As CISPA Hits Congress, Cybersecurity Company Hypes The Fear Of Anonymous
from the fearing-fear-itself dept
Through TNW, we learn of a survey published by threat protection company Bit9 that states an attack by Anonymous is the number one thing IT security professionals fear. Doubtless the release of this survey was timed to coincide with CISPA, the dangerous cybersecurity bill that is being debated in the House this week. It's no surprise that a security provider would want to play up the fear of cyber attack, but I'm reminded of a quote from comedian Dara O'Briain: "Zombies are at an all time low level, but the fear of zombies could be incredibly high. It doesn't mean we have to have government policies to deal with the fear of zombies."
Apart from the fact that the fear of something is pretty meaningless (except to those who sell security, and those who want to pass bad laws), the details of the survey make it clear that this is entirely a matter of the hype around Anonymous:
61% believe that their organizations could suffer an attack by Anonymous, or other hacktivist groups.
Despite the utter sense of fear that Anonymous has created over the years, 62% were more worried about the actual method of attack, with malware accounting for the most cause for concern at 48%.
Only 11% of the respondents were concerned about one of Anonymous’ actual methods of attack – DDoS, while fears over SQL injections dipped to a measly 4%. Phishing was a concern for 17% of the respondents.
So, despite the fact that Anonymous apparently has them shaking in their boots, they know that their real vulnerability is malware—and that's not really Anonymous' game. The fear is manufactured.
What this survey calls attention to, though, is a fact that deserves more attention: under CISPA or a similar law, Anonymous would make a juicy target. Security companies and the government could collude and share data not only to strengthen their networks against attack, which would itself be perfectly reasonable, but also to identify and investigate Anonymous members, notwithstanding any other privacy laws. Regardless of how you feel about Anonymous' tactics, this should concern you: privacy rights and the 4th Amendment exist for a reason, and CISPA would wash them away online. The authors of the bill insist that it targets foreign entities, but it is arguably an even stronger weapon against domestic hacktivism that will inevitably be used and abused.
Filed Under: anonymous, cispa, cybercrime, fear, security
Reader Comments
Re:
I want to see a Nation where neither one of these Parties is in our System at all.
If I had a ton of money I would be thinking of just pulling out to live elsewhere.
Wake me up when the Revolution Comes!
[ link to this | view in chronology ]
Re: Pols
They know EXACTLY what they are doing and they are trying to remove your rights to privacy so they have more control.
IS THAT NOT CLEAR YET?
[ link to this | view in chronology ]
Re: Re: Re:
http://www.youtube.com/watch?v=rnnxFPOKHKU&feature=relmfu
In this, he categorizes the different motivations for attacks well (CHEW - crime, hacktivism, espionage, and war). Surprisingly, he downplays the threat of war by saying it doesn't go on very much. I imagine that apparent change in his thinking is motivated by who he is currently representing. He emphasizes espionage as being the most important concern. Despite the cover photo for the video being the Anonymous-adopted Guy Fawkes mask from "V for Vendetta", Clark doesn't seem too concerned about hacktivism here.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Isn't the idea to turn hacktivism into espionage and criminal acts in the mind of policy makers and the public?
[ link to this | view in chronology ]
Not really true. Anonymous hackers have been known to use JavaScript on sites to secretly use people as DDoS tools. While it's not malware in the sense of taking over your computer fully, it's certainly a step towards using an end user's computer without permission.
It's only a short jump from there to a full-on malware attack. Considering the intelligent leader types from Anonymous are getting arrested or giving it up, we are left with stupid script kiddies who are very much more likely to want to try anything including malware to get the job done.
[ link to this | view in chronology ]
Re:
Most hacks occur from social engineering. No amount of laws are going to make people less stupid or companies more secure.
[ link to this | view in chronology ]
Re:
I suppose even a script kiddie can inject malware into a poorly secured site though my own experience with them says the vast majority of what we call script kiddies have difficulty launching their scripts. Take that and add that just about any good security admin is aware of what scripts are in the wild and guard against them.
What Anonymous has done till now says they're not a collection of script kiddies. Anything but.
Still, nice attempt at fear mongering. NOT.
[ link to this | view in chronology ]
Re:
Anonymous is not a real threat, in terms of security. Stuff like the Zeus botnet, however, is, but you don't see them complaining about that.
This only highlights that their primary fear isn't being hacked. Their primary fear is having their dirt exposed by pimply-faced kids living in their mother's basement that know how to run a script.
[ link to this | view in chronology ]
Re: Re:
- Any estimate under 100M should be laughed out of the room. 200M is plausible. 300M is possible. (Vint Cerf posited 250M five years ago. I think his estimate was high at the time...but it's not high now.)
