Open hacking season - on everyone!
There seems to be a groundswell of hacking activity recently. From the Epsilon breach that touched dozens of major U.S. companies and their millions of customers, and RSA replacing its customers' SecurID tokens after attacks on several defense contractors to Sony sites getting pummeled by hackers on a regular basis--all within the last few months.
What's going on?
"I truly don't think there's a higher instance of hacking right now. I think there's been a wave of media coverage," said Bruce Schneier, chief security technology officer of BT and one of the most respected security experts around. "We saw the same thing with shark attacks. It's not that there are more shark attacks. It's that they made the news when people started looking for them."
No one can really say if there are more attacks happening. Reports indicate that the number of breaches is
But it's clear that more attacks are bubbling to the surface lately. And they are various types of attacks, not just the data breaches that expose sensitive consumer personal data and thus trigger state disclosure laws.
RSA
Take, for example, RSA. The company sells SecurID tokens that are used by corporations, government agencies, and any other organization that needs to provide a way for workers to remotely access a sensitive network securely. SecurIDs are the industry standard for two-factor authentication, requiring users to supply a one-time numerical code from the device along with a password to log in.
RSA shocked the security world when it
RSA has been mum on the details of what was stolen, but it did hold private briefings with its most important customers, ostensibly to help them shore up their defenses in light of the breach. Despite that, two defense contractors--Lockheed Martin and L-3 Communications--
Those types of industrial cyber-espionage incidents aren't new, but the successful attack on the security pioneer and technology provider RSA is significant and has broad impact. Companies can move to other solutions, but replacing big security deployments within an organization is not cheap or easy.
Meanwhile, Google
Cyber-espionage is sexy, but attacks on databases containing customer information are more common for the financially motivated cybercriminals who litter the Internet. We've had a fair share of those recently too, notably Epsilon, an e-mail marketing service provider. In April, a breach at Epsilon turned the formerly obscure company into a
In a different type of attack
Public whipping boy
But the headlines of late have the word "Sony" in them. The company has been victimized so frequently and publicly that one of the hacker groups targeting it came up with a new word--"Sownage"--a play on the company's name and "pwnage," which stands for "pure ownage" and refers to taking control of a Web site, or "owning" it.
"Sony has become, for some reason, the public whipping boy" for hackers, Schneier said.
Sony's recent troubles started with a spat over customers hacking its PlayStation 3 device. After the company took some PS3 "modders"--hackers who modify the device for different uses--to court, a loose-knit group of hackers known as Anonymous launched a digital protest and shut down several Sony sites with a distributed denial-of-service (DDoS) attack in
Anonymous has a history of online activism, having targeted the sites of the Church of Scientology, the governments of Egypt and Iran, and the controversial Westboro Baptist Church. But the group really made its mark when it championed the cause of whistleblower site WikiLeaks
Weeks after the DoS attack, an attacker got into Sony's network and
Since then there's been a veritable avalanche of reported attacks on Sony's sites, with Sony Music Indonesia defaced; a phishing site found on a Sony server in Thailand; and records breached on sites in Japan, Greece, Canada, Belgium, the Netherlands, and Russia. About 37,500 customer records from a Sony Pictures site were exposed last week,
"The Sony hacks are nothing but pile-on," said Schneier. "'Let's have more fun at Sony's expense. Ha ha.'"
The Sony attacks have spawned attacks on other targets and copycats, including
LulzSec and other hackers are no doubt taking their cue from the success of Anonymous in its online protests and its new-found high profile. They realize that it's fairly easy to make a splash, particularly with an anti-establishment message. LulzSec has even taken action to show solidarity with WikiLeaks, hacking PBS.org, leaking passwords, and
Hacking revival
While the RSA, Epsilon, and espionage attacks are truly threatening, some people seem to be enjoying the playfulness of the less destructive, more pranksterish attacks against Sony. These hacks of protest harken back to the days of DoS attacks on Yahoo and eBay and numerous Web site defacements in the 1990s, before e-commerce was so prevalent and organized criminals moved online.
"We are seeing a revival of the sort of hacking we have not seen in many years," said Marc Maiffret, chief technology officer at eEye Digital Security. "The hacking that has been taking place recently against Sony and others is a reminder that the hacker culture prior to our fixation on cybercrime and 'China is scary' is still alive and well."
"Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold," Patrick Gray wrote on the Risky.Biz blog. "It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts."
The Web of 2011 offers a more fulfilling playground for hackers than it did in past decades, not just because the number of targets is so much greater, but because the tools of self-expression are more varied and effective. For instance, Twitter offers a perfect platform for publicity, and LulzSec makes use of it, frequently posting information about new hacks, boasts, and threats, as well as solicitations for donations.
"It hasn't been this bad since 2003 when all the worms were hitting, and even then we only had three worms" that targeted Microsoft customers by exploiting holes in Windows, said security researcher Dan Kaminsky. "Now governments are involved, defense contractors are involved, kids with Twitter accounts are involved."
Does this mean the rules of engagement have changed for companies going forward and that they will have to be careful not to anger hackers with a cause?
"I don't think it's necessarily going to change companies' behavior that much," said Chris Wysopal, chief technology officer at Veracode. "But I hope it will serve as a lesson to companies that if you have Sony vulnerabilities you're at a huge risk if someone decides to try to publicly flog you."