Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/22/2011
05:10 PM
50%
50%

Anonymous Hackers Are Hypocrites, Not Hacktivists

An amorphous group of hackers has proven its ability to breach, torment, and embarrass. But as its dance with BART shows, its larger ambitions ring hollow.

The hacker group Anonymous, which is less a coherent group of people working together toward a common cause than a random medley of hackers out to prank and disrupt the online world, has been busy these days. Multiple hacks on Bay Area Rapid Transit websites in response to BART's shutdown of the railway's underground cellular system have captured the attention of activists and technophiles alike. But even as the name Anonymous strikes fear into the hearts of many IT security workers, the group's political ambitions ring hollow.

Anonymous has a penchant for making grand--if sometimes dimly worded--proclamations about its motives. After the group initially hacked a BART website on August 14, it posted a message to the AnonOps blog that stated, "In the Bay Area, we’ve seen people gagged, and once more, Anonymous will attempt to show those engaging in the censorship what it feels like to be silenced." The group frequently issues demands in conjunction with its operations, and the BART hacks were no exception: "Anonymous demands that this activity revolving around censorship cease and desist and we know you are already planning to do this again."

Through its attacks against a variety of high-profile organizations, Anonymous has made itself difficult to ignore. But what's also hard to ignore is the hypocrisy and futility of the group's tactics. Even as the group proclaims its opposition to oppression, it resorts to little more than online bullying in pursuit of its aims. In purporting to advance the cause of freedom, the group brings its own brand of oppression to bear. Its message is pretty much always the same: Stop doing whatever it is we don't like, or we'll take down your website, steal your private data, and embarrass your workers and customers on the Internet.

In response to a decision by BART management to interrupt cell phone service in four underground stations in downtown San Francisco for a couple of hours on August 11, Anonymous hacked into a third-party BART website and released the personal information of thousands of BART riders, all of whom were innocent of BART's actions. The organization then proceeded to hack a BART police officer's association website and released the personal information of its users.

All told, within a week, this loose-knit group of hacktivists victimized a few thousand people who were in no way connected to the actions in question. As of Monday afternoon, the group is reportedly mounting a third protest, which we can only assume will be accompanied by further hacks targeting BART riders and workers. And amid all this chaos, thousands of Bay Area commuters have had their commutes disrupted, causing ripples of inconvenience and hardship throughout their lives.

Which part of Anonymous's ongoing assault against BART riders and employees is supposed to encourage change? Is there a specific policy that Anonymous would like BART to adopt? It's impossible to tell, because the group hasn't put nearly as much thought into advancing a substantial argument as it has into causing disruption. And this is where the intellectual bankruptcy of hacktivism reveals itself. It outlines no argument. It advances no coherent cause. It brings only vague threats and intimidation.

Ask yourself this: If Anonymous were to single out your organization for attack, what would you do? Would you search your soul for the source of whatever transgression might have elicited the group's animosity? Or would you spend a little extra on IT security and hunker down to weather the storm, while mobilizing your legal department to track down and prosecute the offenders? For anyone charged with running a business, the obvious answer is the practical one. Anonymous's tactics force an organization into IT defense mode, while doing little, if anything, to engage the organization's leadership in a meaningful dialog about the issues. It is, quite simply, online thuggery, with only the barest pretense of a political motive.

So for all the IT pros out there watching the Anonymous-BART drama unfold, there are certainly lessons to be learned. But those lessons have nothing to do with high-minded questions of liberty, equality, and human rights. Instead, they're just reminders to run your patches, secure your site's navigation layer, and enforce strict password policies on your users.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
CVE-2020-11696
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
CVE-2020-13646
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.