- They're overwhelmingly, as in well over 99%, running Windows (which we know thanks to passive OS fingerprinting). More recently: MacOS.
- They're everywhere: consumer ISPs, corporations, universities, governments, non-profits, desktops, laptops, portable devices, servers.
- Command/control mechanisms for organizing botnets are getting increasingly sophisticated. They're using various techniques to resist detection and destruction.
- Individual botnets routinely include millions of members and we know some have passed the 10-million mark. Probabilities being what they are, we probably haven't seen the largest botnet.
- They're used for everything: sending spam, DDoS attacks, harvesting email addresses, phishing/spear-phishing, hosting illegal websites, providing DNS for abuser domains...too many things to list here.
- They're for rent. (Of course they are: supply and demand.)
- Every now and then some combination of companies and governments announces that they've busted one, usually with a big press release and a lot of self-congratulation about how this represents progress. It's meaningless. All those systems are still compromised. All those systems are still vulnerable to the same issue that got them compromised. All those systems are now just waiting for the next botmaster to sweep them up...a process which likely started before the triumphant press conference did.
- Anti-virus/anti-malware/anti-whatever aren't much help. (To borrow a line from Marcus Ranum: if they were ever going to work, they would have worked by now.) This is in part because they never were very effective, and in part because botmasters can commission custom malware that will evade the anti-whatever software, and because social engineering/trojan techniques work beautifully.
- Given the sophistication of contemporary botnet operations, it's reasonable to think that we don't see all their members -- that is, that some portion is being held in reserve. It's also possible that one reason we don't see more than we do is that nobody actually needs that much CPU/memory/disk/bandwidth for anything.
This is pretty much the largest (in terms of scale) problem in contemporary security. It's not going to be fixed by legislation, CISPA or otherwise. There already is legislation that covers it, and has been since before botnets existed. I leave it as an exercise to the reader to evaluate how effective that approach has been.
[ link to this | view in chronology ]
Re: Re: Re:
Wait, laws don't stop criminals?
[ link to this | view in chronology ]
Re: Re: Re:
This is not to say that fully updated systems running anti-malware and IDS systems cannot be infected. They can. However, it is more likely that a system that is not updated will be infected. This makes anti-malware software useful in limiting the size of botnets. Otherwise, why isn't everyone's computer part of some botnet? Frankly, I don't know how to convince people to keep their computers updated, but wider adoption of this practice would limit the size of botnets further. In addition, takedowns of botnets like Zeus and Kelihos are a new technique that pushes the balance further toward limiting the spread of botnets.
One thing for sure, as you say, the problem of botnets will not be fixed through legislation and is not a valid argument in support of CISPA.
[ link to this | view in chronology ]
Re:
You don't understand Anonymous, do you?
[ link to this | view in chronology ]
Our Rights Are Already Gone
[ link to this | view in chronology ]
Lately I've been hearing ads on the radio hyping up the fear of terrorism, and why you should report ANYTHING unusual to the police right away, even using as an example "that guy on the bus looks really nervous, let's call the cops, why take the chance".
[ link to this | view in chronology ]
But...?
And protests against laws taking away American rights are downright un-American...
[ link to this | view in chronology ]
Background Checks on Sources
[ link to this | view in chronology ]
Re: Background Checks on Sources
Now that I've read this article I fear an Anonymous Zombie Apocalypse. I think I need a firewall. (as in a series of tubes constantly burning gas forming a fire wall)
[ link to this | view in chronology ]
You mean like SOPA "breaking" the Internet?
[ link to this | view in chronology ]
Re:
The real difference? The protesters pointed people to the source and asked them to verify the allegations. The main drivers of the protests even posted pieces devoted to clearing up the misconceptions in regards to both SOPA/PIPA and ACTA. Bit9 is asking people to trust a survey that doesn't substantiate their claims, and we have yet to see a source that provides a valid foundation for CISPA.
So yeah, point still holds, fear is pretty meaningless.
[ link to this | view in chronology ]
Re: Re:
I don't think it was a mischaracterization to say that SOPA would break the internet. Nobody meant the internet would stop working technically, but rather that DNS would become balkanized and less secure, therefore less trustworthy and less open.
[ link to this | view in chronology ]
Re: Re: Re:
Sure the internet would still work but it would not be the internet we know and love today but without piracy. It would have turned into a crippled shell of what it once was. Even if technologically nothing was hindered, but there would have been plenty of technological issues too.
[ link to this | view in chronology ]
utter sense of fear lol!
Anon's methods have been around for dog's years...I read this as "62% of IT pros believe finger-crossing and chicken sacrifice are more effective than reading dox."
[ link to this | view in chronology ]
Re: utter sense of fear lol!
