incomplete: 2011: the year of the return of hacktivism?

(This is unfinished, and I’m not sure I ever will finish it. This illustrates simply a bit of for-discussion points. While I take the tone that this year’s hacktivism surge isn’t much of a “real” surge at all, it’s still hard to argue that we’ve had a larger-than-usual number of high profile and large targets being successfully attacked in a relatively short amount of time.)

Has this year heralded a new trend in rising hacktivism (i.e. the actions of Anonymous, LulzSec, WikiLeaks informers, and various offshoots surrounding those group)? Maybe. Let’s look at a few things that we pretty much know for sure. I’ll lump most of this year’s activities under the term, “hack attacks.” (I’m not including things like RSA, which are almost certainly of a more nation-state-like nature.)

1. Code hasn’t suddenly gotten more insecure. It’s not like we had a period of time where code was secure and the ball has since been dropped. I’d argue that all of these issues have always been present. Granted, the landscape is changing, and web security hasn’t kept pace at all, from both the server-side (code, OS, practices) as well as the client-side (browser), but it’s not like things have gotten worse; they’re just not getting any better.

2. These hack attacks are not demonstrating some newfound body of knowledge that attackers have gained. In fact, most (if not all) of these attacks are relatively simple and not new at all. These attacks aren’t dropping 0days; they’re poking at very poorly secured web sites.

Wait, this sort of sounds like I’m about to say nothing has changed. Alas, clearly something has changed…

3. Breach disclosure laws. Sure, I still believe the whole “breach disclosure” issue is like the proverbial iceberg: you get a certain number of visible, announced breaches, but I imagine there is a much larger mass of them hidden under the surface either not detected or simply buried in corporate bureaucracy and dishonesty. Still, you have to admit there are far more announcements today than 10 years ago that are prompted by law. I still don’t believe this means there are more breaches; we just hear about more of them.

4. The media is ready for geek news (and the never-ending ‘reality show’ drama of security that has been thwarted, or conversely someone who has failed). Ten years ago, the media couldn’t give two rips about digital security and the breaches suffered by it. Today, it seems like the media is more comfortable being a bit more technology-focused. And hacktivists seem quite happy to feed this new trend in media coverage, while at the same time feeding off the attention. (Incidentally, I’d say many “older” hackers don’t give a rip about attention, at least not from the secular world. One might consider more mainstream attention desires to be somewhat immature.)

5. More financial transactions are done online. I don’t have numbers, but I’d expect there are more mainstream consumers and many more businesses today who perform financial transactions online than there were even 5 years ago. This means more opportunity for attackers to usurp the process (banking trojans) as well as much more data stored in databases behind public and poorly secure web sites.

My opinion really comes from the above. I don’t think there is a huge difference this year from the past 10 years, except in media coverage and the risk footprint of more financial information online. I think there have always been hacker groups and hacktivist activities; we just normally didn’t hear too much about them in the past.

Here are some things that may be red herrings in this discussion:

– The rise of social media is not significant for the geek crowd. Sure, there may be new faces in the newest generation who are growing up with “social networking,” but for the actual hacker/security geek, the social network has been around for decades, from BBS’s, to IRC, to web forums. The problem with social networks are their desire to data mine and their lack of trustworthiness, which will erode any malicious hacker’s efforts to remain hidden. I might entertain an argument that current “hacker” entrepreneurs are encouraging, by their success, younger coding-friendly geeks to be more bold, since it clearly paid off for them, but that’s more of a socio-cultural thing…

I might also entertain the idea that more mainstream people are online due to social networks, which then acts as their gateway to more “hacker-appropriate” networking online. I’d maybe even argue that much of today’s hacktivism is done by these newer members wielding non-novel attacks. This sort of rise and fall in the pursuit of notoriety has gone on for decades in the hacker underground. It usually wanes as these “newbies” grow up and actually start having bills they need to pay (and either turn into for-profit criminals or move on to real jobs) or have a law enforcement scare.

– Anything to do with the criminal world, or even “APT,” i.e. nation-state-sponsored digital espionage. There is little argument that recent coverage of these hacktivist attacks and plunders has driven at least some interest in security, and if nothing else is exposing the risk and/or insecure state of things. No criminal or espionage threat agent will like that attention. It hurts their chances of success, of being undetected, and increases the chance of “make an example of” penalties if caught. The for-profit crime and APT trends have been around for several years now, and are not new this year.

– I hate to go here, but I’d almost certainly leave discussions of PCI and compliance at the door. I believe compliance (read this as “PCI” even if I just generalize the term) does improve certain things, but I also believe it erodes other things. This is a discussion tangent big enough for its own treatment, but I think the net gain compliance has on a discussion about this year’s hacktivism is zero.