Distributed denial of service attacks against websites have been around for about a decade. But as Fast Company wrote last week, Operation Payback, the pro-WikiLeaks attacks which hit Visa, MasterCard, and PayPal this week were different than your run-of-the-mill DDoS’s. This marked the first time that attacks of this scale were made for political–rather than criminal–reasons. Think of them as digital versions of the WTO protests.
And along with other types of persistent hacks, they’re probably not going to go away, either. Protestors have found a new tool, and they’re likely to use it to express their displeasure about other issues in the future. To find out what that means for companies, Fast Company reached out to cyber security experts to ask them why activists are suddenly using DDoS’s and what companies should do to protect themselves.
Why hacktivism now?
- Social networks are turbo-charging hacktivism
A major difference between Operation Payback and your run-of-the-mill criminal hit was the number of volunteers involved. Denial of service attacks aren’t particularly complicated to pull off, technologically, but you do need a large number of computers to all fire at the same time. Traditional hackers use computers they’ve infected without the owners’ consent. Last week’s attacks involved volunteers, who knowingly served up their machines to participate in the attacks. Social networks like Twitter made it possible to coordinate tens of thousands of people around the world, pointing them to discussions about the attacks and letting them know which site to target.
- Online sites are increasingly attractive targets
The more companies do business online, the more disruptive a DDoS attack can be. Like the WTO protestors, the hacktivists behind Operation Payback were mainly gunning for attention, and attention they got. As more and more companies put more of their operations online, the Internet becomes an increasingly attractive place to conduct a protest. “Standing outside holding placards does not get the attention it once did,” said Gunter Ollman, vice president of research at cyber security company Damballa. “Taking down important websites and denying access to legitimate business use of those sites gets a lot more attention.”
- Hacktivists are getting smarter
According to Noa Bar Yosef, senior security strategist at Imperva, professional criminal hacking is a $1.3 trillion industry. Though it lives in the shadows, the people who work within it have enormously sophisticated processes for breaking into other people’s systems, sometimes bringing sites down, sometimes stealing data. And now hacktivists are learning from them. “[Hacktivism] is not a new phenomenon,” Bar Yosef told Fast Company. “What’s new is that they’re learning from industrialized crime. They’re learning to use the same processes and same operations.”
How companies can protect themselves
- Don’t bother with PR
Since this week’s attacks were ideologically motivated, we wondered whether there was something PayPal and company could have done proactively to diffuse the rage toward them. Could they have done a better job of explaining why they were cutting WikiLeaks loose, for example, or taken other similar steps to position themselves as good guys?
Not likely, says Adam Powers, the CTO of Lancope, a DDoS analytics firm. “That kind of pre-emptive messaging works for the mature community,” he said. But most experts believe this week’s hacktivism was conducted, for the most part, by young men in their teens and early 20s, like the 16-year-old arrested in the Netherlands. “Those guys are a lot less likely to even care what those companies have to say about their policy decisions,” Powers said. “Deep down, they’re just concerned about the notoriety.”
- If you’re a small company, rely on your ISP
The probability that small- or medium-sized companies will become targets for hacktivists is as unlikely as the probability that the WTO protestors would have targeted a mom-and-pop coffee shop the same way they did Starbucks. Those protestors’ digital counterparts will similarly target high-profile companies whose outages will garner the media attention they’re seeking.
Still, experts say, smaller companies should take a second look at their ISPs. “For smaller organizations, their defenses and protection lie with being hosted in large service providers that can handle these types of attacks,” said Ollman.
- If you’re a large company, view Operation Payback as a wake-up call
The experts Fast Company spoke with all agreed that large companies need to make sure they’re taking all the necessary steps to protect themselves against attacks. There’s no magic in that, they said. The methods for securing one’s servers and data are well known.
But as with flossing, not everyone invests the time and resources in doing the things we know we should be doing. Perhaps now, though, they will. “This was a wake-up call for companies that they need to start taking security into consideration,” Bar Yosef said.