Days after the FBI arrested a number of alleged members of the hacking group Anonymous, the hackers struck again. They claim to have stolen a gigabyte of information from the North Atlantic Treaty Organization.
The group alerted the world to its latest activities via a series of tweets, including one with a link to a PDF file as evidence it had the stolen information.
It is difficult to ascertain why the group, which apparently banded with the hacker organization LulzSec to carry out this particular job, chose NATO as its target.
The two groups issued a statement saying the takedown earlier this week was “meaningless to us as you cannot arrest an idea.”
NATO did not immediately respond to TechNewsWorld’s request to comment for this story.
Why Ask Why?
Questioning the hackers’ motives is almost irrelevant, said Hugh Thompson, RSA Conference program committee chairman.
“It is impossible to predict their goals or targets,” he told TechNewsWorld. “Unlike cybercriminals who go after the money — targets like banks or people’s financial information — dealing with idealist groups is a different risk position altogether.”
It is not something the Internet security community ever planned for, he acknowledged. “We didn’t factor in groups like these, especially in the vertical sectors.”
War for Public Opinion
There is a certain method to the hacktivists’ madness, Don DeBolt, director of threat research for Total Defense, told TechNewsWorld.
“They are looking to move public opinion in their favor, and they believe that releasing confidential data is the route to that end.”
Highly Classified vs. Low Level
What’s particularly worrisome is that the hackers were able to break into NATO’s system in the first place — although it appears that the information taken is in the low-level restricted category.
Indeed, that is what people should be focusing on now, said Noa Bar Yosseff, a security strategist with Imperva.
“Today it could be Anonymous — tomorrow it can be some sole individual from France,” he told TechNewsWorld.
The point is, if NATO had put the necessary controls in place, “these types of attacks may have been blocked — or at the very least, given the attacker an extra layer of complexity to work around,” he explained.
If the purloined material was indeed low level, it could well have been snatched via an SQL injection, DeBolt said, as SQL injections are among the most prolific exploits.
It probably was something basic like that, agreed Nimmy Reichenberg, vice president of marketing at AlgoSec.
“Both SQL injection and cross-site scripting (XSS) are among the 10 most common Web vulnerabilities, yet we continue to see them exploited,” he told TechNewsWorld. “Not to blame the victim, but organizations need to open their eyes to the very real threat in front of them and do much more to secure sensitive data. It is unlikely that Anonymous could breach a more sophisticated security system with the controls in place to prevent common attack vectors.”
If a government agency — or company, for that matter — has sensitive data it doesn’t want hacked, it simply cannot be hosted in a database that is directly connected to the Internet, Total Defense’s DeBolt pointed out.
Of course, that would pose a problem for companies and entities that want to deliver data to their user base — essentially, just about every organization.
“Data is highly distributed with many different users and many different devices having access,” DeBolt said. “This presents significant challenges to all organizations, including NATO.”
A Wake-up Call?
This incident needs to be a wake-up call for all government agencies, said Prem Iyer, head of the information security practice at Iron Bow Technologies.
“I don’t think we can assume that all agencies have a similar approach to security,” he told TechNewsWorld. “But we need to make sure that each agency understands its security posture and fortifies it in a proactive manner to get in front of these types of attacks.”
Good luck with that, said Oliver Lavery, director of security research and development at nCircle.
“Let’s face it — government agencies aren’t known for moving especially quickly at anything,” he told TechNewsWorld. “Computer security, on the other hand, changes at the pace of days and weeks. Governments and large organizations are simply ill-equipped and maladapted to deal with this rapidly evolving security threat landscape.”