Monday, January 02, 2012

Chinese hacks and Anonymous hacking: Lessons of the end game when nothing is 100% secure

I read about the hacking of the California State Law Enforcement Association or CSLEA website by Anonymous "for fun and m4yh3m!"just after reading about the latest round of hacking of Chinese websites. Nota Bene: I am NOT saying Anonymous hacked the Chinese websites; I'm NOT talking abut Chinese hacking of U.S. websites; and I'm NOT writing as an employee of any organization.

Cartoon depicting hacking in China Daily
What I am saying is that a new age of understanding may be dawning for those who seek to exploit unauthorized system access. For example, if the Chinese government has been turning a blind eye to hacking in China in the hopes of harnessing those hacking skills for state purposes--which is what some commentators have alleged--then the hacking of Chinese commercial entities by Chinese hackers seeking justice or attention (or both) should be raising serious doubts in government circles.

Here's the sort of thing that happens when you don't enforce strict laws against unauthorized system access and rules requiring protection of personal data:
The website of China Mengniu Dairy Co Ltd was hacked on Wednesday night after the country's biggest dairy operator admitted some of its milk products contained a cancer-causing substance, Chinese media reported. (Reuters)
Or this: 
The Qihoo 360 Technology, an anti-virus company that claimed to offer free Internet security services to more than 300 million netizens, issued a red alert on Dec 22, saying that the databases of many websites were hacked recently, causing the leakage of more than 50 million Internet users' registered accounts and codes. (China Daily)
Of course, such things can happen even when you have strong laws and regulations in place, but laws tend to be obeyed in proportion to the degree to which they are enforced and the severity of punishment suffered by those judged to have broken them. The FBI and other U.S. authorities indicted scores of people for cybercrimes in 2011 and dozens are in jail awaiting trial. If the Chinese government begins to feel public pressure to clamp down on illegal hacking within China to a similar degree, that may prompt reassessment of its stance towards Chinese nationals who hack public and private entities outside China.

Putting Internet scam artists behind bars strikes me as a noble undertaking in any country and the law enforcement folks who do this for a living deserve our thanks. Anyone who disapproves of some actions taken by some law enforcement agencies would be wise to show they understand that not all law enforcement is worthy of contempt. There's a good sci-fi story to be written about a 911 system that filters calls for help based on comments you have made about law enforcement on social networks. (How about a mandatory 10 minute response time penalty for people who habitually refer to law enforcement officers as scum?)

As for hacking law enforcement agencies and security companies, here's something to consider: One of the first things you learn when you study information system security is that no information system is 100 percent secure. Not even the proverbial "box buried in the ground" with no power or connectivity is safe (because if someone digs it up I'm betting we can get the data off the hard drive if there was ever any written to it). Ergo, any use of any computer system anywhere involves risks to the data on the system. Connection = exposure.
Can you hack my system? Can I hack your system? Can entity Y hack system X? The answer is always Yes! The only variable is the means required.
When you study human behavior as a relationship between ends and scarce means that have alternative uses you realize the reason that most IT systems and websites are not hacked is because doing so would require too many means or have too few uses. Your home wireless network protected with WPA is less likely to be hacked than the WiFi belonging to the small business on the next block that employs WEP. The data on that network is likely to have more uses, and hacking WEP requires less means than hacking WPA. Of course, if you personally happen to be a high value target, that equation changes.

And you do need to be savvy about the quantification of means and uses. Several decades ago we learned that teenagers with time on their hands can have, in the aggregate, greater means than a large software company (if said teenagers apply that time to try every possible way to break a piece of software). We also learned that defacing a website is "useful" to some people, for some meaning of useful (think 1996 CIA website hack used to send a message to the Swedish prosecutor Bo Skarinder). In other words, the uses of unauthorized access extend well beyond theft of data, IP, personal credentials, etc.

Exposing the security weaknesses of a system you have hacked is a use of unauthorized access that might, one could argue, have redeeming virtues (in some cases it amounts to a free penetration test for the victim). However, there are diminishing returns to this type of hactivity. The main reason most systems fail penetration tests is not the stupidity of the system's operators, but the reality of scarce resources. And that goes 10X for non-commercial entities. Try securing a state or local government system on a shrinking budget that caps salaries for technical skills well below market rates. That's a real hacking challenge.

Here is another great hacking challenge: Explain to the owner of a system whose security you have breached how they can maintain the profitability of their operation while improving security to a level you deem appropriate. I am not suggesting that anyone engage in attempting illegal system access, I'm just making the point that just because you can break into a system does not mean the owner of that system, or the people whose data are stored on the system, are worthy of scorn and public exposure.

So when we see personal data pertaining to law officers or the clients of companies in the security space shared for any random scam artist to abuse, it is natural to wonder: Where's the fun in that? And if the point is mayhem (m4yh3m) one has to wonder what the end game is. In China they are now learning valuable lessons about the value of good information security. They are also learning about the need to respect other people's data privacy. We wish them well and trust our fellow citizens will provide examples of that kind of respect.

No comments: