Simple Attacks Can Be Devastating

Posted on 18 August 2011 by


In the 1989 film Field of Dreams, Terence Mann is being annoyed by Ray Kinsella. Mann picks up a crowbar and walks towards Kinsella saying, “I’m going to beat you with a crowbar until you leave.”

I think anyone would accept that a crowbar is an excellent, if simple, weapon, and beating someone with one is an effective attack.

In fact, since the dawn of Man, hiding behind a rock or tree and emerging behind your enemy and crowning them on the noggin with a large object has been among the simplest and most devastating attacks in our collective arsenal. In my first Krav Maga lesson, I asked the instructor about the philosophy of what I was going to do. He said, “What philosophy? Hit him. Harder. Make him stop his attack.”

My point here is that simple attacks are often deadly. Which is why I have become so incensed at the DHS for its misguided and ultimately unsupportable advice to law enforcement that Anonymous comprises unskilled hackers.

It’s important to note that DHS did say accurately that:

…the [tactics, techniques and procedures] and tools employed by Anonymous are commonly thought to be rudimentary and unsophisticated, their success to date executing operations and gaining media attention is on par with high profile incidents allegedly involving sophisticated “Advanced Persistent Threat” (APT) actors. They have relied on taking advantage of weaknesses in applications, thus allowing them to bypass, at least initially, conventional network defenses such as firewalls and anti-virus applications to access sensitive data. Additionally, Anonymous and closely associated groups appear to be building upon recent successes by conducting highly visible messaging campaigns over publicly available social media forums such as Twitter, YouTube, and Facebook.

However, it’s buried in the mud after insulting and dismissing Anonymous as script-kiddies. This underestimates the danger and may lead to a false sense of security.

It may make administrators take Anonymous threats less seriously.

It may lead to dismissive attitudes among those entrusted with the stewardship of our data.

It underestimates the fact that amateurs who seek publicity and a splash are less predictable, less likely to be guided by an ethical compass, than professional, trained activist-hackers. One industry expert we know has referred to these less skilled folks as “cannon-fodder”. I recall in reading about history that troops used as cannon fodder took out a lot of other troops before their ultimate demise – and often they are effective: think of Stalin’s use of wave after wave of peasant-conscripts against a superior Nazi force.

And as we’ve said before, law enforcement IT sucks anyway. Let’s not make it worse with terrible, ignorant advice like this.

Take this week’s attacks against law enforcement in California. I won’t go into the whole rigamarole, but as we said yesterday, as we pondered the civil liberty consequences of a police agency (London) monitoring private messages and considering the cutoff of social media during the recent riots there, many here in the States – including me on Twitter – started shouting at the tops of our lungs about the sanctity of freedom of communication and whaddaya think this is, Syria? kinds of statements.

Then it came out that not only had the Bay Area Rapid Transit Police thought about it, they cut off mobile phone service pre-emptively to stop would-be protesters from communicating. The protest never actually happened, but BART shut down the mobile service to the network.

It is noteworthy that among the responses from groups like the Electronic Freedom Frontier and the American Civil Liberties Union, the criminal hackers at Anonymous immediately launched Operation #OpBart.

This ultimately launched attacks against BART and a police department website (the former succeeded in some low-hanging fruit, screwing BART customers and belying Anonymous’ stated intentions of hurting BART and not the people – it only hurt innocent civilians who ride BART). You can read the transcript of self-righteously puffy and self-serving interviews with some Anonymous folks at the DemocracyNow website.

The point here is that after failing to successfully hit one police agency, information from The Bay Area Rapid Transit Police Officers’ Association was successfully exploited and the personal details of more than 100 officers were placed online.

A couple of points:

  • As Josh Corman likes to say, in information security you needn’t be faster than the shark, but you need to be faster than your buddy. Attackers looked for simple exploits on relatively unprotected sites. When at least one failed they moved on to the next until they found easy prey.
  • There are interesting murmurs that ‘Anonymous’ doesn’t claim responsibility for the attacks. As Graham Cluley said, “I guess one of the problems of being a decentralised hacktivist group, with no leadership structure and no way of identifying members, is that anyone can claim to have done something under the Anonymous banner and no-one can credibly argue that it wasn’t an Anonymous action. After all, if it’s truly anonymous how is anyone to know what they have done and what they haven’t done?”
  • The attackers may use simple hacks, but simple ain’t harmless. Just ask the 103 officers whose personal data is out there now.
  • While we’re at it, what possible good could come from releasing the information on innocent BART passengers? The attacks earlier in the week released 2,000 records containing names, credentials, emails, phone numbers, and home addresses of BART customers. It strikes me as hypocritical to attack a site and harm the very people your group claims to be defending – the people.