Hacktivism draws attention, but little action
Another hacktivist group struck this week for yet another "good cause."
Parastoo, which broke into a server of the International Atomic Energy Agency (IAEA) and leaked the email addresses of 167 experts working with the agency, declared that its goal was to expose "beyond-harmful operations" at Israel's Negev Nuclear Research Center.
In a statement posted on Pastebin, the group demanded that those experts petition the IAEA to investigate the Negev site, and threatened to expose the locations and other personal and professional information of those experts if they don't.
The group sought to show that its motives were noble. "We are reassuring IAEA that their critical information is safe with us, as we are brothers." But it said its brotherly connection did not extend to any "Western-flavored elements."
Self-styled 'good guys'
This latest break-in is yet another example of hacktivists viewing themselves as the good guys. They have regularly described themselves as freedom fighters who strike blows in behalf of the common people against the evils of corporations and governments.
But security experts say the reality is that while they can make life miserable in some cases for their targets, they generally have little more long-term impact than other, more traditional, activist movements like the Tea Party or Occupy Wall Street (which did have a major online element). Hacktivists gain a measure of short-term publicity and influence, but are now essentially irrelevant.
Michael Murray, managing partner of MAD Security and also of the Hacker Academy, said the targets of attacks "hardly ever" comply with the demands or threats of hacktivists. "I know of a couple of off-the-record types of deals," he said. "But most often, the target plays along only so long as it takes to either prosecute the hacktivists, usually with the assistance of law enforcement, or to buy time to figure out how to stop the attacks."
Chester Wisniewski, a senior security adviser at Sophos, said online activism can have an effect on public policy. "That's one of the reasons SOPA (Stop Online Piracy Act) got shut down," he said. "But that's not hacking ... That's just making yourself heard.
"When they start breaking the law, no, they don't really change things. How many times did Sony get hacked—49 or so?—and they never changed their minds about anything," Wisniewski said. "Stratfor (an Austin, Texas-based international intelligence broker) is not going to back down from what they do because they got hacked. Most of those types of actions are really misguided."
The IAEA did not respond to multiple requests over two days for comment about how it might respond to the demand. But in a statement to Computerworld, spokesperson Gill Tudor said only that the agency was working to make sure that no further information was vulnerable.
[Slide show: Anonymous and LulzSec—10 greatest hits]
This doesn't mean hacktivism never has any impact. As a Business Insider post on the hacktivist collective Anonymous noted, "Following allegations of vote rigging after the results of the June 2009 Iranian presidential election were announced, declaring Iran's incumbent President Mahmoud Ahmadinejad as the winner, thousands of Iranians participated in demonstrations."
"Anonymous, together with The Pirate Bay and various Iranian hackers, launched an Iranian Green Party Support site called Anonymous Iran. The site has drawn more than 22,000 supporters worldwide and allows for information exchange between the world and Iran, despite attempts by the Iranian government to censor news about the riots on the Internet," the report said.
Wisniewski said one of the quieter impacts of hacktivism is intimidation that may have the beneficial effect of improving security. He said the Sony hacks woke people up. "I must have talked to 100 companies who were saying, 'What's preventing us from being the next Sony? 'We don't want to be on the front page.' That's the real impact I see—but it's good that it has them thinking about security."
Murray adds: "Anonymous did a good job of bringing attention to some of the abuses of the Church of Scientology, but this was as much predicated on their real-world efforts as their online ones."
But, Murray and Wisniewski agree that most of the time, the public does not buy the claim that "hacktivists are not criminals."
"In the mind of the general public, hackers are criminals whether they're trying to be activists or not," Murray said. "One can rob banks and give the money to charity, but it doesn't mean that the public and law enforcement won't consider them bank robbers."
Another thing that tends to undermine general public support for hacktivists is that they frequently acknowledge that their exploits are "for the lulz," which generally means for personal enjoyment, but is also seen as craving attention.
Regardless of its long-term impact, or lack of it, nobody sees hacktivism declining. Murray said that major media coverage of hacktivist exploits, including the arrests and trials of those who are caught will make it more valuable to be a hacktivist. "These people are doing this to bring attention, and the media gives more attention to it as it becomes more prevalent," he said.
Jeremiah Grossman, founder and CTO of WhiteHat Security, said it is important to keep hacktivism in perspective. "Remember, while hacktivists are a concern, they are in no way the most pressing," he said. "Professional hackers, those who are purely in it for the money, or nation state-sponsored hackers, are far more dangerous to us all."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.