Tuesday, October 19, 2010

Week 6: Ethics and Law in New Media

October 18-24

Topic 11: From Hacktivism to Cyberwar

Find and blog about an illustrative case of hacktivism.


What is hacktivism?

If hacking as "illegally breaking into computers" is assumed, then hacktivism could be defined as "the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends". These tools include web site defacements, redirects, denial-of-service (DoS) attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development. It is often understood as the writing of code to promote political ideology - promoting expressive politics, free speech, human rights, or information ethics. Hacktivism is a controversial term, and can often be misconstrued as cyberterrorism. What separates hacktivism from cyberterrorism is a distinctly political or social cause behind the "haction".

TheHacktivist.com: What is hacktivism?

An illustrative case of hacktivism on the almighty Echelon

Hacktivists attempted to disrupt Echelon (the international electronic communications surveillance network we learnt about in a previous lecture) by holding "Jam Echelon Day" (JED) on October 21, 1999. On the day, hacktivists attached large keyword lists to many messages, taking advantage of listservers and newsgroups to spread their keywords further. The idea was to give the Echelon computers so many "hits" that they overloaded. It is not known whether JED was successful in actually jamming Echelon, although NSA computers were reported to have crashed "inexplicably" in early March, 2000. A second Jam Echelon Day (JEDII) was held in October 2000; however, the idea never regained its initial popularity. JED was partly a denial-of-service attack and partly agitprop.

Some recent hactions of hacktivism

On August 1, 2009, the Melbourne International Film Festival was forced to shut down its website after DDoS attacks by Chinese vigilantes, in response to Rebiya Kadeer's planned guest appearance, the screening of a film about her which was deemed "anti-China" by Chinese state media, and strong sentiments following the July 2009 Ürümqi riots. The hackers booked out all film sessions on its website, and replaced festival information with the Chinese flag and anti-Kadeer slogans.

On February 10, 2010, Anonymous DDoS-attacked Australian government websites in protest against the Australian government's attempt to filter the Internet.

On July 23, 2010, the European Climate Exchange's website was targeted by hacktivists operating under the name of decocidio #ϴ. The website showed a spoof homepage for around 22 hours in an effort to promote the contention that carbon trading is a false solution to the climate crisis.

Topic 12: Social Engineering in Social Networks

Blog about a good case of social engineering. Formulate some measures which can reduce the effectiveness of social engineering attempts.


What is social engineering?

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

The best way to obtain information in a social engineering attack is just to be friendly

One morning, a stranger walked into a Swiss bank and walked out later having access to the entire corporate network. How was it done? By obtaining small amounts of information, bit by bit, from a number of different employees. First, he did research about the company for two days before even attempting to set foot on the premises. For example, he learned key employees' names by calling HR. Next, at the front door he pretended to service the company's Lexmark printers, and the front desk allowed him to access the building. When entering the third-floor secured area, he had "lost" his identity badge, smiled, and a friendly employee opened the door. Once at the Lexmark printer, he placed a wireless access point on the local network. This left the internal network accessible from the street, where some more criminals were waiting to gain access to it. From there, they used common network hacking tools to elevate privileges and to gain super-user access on critical systems.

E-mail can also be used for more direct means of gaining access to a system. For instance, mail attachments sent from a seemingly authentic sender can carry viruses, worms and Trojan horses. A good example of this is the AOL hack. In that case, the attacker called AOL's tech support and spoke with the support person for an hour. During the conversation, the attacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the attacker sent an e-mail attachment with a picture of the car. Instead of a car photo, the mail executed an exploit that created a backdoor connection out from AOL through the firewall. This allowed the attacker to remotely control the victim.

Education is the only defense against social engineering attacks. Employees need to be educated about what social engineering is and what to do if they are in certain situations.

Creating and maintaining a security-aware culture

Social engineering attacks are personal. Hackers understand that employees are often the weakest link in a security system - they are susceptible to trickery, and their varied responses can give attackers many opportunities for success. One of the greatest dangers of social engineering is that the attacks need not work against everyone. A single successful victim can provide enough information to trigger an attack that will affect an entire organization. Creating a security-aware culture requires the commitment of the executive staff, the involvement of all employees, and effective security policies and procedures for everyone tied to the organization, including vendors and partners.

Top-down security culture. Executive commitment is vital to a security-aware culture. When security awareness is emphasized by the top levels of management, employees are more likely to view security as a business enabler instead of a hindrance to productivity. An executive staff that takes the initiative to be informed and involved in security issues, rather than off-loading responsibility to a security team, will encourage a security culture that is collaborative, structured, and ingrained throughout the organization's processes and people.

Security-awareness training. Most employees do not cause security problems intentionally. Accessing unsecure websites, deploying unauthorized wireless access points, or falling victim to social-engineering ploys are common employee actions that result in security breaches. The best way to avoid unintentional security problems is to provide all employees with regular security-awareness training. This training must inform employees of new threats and refresh their understanding of how to identify and avoid social-engineering attacks. An annual seminar or occasional memo is not an effective approach; organizations must treat security-awareness training as a normal, enduring aspect of employment.
With proper training, every employee should understand the company's physical security measures, know how to handle and protect confidential data, and be able to recognize and respond appropriately to social-engineering attempts. Employees in higher risk positions for social-engineering attacks, such as help-desk staff and network administrators, may benefit from specialized training. An ongoing risk assessment that tests the resistance of employees to social-engineering attempts and techniques can help assess the validity of the training program and further raise security awareness.
