Websites need better defense vs growing ‘hacktivism’, says cybersecurity expert
MANILA, Philippines – More and more computers are likely to be hacked in the future as people have turned to hacking as a means of protest, a cybersecurity expert said, citing the need for better defense against these attacks.
“This whole notion of hacktivism has become such an important issue globally, it’s obviously important here in the Philippines just based on that incident,” Hugh Thompson, Chief Security Strategist and Senior Vice President of Blue Coat Systems Inc., told reporters in a roundtable discussion September 4.
The “incident” Thompson referred to was the August 26 “Million People March” for the scrapping of the “pork barrel” or the legislators’ Priority Development Assistance Fund (PDAF), considered a source of corruption. The campaign began with a call on social media for people to gather at the Luneta Park as an expression of protest against the PDAF.
“The Philippines is not alone in [hacking incidents], across the world people are turning to hacking almost as a means of speech. In the past, some of those same people would have shown up with protest signs and stood outside the building,” he said.
The “Million People March” coincided with the attack on 30 government websites, Thompson said.
Anonymous Philippines, an international hacking group, defaced the websites of the Office of the President, the Senate, several department websites, and also of the Quezon City local government, as it joined the nationwide protest.
Calls for the abolition of the PDAF have steadily increased following the discovery of the billion-peso pork barrel scam allegedly masterminded by businesswoman Janet Lim-Napoles that siphoned money from the government through bogus non-government organizations (NGOs).
“Now [activists] see hacking as a way to express their opinion, and hacktivism-related attacks can be some of the most damaging in the short term, because their goal is destruction, defacement, taking [a website] down or bringing it offline,” Thompson said.
“And we’re seeing that these highly organized hacktivist groups have an amazing amount of resources, they can summon lots of people, lots of machines, lots of bandwidth at once to go after a specific objective,” he added.
Thompson explained that hacktivists usually deface or conduct denial-of-service attacks as a form of disruptive protest against current issues. In contrast are hackers who steal vital information and data with malicious intent.
“Usually when you design [computer] systems and you think about security, you don’t think about disruption attacks, you’re very focused on the data [security] and data theft,” Thompson said.
“[When] 10 thousand [computers] suddenly request a website all at once, its a completely different architectural choice that you’d make in the background to defend against an attack like that,” he said. “That’s why you see so many large organizations, defense agencies around the world fall in the face of these types of attacks.”
Thompson pointed out that unsecured computer networks could be hacked in a matter of minutes.
“If you haven’t designed for [attacks], if you haven’t anticipated for those types of things happening on your network, it can be done in minutes, it’s not something that will take three weeks for some brilliant hacker to do,” he said.
Advice for government websites
Thompson gave three recommendations for the Philippine government on how it could better defend websites against hackers: penetration testing and simulation, integration of computer security into the organization, and quick recovery and forensic analysis.
“This idea of doing simulations around [network] load is really, really important, [testing and simulation] become very critical from a national infrastructure perspective,” Thompson said.
“Often we think about all of the aspects of IT availability but don’t think about those when a system is under heavy load or when a system is under attack,” he said.
Security should become an integrated part of the entire organization.
“Second is looking at where security is built into the infrastructure today, often security in the past was added as a new requirement for a broad end, it was very tactical. Now we are at a time when security has to be strategic, we have to look as a business competency. Its not just some guy handles security, it has to be integrated in the [organization] and what [it] is doing,” Thompson said.
He said that government websites also needed to be able to recover quickly in the event of attacks as well as be able to do forensic analysis of how the attack happened and what the vulnerabilities of their system were exploited.
“We’ve moved into a period where you cannot prevent everything, at some point something will happen, someone will get in, some sites will get defaced, and the question is how can we recover from this quickly and figure out what the root cause was?” Thompson said.
“You’re seeing governments around the world now move to this idea that we [have to be able to] analyze the [movement of] data … and be able to do forensics activities very quickly, this is the idea of a quick recovery,” he said.
When asked about the possibility of being able to identify and apprehend the hackers, Thompson said that it would be next to impossible to find out who they really were.
“It’s so tricky, if someone is good, there so many ways to hide your identity, you can bounce an attack through seven countries in seconds and it looks like this attack is coming from country A, when in fact it’s coming from some teenager in the basement in country B,” he said.
“That type of scenario to pull off is not very difficult at all, in fact there’re lots of freely available services that allow you to bounce your traffic through multiple destinations before you get to the source,” Thompson said. “Cybercrime is a very different type of crime.”
He shared that he’s seen one person in a room hack another person in the same room but going through several countries in order to hide his identity.
“The problem is its becoming so much easier for people to use tools to hack. In the past it requires both the will to do it and the technical skill to be able to pull it off,” Thompson said. “Now it really just requires the will.”
“Anybody with a computer and an Internet connection can try [to hack]. It’s a different place than people were 10 years ago, you wouldn’t have the facility to actually make attempts like that [then],” he said.
Also becoming more and more vulnerable are small and medium businesses (SMB) all over the world because they pay little attention to the security of their computer networks.
“Security has been largely ignored and underappreciated in the SMB space globally, it is becoming easier and easier for attackers to attack SMBs and maybe even use the SMB as a channel into some larger group shared service,” Thompson said.
Government agencies, on the other hand, are now recognizing the need for security measures in their computer systems Thompson said.
“The government agencies here in the Philippines take security very seriously. We’ve seen that in our conversations with them, so I think the big question is how do we become diligent around security as security becomes a core competence and a core practice,” he said.