Guest Blog // Selected Security Content Provided By Sophos
09:00 AM
Dark Reading

Where In Hacking The Ends Justify The Means

Do some 'ethical hackers' really have your best interest at heart, or are they more interested in making your private information public?

As an admitted pop culture fan, I frequently find parallels (sometimes easily, other times where it's admittedly harder to connect the dots) between that typically lightweight subject matter domain and the perennially sacrosanct security industry.

Case in point: the recent news about the new hacker group "The Unknowns," who are, to use Ted Samson's headline in InfoWorld, "claiming the high ground in exposing security holes." That conclusion got me thinking of actor Jeff Goldblum in his role as Dr. Ian Malcolm in Jurassic Park.

The park's creator, philanthropist John Hammond, clashes with Dr. Malcolm over his desire to deliver dino-fans to the island for a once-in-a-lifetime experience. Hammond's complaint is that Malcolm isn't giving the scientists enough credit for doing things that nobody has ever done before. Ever the contrarian, Dr. Malcolm retorts, "Yeah, but your scientists were so preoccupied with whether they could that they didn't stop to think if they should."

As myriad news outlets including InfoWorld have reported, the Unknowns have claimed to use SQL injection to breach the databases of, and publish administrative accounts and passwords for, high-profile organizations including NASA (which disputes that any sensitive information was actually compromised in its breach), the U.S. Air Force, and Harvard University, as well as targets abroad including the European Space Agency, the Thai Royal Navy, and the French Ministry of Defense.

While up to this point in the story it appears these "Unknowns" are taking root in Anonymous' shadow, they claim their interest is mostly altruistic. As Samson reports, the Unknowns have released a statement that reports many of the systems they've successfully hacked have since been secured. "And now, we are happy to inform you that most of the links we used to penetrate through the databases, have been patched. This is exactly what we were looking for. This is what we want," the group said.

The group's "manifesto," posted on Pastebin, is at once eye-opening and, of course, these being hackers, self-serving:

• We are not Anonymous Version 2 and we are not against the US Government

• We can't call ourselves White Hat Hackers but we're not Black Hat Hackers either.

• These Websites are important, we understand that we harmed the victims and we're sorry for that -- we're soon going to email them all the information they need to know about the penetrations we did.

• We still think that what we did helped them, because right now they know that their Security is weak and that it should be fixed.

• We wanted to gain the trust of others, people now trust us, we're getting lots of emails from people we never knew, asking us to check their website's security and that's what we want to do.

• Our goal was never to harm anyone, we want to make this whole internet world more secured because, simply, it's not at all and we want to help.

• We don't want revolutions, we don't want chaos, we just want to protect the people out there. Websites are not secured, people are not secured, computers are not secured, nothing is...

• We're here to help and we're asking nothing in exchange

So the takeaway is the Unknowns are completely on the up-and-up and we should trust them because they're not like the others, right?

Nope -- not buying it.

Let's take another look, shall we? According to the evidence already in hand, these Unknowns:

1. Search for vulnerabilities on websites

2. Use SQL injection tools to penetrate them

3. Extract sensitive, even confidential data

4. Publish that data to Pastebin for anyone to find and reuse

I don't know. Sounds like classic, old-school hacking to me.

One thing I never get with apolitical groups like these folks is why they don't just come together as a privately held security firm, monetize their knowledge, and sell their services above-board to companies that want their websites penetration-tested and want to know for certain that they will actually stand up to Anonymous and the other would-be hacker collectives of the world.

If they were really interested in fixing the Internet's flaws, why do it in the shadows? After all, capitalism is all about making money by selling your knowledge, experience, and skill to others who lack them. Seems to me that any organization that serves as a data custodian would want expert help and would pay dearly for what these days passes as badly needed peace of mind.

And from a human perspective alone, doesn't this process ever become excruciatingly repetitive? How long will it be before you've proved to yourselves and everyone else in your loosely knit group that you can do it time and again without being stopped? How many pats on the back, how much self-media adulation do you really need? I have to imagine that even hacking for the sake of hacking gets old; after all, it only took 50 days before LulzSec threw in the towel.

An additional word of caution. Even as the Unknowns claim that they're "getting lots of emails from people we never knew, asking us to check their website's security and that's what we want to do," I would ask: Would you really trust your business data and, for that matter, your business to a group of clandestine ex-coders who claim to have your best interest at heart?

I thoroughly recommend considering an alternative: aligning your organization with an established security solutions provider that doesn't hide behind anonymous or unknown personas, and whom you can count on to keep your data secure and off public data-disclosure sites like Pastebin. And when such a provider gets media attention (if it gets any at all), it's not for the number of hacks it has pulled off, but rather for the many hacks it has prevented.

Sometimes the ends justify the means. Other times, as in the example of these Unknowns, the two concepts couldn't be further apart.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.
