Sunday, 19 June 2011

Hackers, not all hack for the heck of it! Who are the anonymous hackers? Beware of Seduction!





By HARIATI AZIZAN sunday@thestar.com.my

Some do it for fun or fame, others to make a political statement. But a bigger number of hackers are now doing it for money.

THEY brought down the CIA website and attacked Sony, Nintendo and a few tech companies with links to FBI and the US Senate. They wanted to expose the online weaknesses of these entities, “for the Lulz”, they bragged.

But what is grating the American authorities and security experts most about the group who carried out the cyber attacks, Lulz Security, an offshoot of the notorious activist hacker group Anonymous, is that they used basic hacking “tools” available for free online.

One irate network security expert, Paul Ducklin of Sophos, even branded them “a bunch of schoolboys” who did something as intellectually challenging as “boasting in the playground about who's got the hottest imaginary girlfriend”.

 
Beware: A hacker group threatening to attack Malaysian government websites.

“It sounds like sour grapes to me,” laughs a local IT student and part-time hacker who only wants to be known as “W”.

“This is the democratisation power of technology; it is now easy for anyone to start hacking,” he says.

Technological advancement has inadvertently lowered the bar for hacking, concurs Nigel Tan, the Asia-South principal consultant at online security company Symantec Corporation (Malaysia).

“In the past you have to write the programme yourself. Now there are toolkits available online, and you can create your own malware easily using these toolkits,” he says.

Symantec believes that the availability of these kits is likely responsible for the increase of malicious attacks on the Internet.

As its recent Internet Security Threat Report showed, there were more than 286 million new cyber threats last year, compared with 120 million in 2008.

But you don't really need statistics to see how rampant cyber attacks have become.

Since last December, the world has been bombarded by a flurry of hacking incidents, the highest-profiled possibly being the hacking of PayPal, MasterCard, and Visa by Anonymous in support of WikiLeaks' Julian Assange.

In March, the database of marketing group Epsilon was rampaged and millions of email addresses were stolen. In April and May, Sony's PlayStation network was attacked, more than once, exposing some 77 million users' data.

And in the past three weeks, the security of the International Monetary Fund, CitiBank, the Spanish police, Google, the CIA and our own government websites was breached.

While many of the hackers prefer to remain in the dark corners of the Internet, there seems to be an increase of groups like Lulz and Anonymous who want to grab their 15 minutes of fame for their hacking activities.

New breed

In their claim to fame, Lulz went as far as to open up a hotline to get public suggestions for their next target. The hotline number is said to spell out LULZSEC and callers are reportedly greeted by a male voice heavily tinged with a French accent, which then apologetically explains that “Pierre Dubois and Francois Deluxe” are unavailable because they are “up to mischief on the Internet”.

The group is obviously relishing the limelight, publicly taunting the authorities, not even bothering to hide (or purposely exhibiting) their telephone area code.

Despite their pop cultural references (they use the Guy Fawkes masks popularised by the comic book and movie V for Vendetta for their public image), Anonymous is less playful.

The “hacktivist” group's activities are self-proclaimed as acts of political activism. In its attack on the Malaysian government websites, for instance, Anonymous announced that it was a protest against the Government's decision to block a few file-sharing websites, which they claim is an infringement of Malaysians' human rights.

The open stance aside, the real identities of these two groups are difficult to detect, as international security personnel who have been tasked to trace them are discovering.

Anonymous, which has been around for almost a decade, for one, is a loose group made up of an indefinite number of members.

As one admirer was quoted: “If you claim you are a member of Anonymous, then you are a member.”

There is a cautionary tale on the web of how one man, HBGary Federal chief executive officer Aaron Barr declared war on Anonymous, only to find himself at their mercy.

In February, Barr had claimed that he had successfully uncovered the real identity of the group's top honchos and announced that he would expose them. Before he knew it, his website was hacked and his database compromised. Important files were deleted while his phone system was crosswired.

