Recently, the Web site of the Arizona Department of Public Safety became completely inaccessible, and millions of confidential Arizona Department of Public Safety emails were made available through the Pirate Bay, a Swedish BitTorrent site known for facilitating illegal downloads. In addition, the complete personal identities of several Arizona Department of Public Safety employees were compromised.
All of this was done not by a foreign government to undermine security, nor by a foreign hacker looking to sell those identities on the black market. The data was stolen by the online group “Anonymous,” specifically a branch of that group called “LulzSec.”
Anonymous is an online hacker group formed in 2003 for the purpose of “the lulz,” meaning to make others laugh and for self-gratification. Anonymous is a headless organization with a very loose structure that follows no pattern and has no common identifier other than that all members are for “the lulz.”
Serious Cyber-Threat
When Anonymous attacks, it usually makes its activities known by bringing down and defacing the Web site of the organization it takes issue with, stealing as much confidential information as possible and then immediately publishing it.
According to a 2010 Deloitte-National Association of State Chief Information Officers survey, more than 80 percent of state CIOs reported their state had been the target of a malicious hack, the average total cost of which was $6.75 million. State governments are facing a serious new cyber-threat in Anonymous that must be addressed to maintain information security.
Anonymous shares the stolen information on file-sharing sites such as the Pirate Bay and among other groups proficient in eluding law enforcement agencies. That means a state must focus on ensuring confidential information is more secure from theft in the event of an attack.
The most common technique employed by Anonymous’ hackers to gain access to confidential information is the exploitation of weak passwords to log in under the guise of a legitimate user. Login information obtained by Anonymous and published on the Web reveals many passwords used by government employees are set to something as simple as “password” or “123456.” To combat hacking, security experts recommend using secure passwords that include at least eight characters with a combination of upper- and lower-case letters, numbers, and symbols.
Other Methods of Cyberattack
Another common attack utilized by Anonymous is exploiting vulnerabilities in login software to make it execute a command instead of processing a password, a technique known as SQL injection. For an organization that uses SQL, many security experts in the private sector recommend all inputs be cleaned to prevent injection of malicious code. As a general rule, intrusion into confidential information can be prevented by moving the data onto a secure intranet.
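The login flaw described above, as an added example that is not part of the original article: a login check that pastes form input into its SQL text, beside the same check using bound parameters so input is only ever treated as data. The table layout, the account `jdoe`, the sample inputs and all function names are constructed for illustration.

```python
import hashlib
import os
import sqlite3

def _digest(password: str, salt: bytes) -> str:
    # Salted, slow hash so the table never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("jdoe", salt, _digest("Tr1cky-Passphrase!", salt)))
    return db

def _salt_for(db: sqlite3.Connection, username: str) -> bytes:
    row = db.execute("SELECT salt FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else b"\x00" * 16  # dummy salt for unknown users

def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # WEAK: form fields are pasted into the SQL text, so a quote in the input
    # ends the string literal and whatever follows is parsed as SQL.
    digest = _digest(password, _salt_for(db, username))
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + digest + "'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db: sqlite3.Connection, username: str, password: str) -> bool:
    # FIXED: placeholders bind the input as values; it is never parsed as SQL.
    digest = _digest(password, _salt_for(db, username))
    sql = "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, digest)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    # Constructed test input: the quote closes the literal and "--" turns the
    # password comparison into a comment.
    crafted = "jdoe' --"
    for check in (login_vulnerable, login_hardened):
        print(check.__name__,
              "valid login:", check(db, "jdoe", "Tr1cky-Passphrase!"),
              "crafted input, wrong password:", check(db, crafted, "wrong"))
```

Bound parameters remove the flaw at the query itself, which is why they are preferred over trying to clean every input by pattern matching.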
Another popular weapon in Anonymous’ arsenal is the Denial of Service attack, whereby a few hackers send thousands of requests to a Web site every second for a few minutes. This overwhelms the server hosting the site and causes it to crash, which brings down the Web site.
A Distributed Denial of Service attack functions in the same manner but uses thousands of computers across the globe to make the requests. Both kinds of attacks can be effectively defended against by use of strong firewalls and judicious load-balancing techniques.
Anonymous is a new cyber-threat to state governments and information security. The group’s membership characteristics, lack of a traditional structure of command, and motivations make it difficult to predict who will be attacked and when. Despite the recent arrests of some Anonymous members, it is prudent for all states to take action and implement best practices to preempt the possibility of attack.
Tom Bird is an intern with the Telecommunications and Information Technology Task Force of the American Legislative Exchange Council (http://www.alec.org/).