Cyber Security – Cyber Criminals are not Robin Hood!

For some reason people have always had a fascination for bad guys.  In Australia we had Ned Kelly; in the US you had Jesse James; in England you had Robin Hood.  Each of them was held up as a shining example of fighting the good fight against the powers that be.  Maybe some of their crimes were motivated by good intentions, maybe not, but they were considered inspiring figures.  They (and other outlaws) are all regarded as the underdog—oppressed heroes who need to be left alone to do their “job.”

What a load of rubbish.  All were murderers and thieves, and deserved what they got.  In today’s world, some cyber criminals—Anonymous, for instance—have acquired the same glamorous outlaw aura.  And they, too, attract a fanatical following.  Everyone believes they are “putting it to the man,” which is the furthest thing from the truth.  They may not be holding a gun to anyone’s head, but the Anonymous crowd are just another ruthless bunch of thieves.

Let’s just look at an Anonymous attack.  When Anonymous want to go after a business or organisation, they follow a number of steps, some of which the cyber security people know about, some of which they don’t.

Here is a breakdown:

  • The first sign that an organisation is going to come under attack from Anonymous is that a YouTube video is uploaded, generally with a faceless individual spouting claims about what the “bad” people involved in their target organisation are doing and why we need to do something about it.  This is their first call to action.
  • They will ask for help from anyone has a perceived beef with the company, and give everyone a time and place where the attack is going to take place.
  • Closer to the attack time, they post another video, explaining why they are doing it and why more people need to be involved.  Both videos are designed to gain support for the public attack and draw in gullible people to help.  They need a minimum of 50,000 people targeting the victim.  Some of the previous higher-profile organisations include government departments, IBM and Coca-Cola.
  • They ask the people who sign up to download an application or log into a website that will create a denial of service on the target organisation.
  • They then co-ordinate the attack.  In most cases the idea is to bring down a website or an application portal.
  • Meanwhile, the true black hats of Anonymous are doing what they always meant to do, and it has nothing to do with philanthropic targets.  They are using the denial of service to gain access to the target and steal everything that they can.  They are after money, information and intellectual property—any data that they can then sell.  The internal Cyber Security Team can’t stop them because they are focussed on fire fighting the denial of service.

The underlying reason this works is that Anonymous have learned how gullible most users of the internet are, and have played on their humanness to make them do something that they would not normally do.  The biggest thing that Anonymous has going for it is exactly what their name implies—they are anonymous, hiding behind a mask and spouting high-minded platitudes to goad normal users into action.

The reason people feel safe getting involved in these attacks is that they, too, can remain anonymous.  Isn’t it about time we got away from this anonymous curse?  If you have a problem with a company or organisation, vent it on Facebook, discuss it on Twitter, write blog posts about it, fill in the forms on the website—do whatever you have to do to get them to notice.  Put YOUR name to it.  Do not be anonymous, because if you are anonymous you are just another one of those faceless, destructive a**holes that the organisations ignore and try to foil. A malicious attack may hurt a company, but it won’t persuade them to change their ways.  A ground following of 100 people with names will have a bigger impact on an organisation than an attack from 100,000 wannabe heroes hiding behind a mask.

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.