In the midst of the holiday shopping rush of 2013, Target, the nation’s second-largest discount retail store, acknowledged that hackers had obtained customers’ personal information. According to initial reports, approximately 40 million customers had their credit and debit card numbers stolen.
Target responded by offering discounts on in-store purchases and encouraging customers to monitor their bank statements and credit scores. Those in the Internet security industry shook their heads.
“There’s more you can do beyond that,” said Erik Barnett, a global information security professional. “I think it speaks to a higher situation, a higher issue that has played out in the consumer industry. Because of this old-thinking mentality that security was something we didn’t really need, it has now become the most problematic issue in the world.”
In the weeks following the breaking news, the number of those impacted by the breach grew to as high as 110 million. As the U.S. Department of Justice, the Secret Service, and a third-party forensics team investigated, it was revealed that the stolen information was obtained through a point-of-sale (POS) malware program that had reportedly been installed within Target cash registers, recording information and uploading names, mailing addresses, phone numbers and emails to remote servers. Ultimately, it was learned that encrypted debit card PIN information was likely stolen as well.
“Technology and the speed in which we’ve integrated it into our homes, into our lives, has been so fast and so fierce, that security is never one of those things that we think about that we need to have,” said Barnett. He explains that all aspects of the consumer industry struggle with security. For example, when a smartphone application is prepared, the developer must prepare security to address not only today’s threats, but also attacks five years from now.
As news continued to buzz around Target, a leading security service provider reported that another popular retailer was proliferating online malware to its customers, opening the door for similar data breaches for consumers.
Solutionary announced Amazon.com’s proud cloud service played host to malware. Reports stated that, of the top ten websites plagued by malware, Amazon hosted four. Solutionary is a wholly owned subsidiary of NTT Group and a leading pure-play managed security services provider (MSSP) focused on delivering managed security services and global threat intelligence.
“You should be worried about the Internet,” said Barnett. “You should proceed cautiously, because in and of itself the Internet is the Wild Wild West – the World Wild Wild West. I say that, because there is no international law that is applicable to the Internet.”
Cyber hacking is far from the hijinks and mishaps captured by Matthew Broderick’s portrayal of David Lightman, a teen-aged slacker/computer genius in the movie WarGames. That was 30 years ago. The “personal computer” was still a mere marketing phrase coined by Steve Jobs as he pushed his Apple computers to a public who still could not figure out why an office machine needed to be in the home. After all, the most exotic of selling points for a computer in 1983 was how quickly it processed spreadsheets. The Internet was still a black void. The Internet protocol suite (TCP/IP) was first standardized a year before, making it possible to create a world-wide network of interconnected networks; but it was still unrecognizable by today’s standards.
Today, every facet of life – mail, finances, business, education, pornography – is commingled on smartphones that access the Internet through radio waves. Televisions are “smart” as they record viewing habits, kids in Hoboken Skype on their tablets with grandma in Palo Alto, and meals are shared through smartphones via Instagram. A bad day is defined by whether or not your Dunkin’ Donuts has Wi-Fi, or if your wireless modem decides to quit.
So, imagine what trouble David would get into today.
Likely, David would be a constant visitor of community boards, most specifically 4chan.org. More than likely, he would be a contributor to “slash B”, a board within the site that has few rules and plenty of material to entertain or offend. Pictures are posted without attribution, and the community within has cultivated a collaborative culture. Some pranks, such as re-routing YouTube viewers to Rick Astley videos, have been hatched here. The very nature of this community made it the birthplace of the hacking group known as Anonymous, or Anon.
Anonymous (used as a mass noun) is a loosely associated international network of activists and hacktivists. A website associated with the group describes it as “an internet gathering” with “a very loose and decentralized command structure that operates on ideas rather than directives.”
— Definition in Wikipedia.org
Today’s version of David is likely to be wearing a black tee-shirt with the face of Guy Fawkes, as originally illustrated by David Lloyd in the 1982 graphic novel “V for Vendetta” (later released as a movie by Warner Bros. in 2005). Since the release of the Warner Bros. movie, the face of Guy Fawkes has been used universally as a sign of revolution against any given establishment. However, the “V” persona itself has most specifically been adopted by the Anonymous group as another means to hide one’s identity. In the years following its establishment, roughly ten years ago, Anonymous (or Anon) has disrupted business for a long list of organizations, companies and governmental departments that includes Scientology, PayPal, SONY, and the Recording Industry Association of America.
Anonymous attacked its foes by means of a distributed denial-of-service (DDoS) attack. This generally involves overloading a victim’s network with enough requests to reset or completely shut down the service. Technically, such an attack is not hacking, as it doesn’t involve breaching the victim’s computer network. Instead, it’s akin to the old “I Love Lucy” skit, where Lucy and Ethel struggle with the rush of chocolate on the conveyor belt.
Anonymous drew strength from numbers, and in time, appeared omnipresent. Fawkes masks even appeared throughout the Occupy Wall Street movement in September 2011. Anon was not responsible for the organized protest, but statements were released indicating the group endorsed the protests. Although Anon is known more for work done over the Internet, the Occupy movement looked similar to the group’s protests against Scientology in 2008. Once the group became a household name, its actions became a polarizing topic for debate – Anon was either a modern-day group of Robin Hoods, or it was simply a group of hoods up to no good. Ultimately, the “group without a head” started to split between those with political and moral agendas, and those who wished to cause mayhem just for entertainment.
Anonymous’ strength was, and remains, the sheer number of those involved. From the outside, looking in, it appears that anyone could be among the group. No leader. No real target to combat against. But, as the proverb about chains goes, the more links a chain has, the greater the likelihood of it being compromised. In December 2010, a single hacker tested that chain by infiltrating the group only to become one of its most formidable foes.
Anon’s weapon of choice, its prized possession, was its Low Orbit Ion Cannon (LOIC) DDoS toolkit. As observed in a BBC documentary on Anonymous, the LOIC enabled a user to type in the address of a target and fire at will. With a coordinated effort, to continue to use the “I Love Lucy” analogy, the chocolate on the conveyor belt would flood over and force a shutdown.
In December 2010, a hacker advertised a replacement for the LOIC, boasting better performance with continued anonymity. According to a report authored by Maj. TJ O’Connor for the SANS Institute, the replacement program was effective, but it also contained a backdoor that enabled its creator to remove the anonymity feature, and expose its user to the victim. The tool was used, and several members of Anonymous were revealed to authorities. The creation of the tool was later credited to The Jester.
Unlike Anonymous, The Jester reportedly acts alone. He’s a self-promoted “patriot hacktivist.” (The avatar on his Twitter account (@th3j35t3r) is of Marvel Comics’ Captain America, with the face of a court jester superimposed.) The running list of victims from his five-year campaign lays out a clear agenda that supports his claim – several jihadist websites, then-Iranian President Mahmoud Ahmadinejad, and Wikileaks. He also has continued his attack against Anonymous after the group announced its support for Edward Snowden, the man responsible for releasing more than 200,000 classified documents detailing the United States’ NSA mass-surveillance program. The focus of his attacks can likely be explained by his reported military background. By