Which is, of course, idiotic as doing it that way makes the site more vulnerable to attack, not less. But if you hire a low level cert that only teaches how to set up from a GUI I guess you get what you paid for. :-)
[ link to this | view in chronology ]
Re: Re: Re: utter sense of fear lol!
And yes, I prefer that form of chicken sacrifice to having to do it all myself.
Every time I try to do it myself I end up eating wayyyyyyy too many feathers!
[ link to this | view in chronology ]
Re:
Quote from Realist in an alternate reality where Techdirt followed this advice.
[ link to this | view in chronology ]
Re:
The fact that it was predictable is indicative that it is common knowledge that there are those with power looking to quash the rights of those smaller than themselves. It indicates that you are more than likely shilling for them or just too dumb to tell the difference.
[ link to this | view in chronology ]
Speaking as a "cybersecurity" professional...
Its own users.
I've said for years that competent system/network administrators should presume that their users are (variously) stupid, lazy, careless, insane, or actively hostile -- and plan accordingly. (And if the users turn out to be none of these things? Oh happy day. Celebrate with scotch. But go back to presuming this tomorrow.)
Users will reply to spam and download trojans. They will infiltrate malware and exfiltrate data. They will pick extremely poor passwords, re-use them elsewhere and write them down. They will give out sensitive information to the nice man on the phone who says he's from IT. They will bring in their home laptop (the one that hasn't been updated in two years and that the kids use all the time) and plug it into the corporate finance network. They will click on every shiny thing they see. They will send critical email messages to the wrong address (because, surprisingly, not all domains end in .com) and assert that their boilerplate disclaimer complete with unenforceable adhesion makes it all better. They will pass around USB sticks that have thoughtfully been preloaded with keystroke loggers. They will mistakenly send a 4,000-page document to the printer. They will leave that DVD on the airplane and lose their laptop in the hotel. They will use IE despite being furnished with Firefox, Chromium, and Opera. They will forward chain mail fake virus warnings "just in case".
And so on.
If you've been following the history of major network intrusions and serious data loss incidents for the past few decades, you know that nearly all of them have been caused by someone inside the operation involved. Sometimes it's a system or network admin: we screw up too. But if you're betting to win, bet on the users: they seriously outnumber us.
You can't just drop in a product or service like the ones that Bit9 is flogging and address this. It doesn't work that way. You have to design with this in mind, from the first cocktail napkin to the whiteboard to the formal layout. If you try to retrofit it, you guarantee failure.
Nor can you address this with legislation. Doesn't matter who writes it or what's in it, it's all worthless.
Good security doesn't come from products with colorful marketing brochures or from legislation dictated to congresscritters by whoever dropped the most cash into their coffers. Good security comes from smart, paranoid, ruthless, cynical people with an eye for detail and a grasp of The Big Picture. Oh, it's not perfect: we make mistakes all the time. But it's the best we've got.
[ link to this | view in chronology ]
Re: Speaking as a "cybersecurity" professional...
IT can create a fairly secure bubble; good crypto and security practices have been around at least as long as the WWW portion of the internet. In reality though the bubbles are porous; as you point out, IT can only do so much, and trying to legislate against stupidity is a fool's errand.
[ link to this | view in chronology ]
Re: Speaking as a "cybersecurity" professional...
I was part of a security audit at the firm I am now retired from and my ability to guess the passwords of some users that I was only mildly acquainted with was appalling. From the most lowly clerk to the executive floor. Everything from child's name, partner, dog, cat and other various easy to guess names, their own name spelled backwards, "1234567" and on it goes. And the oldie but goodie, "password".
A lot of these people had also responded to phishing and spam from home but had set "reply to" to their work email. Imagine what happened then!
It's not that users are hostile, most of the time, it's that they're lazy. As are the rest of us. Remembering one password is easier than a few dozen. Writing it down is a way of remembering seems "well, doesn't everyone do it?".
No matter how lazy or just plain stupid people are you can't design every eventuality into a security system. Bit9's stuff might be helpful though nothing works as well as educating end users. Even then, they'll be lazy.
It's times like this I grab an old quotation that I love:
"Against stupidity the gods themselves contend in vain."
[ link to this | view in chronology ]
Congressional Logic
Isn't this how the Soviet Union fell apart? Every time a problem arose they just added an additional level of bureaucracy, and took away more of their citizens' rights, until the whole system came crashing down under its own weight, right?
