.NET Zone is brought to you in partnership with:

Troy Hunt is a Software Architect and Microsoft MVP for Developer Security. He blogs regularly about security principles in software development at troyhunt.com and is the author of the OWASP Top 10 for .NET developers series and free eBook of the same name. Troy is also the creator of the recently released Automated Security Analyser for ASP.NET Websites at asafaweb.com. Troy is a DZone MVB and is not an employee of DZone and has posted 58 posts at DZone. You can read more from them at their website. View Full User Profile

Hacktivism is dead. Long live opportunism!

11.11.2012
| 4397 views |
  • submit to reddit

So November 5th was last week and as promised, the global anonymous tirade has descended. The victims so far are both numerous and diverse; PayPal, ImageShack, Lady Gaga (I’m told this outage is a bad thing), Saturday Night Live and so on and so forth.

Down here in Australia where our clock ticks over before most of the rest of the world, the November 5 shenanigans have started a little earlier. What that means is we’ve got a whole lot of sites looking like this right now:

Hacked by Anonymous

These sites include Ascension Australia (a body, mind and spirit festival down in Melbourne), Semcorp (a local web development company) and the Quality Lifestyle Alliance who, well, I might let Kath Crosby sum this one up:

//qla.org.au/  Hacked by Anonymous for Nov 5th

Keep in mind that the roots of this loosely knit collectively we call Anonymous were founded on the hacktivist creed of the using computers as a means of protest to promote political ends. So the question is this: What protest are they making by taking down a hippie festival, a small web development company with poor security and an NGO helping people with disabilities? What cause is this supporting?

The answer is very easy and it’s simply this: Nothing. Nada. Zilch. This is no more about supporting a cause than when LulzSec hacked 26,000 accounts out of pron.com last year (yes, that site is what it looks like so exercise caution!) Which brings me neatly to the point of this post: It’s not about hacktivism any more, it’s about exploiting low-hanging fruit or in other words, opportunism.

The decline of hacktivism

“Back in the day”, there were attacks that were based on some form of political or social motivation. Not that far back either – take Anonymous’ attack on Visa and Mastercard, for example. Rightly or wrongly, these guys had stopped processing donations to WikiLeaks so they got DDoS’d. But it doesn’t matter whether it was right or wrong because in this context there was a cause and there was direct action related to the cause and that’s the point.

It was a similar deal with HB Gary last year. Anonymous created a very unpleasant environment for Aaron Barr in retaliation for what appeared to be some big-noting on his behalf regarding unmasking those behind the group. Unfortunately Aaron wasn’t really up to speed on some fundamental security practices (such as password reuse) and things didn’t turn out real well for him. Again, the rights and wrongs of this aren’t the point, the point is that there was motivation – there was a cause behind the attack.

The other thing is that in cases like the credit card companies and HB Gary, they knew they were a target. They had to expect something and indeed the hacktivist collectives normally do a pretty good job of announcing intentions beforehand.

But more recently it all seems to have gone a little downhill. Here’s a good example: a couple of months back there was lots of excitement because hacktivists had “hacked the FBI” and gotten hold of a whole swag of Apple device IDs. The usual pastebin post was released and in lieu of any evidence to the contrary, it seemed they’d pulled off a bit of a coup.

Except they hadn’t. In reality, a much smaller number of device IDs had been pulled from an app developer who was a bit lax with their security. It’s still a breach – no doubt – but there’s no longer a hacktivist motive, it’s just a random smash and grab coupled with completely misleading public announcements. Where’s the political motivation? Where’s the cause?

It’s a similar deal with groups like UGNazi. Attacking UFC for their support of SOPA can be rationalised in so far as there’s motive – political motive – behind the action. But then a little bit later they’ve descended into grabbing and publishing half a million accounts out of WHMCS. Where’s the motive? What’s the cause it’s supporting?

You can start to understand a little bit more about these questions once you look at the demographic of who’s actually behind the mask. Turns out they’re not too frightening after all.

Behind the hacktivist mask

What we’ve got to keep in mind is that behind that now ubiquitous Guy Fawkes mask that has become synonymous with hacktivism (not just through Anonymous) is an entirely less intimidating face – and it normally has a healthy dose of acne. They’re faces like Ryan Cleary’s:

Ryan Cleary

Ryan had barely hit adult years when he achieved infamy via his exploits with LulzSec. He got up to a whole bunch of pranks with cohort Jake Davis (among others):

Jake Davis

Jake had also barely hit adulthood which is pretty unfortunate for them both as the consequent legal proceedings against them weren’t as tolerant as if they’d been caught just a little bit earlier when they were legally still children. Same with the press coverage – once you hit 18, your face and your name are all over the papers. But hey – look on the bright side – at least when you’re that age you’ve got your mum to support you:

Ryan Cleary and mother Jake Davis and mother

Look at those maternal faces – they are so grounded!

The point I’m making is that these guys are all very young; they almost certainly had very little awareness of either the seriousness of their exploits or the ultimate consequences of their actions. Subsequent arrests (and frequently, custodial sentences), have also been for young blokes with the elder statesmen reaching into their 20s.

There’s an absolutely fantastic book by Parmy Olson titled We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency where she paints a very interesting picture of Jake in particular. The impression you get is not one of an anarchist, rather a quiet guy who generally seems rather polite, albeit a little socially dysfunctional. It always strikes me that these guys sitting at a keyboard is a bit like some people within the confines of their cars; it turns otherwise perfectly normal individuals into psychopaths.

But what I found most interesting and what I think gives real insight into events like today is the emergence of many of these folks from sites like 4chan. Parmy paints a picture of virtual mob rule where almost nothing is off limits. An online Lord of the Flies, if you like. The community these guys inhabit (and it’s not just on 4chan) seems to be one totally desensitised to social norms, one where one-upmanship often involves seeing how far they can humiliate or gross out anyone they come across. If there’s a motive, it seems to be nothing more than street cred or lulz.

This creed seems to translate neatly to the attacks we’re seeing lately. Whilst the groups may have been founded on the basis of a greater cause (or could at least attribute various attacks to that motive), it seems to have descended into nothing more than random ram raids. If anything, that’s a whole lot more worrying than true hacktivism because motive goes right out the window; everyone becomes a target.

Random hacks aren’t personal (and don’t expect to be exempt)

It’s easy to get caught up in the furore that erupts after an event like this:

//www.youtube.com/watch?v=6lLs2dC9NaE … srs chin up sweet #dontbemad

Of course responses like that just make it crystal clear that these attacks don’t touch the perpetrators in any way other than to provide further opportunity to antagonise the victims. But again, going back to the culture Parmy describes it all sort of makes sense in a very macabre sort of way.

Likewise, the structure of the response above is equal parts childlike and taunting. Is this the response of an individual genuinely concerned about impacting political change? Or is it someone taking pleasure in watching the discomfort of others?

The thing this should remind us of is that when attacks are random, there can’t be any illusions that your particular internet presence doesn’t pose a target to guys like this. You got a web address? Yep? You’re a target. End of story.

They are Anonymous. Expect them.

Published at DZone with permission of Troy Hunt, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)