Anonymous spying on US government

While the US government has been spying on just about everyone, the hacktivist collective Anonymous has been spying on the US government. You could view that as scary, comforting, or a little of both.

According to a recent Reuters article by Jim Finkle and Joseph Menn, hackers associated with the loosely organized group have been spying on government activity since last December. That's when they exploited what investigators believe was a flaw in Adobe Systems' ColdFusion software--a tool for building complex Web sites. The hackers left back doors in the compromised servers, allowing them to return at later dates.

One can't easily pin down the amorphous group Anonymous. A collective of tech-savvy activists, it's known for hacks and distributed denial-of-service attacks on government and corporate sites. Wikipedia, quoting "A website associated with the group" that it does not identify, describes Anonymous as "a very loose and decentralized command structure that operates on ideas rather than directives." Anonymous members, in public, often wear the Guy Fawkes masks popularized by the movie V for Vendetta.

The FBI is investigating the break-ins and is still trying to determine the extent of the damage. The agency believes that the attacks are ongoing.

According to an FBI memo that has not been publicly released but has been seen by Reuters, the departments compromised include the U.S. Army and the Departments of Energy and Health and Human Services. One internal email, from Energy Secretary Ernest Moniz's chief of staff Kevin Knobloch, reports that the stolen data included personal information on more than 100,000 employees, family members, contractors, and others associated with the Department, and information on thousands of bank accounts.

The bank accounts are very much worth worrying about. Allegedly, Anonymous has only idealistic goals, but there's no guarantee that everyone associated with the organization is entirely honest.

The report also states, in the passive voice associated with bureaucracies, that "It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed."

The recently-discovered attacks might also be connected to another Anonymous campaign, Operation Last Resort. Or it could be retaliation for the heavy sentences handed out to convicted hackers recently, such as Aaron Swartz, who killed himself in January after receiving a 35-year prison sentence.

Investigators believe that this may be the work of the British hacker Lauri Love, or of people associated with him. Love was indicted on October 28 for hacking US government computers. The agencies he allegedly hacked include the Army, the Departments of Energy and of Health and Human Services, and, prophetically, the U.S. Sentencing Commission. The FBI believes that Love is associated with Anonymous.

Does Adobe bear any responsibility for the break-in? A spokeswoman told Reuters that most such attacks are the result of administrators failing to promptly install security patches.

That's a plausible weak link. We should all keep our software up to date to avoid cybercrime, and too many of us fail to do it. Putting anything sensitive in the public cloud is inherently dangerous.

You'd think the government, so adept at gathering information on all of us, would understand that.