[ link to this | view in chronology ]
Bit9 doesn't support CISPA
From Bit9's web-site and about the survey:
http://www.bit9.com/company/news-release-details.php?id=247
"Despite current plans to implement cyber security legislation, only 7 percent believe that government regulation and law enforcement will best improve security."
and from:
http://blog.bit9.com/bid/81664/CISPA-Does-the-Bill-Protect-Brands-More-Than-Their-Users
"So how do we protect against these types of attacks while still not infringing on the privacy of the typical user? The legislation is very broad, leaving a lot of wiggle room for the government to acquire information outside of the bill's initial intent. Unlike the USA PATRIOT Act, which allows roving domestic wiretaps, CISPA would grant the government unprecedented access to web company user data and trump already passed (and extended) legislation like the USA PATRIOT Act."
"By putting companies in control, the bill claims to protect each user’s privacy by not mandating private or public web companies to fork over their user data. This would leave companies like Facebook to choose what to do with the information it knows about you as opposed to the government – a little better, but still disconcerting. Facebook, Microsoft, Oracle, Symantec, Verizon and reportedly Google have come out in support of the legislation – a stark contrast to the public and company protests regarding SOPA and PIPA."
"But most of these brands do not have a great track record of protecting user privacy to begin with. So the fact that they embrace support for this bill is a far cry from an authoritative endorsement of user privacy protection. The bill may be an "opt-in" legislative measure, but who is to say that both parties (the government and corresponding companies) can't both mutually benefit from the sharing of private information? This may now give companies the ability to barter private information with the government in exchange for corporate influence."
I would say this shows that Bit9 does not support CISPA. It does show that you often need to look past a single blog's summary of an event or publication, particularly if you are going to make a presumption, about Bit9 and CISPA here, that the blog does not make.
[ link to this | view in chronology ]
Re: Bit9 doesn't support CISPA
Though, I would note that I never claimed they did - in fact I was careful not to because I wasn't sure about that fact. But whether they support CISPA or not, drumming up fear of cyber attack still seems like their game here. In any case I find it hard to believe that the timing was coincidental - it is probably, as you say, an attempt to ride the wave of coverage and publicity.
[ link to this | view in chronology ]
Results NOTHING but the removal of basic fundamental rights.. as it's easier to do!! US gets stifled and the rest of the world develops and drives on ahead. Thus leaving the US behind.. The Land of The Free --- Yeah sure !!
[ link to this | view in chronology ]
Bit9 should've just said
[ link to this | view in chronology ]
On the other hand, ripping away the illusion that they are competent would just add fuel to the fire that cybergeddon is on the horizon when the "best and brightest" can not withstand Anonymous.
In the meantime I'd settle for Clark's email accounts being hacked and dumped online with a full dissection of how it was done. When your spokesperson saying we need more cannot even keep himself secure, one needs to question why we are listening to him.
[ link to this | view in chronology ]
CISPA Is Fascism—Disguised In Cyber Security Legislation
The U.S. Justice Department can use CISPA spying to circumvent the Fourth Amendment, (no warrant searches) of Web Server Records; a Citizen’s Internet Activity, personal transmitted emails; fax and phone calls to issue subpoenas in hopes of finding evidence or to prosecute Citizens for any alleged crime or violation. If CISPA is passed it is problematic federal, state and local law enforcement agencies and private government contractors will want access to prior Bush II NSA and other government illegally obtained electronic records not limited to Americans’ Internet activity; private emails, fax and phone calls to secure evidence to arrest Americans, to civilly forfeit their homes, businesses and other assets under Title 18 USC and other laws. Of obvious concern, what happens to fair justice in America if police become dependent on “Asset Forfeiture” to help pay their salaries and budget operating costs?
The passed “Civil Asset Forfeiture Reform Act of 2000” (effectively eliminated) the “five year statute of limitations” for Government Civil Asset Forfeiture: the statute now runs five years (from the date) police allege they “learned” an asset became subject to forfeiture. If CISPA is passed allowing (no warrant) electronic government surveillance of Americans, it should be expected CISPA will be used by government not just to thwart cyber threats but to prosecute Americans for any alleged crime; expect government/police will relentlessly sift through Citizen and businesses’ (government retained Internet data), emails and phone communications to discover possible crimes or civil violations. A corrupt despot U.S. Government Administration may too easily use (no-warrant-seized emails, Internet data and phone call information) to blackmail political opposition, U.S. Citizens, corporations and others in the same manner Hitler used Nazi passed no-warrant police state search and seizure laws to selectively target Citizens for arrest, to extort support for the Nazi fascist government, including strong-arming parliament to pass Hitler’s 1933 Discriminatory Decrees that suspended the Constitutional Freedoms of German Citizens.
A Nazi Government threat of “Property Seizure” Asset Forfeiture of an individual or corporation’s assets generally was sufficient to ensure Nazi support. History shows how that turned out…
[ link to this | view in chronology ]