Anonymous also took control of the company's email, leaking confidential business emails and dumping thousands of others. The whole attack cost HBGary Federal million-dollar losses and Barr retracted his claims.

As Anonymous announced later, the company was taken down by five of its members, which included a 16-year-old girl, another slap in Barr's already burning face.

A young Malaysian hacker who only wants to be known as Ahmad shares that many of his peers look up to Anonymous not only because of their political activism but also their technical prowess.

Says the IT student, “It is now easy to hack into different systems, but it is not easy to cover your tracks. Anonymous is master at it.”

Ahmad, however, concedes that he finds it strange that Anonymous has targeted Malaysia. “Sure, they have clearly stated their intentions, but I am still trying to wrap my mind around what it has to do with them. Why is Malaysia important to them?”

W believes that the web may be the final frontier for activism, as promoted by Anonymous and the growing breed of hacktivists. “In the last few years, the Internet has been a useful tool for activists to get their message out and to mobilise supporters. Maybe now it is time to carry out their activism campaign in cyberspace itself.”

When asked if he had taken part in the recent Anonymous-initiated cyber attack on Malaysian government websites, Ahmad profusely denies any involvement, but he admits that he and his friend have hacked into other websites before.

“We like to challenge each other, as a test of our IT skills. Many of us do it for fun, just to see if we can get in. We don't steal the data or do any other harm. We have also hacked for ‘classroom lessons’ after being assigned tasks of hacking into a few websites to learn about cybersecurity,” he reveals.

Many young hackers, he says, do it to get noticed by security firms.

“It is still a new area and there are not many ‘professional’ hackers, those who work with security firms to hack into their systems after they install it to ensure that the systems are really secure. Then there are companies who hire hackers to test the security of new programmes. Our hacking activities are like our auditions or resumes,” he shares.

Symantec's Tan, however, warns that while these so-called harmless “fun hacking” and hacktivism activities appear to be growing, a bigger number of hackers are doing it for money, lots of it.

“I believe that in the last few years, there was a major shift in hacking: those who are doing it for fame or fun have decreased. Now hackers are doing it for money. It is big business. Those who are making a big noise are the minorities; more prevalent are those who are involved in the underground economy activities. They are more quiet and targeted in their attacks and would rather keep below the radar so that they can continue their work longer,” he cautions.



Who do the anonymous hackers represent?

THE STAR SAYS

THE flap over the hacker attack of the Malaysian Government's portal has come and gone as swiftly as the click of a mouse.

However, the scale of the problem and the magnitude of the issues around it remain considerable.

To avoid unnecessary confusion, it is important to spell out the issues at stake before dwelling on the justness or otherwise of any particular motive.

In this specific instance, the hackers in the collective international identity of Anonymous had targeted the official websites of a sovereign nation.

Since it was not an attack on a political party or individual personalities but on an entire country's online representation, the hackers are culpable of anything from vandalism to subversion.

The attack was also not against any sinister policy of the Government but rather against its obligated move to block file-sharing websites that allow unlawful downloading of films and music.

Thus Anonymous is merely a group of selfish persons seeking to benefit personally from the work of professional artistes at the latter's expense.

Their motivation was therefore neither just nor defensible.

They are an accessory to illegal and unethical activities, if not also guilty of those activities themselves.

The fact that Malaysia became the first country in the region to block file-sharing websites does not detract from the rights and wrongs of the issues.

A country such as Malaysia has been besieged by various parties clamouring for better enforcement of laws against copyright piracy.

Whatever the record of such enforcement on the street, the clampdown on illegal file-sharing websites is certainly a plus, especially when most infringements these days are being committed this way.

At the same time, for a government to resist Internet censorship despite the temptations is definitely commendable.

Attempts to liken Anonymous to Wikileaks are also grossly misplaced.

Wikileaks did not try to deface or destroy websites or to steal official secrets, but only to relay information of public interest to the public domain against the wishes of governments claiming to work for the public.

