

How to Stop Political Attacks

Experts advise users on how to defend themselves against cyber-terrorism, cyber wars, and hacktivism

Not all hackers are motivated by money. In fact, there is a growing number of politically motivated attacks on businesses and government agencies, and the methods these attackers use are different -- and potentially harder to stop -- than those of their cash-hungry counterparts, experts say.

Is your company ready to stop them?

The cyber battle between Russia and Estonia is just one example of the current trend toward the use of computers for political gain, industry observers say. Whether they are cyberterrorists trying to co-opt or disable a nation's leading business, "hacktivists" mining the sensitive data of a target company, or ticked-off customers trying to deface your Website, many cyber criminals are using hacking to make their point. (See DOS Gets Political in Estonia and Estonian Attacks Raise Fears of Cyber 'Nuclear Winter'.)

"I suspect I could start a Website called 'Death to Western Civilization.com' and get a couple thousand paid subscribers in a very short time," says Andrew Colarik, an IT security consultant and co-author of Cyber Warfare and Cyber Terrorism, a book published earlier this month. "There are a lot of people on the Web who are influenced to join these movements."

But defending your company against politically motivated attackers is a different challenge than defending it against financially motivated criminals, experts say. You can't just follow the money.

"Attackers will scour Websites associated with a country's government and find flaws in them -- even in some of the most out-of-the-way portions of their Web presences -- and deface them with political messages," notes Jose Nazario, senior security researcher at Arbor Networks, which tracks security incidents.

In its study of Estonia, Arbor Networks recorded 128 unique denial-of-service attacks on Estonian-based URLs. Most lasted less than one hour, with the longest lasting 10 hours and 30 minutes. At its peak on May 9, the attack shut down up to 58 sites at once.

Are businesses at risk from this sort of all-out attack? "In some cases, they could be," Colarik says. "Unless they have a personal grudge against a particular company, most politically motivated attackers will go after high-value, prominent companies -- the IBMs, the Yahoos, the Amazon.coms. It's all about exerting power, so in most cases, they'll go after the companies that have the most money or power."

"It's a pretty tricky [question], but I think it comes down to companies that are extremely intertwined -- and visibly so -- with the government," says Nazario. Key defense contractors fall into this category, but most attackers who want to make a statement about government will usually target the government systems themselves, he says.

So far, DOS attacks, such as the ones seen in Estonia, are the most frequent vector used by political hackers, experts say. Web defacement is another popular political statement, particularly among hacktivists, who are generally trying to make their voices heard by the target company as well as the viewing public.

But those are not the only exploits used by political attackers. "We've seen hacktivists tap into, say, a Congressman's Outlook folders to steal his schedule," Colarik says. "Or they might put spyware on the machine of an administrative staffer -- someone who's not tech-savvy -- so that they can collect data and pass it over to a political opponent."

In some cases, an insider may play a role in the hack. "In banks, for example, an employee might collect data and sell it, and it may end up in the hands of a [politically-motivated] interest."

So what should companies do if they fall into the realm of potential political target? The IT organization should do its best to keep a low profile and decentralize as much as possible, Colarik advises. "If your organization is decentralized but your IT operations are not, you aren't decentralized," he says. "Most of these attackers work in small, local cells, so spread out your systems to give yourself some protection.

"If you're in the AT&T computer operations center, you don't put a big sign up on the building that says 'AT&T Computer Operations Center.'" This principle applies to the logical side of security as well, and IT organizations in high-profile companies should take advantage of Internet service providers' abilities to anonymize IP addresses and email server addresses so that they can't be readily identified with the company.

Nazario agrees that the best strategy is for the company to keep a low political profile. "Protect the brand, keep it out of the negative press, and don't become associated with activities that would give rise to the kinds of nationalist 'retaliation' attacks we see," he advises.

Both Nazario and Colarik say companies should develop a close relationship with their ISPs. "Work with the providers to ensure that if a DOS attack comes your way, you have adequate response measures in place to thwart the attack and repel the traffic," Nazario says, adding that companies should continually audit all Websites under the brand name to ensure that flaws don't allow attackers to penetrate an out-of-the-way server.
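The Arbor Networks figures quoted above (number of distinct attacks, how many lasted under an hour, the longest attack, and the peak number of sites hit at once) are the kind of summary a defender's incident-response plan with an ISP should be able to produce from its own records. The script below is an added example, not Arbor's tooling or data: it reads a constructed incident log of `target,start,end` lines for hypothetical `example.ee` hosts and computes those same statistics, using a sweep over start/end events for the peak-concurrency figure.

```python
"""Summarise a denial-of-service incident log the way the Estonia figures in
the article are reported: distinct attacks, their durations, and the peak
number of sites under attack at the same moment.

Input format (constructed for this example; not Arbor Networks' real data):
    target,start,end   -- one attack per line, ISO-8601 timestamps
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Incident(NamedTuple):
    target: str
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


# Constructed sample log: five attacks against four hypothetical hosts.
SAMPLE_LOG = """\
www.example.ee,2007-05-09T10:00:00,2007-05-09T10:40:00
www.example.ee,2007-05-09T12:00:00,2007-05-09T22:30:00
bank.example.ee,2007-05-09T10:20:00,2007-05-09T11:05:00
mail.example.ee,2007-05-09T10:30:00,2007-05-09T10:50:00
old.example.ee,2007-05-10T03:00:00,2007-05-10T03:15:00
"""


def parse_incidents(text: str) -> List[Incident]:
    """Parse CSV lines into Incident records; blank and '#' lines are skipped."""
    incidents: List[Incident] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, start, end = line.split(",")
        inc = Incident(target, datetime.fromisoformat(start), datetime.fromisoformat(end))
        if inc.end <= inc.start:
            raise ValueError(f"end is not after start: {line}")
        incidents.append(inc)
    return incidents


def duration_summary(incidents: List[Incident]) -> Tuple[int, int, timedelta]:
    """Return (total attacks, attacks shorter than one hour, longest duration)."""
    under_hour = sum(1 for i in incidents if i.duration < timedelta(hours=1))
    longest = max((i.duration for i in incidents), default=timedelta(0))
    return len(incidents), under_hour, longest


def peak_concurrency(incidents: List[Incident]) -> Tuple[int, datetime]:
    """Sweep-line over start/end events: the largest number of distinct targets
    under attack at one instant, and the time that peak was first reached."""
    events = []
    for inc in incidents:
        events.append((inc.start, +1, inc.target))
        events.append((inc.end, -1, inc.target))
    # Sort so that an end (-1) at a timestamp is processed before a start (+1)
    # at the same timestamp; back-to-back attacks on one host then count once.
    events.sort(key=lambda e: (e[0], e[1]))
    active: Dict[str, int] = {}
    best, best_at = 0, None
    for when, delta, target in events:
        active[target] = active.get(target, 0) + delta
        if active[target] == 0:
            del active[target]
        if len(active) > best:
            best, best_at = len(active), when
    return best, best_at


if __name__ == "__main__":
    incs = parse_incidents(SAMPLE_LOG)
    total, short, longest = duration_summary(incs)
    peak, at = peak_concurrency(incs)
    print(f"{total} attacks, {short} under one hour, longest {longest}")
    print(f"peak: {peak} sites at once, first reached {at.isoformat()}")
```

Feeding the ISP's or the company's own attack records through `parse_incidents` gives the same three headline numbers the article cites, which is what a response plan agreed with the provider should be measured against.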

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
