The Lesson of Anonymous: Corporate Security Sucks
Anonymous has run up quite a score against corporations, governments and law enforcement agencies, but for all these warnings corporate executives are turning their heads from the real problem -- their network security is terrible, a panel of experts concluded at Defcon.
The particularly high profile attack against security firm HBGary by the hacker collective earlier this year caught the attention of C-level executives for a few weeks, but then they relaxed, says krypt3ia, a panel member, a security blogger and longtime infosec practitioner.
The executives could have redoubled efforts to better defend their networks, but that's not what's happening. Rather than invest in better security, they're looking to hedge the economic impact if they do get hacked, he says.
"It's no coincidence that hack insurance is up," he says. He said he'd heard at the conference that a major corporation laid off security staff and bought hack insurance instead. He wouldn't name the corporation.
In doing so, executives have taken their eye off the main goal, which is protecting corporate intellectual property. By and large the Anonymous hacks and attacks have not scored valuable business intelligence, says Josh Corman, director of security research for Akamai, but it's just a matter of time until they do.
"Your executives are distracted by DDoS attacks, a new noisy thing that distracts us from the actual mission," Corman says.
Meanwhile the panel had a low assessment of Anonymous in whose name many high-profile defacements, data thefts and posting of stolen information have been made.
"Build a better Anonymous," says Jericho, another panel member and security blogger. Stealing documents and posting them all with few or none of them revealing wrongdoing doesn't make a point about whey the victim was attacked in the first place, he says.
"Releasing 250,000 documents is cool, but it hurts the cause," he says. "It's noise."
Krypt3ia says stealing and posting information from random police agencies in response to police in the United Kingdom arresting a teenager purported to be a key member of Anonymous spinoff LulzSec is irresponsible.
He cited the case of data about Phoenix police being posted in protest of the Arizona immigration laws they enforce. "Cops are bound to carry out the laws," he says. Protests about the laws should be aimed at the legislators who create them, he says, but releasing personal information about police and other law-enforcement workers is reckless. "There could be people in danger now," he says.
Corman says that Anonymous was by design decentralized, but that loose structure has enabled just about anyone to carry out attacks and attribute them to Anonymous. In some cases -- like the assistance groups using the name Anonymous gave to support uprisings in the Middle East -- the actions may coincide with what the groups founders intended.
But a change has occurred and now Anonymous attacks have less clear motivations, Corman says. "It's a franchise. Some people took the name and did Arab Spring and used it locally," he says. "Then it was hijacked by smaller groups and now it's become something of a public nuisance."
Krypt3ia gives them less credit. "I think they just wanted to smash things, and if they get caught, we say, 'We believe this ...'" he says. "You want to out people for doing bad things, do it right. ... Stop taking down stuff that's unimportant."
He says Anonymous should do its homework better and use other methods than network attacks and infiltration. "Learn your target," he says. "Know what they're doing. The only real dirt comes from insiders, people in the know who have access to very dirty things."
Read more about wide area network in Network World's Wide Area Network section.