to a cyber attack.

Until now.

The recent rash of hacktivism -- hackers cyber-attacking everything from government web sites to Fortune 500 companies, in order to make a statement, or in some cases, simply to prove they can -- has made it impossible to ignore the holes in our national IT security infrastructure. Recent efforts by various white hat (benevolent), black hat (nefarious) and gray hat (both) hackers show that nearly everything, from financial data to company emails, is in danger of becoming public.

One result of these cyber attacks, ironically, is a move away from transparency, security experts say, as companies and government agencies fear a controversial statement or unpopular stance on a particular issue -- or even the disclosure of a previous attack -- will make them a target in the future.

"They are changing things; companies are much more hesitant about information they post or information they make public," said Michael Gregg, COO of Superior Solutions, and an ethical hacker that consults for Fortune 500s and the U.S. government. "You'll see some companies that are hesitant to post certain newsworthy announcements because they're worried they'll get blowback."

Gregg likens the current situation to the post-9/11 era. He said prior to 9/11, companies would post information about outages and links to their disaster plans right on their websites, but they've stopped doing that in fear that it makes them more vulnerable.

This is the exact opposite of what some of the hackers claim to want. Free-Internet evangelists like hacking group Anonymous extol the virtue of transparency, often citing it as their end-goal. Last May, the group claimed responsibility for the denial-of-service attacks that brought down Visa (NYSE:V), Mastercard (NYSE:MA) and PayPal's web sites, after the credit processors announced they would stop accepting donations to WikiLeaks in an effort to defund Julian Assange's pet project.

Likewise, in the past couple of months the now-defunct Lulz Security pointed out gaping holes in security at corporations like Sony (NYSE:SNE), PBS, the CIA, the Senate and the Arizona Department of Public Safety. And there are still unknown hackers; no one took credit for the attack on Sega or for military contractors Lockheed Martin (NYSE:LMT) and Northrop Grumman (NYSE:NOC), who were both hacked after RSA Security was compromised last March and the company's SecurID tokens linked the breaches. The attacks have prompted swift action to beef up IT security, and in some cases, to hamper disclosure.

"Definitely, there is more a sense of keeping things closer to the vest," said Dave Jevans, Founder of IronKey Inc., a global data security firm. Jevans said that the reluctance of some companies to disclose an attack is another problem for security experts.

"Disclosure is a bit of a double-edged sword, but disclosure is good because it forces companies to be more secure, even though it can make them more of a target," he said, recalling the hacking of Citigroup (NYSE:C) a couple of weeks ago.

The attack reportedly occurred three weeks prior to when the bank disclosed it to its credit card account holders, and the delay was said to be due to the two-week internal investigation the company conducted. Yet companies like Citigroup are often reluctant to go public, for fear other hackers will capitalize on the firm's vulnerability.

The recent string of hacker antics is coming from a myriad of fragmented spin-off groups, and many are launched simply to outdo or attack other groups for bragging rights. Anonymous is said to have evolved out of the Internet message board 4Chan. LulzSec, reportedly a spin-off of Anonymous, announced Monday it would disband, after a couple of months of hacking "for the lulz," or laughter, a play on the acronym LOL. LulzSec rival The Jester is said to hack other hacking groups and terrorists. British newspaper The Guardian reported last week The Jester had disclosed the identity of one of LulzSec's leaders, while another hacker, Oneiroi, took credit for attacking LulzSec's web site.

"You now have all these actors in this space that aren't predictable," said Hugh Thompson, RSA Conference Program Chair, and an adjunct professor at Columbia University. "That's the one thing about cyber crime -- you generally know what they're after and you know how they're going to go after it, but with these guys, you're not sure what they're after or who they're after, and you're not sure what they will do with what they get."

Security firms are busier than ever, helping corporations and government agencies protect their data, says Thompson, but they themselves are often subject to attack, as in the case of the attack on RSA. While there is no silver bullet to fix this problem, data security firms say they are helping to educate corporate and government employees about how their systems are often breached, since employees are often the weakest link in the security chain.

In discussing a sample hack he performed to help alert employees to possible dangers, Gregg said he was able to break into a client's system by gaining access to the company's men's room and placing CDs labeled "Spring Break Photos 2010" in all of the stalls. All five discs contained a file the security company had planted, and all five files were launched on employee computers, meaning the hack was successful in pointing out vulnerability.

"The whole purpose of training awareness is that if you find something and you don't know what it is, you turn it in to security," said Gregg.

On the corporate side, fewer companies feel comfortable making their positions known on certain unattractive issues, said Levan, and they are fighting back by buying Internet search terms and monitoring Google search activity to see if the company has become a target.

"We're seeing companies taking out ads on Google that would be search terms like 'security settings on a network' and then they can track in Google AdWords how many people are searching for that and ideally you want to see zero, but when people start targeting your employees, you can start seeing that if in one week 20 to 30 people are searching that term, you know you're under attack," Levan said.

Although LulzSec's reign of "lulz" has come to an end, there are plenty of others plotting their next cyber-prank, hack, or attack. No one is expecting a break from the hackers anytime soon, but in the interim, Thompson thinks more transparency and information sharing between companies that have been attacked is the best way to learn and prevent future breaches.

"A lot of companies have been attacked over the last few months and I think a lot can be gained from those folks talking to their peers and really looking for battle-tested strategies," Thompson said.