If hackers had any righteous values or morals, they would have applied their skills to attack websites spewing race hatred and child pornography, among others.

The fact that they do not, and that they have had to remain anonymous, speaks volumes about their lack of scruples.

Seduction on the web

LIKE the spider luring the fly into his web, hackers are “seducing” their victims and luring them to their websites.

A major way for cybercriminals to obtain confidential data is by creating fake websites to host malicious software (malware) or to trick you into providing this information (phishing), says Nigel Tan, the Asia-South principal consultant at online security company Symantec Corporation (Malaysia).

Symantec's study shows that spikes in hacking and phishing occur during major events in the world, like the recent British Royal Wedding or the tsunami tragedy in Japan.


Hackers take advantage of these events to get people to click on links to their fake websites so that they can steal people's confidential information.

“It is human nature to get the latest update of an important global event or to see pictures of a tragedy. Hackers exploit this by sending emails with links for pictures or stories on the event or tragedy,” he says.

“When someone clicks on the link, they will be taken to the fake website where their confidentiality will be compromised or their computer may be affected.”

However, it remains a challenge to determine whether a website is genuine or fake, other than the obvious spelling and grammatical errors (many fake websites are rush jobs) or shoddy infrastructure and programming.

Worse, sometimes you can go to a trusted website which has links to websites or advertising that may not be genuine and contain malware or phishing mechanisms.


Sometimes, all you have to do is to click the link and you will be taken to a website that will affect your computer.

“We call this ‘drive-by download’,” says Tan.

Password

Password is another easy prey for cyber criminals. With many websites out there now requiring users to register, most people are resorting to using personal information like date of birth or address as their password. Worse, people are increasingly using the same password for everything.

“It is understandable that people will not remember if they use different passwords, but the danger of using the same password for everything is that once a website or your email is compromised by a hacker, they will have access to everything else.”

Fortunately, it is not too difficult to strengthen your password, says Tan, advising people to use at least eight letters in a combination of capital letters, small letters, numbers and symbols.

If you use the same password, you can have variations on it by adding different letters or numbers or symbols, the significance of which should only be understood by you.

“Another effective safeguard is to segmentise your passwords by having one set of password for communication, another set for websites and another for banking and shopping online,” he elaborates.

Technology has also enabled hacking activities to be more targeted, so like those living in big houses in affluent areas who are targeted by burglars, those with bigger bank accounts or higher profiles, for instance, will be more susceptible to cyber attacks and need to be more vigilant on the Net.

Botnet alert

Another growing threat is hackers using our identity or computer to launch an attack.

Citing the recent gov.my hacking as an example, Tan says that while an individual may not be a direct focus target of most hackers, they may be a part of the attack without realising it.

The more common modus operandi is for hackers to use our personal information to get access to their target website. A method that is growing rampant is to control our computer to do their dirty work.

Explains Tan: “Now, hackers do not create malware to crash the computer, they want it to be alive. What they do is to plant malware called botnets (which are like sleeper spies) that will stay quietly in the background in your computer until they are activated by the Master to hack into official websites or to send spam emails that will phish information or crash a website.”

For example, if a hacker wants to spam people, they will just activate the malware they have planted in the different computers around the world and something like a pyramid scheme will be at work (the number of spams spread exponentially).

“The computer owner may not be doing anything but his or her computer will be hard at work. This trend is growing, especially now with broadband; so many people are connected 24 hours a day, even when they are asleep,” says Tan.

It is thus vital that people ensure that their computers are well-protected.

“One thing to remember is that although it is getting easier for cyber criminals and hackers to attack us, it is also getting easier for us to protect ourselves. The problem is that people just don't do it,” he notes, adding that it is also important to ensure that your software and programmes are up-to-date as older computers with outdated software are the most prone to attacks.

Ultimately, he stresses, it boils down to common sense.

“Typically, you won't walk into a dark alley or you won't give a stranger your IC number, so you should not do the same on the Net,” says Tan.
