Prepare for the Next Round of Hacktivism

Distributed denial of service (DDoS) attacks against websites have been around for about a decade. But as Fast Company wrote last week, Operation Payback, the pro-WikiLeaks attacks that hit Visa, MasterCard, and PayPal this week, was different from a run-of-the-mill DDoS. It marked the first time that attacks of this scale were carried out for political, rather than criminal, reasons. Think of them as digital versions of the WTO protests.

And, along with other kinds of persistent hacking, they are probably not going to go away. Protesters have found a new tool, and they are likely to use it to express their displeasure about other issues in the future. To find out what that means for companies, Fast Company asked cyber security experts why activists are suddenly using DDoS attacks and what companies should do to protect themselves.

Why hacktivism now?

  • Social networks are turbo-charging hacktivism

A major difference between Operation Payback and a run-of-the-mill criminal hit was the number of volunteers involved. Denial of service attacks are not particularly complicated to pull off technologically, but you do need a large number of computers all firing at the same time. Criminal attackers use botnets of computers they have infected without the owners' consent. Last week's attacks instead relied on volunteers who knowingly offered up their own machines to take part. Social networks like Twitter made it possible to coordinate tens of thousands of people around the world, pointing them to discussions about the attacks and telling them which site to target.
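The distinguishing feature described above, many volunteer machines hitting one site at the same moment, is also what a defender sees in the logs. The following is an added example, not code from the article or from any of the companies quoted in it: a small rate-based flood detector run over constructed web-server log lines. It slices an access log into fixed windows, flags windows whose request rate exceeds a threshold, and records how many distinct source addresses took part, so a flood from hundreds of volunteer clients is reported differently from one misbehaving client. The log format (Apache/nginx "combined"), the thresholds, and every log line are assumptions made for the illustration.

```python
"""Added example (not part of the Fast Company article): a rate-based
flood detector for web-server access logs.

Assumptions: Apache/nginx "combined" log lines, 10-second windows, an
alert threshold of 50 requests/second, and "distributed" meaning at
least 20 distinct source addresses in the flagged window. All of these
are illustrative choices, not values from the article."""

from collections import defaultdict
from datetime import datetime, timezone
import re

# client IP, timestamp in [..], request line in "..", then 3-digit status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, _status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), req


def detect_floods(lines, window_seconds=10, rate_threshold=50, min_sources=20):
    """Bucket requests into fixed windows and flag those at or above
    rate_threshold requests/second. Each alert carries the window start,
    the rate, the number of distinct source IPs, and whether the flood
    looks distributed (many sources) rather than single-source."""
    windows = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of dying on log garbage
        ip, when, _req = parsed
        bucket = int(when.timestamp()) // window_seconds * window_seconds
        windows[bucket].append(ip)

    alerts = []
    for bucket in sorted(windows):
        ips = windows[bucket]
        rate = len(ips) / window_seconds
        if rate >= rate_threshold:
            sources = len(set(ips))
            alerts.append({
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "rate": rate,
                "sources": sources,
                "distributed": sources >= min_sources,
            })
    return alerts


def make_sample_log():
    """Constructed log lines (not real traffic): a quiet window, then a
    flood spread over 200 addresses, then a flood from a single address."""
    def line(ip, second, path):
        ts = f"10/Dec/2010:14:00:{second:02d} +0000"
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = []
    # seconds 0-9: ordinary browsing, 20 requests from 5 clients
    for i in range(20):
        lines.append(line(f"203.0.113.{i % 5 + 1}", i % 10, "/index.html"))
    # seconds 10-19: 600 requests from 200 distinct (volunteer-style) sources
    for i in range(600):
        lines.append(line(f"198.51.100.{i % 200 + 1}", 10 + i % 10, "/"))
    # seconds 20-29: 600 requests from one source
    for i in range(600):
        lines.append(line("192.0.2.7", 20 + i % 10, "/"))
    lines.append("not a log line; exercises the malformed-line path")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        kind = "distributed" if alert["distributed"] else "single-source"
        print(f'{alert["window_start"]}: {alert["rate"]:.0f} req/s '
              f'from {alert["sources"]} sources ({kind})')
```

On the constructed input the detector reports two flagged windows with the same request rate but very different source counts, which is the practical distinction between a volunteer flood and one noisy client. In production the thresholds would be set from a baseline of normal traffic, and the source count is only a hint, since a botnet also shows many sources.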

  • Online sites are increasingly attractive targets

The more companies do business online, the more disruptive a DDoS attack can be. Like the WTO protestors, the hacktivists behind Operation Payback were mainly gunning for attention, and attention they got. As more and more companies put more of their operations online, the Internet becomes an increasingly attractive place to conduct a protest. “Standing outside holding placards does not get the attention it once did,” said Gunter Ollman, vice president of research at cyber security company Damballa. “Taking down important websites and denying access to legitimate business use of those sites gets a lot more attention.”

  • Hacktivists are getting smarter

According to Noa Bar Yosef, senior security strategist at Imperva, professional criminal hacking is a $1.3 trillion industry. Though it lives in the shadows, the people who work within it have enormously sophisticated processes for breaking into other people’s systems, sometimes bringing sites down, sometimes stealing data. And now hacktivists are learning from them. “[Hacktivism] is not a new phenomenon,” Bar Yosef told Fast Company. “What’s new is that they’re learning from industrialized crime. They’re learning to use the same processes and same operations.”

How companies can protect themselves

  • Don’t bother with PR

Since this week's attacks were ideologically motivated, we wondered whether there was something PayPal and company could have done proactively to defuse the rage directed at them. Could they have done a better job of explaining why they were cutting WikiLeaks loose, for example, or taken other steps to position themselves as the good guys?

Not likely, says Adam Powers, the CTO of Lancope, a DDoS analytics firm. “That kind of pre-emptive messaging works for the mature community,” he said. But most experts believe this week’s hacktivism was conducted, for the most part, by young men in their teens and early 20s, like the 16-year-old arrested in the Netherlands. “Those guys are a lot less likely to even care what those companies have to say about their policy decisions,” Powers said. “Deep down, they’re just concerned about the notoriety.”

  • If you’re a small company, rely on your ISP

Small and medium-sized companies are about as likely to be targeted by hacktivists as a mom-and-pop coffee shop was to be targeted by the WTO protesters the way Starbucks was. The protesters' digital counterparts will likewise go after high-profile companies whose outages will garner the media attention they are seeking.

Still, experts say, smaller companies should take a second look at their ISPs. “For smaller organizations, their defenses and protection lie with being hosted in large service providers that can handle these types of attacks,” said Ollman.

  • If you’re a large company, view Operation Payback as a wake-up call

The experts Fast Company spoke with all agreed that large companies need to make sure they are taking the necessary steps to protect themselves against attacks. There is no magic in that, they said: the methods for securing servers and data are well known.

But as with flossing, not everyone invests the time and resources in doing the things we know we should be doing. Perhaps now, though, they will. “This was a wake-up call for companies that they need to start taking security into consideration,” Bar Yosef said.


Follow E.B. Boyd on Twitter.


4 Comments

  • Peter Ludlow

    "Operation Payback, the pro-WikiLeaks attacks which hit Visa, MasterCard, and PayPal this week were different than your run-of-the-mill DDoS’s. This marked the first time that attacks of this scale were made for political--rather than criminal--reasons."

    This is so utterly ignorant I thought there was a negation missing. Large scale DDoS attacks and website defacements have been around for two decades. Here are 10 examples:

  • Prokofy Neva

    What has to change isn't so much technology or procedure as mentality. Companies need to start by eliminating the nihilist and amoral hacker culture within their own ranks of coders. They have to reexamine wikitarianism and sharing data unaccountably. These cultural tics and habits within their own ranks made the U.S. government vulnerable and makes every other company vulnerable.

    It's start with a basic premise that unlike Lessig's tenet, code is not law; law is law. Code and coders have to be subject to the rule of law in the organic world, and the rule of law in companies, or they don't have jobs.

    The DDOS attack has to be repudiated as a form of "civil disobedience" without consequences -- a point of view sweeping through hacker circles now as somehow legitimate. It's not. The hack has to be defined not by perpetrators, motivated to minimize it, or the tribe of geeks, motivated to downplay it, but the victims -- the public and companies and individuals subjected to business and personal loss.

    Every single company attacked now needs to be going to the Huffington Post and asking them why on earth they are hiring as an advisor to their company the very man who runs which is the site used to coordinate many of these attacks. Everyone needs to be demanding accountability from Christopher Poole or "Moot" of for what his site is doing, and stop seeing it as a cool new idea generator.

    You also have to stop believing the hype perpetrated by the Anonymous agitprop and your own geeks within your own ranks who are the secret sympathizers that somehow all of this is cool and fun and not serious.

    While you're all welcome to spend time battening down your MySQL from injections and bolstering yourselves from LOIC or whatever it is you think works, nothing can replace a sober assessment of the culture of your own IT people. Are they for you or against you?

    Businesses that rely on servers -- and who doesn't these days? -- need to be part of a community that bolsters ethical coders. Just as we have societies like "Business for Social Responsibility" we need "Programmers for Social Responsibility" which includes professional condemnation of the DDOS as a "form of free speech or civil disobedience". You need to be actively promoting the ethics of coders, not waiting for snivelling 16 year old "hacktivists" to grow up and come work for you and sabotage your business.



  • Penny Haywood

    "Don't bother with PR" ?
    Well, it may not stop the attacks initially but it may help to shorten them.
    The best result of sustained PR is to deliver well and do enough good, and communicate that well enough, to take you under the attack radar in the first place.
    But if an attack happens, good communications lays the foundation for counter-action, alongside the security effort, of course.
    Communicating well during a crisis helps to keep people alongside, or get them back when it's over. Plus, it may build enough sympathy to make persisting with attacks seem pretty pointless after the first rush of indignation that prompted the attack wears off.