Defending Against Hacktivism

‘Hacktivism’ is a term that describes hacking on behalf of ideals. Wikileaks is one example of hacktivism, made famous by their hacking of US government systems. Anonymous is often referred to as a hacktivist organization. This new movement has serious implications for security.

A lot of what I’ve written about in the past has been an explanation of why certain security methods work and why some don’t. Most of that is based on attackers and their motivation – if a target costs more to attack than the payoff, it won’t be attacked. In the case of typical hackers and malware developers, the goal is simply to make your product too “expensive” to hack.

But defending against hacktivist groups is an entirely different game. These are people who aren’t doing this for fun or profit; they’re doing it because they believe it’s the right thing to do. In terms of cost vs. benefit it’s still a matter of raising costs higher than benefits – but hacktivists aren’t interested in financial benefits, only in their cause.

This new motivation is far more powerful than a financial one. In an activist-motivated attack financial gain isn’t a factor, so the cost to the attacker is measured purely in time. (In reality we’ve seen legal repercussions used as a deterrent as well.)

The situation is similar to that of defending against so-called Nation State or Government Funded Malware: attacks like Stuxnet, Duqu, or Flame, all of which originated from the US government. Again, financial gain is not the prime motivator (well, I suppose for the US gov’t it is, but I won’t go into politics).

Dealing with Hacktivist and Nation State malware is just about the same problem: the attacker’s motivation matters less than the fact that you have to defend against everything. It calls for a new level of security, one that software currently does not provide for us. Current policies enforced by operating systems are weak and don’t benefit the user much at all, and the only way to achieve true proactive security today is to use PaX and Grsecurity on Linux, which is difficult for desktop users. Now, desktop users are not always the target, but as we’ve seen with Flame, Duqu, and Stuxnet they’re often caught in the crosshairs or even used to spread the malware.

Providing truly proactive security to desktop users will take entirely new tools and techniques. Maybe in future blog posts I’ll talk about those techniques, though it would take quite a while to explain. For now we have to rely on PaX and Grsecurity, or, if we’re stuck on Windows, on locking down the system with cumbersome policies and various other techniques.

Without an explanation of how to defend, I suppose this post may seem a bit useless. The point I want to draw attention to is that between Nation State and Hacktivist attacks we are going to continue to see a rise in advanced malware designed to attack otherwise secure systems, and our current security is too outdated to deal with it.

About insanitybit

Novice programmer interested in computer security. I'll use this blog when I'm bored to post about things I find interesting in that field.

11 responses to “Defending Against Hacktivism”

  1. perknh says :

    I’m hoping EMET may help with some sort of spontaneous Hacktivist attack. I’m also hoping there may be a quick cloud-based solution from Windows Defender in Windows 8 (or Security Essentials in Windows XP, Vista, or Windows 7) — if MAPS is enabled with advanced membership.

    I would think EMET and MAPS, as well as a secure firewall, would pose a challenge to Hacktivists attacking Windows anyway — I hope!

    • insanitybit says :

      EMET would be the most difficult part of that setup, but on Windows 7 and previous there are universal ASLR bypasses and data leaks. Windows 8 improves things quite a bit but targeted attacks have bypassed IE10 (Vupen did this) which uses all of Windows 8’s new mitigation techniques.

      You can make things difficult to hack but governments and hacktivists have resources and willpower beyond financially based criminals. Hacktivist numbers are massive, in the case of Anonymous, and very skilled in the case of Wikileaks, and there’s certainly overlap. The US government can throw millions at attacks (and they have!) and so can other governments.

      EMET is a great idea for preventing these types of attacks but it’s not enough. The goal of preventing any of these attacks is to make the development of an exploit long enough that you can patch the majority of systems before it spreads too far. There is no security model or mechanism that does this right now.

      • perknh says :

        What you’re saying, if I understand you correctly, is that we need to concentrate on securing all of our primary internet systems, and not leave the unrealistic burden of security only to corporations, smaller firms, or individuals. We need a systematic approach — a national security system — that helps guard the entire nation. “[T]he development of an exploit long enough” is to simply make an attack on us not worth anybody’s while.

        Hopefully we will do all of this while still protecting our personal privacy as we become more and more interconnected on the Web.

      • insanitybit says :

        Well, it’s not necessarily a national security system. My issue with that is that I don’t like or trust the NSA, along with many other government bodies (CIA, FBI).

        I also don’t really like the idea of third party privatized security, but that’s what it’ll likely come to as they’re best equipped.

        I’ll write more about this later – it’s an interesting thing to think about, who’s responsible for security when it comes to these massive scales.

  2. perknh says :

    I know this conversation is moving into the world of politics, or polity, or power — who controls what! One popular minority party, the Green Party, would probably suggest something like the idea of regional solutions to the concerns of our discussion above. (They would apply this principle to everything really — not just the myriad forms of cyber crime.) But this imagined regional security solution would still remain interconnected with the nation at large, and nobody would be left out of any benefits or solutions. All would have equal protection against cyber crime (and have access to health care for that matter), but the variability of regions would necessitate different approaches when addressing these particular concerns. Power would not be concentrated at one locale, in the hands of a few; nor would we be a corporatocracy. This would be a form of social democracy which is environmentally concerned, and regionally based.

