It is now three years since the Russian Federal Protection Service (FSO), the agency in charge of protecting high-ranking officials, ordered large quantities of typewriters and fax machines after Edward Snowden’s NSA leaks surfaced. Whilst it is improbable that this is due to the Kremlin joining the hipster nostalgia for an analogue world, it did signify a growing mistrust of storing sensitive data on digital platforms. Similar measures have been considered in Germany after it was revealed that the NSA had also been monitoring Chancellor Angela Merkel’s calls. The nature of espionage has morphed away from the game of defectors revealing secrets about the operations of their intelligence agencies towards one of intrusion into the lives of domestic citizens. This can partly be attributed to the post-9/11 counter-terrorism wake, which some agencies have perceived as carte blanche for their intelligence operations. The difficulty for the intelligence agencies, as Sir David Omand (former British intelligence chief) states, is that “intelligence services must be able to employ secret sources and methods that inevitably involve intrusion. Yet to command that public trust, they must also be transparent and prepared to live by rules that protect individual privacy”. Whilst most people do not have anything to hide, this shift closer towards Orwell’s 1984 society creates a sort of discomfort that ordinary citizens are starting to feel. It is perhaps a good idea then to follow the Russian example, albeit the local bearded millennial in your town will probably overcharge you for your typewriter.
Where does that leave society today?
The changing nature of modern terrorism and technology has made surveillance an even more intrinsic aspect of society. Perhaps greater transparency in revealing successful operations, e.g. the capture of dark-net paedophiles, would justify their existence. However, this is a difficult request, as the intelligence community naturally seeks to retain the cloak of secrecy and the independence to operate.
The issue with most organisations is that they are waiting for that ‘Edgar (Hoover)’ moment. “We’ve never had anything happen in the last 5 years, so why should we be worried…”
What you spend on your security is based upon that balance of risk and reward and all of that ‘return on investment’ stuff. But there comes a time when that fundamental human trait of common sense needs to be applied.
Has the threat changed? What is happening in the rest of the world, or even in your industry? Situational awareness, anyone? Is there such a thing as being 100 percent secure? No… the trick is to introduce sufficient challenge to would-be attackers in order to put them off or deter them. If the principles we apply to our security investment relate to risk and reward, our attacking friends have a slightly different, if not too dissimilar, agenda with an additional attribute: effort (required to pwn).
Many organisations invest in monitoring controls, paying through the nose for Security Operations Centres (SOCs), which are supposed to monitor the network, alert on suspicious activity and assist in containing suspected attacks. Sadly, organisations don’t spend enough time understanding and working out what constitutes suspicious or abnormal behaviour for them. What is actually put in place is a ‘vanilla’ service that does not take account of the organisation’s unique business activity.
Nothing to report here.
A vicious circle ensues of reporting a clean bill of health up the chain, that all is well, all the while remaining oblivious to the pwnage ensuing in the background. This presents a false sense of security and allows organisations to become complacent until… Boom! The headlines point to a serious breach.
Know your business!
This might sound simplistic, but sometimes the most fundamental aspects of security are the most neglected. Having a SOC is great, if it is well briefed and integrated to the right level into the organisation’s incident management regime. But part of this integration involves an analysis, with the right people (the business users), of what constitutes established, understood and good behaviour. Any deviations from this good behaviour form the basis of what needs to be monitored and, more importantly, alerted on.
The nub of the matter is that if you have an online presence and your business matters, you need some form of logging, monitoring and alerting in place. This may or may not involve a SOC, but organisations (not SOC providers) need to take the initiative and decide what is important enough to be included.
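One way to turn ‘know your business’ into an actual alerting rule, as an added example that is not from the original post: a baseline of which users log in from which hosts and at which hours is learnt from a window of known-good activity, and later events are flagged only when they deviate from that baseline rather than matching a ‘vanilla’ signature. The log format, user names, hosts and timestamps are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (assumption): "<ISO timestamp> <user> <source-host> <result>"
BASELINE_LOGS = """\
2016-05-02T08:12:00 alice finance-pc01 ok
2016-05-02T09:03:00 bob hr-pc07 ok
2016-05-03T08:45:00 alice finance-pc01 ok
2016-05-03T17:30:00 bob hr-pc07 ok
2016-05-04T10:15:00 bob hr-pc07 ok
""".splitlines()

NEW_LOGS = """\
2016-05-09T08:30:00 alice finance-pc01 ok
2016-05-09T02:10:00 alice finance-pc01 ok
2016-05-09T11:00:00 bob build-srv03 ok
2016-05-09T11:01:00 carol hr-pc07 ok
""".splitlines()

def parse(line):
    ts, user, host, result = line.split()
    return datetime.fromisoformat(ts), user, host, result

def learn_baseline(lines):
    """Learn, per user, which hosts they log in from and which hours they are active."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, host, _ in map(parse, lines):
        hosts[user].add(host)
        hours[user].add(ts.hour)
    return {"hosts": dict(hosts), "hours": dict(hours)}

def detect(lines, baseline, tolerance=1):
    """Return (line, reason) for every event that deviates from the learnt baseline.
    A login within `tolerance` hours of a known active hour is treated as normal."""
    alerts = []
    for line in lines:
        ts, user, host, _ = parse(line)
        if user not in baseline["hosts"]:
            alerts.append((line, "user never seen before"))
            continue
        if host not in baseline["hosts"][user]:
            alerts.append((line, f"{user} never seen on {host}"))
        if min(abs(ts.hour - h) for h in baseline["hours"][user]) > tolerance:
            alerts.append((line, f"{user} active at {ts.hour:02d}:00, outside usual hours"))
    return alerts

if __name__ == "__main__":
    for line, why in detect(NEW_LOGS, learn_baseline(BASELINE_LOGS)):
        print(f"ALERT {why}: {line}")
```

The baseline window must itself be reviewed with the business users first; a baseline learnt from an already-compromised period simply teaches the detector that the attacker is normal.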
If an attempt has never been made to gain unauthorised access to your environment, you are one of three things…
Do you remember receiving that email some time ago mentioning ‘Here is an invoice to the flight you recently purchased’ and you immediately thought ‘hmm, what flight? Maybe it was that flight to …?’ There was a time you received an email saying ‘You have been selected as the winner of the National Lottery’ and you thought ‘FINALLY, some good luck!’ And then there was that email from your long lost cousin reading ‘Dear cousin, I have been captured by the pirates and they are demanding a sum of $10,000 in order to be released and finally return to you and the family. Please help me, you are the only family I can rely on’ and naturally you thought ‘hmm this cannot be true’. In all these cases, there was always an attachment in the email which you may or may not have been tempted to open. Hopefully, you didn’t.
Opening Pandora’s box
These emails are examples of phishing – the malicious attempt to obtain private information from an individual or a company. As soon as you open one of these attachments, you have opened Pandora’s box and allowed a criminal access to your online life. How do you prevent this? Only access URLs you are familiar with, use spam filters on your email, only use secure websites to transmit your information, always be wary if you are unexpectedly asked for personal information, use anti-virus/anti-spyware software and firewalls, and NEVER open an attachment you are not expecting.
Hopefully this is common sense to the large majority of us who have ever had access to computers. But a lot of us have made mistakes. These mistakes have led to us seeing our bank accounts rapidly depleted or spam emails sent from our personal accounts to our entire contact network. We can only hope that those friends and family did not fall victim to the same mistake.
The myth of covering your webcam…
There are also many of us who may not yet have realised the consequences of opening such an attachment, simply clicking it away after self-classifying it as spam. However, in doing so we have opened up a direct route into our computer for the sender of that phishing email, the hacker. Even if these hackers remain dormant for now, they could have access to our emails, see everything we type, and see us through our webcams… Is there a reason why cybersecurity experts have warned us to place something opaque over the little camera above our computer screen?
Your value on the black market
It is true that everything comes at a price. Most things you can buy or sell online: clothes, food, books, electronics etc. And for the most part these transactions are recorded on some forum online for future reference. But something which will be news to many of us is that our personal information, probably obtained through illegal phishing practices, now also has a price. It sits on the online black market, an area of online space many of us have no idea even exists. The online black market comprises anything and everything online that you could imagine. You can buy 1000 Hotmail email addresses for $12, 6-20% of a PayPal account, stolen healthcare insurance information worth $1300 or even the hacked webcam of a girl for $1. This price information is collected from open-source documents such as news and government reports which closely track such sites but are unable to catch the perpetrators.
Our information stays private only so long as we keep it so, which means we must protect it. Report anything which seems phish-y and, more importantly, take sufficient anti-virus/anti-spam steps to reduce the likelihood of being phished in the first place. Whatever you do, do not be tempted to open the email to save your long lost cousin who has been captured by pirates. Otherwise you too will fall victim to online pirates, but in this case ransom money will not help.
There are codes of conduct for almost every industry, from the rules of the game in sport to the constitution in law to safety measures in factories. Ethical hacking is no different. It is governed by a code of conduct created by a community who consider themselves to be experts in this line of work. In the formal sense, an ethical hacker is either a company or an individual who identifies and exposes potential threats on a computer system, before someone with malicious intentions does so. Upon discovery, these gaps in the system are plugged to ensure the safety of the computers and networks being probed.
Rules of the ethical hacking game
The rules of the game include: asking for explicit consent from the party to be probed, respecting their privacy, ensuring that no open avenues are left for malicious hackers to enter the systems and, finally, alerting the organisation/individual to any vulnerabilities found.
In fact, most companies with an online presence use a Bug Bounty program – a crowdsourcing initiative – to identify vulnerabilities on the company website in exchange for rewards in the form of compensation or recognition. Companies hope that in this way instead of becoming the victim of cybercrimes, they continue to remain a secure environment for their users.
However, there are instances when hackers attack a system under the umbrella of ethics, without adhering to the rules of the game. Can the ethical element of hacking still be present here?
The ethics of Hacktivism
When hackers enter a system without permission and with the purpose of hacking for the ‘greater good’, they consider themselves ‘hacktivists’ – conducting ethical hacking with a political purpose. Hacktivists attack the systems of organisations they fundamentally disagree with, with the goal of exposing their activities to the wider public. Although they don’t play by the rules, they do not believe that their actions are disruptive or illegal, since they are merely calling attention to issues that matter.
Is hacking to counter controversial morals ethical?
Take the relatively recent 2015 hack of the online dating site Ashley Madison. A group called ‘The Impact Team’ attacked this website, which enabled married people to engage in extramarital affairs. They obtained the personal information of the entire user base and in mid-August 2015 decided to release over 10 gigabytes of data (real names, addresses, credit card transactions, search history etc). That amounts to over 30 million people in over 40 countries. The Impact Team had given the parent company of Ashley Madison, Avid Life Media, numerous warnings, expecting the site to be shut down on the basis that it was immoral to create a platform allowing people to actively be unfaithful to their partners. Yet the parent company stood by the position that it was merely providing a service in demand and that it was not its role to judge its users’ morality. Evidently, the hacktivist team did not think such a response was sufficient. Can this be considered ethical hacking, or is it a form of cyber-terrorism? The cliché of ‘one man’s terrorist is another man’s freedom fighter’ is in play here, where The Impact Team wholeheartedly believed that releasing all of that private information was right. On the contrary, Ashley Madison believes that the rights of its users were violated, as well as the act being nothing short of illegal.
Is hacking to counter terrorism ethical?
On the other hand, you have examples such as the hacktivist group Anonymous, which claims to be ‘at war’ with the terrorist organisation Islamic State (ISIS). They have been systematically hacking the social media accounts of ISIS members and followers as well as bringing down their propaganda websites. Their aim is to stunt the growth of the terror group. Can this be considered another form of ethical hacking, despite not entirely following the rules of the game?
Needless to say, ethical hacking is a practice in which you can become professionally qualified if you have the drive to seek vulnerabilities in a legitimate way and report them accordingly. Companies accept this intrusion into their systems as a legal and justifiable act, and reward it as such. Yet hacktivism requires no such qualification, and its legitimacy comes down to a matter of opinion. Many agree with the morality behind the Ashley Madison hack, whilst others claim it was a cybercrime causing immeasurable damage to users. Similarly, as for the ethics of countering IS’ online terrorism with a form of cyber-crime itself: can we consider this more than, or equally as, ethical as the Ashley Madison hack?