    This subject certainly is interesting to think about, and I’m glad to know somebody is discussing it. It’s an important matter.

    • insanitybit says :

      I was one of the few who voted for Jill Stein this election haha so Green Party politics tend to appeal to me.

      The issue is reconciling basic security principles with regulation. On the one hand there is no one better suited to secure systems than the operating system developers (though hardware developers like Intel are also suited to an extent). The operating system designs the security model and implements exploit mitigation techniques. The kernel is the lowest level software can achieve, and is therefore best fit to act as a security broker for the system.

      So MS is the best suited to secure their systems. How do we reconcile this with the current state of desktop insecurity? Clearly we need third party intervention because, while MS has improved, they’re still playing catch-up with PaX and Grsecurity, and they’re too widely distributed to be lagging so far behind. Even outside of mitigation techniques the User/Group security model is broken and outdated.

      So then which third party? Government makes some sense; the NSA has certainly had its hand in Windows before (BitLocker among other projects). But… the NSA also is a completely awful branch of the government that should be cut into a thousandth of its current self.

      Do we turn to third party developers? AV industry etc?

      In my opinion, yes. While AV itself is not suited, I think it will be third party software solutions that end up providing the most benefit towards security. Innovation can’t be held within a single branch of government, or a kernel developer team, or even one whole security company. The innovation that is necessary to “save” users will almost certainly come from the developer community, which has a far wider scope than the government or Microsoft. The culmination of various motivations and strategies and the diversity of opinions about computer security is something that the developer community has to a far greater extent than the government or MS.

      Time will tell. I’m sure that, despite my opinions, the government will continue to attempt to seize control. The NSA has proposed a system similar to EZ-Pass for the internet, a way to label everyone and therefore cause detriment to attackers. This idea is painful to me, as it would be completely ineffective, would increase the way attacks are made, increase black market sales or compromises, and completely trample user privacy if it isn’t handled right (and it’s the NSA so we know it won’t be).

      • perknh says :

        I, too, am a Green — if one can be a Green in a state with only two parties and a huge group of independents which are officially, in New Hampshire, considered to be undeclared.

        In New Hampshire the Green candidates weren’t even on the ballot. In fact, in New Hampshire, it is nearly impossible to get onto the ballot if you belong to a third party. Now, since this was one of seven or so swing states which could have theoretically swung the election one way or the other by means of the electoral college, I chose not to vote for my preferred party, but to vote, instead, for the man I personally admired the most, and who also happens to be the leader of a major political party that I dislike the least!

        That being said, honestly, I don’t see how we can get real cyber security when so much emphasis seems to be aimed right now at the very people it is supposed to be protecting. Was it Pogo who said, “We have met the enemy and he is us”? There seemed to be a vacuum after the cold war ended, and it seems to me the military industrial complex was looking desperately for something to fill that void. Then along came real trouble, and a form of national madness has taken over ever since — a madness I’m hoping will begin to abate. I want both security and privacy. I genuinely believe we can have both. There may never be a perfect balance between these two concerns — privacy and security — but I’m sure this country is capable of doing a lot better than this.

        I’m looking forward to more of your posts on the matter. This matter concerns all of us.

        And again, thank you for bringing up this important subject.

      • insanitybit says :

        I nearly voted for Obama just because of the Supreme Court, they’re all very old… but I live in New York so I was safe voting for whoever I wanted. I went for Jill Stein because, despite her lack of experience, her policies are way better than anyone else’s. I only disagree with her in two major areas, whereas I disagree with Obama quite a bit, Romney a huge amount, and the libertarian party… it changes.

        I think we can have privacy and security. I think the iOS approach of walled garden is flawed in a similar way to where the NSA wants to take security. Restricting users has never led to security, it’s led to the opposite. The focus should be on enabling users, and restricting everything else.

  3. perknh says :

    There’s a new political party now called the Justice Party that is very much aligned with Green Party political thought. Here’s the link to it on the unlikely chance that you have not heard of it: http://www.justicepartyusa.org/. I’m not too crazy about its name, but its platform is good, although not well developed.

    I am so frustrated that every citizen of voting age in this country did not have equal opportunity to have all the same presidential candidates on the ballot last November. How we can call our elections truly fair, I do not know. And I know, also, President Obama, who is a man I personally like very much, has been very unhelpful when it comes to matters of privacy, or our need for transparency and disclosure concerning our government’s actions. Just the argument that we can lose our right of habeas corpus as we enter the beginning of the 21st century is truly abhorrent.

    And, still, with all this being said, the alternative candidates from the Republican Party offered even less than the Democrats. With the exception of a little nutty skit, and some silly entertainment from Clint Eastwood during this Fall’s Republican Convention in Tampa, I could not, and cannot, stomach much from that party.

    And, as for security, that last sentence of yours above is truly profound, and bears repeating: “The focus should be on enabling users, and restricting everything else.” The way things are going right now I conjecture that that sentence will need to be said one day, in front of some Senate subcommittee. I hope it will be said, and somebody will be there to hear it.

    Right now, as far as I can gather, we are as surveilled as China, although not limited in access nearly as much.

    • insanitybit says :

      Obama hasn’t helped much at all. He’s made things worse in more than a few ways. I dislike the republican party far more than the democrats though.

      I find that most fields reflect reality; whether it’s computer security or anything else, you can apply the same principles anywhere.